The Department of Information and Communications Technology (DICT) has launched a new framework that sets strict national standards for who can test the cybersecurity systems of government agencies and key institutions.
Called the Trusted Assessment Providers (DTAP) framework and formalized under Department Circular No. HRA-001, the policy requires cybersecurity firms to be officially accredited before they can conduct Vulnerability Assessment and Penetration Testing (VAPT) and Information Security Management System (ISMS) assessments for government bodies and covered organizations.
Under DTAP, only providers that meet DICT’s requirements for technical skill, ethical conduct, and accountability will be allowed to perform these tests. This reflects DICT’s position that cybersecurity assessments are not routine technical exercises, but a core part of good governance and public trust.
The framework supports the National Cybersecurity Plan 2023–2028, particularly its goal of improving the quality and credibility of cybersecurity assessments nationwide. By tightening control over who can conduct these evaluations, DICT aims to help organizations better identify risks, protect sensitive data, and comply with national cybersecurity standards.
Special Assistant to the Secretary for Cybersecurity Julius Gorospe said DTAP ensures that cybersecurity assessments for government agencies and Critical Information Infrastructures are handled only by competent and trustworthy providers. He noted that clear and enforceable standards allow organizations to better understand cyber risks and make informed decisions to secure their systems.
Accreditation under DTAP may be granted for one year for fully compliant providers, or for six months on a provisional basis for those still meeting certain requirements.
With DTAP, DICT signals a stricter, more policy-driven approach to cybersecurity testing, reinforcing its commitment to a secure and reliable digital environment as the country pushes forward with digital transformation.
