What is the Canadian Program for Cyber Security Certification RFI Summary Report Hiding?
The summary report for the CPCSC RFI is out and I am not a fan of their methodology
In May 2024, Public Services and Procurement Canada (PSPC) launched a request for information (RFI) concerning the proposed Canadian Program for Cyber Security Certification (CPCSC). On November 18, 2024, PSPC released the summary report of the RFI. In this post, I will delve into the report, its contents, its implications, and, importantly, what it does not include.
If you are unfamiliar with the CPCSC, I wrote a short introduction to the program last year that I recommend reading first.
Research Methodology Mishaps
The executive summary immediately raises some eyebrows. A total of 91 organizations completed responses, including prime contractors (23%), subcontractors (12%), cybersecurity/IT consultants (26%), and IT service providers (17%). You are correct to think this does not add up to 100%. PSPC excluded the remaining 22% of respondents "due to a lack of responses and available data, as they constituted a very small proportion of the total responses."
PSPC would like us to think that the remaining 22% of responses did not provide enough information to be substantive, but that is not what the report says. The report excludes this 22% because it did not provide enough information or data to fit into a quantitative analysis. This raises the question: what information or data are they not showing, or even considering?
Counterfactual or spurious variables can misrepresent the true state of affairs when one is observing broader trends. However, sparse data from a minority of respondents should not be a reason to set it aside when the goal is to understand a certification regime's market and industry impact.
Although this does not mean PSPC and the federal government are not reading or recognizing the input of this other 22%, it does introduce doubt and concerns about transparency. It also exposes a major flaw in the government's reliance on quantitative methods and the greater need for qualitative research specialists who can make sense of the data and information the government already holds.
Key Findings
The report breaks down the data and presents key findings for each of the major groups identified above.
Prime Contractors
Have a preference for the CPCSC if it is fully reciprocal with CMMC.
Primes' top concerns are supply chain and downstream subcontractor compliance.
Most expect to spend upwards of $250K on CPCSC readiness and implementation.
Sub-Contractors
Overall, a lower level of cyber maturity
Expect to invest more than $50K for compliance and implementation
Many appear still early in understanding CPCSC
Cybersecurity/IT Consultants
Younger and smaller firms compared to the other groups
Seek to benefit monetarily from the regime: 58% are seeking to become assessors; 63% are interested in providing consulting and remediation
They want CPCSC-CMMC alignment and clear accreditation pathways for assessors to capitalize on these opportunities.
IT Service Providers
Currently exploring compliance strategies
Want clearer guidance on the applicability and scope of CPCSC
Want CPCSC to align with existing security standards
Takeaways
PSPC's current methodology for understanding industry and market impacts via RFI or other methods is deeply flawed. PSPC and others involved in CPCSC should reevaluate their engagement with industry and experts.
Subcontractors will be a problem here. Based on this data, subcontractors not directly involved in information technology and cyber security appear ill-prepared for CPCSC.
Many stakeholders appear unaware that NIST SP 800-171 is the foundational security standard for CMMC and, subsequently, CPCSC. (Clarification edit: CPCSC uses ITSP.10.171, the Canadian version of NIST SP 800-171, which should be out soon, from what I have been told.)
Few understand the full costs of CPCSC compliance.
Edit: I have been advised that a good way to gauge costs is to read the most recent rulemaking by the United States, which has a large section on costing. I am of the mind that industry is underestimating the costs, particularly subcontractors, who have historically not invested as much in cybersecurity as their US counterparts.