ITI Warns Against Uniformity in Policy Principles for Cybersecurity Certification

The Information Technology Industry Council (ITI) this week released its guide for cybersecurity certification, which warns against a “one-size-fits-all solution” to certifying products and services.

ITI’s Policy Principles for Cybersecurity Certification came the same week that the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) began training provisional assessors for the Department of Defense’s new cybersecurity standard.

“The tech industry recognizes that maintaining resilient cybersecurity is a shared responsibility between governments, vendors, consumers, and other involved parties,” said John Miller, ITI Senior Vice President for Policy and Senior Counsel, in a statement upon the release of the principles.

The council recommends six key points for any potential regulations:

  • “Leverage the expertise of public and private stakeholders and ensure transparency”;
  • “Take a risk-based approach and clearly define the scope of certification schemes”;
  • “Reference international standards and best practices as the technical basis to avoid technical trade barriers”;
  • “Consider alternatives to certification such as supplier declarations of conformity or vendor attestations”;
  • “Recognize supplier/vendor assessments, avoid localized testing, and leverage mutual recognition schemes”; and
  • “Adopt fair enforcement.”

In the principles, the ITI cautions that “certification only reviews information about security at a specific point in time and does not necessarily equate to security or reduced risk.”
