DICT Issues New Accreditation Rules for Cybersecurity Testing Laboratories

The Department of Information and Communications Technology (DICT) has issued Department Circular No. HRA-003, series of 2026, prescribing mandatory documentary requirements for the accreditation and renewal of Cybersecurity Posture Assessment Laboratory (CPAL) accredited cybersecurity testing laboratories. 

The DICT–Cybersecurity Bureau (CSB) is designated as the implementing authority to ensure that cybersecurity assessment providers comply with standardized technical and operational protocols.

The Circular applies to all public and private institutions applying for CPAL accreditation, and all existing CPAL-accredited laboratories undergoing renewal or surveillance. Section 5 of the department circular requires the applicants to submit four main types of documents: 1) legal and institutional documents, such as a certificate of registration or articles of incorporation; 2) declarations and attestations, including a vendor neutrality statement and conflict of interest declaration, or a data confidentiality and non-disclosure undertaking; 3) facility and infrastructure documentation, such as a description of the testing lab or an inventory of cybersecurity tools; and 4) personnel and competency requirements, which may include staff CVs, proof of employment, and relevant professional certifications. 

Accreditation is valid for one year and subject to annual renewal. Incomplete or false submissions may result in denial and serve as grounds for disciplinary action under CPAL Rules.