
What is the CPCSC?

Affected businesses will likely need assistance in achieving certification with CPCSC

This new legislation requires that companies wishing to bid on or work on certain federal government contracts meet the Canadian Program for Cyber Security Certification (CPCSC) standards. It will serve as Canada’s equivalent to the US Department of Defense’s CMMC (Cybersecurity Maturity Model Certification). According to Scott Birmingham, Principal Consultant at Birmingham Consulting, the changes will affect companies in a range of industries.

“The CPCSC will affect any company seeking to bid or work on select Government of Canada defence contracts. They will be required to be certified under the CPCSC before doing work for the Department of Defence,” he says.

This isn’t such a large departure from bidding requirements. For example, we’re rapidly approaching a point where COR certification is a requirement to win any contract. We’ve been predicting for years that something similar was going to happen with cyber security. Therefore, we expect this will be the first stage of more requirements moving forward.

When is the CPCSC being rolled out?

The Honourable Jean-Yves Duclos, Minister of Public Services and Procurement, announced the launch of the first phase of the Canadian Program for Cyber Security Certification (CPCSC). Starting March 2025, the CPCSC will establish a cyber security standard for companies handling government information in defence contracting. The phased rollout will include a new industrial standard, an accreditation process, and a self-assessment tool for Level 1 certification. Certification will initially be required only after contracts are awarded, which gives businesses time to adjust and helps ensure the resilience of Canada’s defence supply chains.

The phased rollout of the Canadian Program for Cyber Security Certification will include:

  • Phase 1 (March 2025): A new cyber security standard for levels 1 and 2 will be available for businesses, with a level 1 self-assessment tool to be launched by full program implementation. The Standards Council of Canada will start accepting applications from organizations that want to become certification bodies to support the evaluation and certification of standard compliance. Support systems will be set up to help businesses get level 2 certification through third-party assessments.
  • Phase 2 (Fall 2025): Some defence contracts will require level 1 certification, achieved through a self-assessment. Level 2 certification, which is achieved through a third-party assessment, will be tested in certain defence contracts.
  • Phase 3 (Spring 2026): While some defence contracts will start requiring level 2 certification, level 3 certification will officially begin following publication of the additional level 3 controls.
  • Phase 4 (2027): For a small number of contracts, level 3 certification requirements will gradually be incorporated into select defence requests for proposals. Level 3 certification will be conducted by National Defence.

Public Services and Procurement Canada (PSPC) completed a request for information (RFI) process in June 2024. Companies that took part in the RFI had the chance to “significantly influence the development and implementation of the program.”

It’s encouraging for defence contractors that PSPC conducted the RFI process. This indicates that suppliers had an opportunity to contribute to shaping policies that prioritize the security of both their organizations and the Government.

Three CPCSC Certification Levels

As currently written, there will be three levels of certification that companies need to attain before bidding on these projects; attaining them will in turn improve their information security posture. Refer to the guidelines provided by the Government of Canada for the most up-to-date information.

The new requirements, which also provide protection for the federal government’s unclassified contractual information, are broken down into three certification levels:

  • Level 1: requires annual cyber security self-assessments
  • Level 2: requires external cyber security assessments performed by an accredited certification body
  • Level 3: requires high level cyber security assessments conducted by National Defence

“To cover all the bases, you’ll need to engage with your Chief Information Security Officer (CISO), or a company that provides virtual CISO (vCISO) services. Risk assessments, analyses and validation of technical controls, strategy development and execution, executive-level reporting – all support achieving CPCSC certification,” explains Scott.

CPCSC Benefits to Canada and Suppliers

The CPCSC aligns with the National Cyber Security Action Plan and the National Cyber Security Strategy, while helping suppliers improve their resilience to cyber threats, better manage risks, and ensure a more secure supply chain.

The implementation of the CPCSC will enhance the security of unclassified government contractual information in Canada. It will also bolster the cyber security infrastructure across the country’s defence supply chain.

For suppliers, a single successful cyber attack has the potential to cause significant disruption – financial, operational, reputational and more. The CPCSC aims to improve the cyber resilience of suppliers, empowering them to better identify, evaluate, and manage risks that could affect the integrity of Canada’s supply chain. This proactive approach will contribute to a more secure and reliable defence infrastructure.

CPCSC – Why was it developed?

The CPCSC was developed to secure the federal contracting process and thereby strengthen the defence supply chain.

When contracting on defence projects, contractors have to deal with sensitive data. But until now, they haven’t been held to the same security clearance standards as the Department of National Defence. So, it’s all too common for Canadian companies to be more susceptible to cyber crime because they haven’t allocated enough resources to protect against threats. Companies that become certified for CPCSC will have much stronger security defences in place.

