Exclusive - Canadian Program for Cyber Security Certification Equivalence in Peril
Equivalence between CPCSC and CMMC is not on the menu (for now)
All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.
On March 12, the Canadian Program for Cyber Security Certification (CPCSC) finally announced the launch of phase 1 and the publication of its supporting standard, ITSP.10.171, after a couple of months of delay. Readers will likely be familiar with the CPCSC, as I wrote a CPCSC 101 article nearly a year and a half ago outlining its basics.
You can download and read the full ITSP.10.171 standard here:
In brief, CPCSC was originally launched to establish a baseline cyber security standard for defence industry organizations to obtain if they want to do business with the government. The intention is to increase cyber security and better protect Canada and Canadian defence firms from cyber attacks. This standard wouldn’t be required for all procurement activities but for certain sensitive defence and security procurement projects.
The United States has had a similar program called the Cybersecurity Maturity Model Certification (CMMC), which it has been developing since 2019. Although the primary purpose of CPCSC is to increase cyber security and protection of information, a significant reason for its creation was to develop equivalency with the United States’ CMMC. Many Canadian and United States defence companies work with both governments, so the idea was to reduce costs by establishing equivalence between the two programs: a company would only need a third-party assessment under CPCSC or CMMC, not both, and everyone would benefit from increased cyber security protections.
But what happens if Canada isn’t able to achieve that equivalence?
Where’s the Equivalence?
Following the big announcement of the start of Phase 1, many people quickly identified that the CPCSC’s website, where they will continue to post updates, mentions nothing about equivalence with CMMC. Recognizing this myself, I contacted the CPCSC secretariat to ask if equivalence was still on the table or still being worked on. Their reply was not surprising, but still unfortunate:
Currently, there is no arrangement to establish equivalence between CMMC and CPCSC. The CMMC Final Program rule does not include a pathway for recognition of equivalent international frameworks, making full reciprocity unachievable at this time.
However, we continue to engage with our U.S. Government counterparts to explore potential areas of cooperation between both certification frameworks, given their close alignment and use of a common set of controls, with the aim to reduce industry burden to the extent possible.
The CPCSC secretariat says that “recognition of equivalent international frameworks” is unachievable at this time. Although the United States has been actively encouraging other countries to develop similar programs, it appears they don’t want to provide incentives for doing so. It is difficult to say what led to this, as indications from both Canada and the United States prior to January were that they wanted equivalency to reduce industry burden. However, we do know one significant change that is likely leading to this: Trump.
The CPCSC Secretariat says it continues to work with the United States government to explore cooperation and reduce the burden on industry. However, given the current US administration's actions toward Canada and the ongoing mercantile, isolationist, and protectionist economic measures, I believe this is not likely to happen anytime soon.
Is the CPCSC Still Good?
YES!
Although a loss of equivalence is a bad thing and will hurt Canadian businesses trying to do business with the United States government, the focus on equivalence with the United States overlooks the whole point of CPCSC:
To raise the baseline cyber security expectations for defence and security companies working with the Government of Canada.
This is representative of the Canadian government taking cyber security more seriously and requiring the defence industrial base to do the same. Even if it does not have equivalence with the United States, this should not negate the whole purpose of the CPCSC. The priority of cyber security is not to promote business, but to protect the business and its customers.
Why is this bad?
No equivalence between the United States and Canada creates an additional burden on businesses in both countries. This is complicated because CMMC and CPCSC currently use different versions of the same standard. Jacob Horne has a breakdown of this and notes that CMMC verifies NIST SP 800-171 revision 2, while CPCSC verifies ITSP.10.171, which is based on NIST SP 800-171 revision 3. According to Horne, Revision 3 requires 32% more verification, and there are further differences: some items verified under Revision 2 are not in Revision 3. Not only does this make things more difficult for defence companies that do business with both the United States and Canadian governments, but it also complicates things for assessors who may have to assess a business against both standards and juggle the differences.
I speculate that Canada and the United States under the Biden administration may have agreed to equivalence in principle, with the mechanisms for the United States to formally recognize it to come later. That would explain why Canada adopted Revision 3: the belief was that once equivalence was achieved, the United States and Canada would both be using Revision 3. However, there is still much we do not know, and casting blame on Canada for the lack of equivalence is premature when there is nothing to indicate Canada did anything wrong.
Where do we go from here?
As the response above notes, Canada continues to engage with the United States to hopefully establish some level of equivalence or reciprocity. However, we cannot overlook the current state of affairs between the United States and Canada. Simply stated, Canada cannot establish the level of trust for equivalence when the United States continues to threaten Canada’s sovereignty, which is tantamount to threats of invasion and violence. For the time being, we should not expect any movement on equivalency until the United States ceases its threats against Canada. There is no incentive for Canada to spend any resources or energy on equivalency and cooperation while the United States threatens the existence of Canada. In the end, as the CPCSC Secretariat states, the lack of equivalence is because of a lack of a mechanism for international frameworks despite previous assurances from the United States.
Consequently, the lack of equivalence is the fault of the United States.