CREST takes over cyber-assurance programme from NSA in America

CREST has signed a deal with the National Security Agency in America to run its Cyber Incident Response Assistance (CIRA) accreditation programme.

CREST is a not-for-profit accreditation and certification body which began in the UK in 2006 and represents and supports the technical information security market. It works closely with GCHQ, CESG and the Bank of England on a number of cyber-accreditation schemes.

Under the memorandum of understanding between the NSA's Information and Assurance Directorate (IAD) and CREST, the two organisations will aim to grow CIRA while maintaining a strict accreditation process.

The IAD provided advanced CIRA and Vulnerability Assessment (VA) services to address security incidents against national security systems. The National Security Cyber Assistance Program (NSCAP) was created to leverage the cyber-expertise of the industry to perform select cyber-security services for owners and operators of critical computer systems.

Accreditation of qualified commercial industry partners capable of providing cyber-security assistance services is based on stringent NSA criteria and industry and government best practices.

To support the work, CREST has established a new US chapter, welcoming Gotham Digital Services (a Stroz Friedberg company), MWR InfoSecurity, Nettitude, Stroz Friedberg and Trustwave as its first members. In addition to the UK, CREST has chapters in Australia, Malaysia, Hong Kong and Singapore.

The deal is being hailed as another example of the benefits of collaboration between industry and government to develop and support cyber-security capabilities. It is also seen as a triumph in the quest to export more British cyber-security expertise, and CREST has welcomed the active support of the FCO in establishing the new chapter in New York City.

Rowland Johnson, director of CREST International, is delighted with CREST's latest international chapter. “The US market is likely the largest cyber market in the world, and the opportunity to work with key stakeholders in the market is the dawn of a new era for CREST,” he told

The agreement with the NSA is fundamental to the model that CREST operates in other countries. “We have been talking to the government in the US for a number of years,” he said. “CREST is unique as the only entity that certifies individuals and accredits companies.”

CREST has been working with the NSA since early this year, taking on more and more of the running of CIRA. The final stage of the handover was completed on 1 September.

He said the impact on the UK organisation of making CREST more international will only be positive. Each chapter will operate independently but follow common processes for accreditation and certification to ensure global consistency, he said.

“We are very encouraged with the relationship [with the NSA] and will make sure we do the best of our ability to make the relationship successful and build capacity into the programme. We want to find new organisations with capabilities in incident response to onboard them into the programme and to raise awareness about the programme,” he said.

Justin Clarke-Salt, director at Gotham Digital Science, told SC he is excited about the new scheme. GDS has operated in New York City for 11 years and had been looking to bring its US team into line with UK staff by getting them accredited by CREST UK. “We have been looking to roll this out to the US team for ages now,” he said, “but now we have a local presence [for CREST] so our US staff can follow the same accreditation path as the UK staff.”

He added: “This is a great example of cooperation on an international basis. There is a lot of cooperation between the US and the UK but also with other governments such as Singapore and Hong Kong… It's about exporting expertise developed in the UK that will help overseas.”

Lawrence Munro, director of SpiderLabs at Trustwave, told SC said the global expansion of CREST is good news for his company because of the spread of standards. “There is a lack of de facto standards in the US and a body that organisations can accredit to. So it will be useful for us, as a cyber-security business, to be able to talk in global terms,” he said.

He said awareness of the CIRA scheme in the US is growing. “The involvement of the NSA will increase awareness among certain organisations and I hope that American-centred organisations will see the benefits of joining CREST.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.