GDS Puts Three Suppliers in ‘Taxi Rank’ to Test Service Vulnerabilities

The Government Digital Service’s new "taxi rank" framework reflects a shift toward continuous, on‑demand cyber‑risk assessment for public‑sector digital products. Rather than a single, long‑term vendor, GDS rotates three specialist firms, ensuring fresh perspectives and preventing complacency. This approach aligns with the National Cyber Security Centre’s CHECK scheme, which guarantees that each tester meets stringent accreditation standards for critical national infrastructure. By mandating immediate alerts for exploitable flaws and daily progress reports, the contracts embed rapid response into the security lifecycle, a practice increasingly demanded by regulators worldwide.

For the suppliers—NCC Group, Salus and Prism Infosec—the £1.2 million (≈$1.5 million) award represents a foothold in the lucrative government cyber‑testing market. The contracts’ two‑year baseline, with a potential extension to four years, could double the revenue, incentivising firms to refine their methodologies and invest in advanced tooling. The requirement for a management‑level summary also pushes vendors to translate technical findings into actionable business language, a skill set that differentiates premium providers in a crowded marketplace.

Industry observers see the taxi‑rank model as a template for other ministries seeking agility without sacrificing oversight. By spreading risk across multiple accredited providers, GDS mitigates the chance of a single point of failure and encourages competitive innovation. As cyber threats grow in sophistication, such collaborative procurement strategies may become the norm, driving higher standards of resilience across the public sector and setting a benchmark for private‑sector enterprises aiming to secure their digital ecosystems.