As cybersecurity threats continue to evolve, the Government of Canada is taking steps to protect sensitive but unclassified information that must be exchanged with defense contractors. This is an essential step in strengthening the security postures of the Government and its suppliers, as hackers can potentially execute supply chain attacks if they gain access to one or more systems associated with Government contracting processes.
Consequently, the Government is developing a new cybersecurity standard called the Canadian Program for Cyber Security Certification, or CPCSC. This standard will apply to any organization that bids on defense contracts for the Government of Canada.
While the standard is still under development, it’s not too early for defense contractors to gather information and start preparing for compliance. Here’s what we know today.
What the CPCSC will look like
The Government of Canada has already provided quite a bit of information about the new standard. Here are the key takeaways.
- The CPCSC will create a new Canadian cybersecurity standard based on NIST 800-171 and 800-172. The fact that the CPCSC takes its cue from these US standards will help align Canadian and US requirements, making it easier for defense contractors to continue working with both governments.
- The CPCSC will outline specific cybersecurity controls required for companies that wish to engage in federal contracting with the Government of Canada.
- The CPCSC will provide standards and processes for the secure handling of Controlled Unclassified Information by non-governmental organizations.
- The CPCSC will establish a risk assessment process to balance security with efficiency in contracted projects.
- The CPCSC will establish contractual clauses that will be required in all defense-related RFPs.
- The CPCSC will establish accreditation processes for third-party assessors who will audit organizations for compliance with the standard.
When does the CPCSC become law?
According to the Government of Canada’s documentation, the CPCSC will go into effect during the winter of 2025. As of this writing, the Government has not provided a specific date, but we expect that detailed information will come out later this year or early next year. Public Services and Procurement Canada (PSPC) has conducted a request for information (RFI) process that closed on June 28, 2024. Companies that participated in the RFI process had the opportunity to “significantly influence the development and implementation of the program.”
While the RFI process has closed, defense contractors should find encouragement in the fact that PSPC sought input from suppliers. This process gave contractors a voice in shaping policy that will keep both their organizations and the Government secure.
Certification levels under the CPCSC
The Government of Canada recognizes that not all contractors need to meet the same standards. Some suppliers handle less-sensitive information, while others handle far more sensitive data. Consequently, the CPCSC will establish three levels of certification.
- Level 1 will require an annual cybersecurity self-assessment. The organization can conduct this assessment internally.
- Level 2 will require a cybersecurity assessment conducted by an accredited certification body.
- Level 3 will require a cybersecurity assessment conducted directly by the Department of National Defence rather than by a third-party assessor.
How defense contractors can prepare for compliance
Until the Government of Canada finalizes the CPCSC, contractors won’t be able to achieve full compliance with the new regulation. However, because the CPCSC is based on NIST 800-171 and 800-172, organizations can begin examining their security posture against these two US standards now. Doing so provides a high-level view of problem areas as well as controls that are already working well.
CISOs who are familiar with these NIST standards should begin informal auditing processes to identify initiatives that may be required to comply with the CPCSC. CISOs who lack the resources or in-house expertise to conduct these assessments may consider working with a cybersecurity consultant to define where they stand today in relation to the NIST frameworks.
Ultimately, the CPCSC will make organizations more secure in addition to protecting the Government of Canada. This new legislation is a welcome development for defense contractors, and we look forward to seeing the impact it will have.
Ross Filipek is the Chief Information Security Officer of Corsica Technologies. He has more than 20 years’ experience in the cybersecurity industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame. Ross can be reached online at LinkedIn and at our company website www.corsicatech.com