Introduction
I’m seeing organisations who are looking at the 54 Technical Guidance Measures within Section 3 (third party supplier measures) as part of their compliance journey with the Telecommunications Code of Practice, yet are unclear on when the measures need to be addressed, because the measures have an indicated date of evidence of all new contracts from their initial indicated evidenced date (31st March 2024 for Tier 1 providers and 31st March 2025 for Tier 2 providers) and all contracts from 31st March 2027.
What’s new?
Now, what does “new” mean in this context? Well, key concept 6.39 from the Code of Practice has your answer:
In reference to the (new/existing) timeframes in Section 3, whether or not a contract with an existing supplier is ‘new’ should be defined in terms of whether the scope or scale of the contracted work changes. Therefore on this basis:
• a renewal of a contract to continue completing the same work would not be defined as new;
• software upgrades or service agreements that do not change the scope or scale of the work would not be defined as new (for example, a patch or general version of existing functionality would not be new);
• a renewal of a contract which resulted in a software upgrade that leads to a change in the quality of service or enables a new service to be delivered would be new;
• a renewal of a contract which resulted in the supply of updated, modified or new equipment hardware would be new;
• where there is a framework arrangement in place with individual statements of work under this agreement then a change in either the framework contract or the individual statements of work would be in scope of a new contract if they change the scope or scale of the work; and
• where an existing contract is amended to change the scope or scale of the work it would be new.
What’s the difference between the measures?
For all of these measures, the intention is that they are met by the initial evidenced date, but there is a challenge: not all of these measures are related to a contract, as shown below in Figure 1:

19 of the measures relate to activities that the provider has to carry out itself to manage the environment in which third party suppliers operate. These cover the following key areas:
Network segmentation
Providers shall:
- When making network or user data available to third party suppliers outside of a secure privileged access system, ensure that the environment used to hold and make the network and user data available to the third party is secure and segregated from the provider’s wider systems and data.
- Not allow routine, direct access to network equipment by third party administrators (3PAs); access shall be via mediation points owned and operated by the provider.
- Implement and enforce security enforcing functions at the boundary between the 3PA network and the provider network.
- Ensure that the elements of the provider network accessible by the third party administrator are the minimum required to perform its contractual function.
Access control
Providers are to:
- Maintain an up-to-date list of all third party administrator personnel that are able to access its network, including their roles, responsibilities and expected frequency of access.
- Retain the right to determine permissions of the accounts used to access its network by third party administrators.
Information management
Providers need to:
- Retain control and oversight of their network and user data.
- Define what information is made accessible to any third party supplier, ensuring that it is the minimum necessary to fulfil their function. Providers shall place controls on that information and limit third party access to the minimum required to fulfil the business function.
- Avoid transferring control of their network and user data to third parties, except where necessary. Any such transfer of control should be limited to the necessary and defined purpose. Where a data transfer is necessary, it shall be through a defined process.
- Use an encrypted and authenticated channel between providers and suppliers when sharing user or network data.
Hardening
Providers shall ensure that:
- Their equipment is in a secure-by-default configuration, based on the principle that only required services are made available.
- All deployed equipment either meets the network equipment supplier’s recommended secure configuration (as a minimum), or that any variations are recorded and the risk assessed.
Vulnerability management
Providers are expected to:
- Update all supported equipment within an appropriate period of any relevant and appropriate version being released.
- Deploy all security-related patches and patches with a security element in a way that is proportionate to the risk of security compromise that the patch is intended to address (see Table 2 within Section 3 of the Code of Practice). Should this not be possible, patches shall be deployed as soon as practicable and effective alternative mitigations put in place until the relevant patch has been deployed. Where a patch addresses an exposed, actively-exploited vulnerability, providers shall ensure that such patches are deployed as soon as can reasonably be achieved, and at most within 14 days of release.
- Ensure that network equipment continues to meet the requirements in M8.04 (procurement of equipment), M8.05 (out of support/EoL), M8.06 (hardening of accounts and protocols), M10.48 (secure by default) and M10.49 (built to the supplier’s configuration at a minimum) throughout its lifecycle, including after an upgrade or patch.
- Verify that their third party network equipment suppliers have a vulnerability disclosure policy. This shall include, at a minimum, a public point of contact and details around timescales for communication.
Resilience
Providers shall:
- Ensure that they retain sufficient in-house expertise and technical ability to re-tender their managed services arrangements at any time and shall produce and maintain a plan for moving the provided services back in-house, or to another third party supplier.
- Implement necessary mitigations based on identified equipment risks (e.g. use of an out-of-support component), such that these equipment risks do not increase the overall risk to their networks.
Monitoring
Providers shall both log and record all 3PA access into their networks.
What does this mean, and why should I care?
The items in the above section which are non-contractual in nature are being missed by organisations which are assessing based on the due date, purely because there is a date range. Does this mean that you have until 31st March 2027 to address the issues, or do they need assessing against their initial indicated evidenced date? I’ve taken the view that it has to be the latter, which is why all my analysis has reflected this already.
The reasoning is as follows: not only do the above measures have nothing to do with contractual agreements, but they are also required to be in place, ready for any new contract in operation from the initial evidenced date. If they are not present, how could you meet the compliance requirements for new contracts?
Summary
There is a lot to take in when undertaking compliance with the Code of Practice, and if you are being led by the dates rather than by the content of the measures, then you may have fallen into the trap of assigning the above measures to a workstream that handles contracts, rather than viewing them as foundational controls to be reviewed and managed as part of the wider governance. My recommendation is to include the above measures in your compliance approach, with the timescales of 31st March 2024/2025 accordingly.