GBEST is a new scheme based on the CBEST model and is being rolled out across UK Government Departments. The scheme aims to be very similar to CBEST but with some minor differences; for example, a GBEST assessment is expected to take slightly longer than an average CBEST.
GBEST has been successfully piloted in several departments across 2017-2018. The Cabinet Office has successfully bid for funding to carry out several exercises per year. The long-term ambition is for a GBEST exercise to take place in every major department at least once every five years.
The overall scheme is co-ordinated by the Cabinet Office but each exercise is procured, led and ultimately owned by the Government Department carrying out the exercise. The NCSC provide validation of the Threat Intelligence and general technical assurance to each exercise.
CREST STAR members, including those approved by the Bank of England for CBEST, will be eligible to compete for the Threat Intelligence and Penetrating Testing stages in each GBEST exercise.
The Cabinet Office is in discussion with Crown Commercial Services at the moment to decide the most appropriate way to procure for each exercise and hope to be able to distribute further guidance on the precise procurement process in the near future.
The Cabinet Office has decided that CREST STAR accreditation will be an appropriate level to compete for GBEST work.
During the GBEST pilots, CBEST experience was required to bid for the work. This will not be a requirement for the roll-out of GBEST across HM Government.
The Threat Intelligence and Penetration Testing phases will be procured separately. Government Departments will be advised that it is usually advantageous to have a difference provider for each phase.
The funding for each year of GBEST is tied to the financial year (ie. funds must be spent by the end of each financial year). Therefore, it is likely that many departments will be procuring at around the same time.
A list of GBEST approved suppliers is listed here.