The trade association for the industry’s largest companies recommends relying on vendor declarations.
If governments are going to insist on using certification schemes—like the Defense Department’s new Cybersecurity Maturity Model Certification program—in efforts to improve cybersecurity, they should at least consider technology vendors’ own assessments, the Information Technology Industry Council said in new policy principles.
“Governments should consider alternatives to certification, such as supplier’s declaration of conformity/vendor attestation,” reads the policy recommendation released Tuesday.
The suggestion is among six items the group offered for governments’ consideration, amid the Defense Department’s high-profile rejection of “self-attestation” in developing its CMMC program.
ITI Senior Vice President for Policy and Senior Counsel John Miller said the guidance is meant for a global audience, and highlighted the traction certification schemes have had not just within the U.S. and the European Union but also in countries like Brazil and India.
“Cybersecurity certification is not a comprehensive, one-size-fits-all solution, nor should it be considered a solution of first resort,” the document reads. “Nonetheless, if governments choose to set regulations to mandate certification schemes even after recognizing the limitations of certification, we recommend they follow six key considerations.”
ITI argues that certification programs only reflect a specific point in time, and that the vendors themselves are in a better position to determine whether the most up-to-date protections are in place. The group also notes the importance of training and education for improving cybersecurity.
The other five recommendations in the document are that governments “leverage the expertise of public and private stakeholders and ensure transparency; take a risk-based approach and clearly define the scope of certification schemes; reference international standards and best practices as the technical basis to avoid technical trade barriers; recognize supplier/vendor assessments, avoid localized testing, and leverage mutual recognition schemes; and adopt fair enforcement.”
The concept of cybersecurity certification by independent third parties emerged as stakeholders observed that product manufacturers, in the rush to market their products, are not necessarily incentivized to prioritize cybersecurity in their development. Consumer groups and lawmakers such as Sen. Edward Markey, D-Mass., pushed for features such as labels that people could use to determine if a product or service had incorporated some basic measures to ensure security.
Miller told Nextgov, “Our principles do not suggest there is not a role for cybersecurity certification, particularly in cases where products, services or processes may require a high level of security assurance such as critical infrastructure. However, even in such cases certification should not be mandated as the only option to demonstrate security, particularly where alternative means of attestation, such as supplier’s declaration of conformity and vendor attestation, exist that are underpinned by international standards and enable companies of all sizes to more rapidly deploy tools to address cybersecurity challenges.”
For the DOD, vendor attestations didn’t cut it. Too much sensitive information was still being pilfered from contractor-controlled systems, and the DOD’s Katie Arrington has said if suppliers were already attesting to required standards, then certification shouldn’t be such a hard lift for them anyway.
If other sectors and governments follow their lead, ITI argues, the result could be fewer or pricier gadgets.
“Certification can be costly, and resources are finite,” the document says. “Thus, requiring cybersecurity certification could result in undesirable trade-offs, a main one might be stifling innovation. The monetary tradeoff could preclude some suppliers/vendors from bringing products to market, negatively limiting consumer’s/business’ choices.”