Big Tech Moves Against Certification as a Government Solution for Cybersecurity

If governments are going to insist on using certification schemes—like the Defense Department’s new Cybersecurity Maturity Model Certification program—in efforts to improve cybersecurity, they should at least consider technology vendors’ own assessments, the Information Technology Industry Council said in new policy principles.


“Governments should consider alternatives to certification, such as supplier’s declaration of conformity/vendor attestation,” reads the policy recommendation released Tuesday. 


The suggestion is among six items the group offered for governments’ consideration, amid the Defense Department’s high-profile rejection of “self-attestation” in developing its CMMC program. 


ITI Senior Vice President for Policy and Senior Counsel John Miller said the guidance is meant for a global audience, and highlighted the traction certification schemes have had not just within the U.S. and the European Union but also in countries like Brazil and India.


“Cybersecurity certification is not a comprehensive, one-size-fits-all solution, nor should it be considered a solution of first resort,” the document reads. “Nonetheless, if governments choose to set regulations to mandate certification schemes even after recognizing the limitations of certification, we recommend they follow six key considerations.”


ITI argues that certification programs reflect only a specific point in time, and that the vendors themselves are in a better position to determine whether the most up-to-date protections are in place. The group also notes the importance of training and education for improving cybersecurity.


The other five recommendations in the document are that governments “leverage the expertise of public and private stakeholders and ensure transparency; take a risk-based approach and clearly define the scope of certification schemes; reference international standards and best practices as the t ..
