BlackBerry has become the first major mobile vendor to receive the new Cyber Essentials Plus (CE+) certification from the UK Government.
The base Cyber Essentials certification covers a wide range of security processes, including account management, firewall configuration, device configuration, backup processes and other security-related configurations. In order to obtain Cyber Essentials Plus, a qualified and authorized external tester needs to perform additional tests and checks within the organization, including an internal scan of the network, verification of account security for both standard users and administrative accounts, testing for defenses against malicious software installation via email and web browsing.
Adam Boulton, Senior VP of Security Technology for BlackBerry said,
“Third-party security certifications and validations such as FIPS 140-2, Common Criteria and NIAP are widely used in the industry to show that products have been independently tested by professional labs not affiliated with the company. The vendors and products that receive the certifications are found to have met high-security standards set forth by standards bodies such as the National Institute of Standards and Technology. While no certification can provide absolute certainty that a vendor or product will never be hacked, certifications do provide assurance that the product has been independently tested and often help to justify the vendor’s security claims.”
Cyber Essentials Plus
In addition, BlackBerry is now an accredited certifying body for Cyber Essentials Plus, meaning that the company can help your business obtain its own Cyber Essentials certification.
As cyber security becomes more and more of a concern, the UK Ministry of Defense is mandating that its supply chain be Cyber Essentials certified for sensitive projects. BlackBerry leads the industry in secure military and government communications, and the Cyber Essentials certification gives BlackBerry yet another competitive advantage over other embedded software platform vendors.
BlackBerry have already helped government departments, product suppliers, manufacturers and administrative organizations achieve Cyber Essentials accreditation, and the company will continue to help  customers and industry partners improve their cybersecurity programs.
Boulton commented,
“With now over 80 certifications and validations, BlackBerry continues to widen the gap as the world’s most trusted and secure mobile software platform.”
Since January 2016, all MoD tenders are required to comply with the Cabinet Office procurement policy note 09/14 .
When introduced the buyer will identify the level of risk for each piece of work and the organisation being contracted with will need to demonstrate that they have the required controls in place. This will flow down through the supply chain as necessary (determined by the risk assessment).
For each level of CSM there is a requirement for Certification to the Cyber Essentials Standard.
The following table identifies the risk levels and the required level of Cyber Essentials Certification. Cyber Essentials is not the only requirement to meet the risk levels. Full requirements can be found here.
[table style=”table-striped”]
| Not Applicable | For contracts where it is assessed that there is no, or only a negligible, cyber risk. It is not expected that many contracts will fall in to this category |
| Very Low | For contracts where a basic threat is faced (i.e. simple hacking, phishing or spyware) and where any attacker is likely to be opportunistic, unskilled and non-persistent. The sorts of contracts this will apply to are likely to be those covering commodity purchases or standard service provisions e.g. office supplies or the disposal of non-sensitive waste |
| Low | For contracts where the threat may be slightly more targeted (i.e. involving spear phishing, whaling or ransomware and where attackers are semi-skilled but may not be persistent). It is likely to apply to contracts for basic parts or services but not where these could be linked to military capability. This profile is likely to apply primarily to contracts handling information classified as OFFICIAL, but may also occasionally apply to those involving small quantities of OFFICIAL information which have the handling instruction
PLUS 16 ADDITIONAL CONTROLS |
| Moderate | For contracts subject to more advanced threats that are tailored and targeted with the objective of gaining access to specific assets or enacting denial of service. The attacker is likely to be persistent, organised and either be skilled or have access to skills e.g. cyber criminals or hacktivists. This will likely apply to contracts that involve handling greater volumes of, or more sensitive, personal information, and those involving larger quantities of OFFICIAL-SENSITIVE information
PLUS 32 ADDITIONAL CONTROLS |
| High | For contracts assessed as being subject to Advanced Persistent Threats (APT), which may be sustained over long periods and not exploited for months, or years after the initial attack. Attackers will be organised, highly sophisticated, well resourced and persistent. This will likely apply to contracts that are essential to support key military capability and those handling information classified at SECRET or above
PLUS AN ADDITIONAL 43 CONTROLS |
[/table]
