The Cyber Assess Scheme aims to bolster businesses’ security and resilience by offering specialised cybersecurity expertise and services. This initiative empowers businesses to proactively handle cyber threats, strengthen local enterprises, and reduce supply chain risks in the private sector. Tailored offerings furnish technical and business acumen, enhancing IT system security and effectively addressing information security threats.

This project is fully funded by the Recovery and Resilience Facility fund which is part of the NextGenerationEU Programme.

OPEN CALL FOR APPLICATIONS
CYBER ASSESS SCHEME

Scope of Scheme

Our comprehensive services focus on assessing IT systems and infrastructure (excluding Software as a Service (SaaS), Platform as a Service (PaaS), SCADA, Operational Technology (OT), and personal devices), emphasizing Vulnerability Assessments, Penetration Testing, Security Architecture Reviews, Risk Assessments, and Audits & Reviews.


Get a Free Cybersecurity Service:

The Cyber Assess Scheme will operate on a first-come, first-served basis, subject to service availability. With a dedicated budget of up to €150,000, the scheme provides free of charge services to eligible enterprises. To ensure equitable distribution and effective utilization of resources, specific allocations have been established for each service category.

Vulnerability Assessments

12 businesses – Assessment will be capped at a maximum of 4 business days for each business

Penetration Testing

3 large businesses – Pen Test will be capped at a maximum of 8 business days for each large business

6 SMEs – Pen Test will be capped at a maximum of 6 business days for each SME

Security Architecture Reviews

3 businesses – Review will be capped at a maximum of 10 business days for each business

Risk Assessments

3 businesses – Assessment will be capped at a maximum of 10 business days for each business

Audit & Reviews

3 businesses – Review will be capped at a maximum of 10 business days for each business

Provision of Services

Collaborating with industry leaders, our Contractors will deliver these services remotely between Quarter 1 2024 and Quarter 3 2025, ensuring your business’s cybersecurity needs are met with expertise. MITA will not process any data exchanged between the Contractor and the applicant; the Contractor and the applicant will be in direct contact to complete the assignment. If the application is successful, the commitment will be formalised between MITA and the applicant.

Application Timeframes

Start Date: 5th February 2024

End Date: 31st July 2024*

Note: The assessment and selection of projects shall be undertaken after each application submission.

*Subject to service availability

Documents related to the Scheme


Eligibility Criteria

These criteria outline the requirements that applicants must meet to be eligible for the Cyber Assess Scheme.

  • Eligible Participants: The Scheme is open to natural or legal entities engaged in economic activities formally recognized by relevant Government authorities in Malta.
  • Internet-Facing Services: The applicant must have at least one of the following eligible internet-facing services:
    a. Corporate e-mail solution with a dedicated domain
    b. File Transfer Protocol (FTP) solution managed by the applicant
    c. Corporate VPN service
    d. API endpoints connected to the corporate infrastructure managed by the applicant
  • Service Limitation: Each participating entity is eligible for one service.
  • Compliance with State Aid Regulations: Free of charge services under this Scheme must adhere to the State Aid regulations outlined in Commission Regulation (EU) No 2023/2831. According to the De Minimis Regulation, a single undertaking may not receive more than €300,000 in De Minimis aid from any public funding source (EU Funds and/or national funds) over a rolling period of three fiscal years.
  • Application Submission: A complete application form, as specified by the Scheme, must be submitted for consideration.

Application/Selection Process

  1. Application Submission: An application form will be accessible in February 2024 for interested applicants to fill out. Upon successful submission of an application, the system will generate a unique reference number. An acknowledgment email containing this application reference number will be sent promptly.
  2. Application Review: Applications will be processed continuously and evaluated in order of submission to assess their eligibility and alignment with the Scheme’s criteria.
  3. Notification of Application Status: Upon completion of the review process, the National Cybersecurity Coordination Centre (NCC) will notify the respective applicant of the outcome. If the application is accepted, a positive reply will be sent together with a scoping document and a prospective date for an appraisal meeting. Please note that receiving this does not establish any binding commitment from the NCC until both parties have signed the respective agreement. If the application is not accepted, the communication will include clear and relevant reasons for rejection. Applicants may reapply with corrections to the previous application, and the selection process will be reinitiated.
  4. Agreement Signing: After application acceptance and the scoping meeting, applicants will receive the agreement. Both parties, namely the applicant and the NCC, are required to sign this agreement before proceeding with the service. The agreement will also contain specific forms that need to be completed by the applicant. These forms are crucial for governance purposes and will be utilized by the Malta Information Technology Agency (MITA).

