The Information Technology Industry Council (ITI) this week released its guide for cybersecurity certification, which includes a warning against a “one-size-fits-all solution” in certification.
ITI’s Policy Principles for Cybersecurity Certification came the same week that the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) began training provisional assessors for the Department of Defense’s new cybersecurity standard.
“The tech industry recognizes that maintaining resilient cybersecurity is a shared responsibility between governments, vendors, consumers, and other involved parties,” said John Miller, ITI Senior Vice President for Policy and Senior Counsel, in a statement upon the release of the principles.
The council recommends six key points for any potential regulations:
- “Leverage the expertise of public and private stakeholders and ensure transparency”;
- “Take a risk-based approach and clearly define the scope of certification schemes”;
- “Reference international standards and best practices as the technical basis to avoid technical trade barriers”;
- “Consider alternatives to certification such as supplier declarations of conformity or vendor attestations”;
- “Recognize supplier/vendor assessments, avoid localized testing, and leverage mutual recognition schemes”; and
- “Adopt fair enforcement.”
In the principles, the ITI cautions that “certification only reviews information about security at a specific point in time and does not necessarily equate to security or reduced risk.”