What is the CPCSC?

If you are a contractor in Canada, you may already be quite familiar with the acronym CPCSC. If you have not yet encountered it, it stands for Canadian Program for Cyber Security Certification, and essentially it is a Canadian counterpart to the US Department of Defense CMMC (Cybersecurity Maturity Model Certification).

The Canadian CPCSC will borrow heavily from the NIST 800-171 standard for protecting CUI, and contractors will need to have the certification in order to conduct business with the Canadian Department of Defence.

How Many Security Levels?

As of now, it looks like the CPCSC will have three tiered levels, just like CMMC. Those levels are as follows:

Level 1: Requires an annual cyber security self-assessment
Level 2: Requires an external party to assess cybersecurity (currently there is no indication of frequency)
Level 3: Requires an assessment from the Canadian Department of Defence

CPCSC and CMMC

The Canadian government has worked hard to ensure that there is reciprocity between CMMC and CPCSC. Not only will this enable Canadian contractors to do work for US primes or the US Department of Defense, but it will also allow contractors to work on both standards simultaneously. Other countries, including New Zealand, Australia, and the UK (the “Five Eyes” network) are also discussing developing their own CMMC-type standard.

Timing

As of now, CPCSC is due to go into effect a bit later than what is hypothesized for CMMC. According to the same source cited above, the timing for the launch of CPCSC is being declared as winter 2025. Like CMMC, Canada is planning to phase in compliance requirements over a period of time.

What This Means for US Manufacturers

The potential impact on US manufacturers doing work for the US Department of Defense could be significant. Once Canadian contractors are able to become CPCSC-certified, they, along with other American CMMC-certified companies, will be able to compete for US Department of Defense contracts. Companies that do not have either certification will not even be in the running. The best way to stay ahead of the competition, both domestic and international, is to work on NIST SP 800-171r2 compliance now and be ready for CMMC assessments as soon as the light on the new rule goes green.

If you have any questions about your current status or what CPCSC may mean for your company, feel free to contact us today.
