Cybersecurity
ITI Urges Government to Consider Vendors’ Self-Assessment of Cybersecurity
The Information Technology Industry Council said that if governments insist on certification schemes like the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program, they should at least consider technology vendors' own cybersecurity self-assessments as an alternative.
"Governments should consider alternatives to certification, such as supplier’s declaration of conformity/vendor attestation," ITI said in its policy recommendation released Sept. 2.
John Miller, ITI's senior vice president for policy and senior counsel, said the recommendations were written for a global audience, as certification schemes are also being adopted by countries outside the United States and the European Union, including Brazil and India.
Miller said cybersecurity certification still has a crucial role but should not be mandated, particularly where self-attestation mechanisms already exist that are underpinned by international standards.
“Our principles do not suggest there is not a role for cybersecurity certification, particularly in cases where products, services or processes may require a high level of security assurance such as critical infrastructure," Miller told Nextgov.
ITI added that a certification only reflects a vendor's security posture at a single point in time, and that vendors themselves are best placed to determine whether their cybersecurity is up to date.
The certification recommendation was only one of six in the document. ITI also recommended that governments draw on stakeholder expertise to improve transparency, adopt a risk-based approach to certification, reference international standards, make use of mutual recognition schemes, and enforce requirements fairly.
Certification schemes like the Department of Defense's CMMC were introduced after stakeholders observed that product manufacturers were rushing through development cycles with little incentive to prioritize cybersecurity.
Category: Popular Voices