- Tammy Buchanan
DfE Cyber Security Standards for Schools: June 2026 Update
This is the second update to the DfE cyber security standards in 2026. Our April 2026 article covered the earlier change, which introduced a mandatory 14-day remediation window for high-risk vulnerabilities. This article covers only what changed in June.
DPE Cyber Security Tracker, action required: DPE has updated its DfE Cyber Security Tracker to reflect the June 2026 changes. If you are a DPE customer, please log in and review your answers. Two additional questions have been added under Access Management to reflect the updated MFA requirement and the revised account management obligations. This may have changed your progress score.
What has changed?
The June 2026 update makes changes in three areas of the standard: devices and firewall requirements, user account controls, and alignment with Cyber Essentials 2026.
1. IoT devices explicitly included in device and firewall requirements
The standard now explicitly names Internet of Things (IoT) devices within the requirement for all network-connected devices to be securely configured, kept up to date, and protected by firewalls. This is a clarification rather than a new obligation, but schools should confirm that IoT devices on their network, such as smart whiteboards, cameras, and environmental sensors, are captured within their device management and firewall arrangements.
The firewall section has also been updated. Schools and colleges that receive a firewall as part of their broadband connection must discuss the technical requirements with their broadband provider. Where a broadband provider does not include a firewall, IT support must source and configure one independently.
A new security checks requirement has also been added: IT support must ensure that any custom-built or commissioned applications are developed securely and align with the UK Software Security Code of Practice.
2. User account controls strengthened: passwords, MFA, and account management
The user accounts and access section has been updated in three respects.
Passwords
Explicit password requirements have been added to the standard. Users must be authenticated with unique credentials before accessing devices, the network, or services. Passwords must be:
• Unique to the user
• Protected from unauthorised access
• Supported by technical controls that reduce the risk of compromise
Where staff access a number of systems, schools should consider a single sign-on (SSO) solution.
Multi-factor authentication (MFA): scope expanded
This is the most significant change in the June 2026 update. The previous requirement applied mandatory MFA only to senior leaders and staff working with confidential, financial, or personal data. The updated standard substantially widens this.
MFA: mandatory scope
Previously: Senior leaders and staff working with confidential, financial, and personal and sensitive personal data
June 2026: All staff accounts with access to cloud services or on-site systems, and all IT administrative accounts
Passkeys are noted as a potential alternative where staff use a dedicated device. Schools must also consider alternatives or additional support for anyone with accessibility needs or disabilities. Where MFA is not available for a given system, a more complex password should be used in its place.
The optional extensions previously listed in the standard (MFA for all cloud services, MFA for all staff, MFA for students) have been removed now that broader MFA is mandatory.
Account management: section rewritten
The account management section has been entirely rewritten. The updated standard focuses on only creating accounts when necessary and removing access promptly when it is no longer needed. The requirements are:
• Accounts must be created only when required
• Access privileges must be limited to what the user needs for their role
• Accounts must be disabled as soon as someone leaves their role
DPE has added two new questions to the Access Management section of the DfE Cyber Security Tracker to reflect the updated MFA scope and the revised account management requirements. The question about leavers has been modified to specify leaving their role, as opposed to the organisation. DPE clients should review their answers to this section as their progress will have changed.
3. Alignment with Cyber Essentials 2026
The update explicitly aligns the DfE standard with the NCSC's Cyber Essentials 2026 scheme. Cyber Essentials remains a requirement for colleges under their funding agreement. For schools, it is not mandatory but provides a useful framework for assurance. The April 2026 update to the DfE standard, covering the 14-day patching window for high-risk vulnerabilities, also reflects Cyber Essentials 2026 requirements, so the two updates together bring the DfE standard into full alignment with the current scheme.
What should you do now?
• Check your MFA coverage: is it now active on all staff accounts with access to cloud or on-site systems, not just those handling sensitive data?
• Review your account management process: are accounts created only when needed, are access rights appropriately scoped, and are accounts disabled promptly when staff leave?
• Confirm that any IoT devices on your network are included in your device management and firewall arrangements: remember this might include CCTV!
• If you use any custom-built or commissioned applications, confirm they have been developed in line with the UK Software Security Code of Practice
• DPE clients: log in to the DfE Cyber Security Tracker and review your answers, particularly under Access Management
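As an added illustration (not part of the DPE article or the DfE standard), the Python below runs the MFA-scope and leaver checks from this list over a constructed account export: MFA is required for all staff with cloud or on-site access and for all IT admin accounts, a stronger password is the fallback where MFA is unavailable, and accounts must be disabled on leaving the role rather than the organisation. The column names and sample rows are assumptions; a real export would come from the school's directory or identity provider.

```python
"""Added example: audit a constructed account inventory against the June 2026
DfE MFA scope and account-management rules. Columns and rows are assumptions."""
import csv
import io
from datetime import date

# Constructed sample export (not real data); a real one comes from the IdP/directory.
INVENTORY_CSV = """\
username,type,has_cloud_access,has_onsite_access,is_it_admin,mfa_enabled,mfa_available,password_strong,left_role_on,enabled
jsmith,staff,yes,yes,no,yes,yes,no,,yes
apatel,staff,no,yes,no,no,yes,no,,yes
itadmin1,staff,no,no,yes,no,yes,no,,yes
legacy_svc,staff,no,yes,no,no,no,yes,,yes
rjones,staff,yes,no,no,yes,yes,no,2026-05-31,yes
y7pupil,student,yes,no,no,no,yes,no,,yes
"""

def _yes(value):
    return value.strip().lower() == "yes"

def mfa_required(row):
    # June 2026 scope: every IT admin account, plus every staff account that can
    # reach cloud services or on-site systems. Student accounts are out of scope.
    if _yes(row["is_it_admin"]):
        return True
    return row["type"] == "staff" and (_yes(row["has_cloud_access"]) or _yes(row["has_onsite_access"]))

def audit_account(row, today):
    """Return the list of findings for one account; an empty list means compliant."""
    findings = []
    if mfa_required(row) and not _yes(row["mfa_enabled"]):
        if _yes(row["mfa_available"]):
            findings.append("MFA required but not enabled")
        elif not _yes(row["password_strong"]):
            # Where the system cannot do MFA, the standard falls back to a more complex password.
            findings.append("MFA unavailable and password does not meet complexity fallback")
    if row["left_role_on"] and _yes(row["enabled"]):
        # Disable on leaving the role, not only on leaving the organisation.
        if date.fromisoformat(row["left_role_on"]) <= today:
            findings.append("account still enabled after leaving role")
    return findings

def audit_inventory(csv_text, today=date(2026, 6, 30)):
    """Map each non-compliant username to its findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["username"]: f for r in reader if (f := audit_account(r, today))}

if __name__ == "__main__":
    for user, issues in audit_inventory(INVENTORY_CSV).items():
        print(f"{user}: {'; '.join(issues)}")
```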
Related: April 2026 — DfE Cyber Security Standards: 14-day patching update (DPE) | DfE Cyber Security Core Standard (GOV.UK) | DfE Digital and Technology Standards — all updates
© Data Protection Education 2026. This article is provided for information and guidance purposes. It does not constitute legal advice. For advice specific to your organisation, please contact your DPE adviser.
