On September 1st 2016, CREST took over the accreditation process for the NSA CIRA program. The CIRA (Cyber Incident Response Assistance) program is designed to leverage the cyber expertise within industry to deliver Cyber Incident Response services to National Security Systems (NSS) operators. The CIRA accreditation scheme has been operated as part of the National Security Agencies Cyber Assurance Program (NSCAP) for 2 years, and the program has provided support to many operators during this period. The aim of the relationship between the Information Assurance Directorate (IAD) of the NSA and CREST is to facilitate the growth of the CIRA program, while also ensuring the continued integrity of all aspects of the strict accreditation process. By working with CREST, it will be possible to build capacity into the market and respond with agility to the evolving cyber threat.
CREST will be operating the CIRA accreditation program through its east coast office in NYC and through its international accreditors. The program will remain unchanged from the documented process defined in the NSCAP website.
Process for organisations applying for 1st time accreditation
Organisations wishing to apply for CIRA accreditation should initially register their interest through the NSCAP accreditation portal (NAP). Users should click the “New Registration” button to register their company. Once the company has been registered, users will be e-mailed a link to generate a new user account. Once their account is vetted and authorized, they will have the ability to start the application process. Once the NSA IAD has authorized the access request, the process will be managed by CREST and all information will be assessed and reviewed by the CREST accreditation team.
Process for organisations being re-accredited
Organisations that have previously been accredited will be contacted by CREST three months in advance of their renewal date. A CREST accreditor will provide details of the submission process and of what the organization should expect during the assessment process. The organization is required to submit its entire re-accreditation package through the NSCAP accreditation portal (NAP).
Fees associated with CIRA accreditation
During the initial six-month handover phase commencing September 1st 2016, there will be no fees associated with CIRA accreditation.
For organizations that are either going through first time accreditation or that are being re-accredited after March 1st 2017, the following fees will be charged.
| Date | Initial Audit Fee | Annual Accreditation Fee |
|---|---|---|
| Pre March 1st 2017 | No Charge | No Charge |
| After March 1st 2017 | $1,000 | $9,000 |
From March 1st 2017, all organizations will be required to pay a $9,000 annual accreditation fee.
Consistency with CREST CSIR scheme
Although the CIRA accreditation program is designed to support NSS operators, there is recognition that the program could provide benefits to other public and private sector organisations. As a consequence, CREST is undertaking an internal study to build pathways between CIRA accredited organisations and the CREST CSIR program. CREST is currently in a beta phase for this program, and expects to be able to launch public results about this initiative by the end of March 2017.
For any organisations that are interested in learning more about CIRA accreditation, please contact [email protected]