Canadian Program for Cyber Security Certification 101
A breakdown of the basics of the upcoming Canadian Program for Cyber Security Certification, modelled on the United States' CMMC
At the Canadian Association of Defence and Security Industries (CADSI) 2023 CANSEC, Minister of National Defence Anita Anand announced that the government of Canada will begin developing a mandatory cybersecurity certification for specific defence contracts starting in the Fall/Winter of 2024. This program is now the Canadian Program for Cyber Security Certification (CP-CSC).
Since I originally wrote about the CP-CSC in September, I have gotten the chance to talk with the CP-CSC secretariat, who was nice enough to share their slide deck with me, which I have included here.
Disclaimer: The information and slides preview the CP-CSC, which is still relatively early in its development process. This information is subject to change. This especially goes for the timelines, which will be discussed later.
Everything written here and not contained in the slides is my own thoughts and analysis and does not represent the views of the CP-CSC or anyone else.
Context
The context presented here is straightforward in explaining what has motivated the Government of Canada to create the CP-CSC. Cyber threats continually evolve, and supply chain attacks increasingly lead to some of the most serious security incidents. Although the CP-CSC will only be required for select defence contracts beginning in Fall/Winter 2024, the intention is for the CP-CSC to help establish a baseline cybersecurity standard.
Although we can all rightfully understand the security reasons and the imperative for developing the CP-CSC, the real motivating factor is what else is mentioned: the United States. In 2021, the United States developed the Cybersecurity Maturity Model Certification (CMMC) to ensure certain suppliers meet a baseline cybersecurity standard to protect US national security. This was also required of designated Canadian suppliers who sell to the United States. As the slide above notes, this is significant as 49% of Canadian defence exports go to the United States. The problem arises with the cost of obtaining CMMC certification.
I have seen various estimates of the costs of getting CMMC 2.0 certified, but it isn’t easy to gauge the average costs for CP-CSC assessments. This is important to note for two reasons. The first is that CMMC 2.0 is expensive for US companies and even more expensive for Canadian companies. The costs associated with certification under CMMC are a significant variable contributing to the development of the CP-CSC. This is why reciprocity with CMMC is a core aim, which would reduce the costs associated with selling to the United States. The second aspect to note is that this raises questions about how much it will cost Canadian companies to become certified. The costs associated with getting CP-CSC certified will remain a big question until more details come out. I have seen estimates put CMMC certification costs between $3,000 and $100,000, depending on the organization’s size. My initial assumption is that it will not be as expensive in Canada, but I think it will come down to the market and processes developed for assessments.
Here Comes CP-CSC
Budget 2023 gave $25 million over three years to create the CP-CSC and introduce mandatory cyber security requirements by late 2024. CMMC and the ability of Canadian companies to get certified have been a concern since before the formal introduction of CMMC 1.0 in 2020, so this was a long time coming.
Since then, there have been discussions about how Canada should respond. The primary response I have heard is for Canada to develop its own CMMC. Still, there has been persistent resistance to these from some in industry not wanting to put up the money to comply and be certified, as well as from some elements in government that want to avoid additional barriers for Canadian companies to sell to the government. I have heard fingers pointing at ISED and PSPC as responsible for this resistance. However, I would not blame any single government ministry; instead, I would blame a general ignorance of cyber defense and the false assumption that the CP-CSC will cause economic harm.
CP-CSC Who?
So, who exactly is the CP-CSC? Apparently, a lot! Although Public Services and Procurement Canada (PSPC) is the lead on developing the CP-CSC, the program itself requires coordination and partnership with multiple departments and ministries across the Government of Canada.
Believe it or not, this is reasonable, and each of these organizations plays a vital role in standing up the CP-CSC. Here is a quick breakdown of some:
PSPC: The lead, and will be in charge of the defence procurements that will ultimately require CP-CSC level 3 certification.
Department of National Defence: While we know that defense contracts for DND will require CP-CSC, DND will be responsible for assessing level 3 of the CP-CSC. The Director Information Management Security, under the Assistant Deputy Minister of Information Management/Chief Information Officer, will be the specific group responsible for these assessments.
Communications Security Establishment: CSE is working hard to adapt the NIST SP 800-171 and 172 standards for Canada. Bearing in mind that one of the core purposes of the CP-CSC is reciprocity, we can expect little difference between the Canadian standard and the NIST standards.
