WASHINGTON – Today, global tech trade association ITI released a first-of-its-kind, industry-developed guide for policymakers and other stakeholders considering using certification as a means to demonstrate cybersecurity. ITI’s new Policy Principles for Cybersecurity Certification detail the limits of certification approaches and caution policymakers to avoid viewing cybersecurity certification as a comprehensive, one-size-fits-all solution. Should governments choose to mandate certification schemes even after recognizing their limitations, ITI offers recommendations and step-by-step guidance to help achieve the goals of certification without harming innovation.
“The tech industry recognizes that maintaining resilient cybersecurity is a shared responsibility between governments, vendors, consumers, and other involved parties,” said John Miller, ITI Senior Vice President for Policy and Senior Counsel. “As countries around the world consider cybersecurity certification schemes for products, services, or company processes, it is in the first instance critical that they understand the limitations of certification, and that they leverage private sector expertise, reference international standards, recognize vendor attestation, and avoid country-specific testing if they identify certification as an appropriate solution. ITI’s first-of-its-kind guide will help shape cyber certification schemes currently at different stages of development in several countries.”
ITI urges policymakers to recognize that certification is not a comprehensive solution for cybersecurity. If governments choose to set regulations that mandate certification schemes, ITI recommends they take into consideration six key points:
- Leverage the Expertise of Public and Private Stakeholders and Ensure Transparency. Any government certification schemes should be proposed and adopted through an open and transparent process that allows for stakeholder input and public comment.
- Take a Risk-based Approach and Clearly Define the Scope of Certification Schemes. Any certification schemes should be based on appropriate risk factors, with priority given to certification schemes requiring high security assurance.
- Reference International Standards and Best Practices as the Technical Basis to Avoid Technical Trade Barriers. Cybersecurity certification schemes should be grounded in international, industry-driven, voluntary consensus standards and best practices.
- Consider Alternatives to Certification such as Supplier Declarations of Conformity or Vendor Attestations. Alternatives to certification are widely accepted in the marketplace to demonstrate compliance and industry has extensive experience with such mechanisms.
- Recognize Supplier/Vendor Assessments, Avoid Localized Testing, and Leverage Mutual Recognition Schemes. Governments should accept supplier/vendor assessments and recognize competent testing labs owned by suppliers/vendors. If third-party assessments are necessary, localized testing should be avoided and mutual/multilateral recognition schemes leveraged.
- Adopt Fair Enforcement. Ensure harmonized regulatory enforcement and guidance, including appropriate market surveillance, to accelerate industry adoption of schemes.
In addition to the Policy Principles, ITI also created a graphic flowchart with step-by-step guidance for policymakers to follow when adopting certification schemes in order to avoid stifling innovation or other harmful trade-offs.