Key Features of the CPCSC
At its core, the CPCSC will introduce several key features designed to bolster cybersecurity across the defence supply chain.

Cybersecurity controls for federal contracting. The program will specify the cybersecurity controls that defence suppliers must implement. These controls will be based on a new Canadian cybersecurity standard, closely adapted from NIST Special Publications 800-171 and 800-172, published by the United States Department of Commerce's National Institute of Standards and Technology. SP 800-171 sets out requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations; SP 800-172 adds enhanced security requirements for the same information where the threat warrants it.

Risk assessment. A risk assessment process will be integral to the CPCSC. It will identify the defence contracts that carry mandatory cybersecurity requirements and determine the certification level a supplier needs for each. By tying the required level to the sensitivity of the contract, the program aims to apply protection where it is needed without imposing the highest tier on every supplier.

Mandatory contractual clauses. The CPCSC will introduce mandatory clauses in defence procurement documents, including Requests for Proposals (RFPs). These clauses will make CPCSC compliance a condition of the contract rather than a recommendation, embedding the cybersecurity requirements directly in the contracting process.

Accredited third-party assessors. The Standards Council of Canada will accredit third-party assessors, who will conduct and certify Level 2 (moderate) cybersecurity assessments of suppliers. These assessors will verify that suppliers actually meet the CPCSC requirements, rather than relying on self-declaration alone.

The CPCSC Certification Levels
The CPCSC will incorporate three certification levels:

Level 1 will require an annual cybersecurity self-assessment, in which suppliers evaluate their own cybersecurity practices against the standard.
Level 2 will require an external cybersecurity assessment conducted by a certification body accredited by the Standards Council of Canada. This independent review adds a layer of scrutiny beyond self-assessment and provides assurance that the required practices are in place.

Level 3 will consist of cybersecurity assessments conducted by the Department of National Defence, providing the highest level of assurance and reserved for the most sensitive contracts.
Benefits to Canada and Suppliers
The introduction of the CPCSC offers substantial benefits for both Canada and its suppliers. The program will help safeguard the Government of Canada's unclassified contractual information and raise the cybersecurity capabilities of Canada's defence supply chain, in line with the National Cyber Security Action Plan and the National Cyber Security Strategy. For suppliers, the CPCSC is an opportunity to strengthen their own resilience: a single successful cyber-attack on one supplier can affect every program that depends on it. The CPCSC will therefore help suppliers identify, assess, and manage their risks in a structured way, protecting both their business and the integrity of Canada's supply chain.
Implementation Timeline
Starting at the end of 2024, CPCSC requirements will become mandatory for certain defence-related RFPs. The requirements will be introduced in phases, giving suppliers and the wider cybersecurity community time to adapt. During this interim period, defence suppliers are encouraged to assess their current cybersecurity readiness against the NIST SP 800-171 baseline the Canadian standard is adapted from, so that gaps are identified and closed before the requirements appear in the RFPs they intend to bid on.
Conclusion
The introduction of the Canadian Program for Cyber Security Certification (CPCSC) marks a pivotal moment for suppliers to Canada's defence industry. If your organization supplies the Government of Canada's defence sector, now is the time to assess and strengthen your cybersecurity measures. Don't wait until the requirements appear in an RFP you want to bid on; start preparing today to make the transition smoothly and maintain your competitive edge in the global defence market.
Want to Learn More?
How can Lares help you align your business with the new CPCSC requirements? Reach out to our experts today and we'll walk you through our iterative process to assess your gaps and provide a detailed roadmap for getting your organization ready by year end.
Empowering Organizations to Maximize Their Security Potential.
Lares is a security consulting firm that, since 2008, has helped companies secure their electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching: 16+ years in business, 600+ customers worldwide, and 4,500+ engagements.
Darryl has over 20 years' experience in the IT security sector and has been responsible for developing, managing, and assessing information security programs for enterprise and government organizations of all sizes.
He has spoken at conferences including Security BSides St. John's and GoSec. He also sits on the Board of Directors for AtlSecCon and is the former lead organizer of Security BSides Cape Breton.