Author: Robert Teague, Sr. Manager CMMC Services, MBA | CCA | CCP
Since the announcement of the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program, there have been a lot of questions from foreign nations on how the program would impact them and their support for the U.S. DoD.
The CMMC program is a validation arm for the DoD to ensure contractors within the Defense Industrial Base (DIB) are protecting sensitive data used for the development of many military programs. The impact of this program will mainly be felt by the U.S.-based contracting companies at first, but the DoD has intentions of expanding the program to include host nation partners that support the DoD.
The initial guidance was that the DoD would have to develop some kind of memorandum of agreement with foreign nations to include them in the program, but the process to get that portion of the program off the ground has been slow to develop. Thus, some of our foreign nation partners are not waiting on the DoD.
In June of 2023, The Honorable Anita Anand, Minister of National Defence, announced the government’s commitment to developing and implementing the cyber security certification program by unveiling plans to establish a Canadian Program for Cyber Security Certification (CPCSC). The CPCSC seeks to alleviate the industry’s burden by pursuing mutual recognition between Canada and the United States. This marks the first foreign country to agree to implement the DoD’s program and to enhance the supply chain in Canada by adopting NIST SP 800-171 requirements. This mutual recognition would enable certified Canadian suppliers to be acknowledged in both jurisdictions, establishing trust in the resiliency of Canadian suppliers and paving the way for other partner nations to join in the protection efforts of sensitive data.
The Canadian government aims to engage with the defense industry and other key stakeholders through upcoming sessions in late 2023 to shape the program’s development. The Canadian government allocated $25 million to stand up the program and announced the following initiatives:
- Adopt NIST SP 800-171 and create an identical “Canadian version”
- Mandate cybersecurity certification for select defense contracts by fall 2024
- Canada’s desired end-state is full reciprocity from the U.S. DoD and would allow for:
  - Canadian firms’ CPCSC would be accepted for DoD CMMC requirements
  - American firms’ CMMC would be accepted for Canadian defense contracts
  - American C3PAOs would be authorized to assess Canadian firms for CPCSC
  - Canadian C3PAOs would be authorized to assess American firms for CMMC
There is still much work to be done in this effort, but the Canadian government made it very clear that “there are no prohibitions or restrictions on U.S. CMMC Third-Party Assessing Organizations (C3PAOs) or Registered Practitioner Organizations (RPOs) from working with Canadian companies.” Additionally, Canada’s efforts to move forward with this program send a clear message to the U.S. DoD that our foreign nation partners are not waiting.
It’s also worth noting that there is already a lot of misleading information in the Canadian news about CMMC. More alarming are the Canadian consulting companies claiming they can help these Canadian organizations get certified. The same thing happened in the U.S. when CMMC 2.0 was released in August 2020: many consulting firms claimed they could help organizations get certified, only for many organizations seeking certification (OSCs) to find that they had wasted time, energy, and resources employing these consulting firms, with little to no improvement in their security posture and with documentation that did not meet the requirements of CMMC.
Redspin applauds the efforts by the Canadian government to launch the CPCSC program in conjunction with the CMMC efforts. However, Redspin also advises Canadian OSCs to be cautious when selecting consulting companies to assist them. Many of the U.S.-based C3PAOs are standing by to assist the Canadian OSCs and have already had conversations with some of them. Whether you seek information about CMMC or need assistance in preparing, Redspin is here to assist our Canadian neighbors in their journey.
No matter where you are on your CMMC journey, we are here to help you navigate. If you are interested in the JSVAP process, or would like to begin your path to CMMC compliance, reach out to our team at firstname.lastname@example.org.