Canadian Program for Cyber Security Certification (CPCSC)
Canada is finally getting its own CMMC
At the Canadian Association of Defence and Security Industries (CADSI)’s 2023 CANSEC, then Minister of National Defence Anita Anand announced that the Government of Canada will begin developing a mandatory cybersecurity certification for specific defence contracts starting in Winter 2024. This program is now known as the Canadian Program for Cyber Security Certification (CPCSC).
Quietly, on 24 August 2023, the Canadian Commercial Corporation announced that the program was moving forward, which I believe is the first update since Minister Anand’s announcement at CANSEC. Budget 2023 provided Public Services and Procurement Canada with a $25 million budget over three years to create the CPCSC program in partnership with National Defence and the Standards Council of Canada.
What this means will be very mixed depending on who is talking. Defence contractors groaned and will soon proclaim that this is a costly or needless measure. In other words, the usual thing corporations will say when they are forced to care about cybersecurity.
The reality is that this is a very positive step forward. Cybersecurity cannot be treated as a luxury; it is an integral part of the operation of the modern state and national security apparatus. At least in this case, the Canadian Program for Cyber Security Certification is only set to be required for certain defence contracts, but this can be understood as the start as opposed to the limit. On the surface, CPCSC serves as a lever for the Government of Canada to ensure due diligence in cybersecurity by major defence contractors that work with the government. However, CPCSC as a program will also:
Establish a baseline cybersecurity certification that can be leveraged with the rest of industry through procurement, and offer a cybersecurity certification that is universally accepted
The difficulty with this is that because CPCSC is meant for major defence contracts and modelled off the United States’ Cybersecurity Maturity Model Certification (CMMC), it is not really meant to be a cross-cutting tool.
The Government of Canada has said that CPCSC will be compatible with the United States’ CMMC. This is probably the biggest win for industry out of everything because the CMMC is already an expensive and time-consuming process. CPCSC being compatible will allow Canadian industry to sell to the US Government and will increase Canadian cyber industry’s exposure and representation in the global market by having an industry-recognized and government-backed certification.
There are also some less tangible potential benefits to such a program. My hope is that having such a program become central to procurement, and to government recognition of processes and certifications at the federal level, will improve the knowledge of bureaucrats and those in government.
A longstanding issue related to Canadian cyber policy is knowledge. Cyber policy is a unique skill set and body of knowledge that has to be developed, trained, and sustained like other areas. Programs requiring cyber engagement from a policy, as opposed to a technical, point of view will force the government to adapt.
We can look to Shared Services Canada as an example of how this can go poorly. Standing up a program with insufficient funding and people, and with poor management, can lead to poor cyber services and capabilities. The Government of Canada must ensure the program gets the manpower, funding, and time that it needs to understand what it’s doing, bring in the people to ensure they know what they’re doing, and put in place processes that maintain and improve that knowledge base and digital literacy.
In the short term, this does not mean much. The three-year funding is telling about how long this will take. It is difficult to say at this point whether CPCSC will be CMMC but with Canadian spelling, but I can already say that would be an understatement. Central to CMMC are the mechanisms and compliance processes to ensure that firms are acquiring the certification properly and keeping up their ability to sustain these measures. This is not just about creating an entity that can ensure compliance; doing so legally under Canadian law, with the proper expertise, is complicated.
This will be a program I will be following very closely.