The Government of Canada recently announced a certification program for its defense contractors that will align with the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program.

Similar to the CMMC program, the primary objective of the Canadian Program for Cyber Security Certification (CPSCS) is to safeguard unclassified information. The Canadian Commercial Corporation (CCC) noted that it expects to include mandatory certification requirements in select federal defense contracts as early as winter 2024.

What does this mean for US defense contractors?

Canada’s implementation of a cybersecurity certification program that aligns with CMMC will mean more competition for DoD contracts from foreign defense suppliers. It’s also a clear sign of confidence that CMMC will be implemented in the United States.

More competition

CCC is a government-owned enterprise established to help Canadian businesses enter contracts with foreign governments in a wide range of sectors, including defense. CCC understands that Canadian defense contractors will need to meet CMMC standards to be a part of the US Defense Industrial Base (DIB) supply chain and do work for the DoD.

Canada—and the other countries in the Five Eyes intelligence network as well (Australia, New Zealand, and the United Kingdom, along with the United States)—expect to negotiate reciprocity agreements to recognize their cybersecurity certification programs as equivalent to the DoD’s CMMC program. As for timing, Stacy Bostjanik, DoD’s CMMC director, said in 2022 that after federal rulemaking is finalized for CMMC, additional rulemaking for establishing reciprocity with international partners will follow.

International reciprocity agreements for CMMC mean competition for DoD contracts not just from US-based defense contractors, but from contractors around the world too. Organizations that move to achieve CMMC certification as soon as that’s possible will be best positioned to win DoD work. Contractors that lack CMMC certification will find themselves shut out of the proposal process.

CMMC implementation to come in the United States

Perhaps most important, there should be no doubt in defense contractors’ minds that CMMC will be implemented by DoD as soon as it makes its way through the Federal rulemaking process. DoD’s 2023 Cyber Strategy, just released in Sept. 2023, states that to help ensure DIB cybersecurity, “the Department will continue implementation of the Cybersecurity Maturity Model Certification Program [CMMC].” DoD is not turning back.

America’s allies—particularly those with which it has close intelligence sharing and cybersecurity relationships—are confident that CMMC will be implemented in the United States. Indeed, Canada isn’t the only country keeping a close eye on US cybersecurity standards: see for example the UK’s Ministry of Defence Compliance with Cyber Security Requirements from Other Nations and CMMC Certification in New Zealand.

CMMC basics

CMMC is designed to increase defense contractors’ accountability and compliance with existing DoD regulations. CMMC has three levels that reflect increasingly sophisticated capabilities for protecting sensitive unclassified information. Once CMMC becomes law, all defense contractors—primes and subs—will need to achieve the CMMC level specified in their DoD contract.

Organizations that handle Controlled Unclassified Information (CUI) will need to achieve at least CMMC Level 2. Level 2 requires implementation of the 110 security controls specified in NIST SP 800-171 and outside, independent verification of that compliance. NIST SP 800-171 has been in effect since late 2017; any defense contractors that have not yet implemented its 110 controls need to move now to do so. Experts estimate that, depending on their current cybersecurity level, organizations will need 12-18 months on average to be ready for their CMMC Level 2 assessment.

To learn more:

If you need help or have questions about CMMC, NIST SP 800-171, or any other topics, please don’t hesitate to reach out and schedule a free 15-minute consultation with our compliance team.

Or you may wish to learn more by reading PreVeil’s white papers and blogs:

Or learn more by watching our videos:

To access additional white papers, blogs and videos, please visit PreVeil’s resources page.