Vulnerability Assessments provide insight as to which assets are susceptible to cyber-attacks by providing detailed reports of the weaknesses in the systems scoped for testing. The severity of these weaknesses is measured through authenticated or unauthenticated scans as requested by the applicant. The Assessments also document easily identifiable vulnerabilities, showing how they were discovered. The vulnerabilities are listed with prioritization based on CVSS scores, and recommendations for remediation are provided.

Vulnerability scanning supports IPv4, IPv6 and hybrid networks. The supported technologies and operating systems are: AIX, Alma Linux, Amazon Linux, Android, Apple iOS, CentOS, CISCO, Citrix, DB2, Debian, F5 Networks, Fedora, Fortinet, FreeBSD, Gentoo, HP-UX, Huawei, Hyper-V, IBM iSeries, Informix/DRDA, Junos, MacOS X, Mandriva, MariaDB, MongoDB, MySQL, Netware, NewStart CGSL, Oracle, Oracle Linux, OracleVM, Palo Alto, PhotonOS, PostgreSQL, Red Hat, Rocky Linux, Scientific Linux, Slackware, Solaris, SQL Server, SuSE, Ubuntu, Virtuozzo, VMware ESX, VMware ESXi, vSphere and Windows.

For the Vulnerability Assessment service, between 5 and 25 devices/components can be scanned. Alternatively, applicants can opt to have 1 web application assessed.

Service will be capped to 12 businesses with a maximum of 4 business days each, covering the below steps:

  • Vulnerability identification

Vulnerability testing can be run as authenticated or unauthenticated scans:

Authenticated scans: Give the vulnerability scanner access to networked resources over remote administrative protocols, authenticating with system credentials provided by the applicant. Authenticated scans should cover, but not be limited to, low-level data such as specific services, configuration details, and accurate information about operating systems, installed software, configuration issues, access control, security controls and patch management.

Unauthenticated scans: Scans that are given no system access to networked resources. Without credentials the results can include false positives and unreliable information about operating systems and installed software; however, they show which vulnerabilities on the system(s) are easily identifiable without credentialed access.

  • Vulnerability analysis

In the vulnerability analysis stage, the following steps will be taken:

  1. Identifying the responsible components and root cause of each vulnerability, with manual verification to minimize false positives.
  2. Determining the age of vulnerabilities.
  3. Assessing exploitability based on the CVSS 3.1 format.
  4. Evaluating the exploit code maturity using the CVSS 3.1 format.

  • Risk assessment

The applicant will be presented with the risk scores. For each vulnerability, the ranking will include its CVSS score.

  • Remediation

The applicant will be guided on the prioritization of vulnerabilities according to the CVSS 3.1 format, accompanied by recommendations for remediation.

Penetration Testing involves both manual and automated testing to replicate real-life cyber-attacks, mapping out potential breach paths that attackers might take. The primary objectives are to validate the effectiveness of existing security controls based on specified goals and scope, ensuring they adequately protect the system or assets in question. Covert testing is used to evaluate the response capabilities of IT and security personnel when faced with simulated cyber-attacks.

In cases where vulnerabilities are identified and deemed exploitable, detailed documentation is provided, illustrating the breach methods used for each vulnerability. Additionally, the service offers recommendations for remediation to prevent the recurrence of these vulnerabilities and enhance overall cybersecurity defences.

Service will be capped to 3 large businesses with a maximum of 8 business days each, and 6 SMEs with a maximum of 6 business days each, as follows:

Guided by the Penetration Testing Execution Standard (PTES) and NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, the Penetration Testing activities include, but are not limited to:

  • Intelligence Gathering
  • Threat Modelling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting aligned with the PTES Reporting section and the PTES Technical Guidelines – Reporting section. The report will clearly identify and explain each vulnerability, with associated recommended remedial actions, step-by-step attack replication instructions, evidence of compromise/verification with screenshots, and solutions. Detailed technical reports and executive summary reports with recommendations, and a remediation plan with prioritised actions for risk mitigation, are also included.

Security Architecture Reviews involve assistance and guidance in the development and design of architectures that effectively manage identified risks through appropriate controls. It includes the identification and articulation of risks at both abstract and detailed levels in systems and services design.

