UK Government May Force MSPs to Follow Security Standards

Cyber Security News

The UK government is considering forcing managed service providers (MSPs) to follow updated security standards.

The Department for Digital, Culture, Media and Sport (DCMS) is asking for views on these measures and more to boost the cyber-resilience of the UK’s critical supply chains.

The DCMS revealed it is considering making it a requirement for MSPs to meet the current Cyber Assessment Framework, which comprises 14 security principles. These include having policies to protect devices and prevent unauthorized access, keeping secure and accessible backups of data, and training staff and pursuing a positive cybersecurity culture.

The government also wants the views of MSPs and companies procuring digital services to help understand whether it needs to update existing guidance for supply chain risk management, including the assessment framework.

Currently, the National Cyber Security Centre offers a range of information and resources to help organizations on how to assess the security or risks of their suppliers, including specific supply chain security and supplier assurance guidance.

The announcement has been made as organizations are increasingly moving their operations online, meaning they are more reliant on digital supply chains and third-party IT service operators. Despite this trend, the DCMS highlighted research earlier this year showing that just 12% of organizations review the cybersecurity risks of their immediate suppliers, and only 5% address vulnerabilities in their wider supply chain.

Digital Infrastructure Minister Matt Warman commented: “There is a long history of outsourcing of critical services. We have seen attacks such as ‘CloudHopper’ where organizations were compromised through their MSP. It’s essential that organizations take steps to secure their mission critical supply chains—and remember they cannot outsource risk.

“Firms should follow free government advice on offer. They must take steps to protect themselves against vulnerabilities, and we need to ensure third-party kit and services are as secure as possible.

“We’re seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules.”

Supply chain security has come into sharper focus in recent months following the damaging SolarWinds attacks at the end of 2020.