Global Affairs Canada: Responsible for much of the discussions on reciprocity with the United States.
Standards Council of Canada: Their big responsibility is accrediting third-party assessors who conduct assessments of suppliers seeking level 2 CP-CSC.
CP-CSC Objectives
Part of this has already been covered to some degree, but it is good to reiterate the dual aspects of the CP-CSC, which are both security and economic.
Security
Protect Government of Canada data
Increase cyber resilience
Maintain system integrity
Economic
Maintain industry access
Grow the Canadian Cyber Security Industry
An important aspect to consider on the economic side of the CP-CSC is not so much the government procurement opportunities as the ecosystem and investment in cybersecurity. Canada has a sizeable and robust cybersecurity and cyber defence industry, which the Canadian Association of Defence and Security Industries (CADSI) says contributed $3.2 billion to Canada’s GDP in 2020. The CP-CSC will mean additional investment in Canadian cybersecurity and create a new market around the CP-CSC for assessors and those supporting the certification process.
CP-CSC Elements
It is of little surprise that the very first element mentioned is reciprocity with CMMC. There are tacit assurances of reciprocity, and I even learned that the United States is encouraging other allies to develop similar programs. This would make a lot of sense when considering Joint All Domain Command and Control (JADC2), which is now increasingly referred to as Combined-JADC2. Combined refers to allies becoming part of the extended JADC2 network. I have long said this is central to JADC2 and NORAD Modernization.
As has been referenced, the CP-CSC will have three levels of certification, each corresponding to increasingly demanding and more stringent standards and assessment requirements. I’ll talk about this more later.
As mentioned, CSE is developing the cyber security standard based on NIST SP 800-171 and 172, the standards used to establish the CMMC. This is the root of reciprocity: using the same standard. Because Canada and the United States are different countries, you cannot simply replace every instance of “United States” with “Canada,” so it takes time to ensure not only that the Canadian standard matches the NIST standards, but that it applies to the Canadian bureaucracy, and the standards must also be translated into French.
It has been mentioned multiple times that the CP-CSC will be required on certain defense contracts beginning in the Fall/Winter of 2024. However, there are only a few details beyond this. This slide is where we learn more details on how the program will work and be applied to contracts.
A risk assessment will be done to identify and prioritize which defense contracts require certification. In addition, the risk assessment will determine the level of certification required. The three levels of certification will have different compliance regimes and requirements to achieve, and naturally, what will be needed for contracts will vary depending on the contract’s content. It would not make sense to require a level 3 CP-CSC for contracts that have limited to no national security implications. It would also not make sense logistically and administratively in terms of how much DND can handle.
The introduction of requiring CP-CSC in select contracts in Winter 2024 is meant to give some lead time for suppliers to prepare to become certified. While they have not said what level of certification will be required in the contracts, we anticipate that it will likely be level 1 and level 2 certifications that will be required first. However, if any major/capital requests for proposals are released during this time, a level 3 certification may be required. In such an event, due to how long such projects can take, there will likely be sufficient time for suppliers to become certified.
Ultimately, the Government of Canada and DND want this to have as little negative impact on industry and the procurement process as possible. The concerns I have mentioned about barriers to selling to the Government of Canada are legitimate, especially when Canada's procurement system is notoriously difficult and fraught with trouble. As a result, they don’t want this to add any additional delays or reasons to criticize procurement.
CP-CSC Certification Levels
Finally, we see a rough outline of the various levels of the CP-CSC and how the certification administration will work. Whereas the risk assessment framework mentioned in the last section will determine which contracts will require a supplier to receive certification, a DND injury test will determine what level of certification will be necessary for the contract. The three levels will generally mirror the levels in CMMC, again highlighting how much equivalency and reciprocity with the United States is at the center of the CP-CSC.
The introductory level is CP-CSC level 1, which will be acquired via self-assessment by the supplier. CMMC’s level 1 has been described as basic and foundational cyber hygiene, which all organizations likely should adhere to. The level 1 certification will require annual re-assessments, while levels 2 and 3 will require triennial re-assessments.
Most of the certification work will likely occur at the level 2 certification. Acquiring a level 2 certification will require an external assessment by a third-party assessor accredited by the Standards Council of Canada.
