
If governments are going to insist on using certification schemes – like the Defense Department’s new Cybersecurity Maturity Model Certification program – in efforts to improve cybersecurity, they should at least consider technology vendors’ own assessments, the Information Technology Industry Council said in a new policy principles document. The suggestion is among six items the group offered for governments’ consideration, amid the Defense Department’s high-profile rejection of “self-attestation” in developing its CMMC program.

More at NextGov