Cyber Essentials Montpellier – What You Need To Know

The much-anticipated Montpellier release of the Cyber Essentials questionnaire has arrived, and now that we’ve had time to assess its merits, our Lead Assessor, Tony Wilson, will guide you through the additions, relaxations, and even the changes that affect responses to the current Evendine questionnaire, to pave the way to Montpellier on April 24th 2023. 

Montpellier is the second major release of the questionnaire since IASME became the sole NCSC delivery partner of the scheme in 2020. For details of the Evendine questionnaire, please see last year’s blog called “Cyber Essentials Evendine – what you need to know”. 

Like Evendine, the new questionnaire takes its name from one of the freshwater springs around Malvern and most questions have been carried over to Montpellier. 

Timescales/changeover period 

Montpellier was originally scheduled for release in January 2023, but has been delayed until April 24th 2023. This means that Evendine applications can be purchased up to April 23rd 2023. Certification Bodies will not mark any Evendine submissions after 23rd October 2023. So, even if Evendine questions were submitted on 22nd October, should there be any clarifications to answer, the applicant may not get them back in time to be completed before the deadline. In this situation, the applicant must purchase the Montpellier question set and resubmit using that. Our advice is to get Evendine submissions to us in plenty of time ahead of the October cut-off. 

The Montpellier questionnaire can be found here ahead of the go-live date: Montpellier question set download 

No requirement to list the model of the device 

We’ll start with changes that have been implemented with immediate effect, and have involved a change in assessment of the following questions currently active on the portal: 

  • A2.4 Please list the quantities of laptops, desktops and virtual desktops within the scope of this assessment.  
  • A2.6 Please list the quantities of tablets and mobile devices within the scope of this assessment. 

The above questions no longer require the applicant to include the model of the device – simply listing the Make and Operating System is sufficient (even though the Evendine portal questions still, confusingly, include the word “model”).  

Removing the requirement to submit models certainly makes the questions easier to complete, especially for larger companies that use device management solutions that do not record device models. 

If companies still choose to supply models unnecessarily, Certification Bodies may still highlight possible discrepancies relating to a certain model’s ability to run a supported Operating System. For example, if an Apple iPhone 5s is stated as running iOS 16 – then the applicant will be informed that this is not possible, and it will be marked as non-compliant. 

It should be noted that there is still a requirement to give the edition and feature version of Windows Operating Systems – so responses that do not state the Windows OS in full will still be marked as non-compliant. An example of a full OS declaration would be “Windows 10 Pro 22H2”. 

There is also still a requirement to mention the Make and Model of boundary firewalls in question “A2.8 Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers).” 

Vendor specific issues 

Another change with immediate effect relates to Next Generation Anti Malware solutions. It is no longer required to have an Anti-Virus Solution that is signature based – as long as the product is installed to the manufacturer’s recommendations. 

Some operating systems are not flexible enough to meet the Cyber Essentials requirement to lock out after 10 failed attempts, or do not have the ability to throttle the attempts within the required time-frame. Certification Bodies can now accept, with immediate effect, devices that lock out at the manufacturer’s minimum supported threshold (e.g. 15 attempts on some devices). 

So now we have covered all the changes that have been implemented ahead of Montpellier, let’s examine the main differences between Montpellier and Evendine. 

Multi Factor Authentication (MFA) 

Perhaps the most surprising change is the relaxation of the MFA requirements, i.e. applicants cannot fail by choosing not to apply Multi Factor Authentication (MFA) – unless additional non-compliant responses have also been submitted. 

The main reason that this is so surprising is that the Evendine question set actually informed applicants in advance that, in the 2023 questionnaire (Montpellier), “A7.17 Has MFA been applied to all users of your cloud services?” was to be marked for compliance, and this was expected to amount to a Fail if all users did not have MFA enabled where available. 

Furthermore, whilst A7.17 has not been implemented as expected, applicants can now also choose not to implement MFA on Administrator cloud accounts – even where this service is available – if there are no other non-compliant questions in the submission. This is surprising, as a failure to apply MFA to administrative cloud accounts under Evendine amounted to an automatic Fail.  

BYOD 

In Evendine, contractor-owned devices are deemed out-of-scope but Montpellier goes into further detail regarding the scope of BYODs. 

In Montpellier, personal devices of employees, volunteers, trustees, and university research assistants are all in-scope if they access company information or services, whereas devices owned by students, MSP administrators, third-party contractors and customers are not in-scope, even if they access company information or services. 

Thin clients 

Thin clients (computers designed to run from resources stored on a central server instead of a localised hard drive) must be submitted and the Make and Operating System must be listed (submitting the model may result in a discrepancy being found and a Fail being awarded if the model is known not to run a supported Operating System). 

Cyber Essentials Plus changes

The main changes to the Plus requirements are:

  • All internal servers are now sampled whether they connect to the internet or not – not just those used for Remote Desktop functions.
    • These are only tested in relation to their use – e.g. a back-end server that is not used for browsing the web or reading emails will only be scanned for patching issues, without performing the email and URL checks.
    • The sample is based on the different server operating systems used. So it is possible that, if an applicant has a large number of back-end servers, the time taken to assess these could be greater under Montpellier than under Evendine and could therefore incur further costs.
    • The sample is calculated as follows (sample size per server operating system, by the number of servers running that OS):

      Number of servers with each Server OS    Sample size
      1                                         1
      2-5                                       2
      6-19                                      3
      20-60                                     4
      61+                                       5
  • Anti Virus manual steps have been included – to help ensure Next-Generation Anti Virus software is compliant
    • Next-Gen AntiVirus software can be thought of as those applications that do not use Virus Definition files to detect malicious software (such as CrowdStrike, Webroot etc)

Other structural changes to the scheme 

There are other minor changes in structure and flow within the Montpellier questionnaire that we have not gone into in this blog. For more information on these, and on the changes mentioned above, you may wish to consult the following NCSC resources: 

Additional research conducted by Aidan Collins