The timeline states that the government will begin to accredit assessors in Spring 2024. One of my initial concerns, and one others have been concerned about as well, is the time suppliers will have to get certified between when assessors are accredited in Spring 2024 and the introduction of CP-CSC requirements in contracts in Winter 2024. CP-CSC will attempt to head this off by building on certification regimes already established under CyberSecure Canada. In addition, when the requirement is introduced in contracts in Winter 2024, suppliers will not need to be certified immediately. Still, suppliers will need to begin planning to be certified to win certain defence contracts whose RFPs will be posted in Winter 2024.
The level 3 certification will be the most stringent and expensive certification due to the need to protect some of the most highly sensitive information and data. DND will be responsible for these assessments, which the Director of Information Security will conduct under ADM Information Management/CIO.
It is only with the level 3 certifications that I am concerned about whether DND will have the capacity to take on projects without incurring delays. This is less about the ability to do so than about having the personnel to do it. Those in charge of this are in contact with the US CMMC teams and looking to learn best practices, so they are certainly not starting from zero in terms of understanding how to approach this. However, how DND will handle this amid an already desperate need for people remains to be seen.
Timelines
The timeline in question is the launch of the CP-CSC in Fall/Winter 2024. Although they say the launch of the CP-CSC here, it will not be an overnight change in terms of requiring all defense contracts to require CP-CSC. Although “phased implementation” is not a term used, it is the general approach they appear to be taking regarding contracts that will require CP-CSC.
With that said, these timelines are subject to change. Broadly speaking, the CP-CSC secretariat is trying to ensure Canada’s defense industrial base is aware of what is coming and to ensure it prepares accordingly. These previews and information outreach they are conducting serve as a foundation for consultations with stakeholders on the injury test, risk framework, and the standard itself.
Conclusion
This forms the core preview of CP-CSC, which has also included highlights of the overall government and private-sector resources for SMEs to improve organizational cyber security. Initially, I was going to put these slides at the very end, but I wanted to put them up front to highlight that defence cybersecurity is at the centre of the CP-CSC. Still, it is also about developing a public-private ecosystem that recognizes the critical importance of cybersecurity. The first step is to ensure the cyber security of the Government of Canada, National Defence, and Canadian companies. The second is to realize and ensure that this compliance system has economic benefits.
Canada has a strong and robust cyber security industry, and ensuring that it is involved and plays a role in ensuring suppliers can be certified also serves to help bring investment to Canada’s cyber security industry. My biggest hope from this is that the overall cyber security certification regime will help improve the baseline understanding of cyber security in the government of Canada, particularly at DND.
Takeaway for Firms going into 2024:
Prepare now, not later.
Although we do not know the total costs of CP-CSC, firms can begin to project approximate costs right now, because we know what standard the CP-CSC will be based on: NIST SP 800-171 and 172: Protecting Controlled Unclassified Information in Non-federal Systems and Organizations. Knowing the standards, firms can approximate the steps needed or begin the process of ensuring compliance.
The CP-CSC will come faster than you realize
Throughout this article, I have stressed that there is a phased approach to applying the certification requirements at the end of 2024. That is still just a year away. For large firms, this can be quite the task to take on. While I will not be sympathetic to organizations that do not have cyber security or information security professionals and policies in place, for those that do, it may not wholly fit NIST SP 800-171 and 172. This goes back to the first takeaway: start your preparations immediately with an audit to figure out where you are and where you need to go.
The CP-CSC wants to get this right
Although CMMC is not something I have followed closely, I have been aware of and know just how much trouble it has caused in the United States defense industrial base, and it is a reason we have a CMMC 2.0. This is very much on the mind of the CP-CSC, and they are trying to be deliberate and cautious as they create this certification. Beyond this, the secretariat is very much aware of the importance of such a piece and its implications.
Contact the CP-CSC for more information and questions.
As shown in the slides above, the CP-CSC is making a concerted effort to build trust and engagement with stakeholders. This certification program will have a significant impact on defence procurement, so they want to get this right and be sure to maintain communication with industry. The above slides are a “preview” and informational about what is to come and what to expect, even if things are subject to change a little bit. This is an essential step in developing these connections as the CP-CSC looks to begin consultations on the program’s specifics in 2024.