CPCSC makes it clear that information security isn’t just for tech companies – it matters for everybody. Organizations must remember that we all have data that cyber criminals find value in, even if it’s not “ours”.

CMMC and CPCSC

The Canadian government has made significant efforts to establish reciprocity between CMMC and CPCSC. This alignment will facilitate Canadian contractors in working with US primes or the US Department of Defense. It will also enable them to comply with both standards at the same time. Additionally, countries such as New Zealand, Australia, and the UK—part of the “Five Eyes” network—are also exploring the development of their own CMMC-like standards.

Preparing for Cyber Incidents – Incident Response Plans

Information security is essential for businesses. Therefore, as Scott explains, having an Incident Response Plan is critical.

“The Incident Response Plan is a procedural document that outlines what your company should do when a cyber incident occurs. You probably have a written plan for health and safety emergencies – why not for cyber emergencies?”

An Incident Response Plan (IRP) is a documented guide detailing the steps to follow when a cyber incident occurs. Cyber insurance providers assess whether your business can handle situations such as unusual email activity, stolen devices, or ransomware attacks.

“Businesses need to have a comprehensive IRP with annual reviews and updates. They can test their IRP through tabletop exercises, which also serves as an effective training exercise.”

It’s crucial to regularly test IRPs to identify weaknesses that need addressing. The typical approach to testing an IRP involves conducting a tabletop exercise—essentially a role-playing scenario for executives and staff. It’s akin to a fire drill for cyber security, or what the military refers to as “wargames”.

Why do you need an Incident Response Plan?

Cyber attacks are becoming increasingly frequent and easier to carry out, particularly with advancements in AI. Tools for engaging in cybercrime are now more affordable and user-friendly, with ransomware-as-a-service emerging as a viable business model.

At the end of 2024 during a briefing with ambassadors, Tedros Adhanom Ghebreyesus, WHO Director-General, highlighted the significant harm caused by cyberattacks on hospitals and healthcare systems, stressing the need for immediate and unified global efforts to tackle this escalating issue.

The American business services giant and government contractor Conduent, a municipality in Hamilton and a Scottish health board have all had high-profile cyber incidents since 2024. And those are just the ones that made the news!

Cyber Breach vs. Cyber Incident

In addition to having an emergency plan in place, organizations must understand the terminology used in cyber security to avoid missteps.

“Using the right terminology in your information security policies is key. Example: receiving a spam e-mail is an event. You reply to that spam email and send information you shouldn’t have sent and now it is an incident. Did that information contain something that was private or confidential? Now it becomes a breach. The term ‘breach’ has very different legal implications than event or incident,” Scott explains.

  • Security issues start as “events”.
  • “Events” that impact operations are escalated to “incidents”.
  • “Incidents” involving information being obtained by unauthorized parties are escalated to “breach” status.
  • “Breaches” of Personally Identifiable Information (PII) may need to be reported to the Privacy Commissioner.

Cyber Security vs. Information Security

Scott continues, “Knowing the difference between cyber security and information security matters more than you probably think. Cyber security only refers to the technical controls and protections that protect networks and data – we call them the ‘knobs and dials’. Information security is the inclusive management of technical (aka cyber security) along with administrative controls and physical controls. Limiting your protection to just cyber security leaves organizations vulnerable. This could result in increased liability when a cyber incident occurs.”

Information security, also known as InfoSec, is managing risk to the Confidentiality, Integrity and Availability of information through Administrative, Physical and Technical controls. It involves the processes and tools implemented to safeguard information from unauthorized access, alteration, disclosure or destruction. Therefore, it encompasses a variety of security tools, solutions, and processes designed to safeguard information across devices and locations. Together, these help businesses and individuals defend against cyber attacks and other forms of cyber incidents.

Information security encompasses the protection of various types of information, including digital data, physical documents, and intellectual property. In contrast, cyber security is a subset of information security that specifically focuses on the technical measures used to protect computer systems and networks.

This infographic illustrates the three main pillars of information security: Technical, Physical and Administrative processes and tools

It’s essential to recognize that it’s not just about technology; it’s about safeguarding all forms of information. Businesses need to consider every aspect, including administrative policies (e.g. a cyber awareness training policy), as well as physical security measures.

Media reports on cyber attacks often refer to “cyber security” when discussing these incidents. Experts frequently mention “investing in more cyber security,” but a more accurate term would be “information security”. It encompasses a broader range of protective measures than cyber security alone.

For a deeper understanding of the significance of the new CPCSC requirements, conduct a self-assessment of your current security policies and systems. You should also know whether your business has enough cyber insurance – quantify your liability using this free calculator.