GBEST

GBEST is a new scheme based on the CBEST model and is being rolled out across UK Government Departments. The scheme aims to be very similar to CBEST but with some differences. For example, a GBEST assessment is expected to take slightly longer than an average CBEST.

GBEST has been successfully piloted in several departments in 2017-2018. The Cabinet Office has successfully bid for funding to carry out several exercises per year. The long-term ambition is for a GBEST exercise to take place in every major department at least once every five years.

The overall scheme is co-ordinated by the Cabinet Office but each exercise is procured, led and ultimately owned by the government department carrying out the exercise.

The National Cyber Security Centre provides validation of the Threat Intelligence and general technical assurance to each exercise. Those CREST STAR members holding the requisite qualified consultants, including those approved by the Bank of England for CBEST, will be eligible to compete for the Threat Intelligence and Penetration Testing stages in each GBEST exercise.

Please note that for GBEST penetration testing assignments, the work must be carried out by a consultant holding a current CC SAS qualification and the assignment must be overseen by a consultant holding a current CC SAM qualification. For the avoidance of doubt, this means that all members of the penetration testing team conducting the actual live testing need to hold the CC SAS qualification. The team should be overseen by a consultant holding the CC SAM qualification. They may have support from other staff throughout, but those actually doing the live testing work need to be holders of CC SAS or CC SAM as outlined above.

Procurement

The Cabinet Office is in discussion with Crown Commercial Services at the moment to decide the most appropriate way to procure for each exercise and hope to be able to distribute further guidance on the precise procurement process in the near future.

The Cabinet Office has decided that CREST STAR accreditation will be an appropriate level to compete for GBEST work.

During the GBEST pilots, CBEST experience was required to bid for the work. This will not be a requirement for the roll-out of GBEST across HM Government.

The Threat Intelligence and Penetration Testing phases will be procured separately. Government Departments will be advised that it is usually advantageous to have a difference provider for each phase.

The funding for each year of GBEST is tied to the financial year (ie. funds must be spent by the end of each financial year). Therefore, it is likely that many departments will be procuring at around the same time.