This service provides guidance on reducing the likelihood of exploiting vulnerabilities and minimizing the impact in case of a compromise. It offers support for secure development, building, deployment, operation, and management of systems and services. Additionally, the service advises on adopting and securely implementing common architectural blueprints or patterns. Applicants are guided in selecting technologies that adequately mitigate potential vulnerabilities identified in system architectures. Furthermore, the service simplifies technical security analysis into easily understandable language for both technical and executive audiences, facilitating better decision-making and understanding of security measures.

Service will be capped to 3 businesses with a maximum of 10 business days each, as follows:

Security Architecture assessments align with at least one of the Threat Modelling approaches below and, where technically possible, with the Zero Trust Architecture principles of NIST SP 800-207:

  • Draft NIST Special Publication 800-154, Guide to Data-Centric System Threat Modelling
  • STRIDE
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  • IDDIL/ATC

The final report is intended to include a threat model for the systems under review, including a list of potential attack vectors and means to mitigate these. Recommendations on adopting and securely implementing common architectural best practices are also included.

The Risk Assessment and Management service offers guidance and advice to applicants to determine the appropriate approach to risk assessment based on their specific activities and desired business outcomes. Working collaboratively, this service helps applicants gain a realistic understanding of cybersecurity risks related to their business objectives.

The service includes the conduct and documentation of the risk assessment, assisting applicants in identifying and addressing cybersecurity risks in line with their goals. As a result, such assessments help facilitate informed security and business decision-making, providing applicants with comprehensive support in managing cybersecurity risks effectively.

Cybersecurity control recommendations are provided to ensure comprehensive management of identified risks.

Additionally, the service helps in developing and documenting tailored risk management plans that align with the applicant’s business objectives and activities. Furthermore, the service assists applicants in developing adaptive approaches to continuously manage evolving risks, considering changes in the business, threat landscape, and technology.

Risk Assessment and Management can be conducted at all three tiers of the risk management hierarchy: Tier 1 (organization level), Tier 2 (mission/business process level), and Tier 3 (information system level).

For the Risk Assessment service, applicants must opt for one of the 3 specified tiers.

Tier 1 includes, for example:

  • organization-wide information security programs, policies, procedures, and guidance;
  • the types of appropriate risk responses (i.e., risk acceptance, avoidance, mitigation, sharing, or transfer);
  • investment decisions for information technologies/systems;
  • procurements;
  • minimum organization-wide security controls;
  • conformance to enterprise/security architectures;
  • monitoring strategies and ongoing authorizations of information systems and common controls.

Tier 2 includes, for example:

  • enterprise architecture/security architecture design decisions;
  • the selection of common controls;
  • the selection of suppliers, services, and contractors to support organizational missions/business functions;
  • the development of risk-aware mission/business processes;
  • the interpretation of information security policies with respect to organizational information systems and environments in which those systems operate.

Tier 3 includes, for example:

  • design decisions (including the selection, tailoring, and supplementation of security controls and the selection of information technology products for organizational information systems);
  • implementation decisions (including whether specific information technology products or product configurations meet security control requirements);
  • operational decisions (including the requisite level of monitoring activity, the frequency of ongoing information system authorizations, and system maintenance decisions).

Service will be capped to 3 businesses with a maximum of 10 business days each, as follows:

According to the NIST Special Publication 800-30 Risk Management Guide and NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, the Risk Assessment and Management activities include, but are not limited to:

The Audit and Reviews service offers comprehensive guidance to applicants on maintaining and continuously improving their internal or external cybersecurity standards, policies, and procedures. Applicants can choose specific parts of their policies or procedures to be audited or reviewed, aligning with standards such as the “ISO27k” family, NIST CSF, and PCI-DSS.

The service also assists applicants in meeting certification or compliance requirements related to these standards. Additionally, for existing cybersecurity policies and procedures, applicants can opt for audits and reviews of specific parts of their policies/procedures/standards in line with a subset of the standards mentioned, assisted through recommendations of changes or improvements.

Service will be capped to 3 businesses with a maximum of 10 business days each, as follows:

Guided by the Guidelines for auditing management systems (ISO 19011:2018), the activities include, but are not limited to:

  • Determine any areas of interest, concern or risks to the auditee in relation to the specific audit
  • Determine feasibility of audit
  • Collect and verify information
  • Audit evidence
  • Evaluate evidence against audit criteria
  • Generate audit findings
  • Determine audit conclusions
  • Conduct closing meeting & Audit Report


This information is subject to change, and MITA retains the right to update it.
