Red teaming redefined: How FedRAMP is raising US cybersecurity standards
https://www.ibm.com/think/x-force/red-teaming-redefined-fedramp-raising-us-cybersecurity-standards
Publish Date: 2026-06-01 13:30:00
Source Domain: www.ibm.com
The Bank of England launched CBEST back in 2014, developing it together with CREST, HM Treasury and the Financial Conduct Authority. As the first intelligence-driven red team framework led by regulators, CBEST applied to firms at the core of the UK financial system, helping ensure they are protected against sophisticated cyber threats. To maintain the integrity of these engagements, CREST, the certification body, established stringent credential requirements, including the Certified Simulated Attack Manager and Certified Simulated Attack Specialist qualifications. Testers are required to log many hours of financial services work before qualifying to lead a CBEST engagement, effectively raising the bar for industry standards.
The impact of CBEST resonated across Europe, prompting the European Central Bank to publish TIBER-EU, its own threat-intelligence-based ethical red teaming framework. Inspired by both CBEST and TIBER-NL, an earlier initiative from the Dutch Central Bank, TIBER was designed to be adopted by national regulators across the EU, with local implementations such as TIBER-DE in Germany and TIBER-IT in Italy. Today, more than twenty countries have national TIBER implementations. The introduction of the Digital Operational Resilience Act (DORA) made threat-led penetration testing mandatory for in-scope financial entities across the EU.
Various other regions have developed their own red teaming protocols. Hong Kong implemented iCAST, Australia introduced CORIE, and Singapore established the ABS red teaming guidelines. In the UK, STAR-FS launched in 2024 to extend the CBEST model to firms that are not considered systemically critical. The result is a mature ecosystem in which regulators, testers and regulated companies share a common framework: providers carry recognized certifications, and through mutual recognition results can be shared seamlessly across international borders.
Until now, the United States lacked a similar framework. With FedRAMP’s recent revisions, however, the opportunity for the US to lead in structured red teaming initiatives is finally within reach.