deepagopi2011 - Fotolia

Crest takes over NSA Cira accreditation

Crest hopes to grow the accreditation programme into a global initiative to certify cyber response capabilities

Crest, the UK-based accreditation and certification body for the technical information security industry, is set to take over the US Cyber Incident Response Assistance programme (Cira).

The organisation has signed a memorandum of understanding with the National Security Agency (NSA) in the US to improve incident response.

The aim of the relationship between the information assurance directorate (IAD) of the NSA and Crest is to facilitate the growth of the Cira programme, while also ensuring the continued integrity of all aspects of the strict accreditation process.

“The Crest relationship with the NSA will support the maturity of incident response services into other government and commercial departments outside of NSS,” said Rowland Johnson, director of Crest International.

“It is hoped that it will encourage cyber security service providers to have their capabilities assessed and accredited. This will drive increasing levels of capability and capacity in to the market.”

Speaking to Computer Weekly, Johnson said: “A number of governments recognise the cyber threat is very real and have built country-specific programmes. In the US, this is Cira, which accredits organisations that have capabilities to detect and respond to cyber attacks.”

He said through this accreditation programme, the NSA’s national security systems operators would identify capable organisations and people with the right skills. They also identified best practices in cyber incident response.

The NSA now wants the industry to run this programme. “The NSA wants to build capacity in the market to get more individuals through the programme. Crest is unique as we are one organisation that accredits companies and individuals,” said Howard.

He added that Crest will run the programme and operate it on behalf of the NSA.

According to Howard, in an interconnected world, it does not make sense if one county has strong cyber incident response capabilities while others are less capable. “We want to raise standards internationally,” he said.

Read more on Regulatory compliance and standard requirements