Introduction

Use of the Services Procurement Guidelines

Due to the sensitive nature of TIBER-EU tests, entities need to carefully select TI and RT providers which can provide an appropriate level of professional expertise and support for conducting the test.

The market for threat intelligence and red team testing varies widely, with many providers offering an array of services. It is important that entities take due care during their procurement process. It is therefore recommended that entities and the TIBER Cyber Teams (TCTs) work in close collaboration with TI/RT providers to ensure that a standardised and consistent approach is followed when using the services of TI/RT providers, and that there is a common understanding of the standards required to perform such tests. Following the Guidelines will allow their target audience (Section 2.3) to make sure that the requirements for TI/RT providers to deliver TIBER-EU tests are met.

As the TIBER-EU Framework is operationalised across the European Union (EU), the TIBER-EU Knowledge Centre (TKC) will monitor the evolution of the threat intelligence and red team testing market and update the requirements, if necessary. The TKC will undertake this task by closely liaising with the authorities that adopt the TIBER-EU Framework, the entities that undertake the tests and the TI/RT providers that deliver the tests.

Structure of the Guidelines

The Guidelines are structured as follows:

  • Threat Intelligence Requirements sets out the requirements and standards that must be met by TI providers to deliver recognised TIBER-EU tests, and offers guiding principles and selection criteria for entities, as they look to procure services from prospective providers.
  • Red Team Requirements sets out the requirements and standards that must be met by RT providers to deliver recognised TIBER-EU tests, and offers guiding principles and selection criteria for entities, as they look to procure services from prospective providers.
  • Possible role of authorities provides guidance to authorities that are looking to implement TIBER-EU at national and European level, with specific regard to procurement.
  • Annex 1 provides a list of certifications that staff members and providers may, depending on the case, be required to possess. Annexes 2-5 provide, respectively, specific questions that entities could use when considering prospective providers, and agreement checklists to assist procurement functions during their procurement process.

Target audience of the Guidelines

The Guidelines are directed at:

  • authorities responsible for the adoption, implementation and management of the TIBER-EU Framework at national and European levels;
  • entities looking to undertake TIBER-EU tests;
  • organisations interested in providing cyber threat intelligence services under TIBER-EU;
  • organisations interested in providing red team testing services under TIBER-EU; and
  • accreditation and certification providers.

Multinational entities

Although the Guidelines set out the requirements for TI and RT providers in the EU conducting TIBER-EU tests, there are multinational entities that may need to conduct such tests beyond the EU or in collaboration with other non-EU relevant authorities that implement their own red team testing framework.

In such circumstances, the entities in question should understand the requirements of the authorities in the other relevant jurisdictions and, furthermore, they are encouraged to analyse the authorities’ respective requirements. This is particularly important if the entity wishes to use the results of the test to satisfy the requirements of authorities from other jurisdictions. In such cases, the entity should liaise with all relevant authorities, which may provide guidance to the entity on the procurement requirements. For example, some jurisdictions may mandate the validation of expertise by accreditation and certification providers. Entities should seek to confirm their approach meets all involved jurisdictions’ requirements at the scoping stage of the process. In all cases, the requirements set out in this document are the minimum standards that must be met to achieve a recognised TIBER-EU test.

Procurement agreements

In some cases, entities may be party to an agreement with a provider or range of providers that enables them to place orders for different types of services without running lengthy, full tendering exercises. In such cases, if the entity opts to use its agreement to procure TI and RT providers to conduct TIBER-EU tests, the prospective TI/RT providers must meet the requirements set out in these Guidelines.

In cases where such agreements are in place, the entity should liaise with the relevant TCT for further clarifications.