American CMMC vs Canadian CMMC (CPCSC)
If you're a Canadian company doing business with the U.S. Department of Defense (DoD), you've probably heard that Canada is going to create its own cybersecurity certification equivalent to the U.S. CMMC.
In this blog post, we'll introduce you to these two (2) certifications.
It all started with the American CMMC
DoD has decided to create a cybersecurity certification to ensure that its contractors and subcontractors implement acceptable security measures to protect the data entrusted to them. Two (2) types of data are concerned:
Information on federal contracts (FCI)
Controlled unclassified information (CUI)
To find out more about these two types of information, please see our blog post about FCI vs CUI.
There are three (3) CMMC levels (current CMMC version = 2.0), depending on the type of information you access as part of your business relationship with DoD. To find out which CMMC level you must comply with, please consult this article.
All DoD suppliers, whether in the USA, Canada, Europe or anywhere else, must obtain CMMC certification to continue doing business with this department.
Canada decides to create its own CMMC certification
Faced with an upsurge in cyber attacks targeting the Canadian defense supply chain, the federal government has decided to create its own cybersecurity certification called Canadian Program for Cyber Security Certification (CPCSC).
The Federal government indicates that the CPCSC will be implemented in late 2024 or early 2025.
Once the CPCSC is in effect, all Canadian Defense contractors and subcontractors will be required to obtain this certification (or the U.S. CMMC) if they wish to continue doing business with this department.
Discussions underway between the USA and Canada to obtain equivalence of the 2 certifications
Canada and the USA are working to establish an equivalence between CMMC and CPCSC. As a result, a Canadian company with CPCSC certification will automatically be recognized by DoD as having CMMC certification.
American CMMC 2.0 vs Canadian CMMC (CPCSC)
The 2 certifications will have 3 equivalent levels
- CMMC 2.0 Level 1 = CPCSC Level 1
CMMC 2.0 Level 2 = CPCSC Level 2
CMMC 2.0 Level 3 = CPCSC Level 3
The reference systems for the 2 certifications are different
CMMC 2.0 is based on NIST 800-171 Rev2
CPCSC is based on NIST 800-171 Rev3
Note that Canada has decided to use the latest version of NIST 800-171 (Rev3, effective May 2024), while the USA relies NIST 800-171 Rev2.
It should also be pointed out that there is a major difference between these 2 versions of NIST 800-171, which means that CMMC and CPCSC will be equivalent, without the same safety controls having to be implemented.
The challenges of equivalence between CMMC 2.0 and CPCSC
The main challenge is that the USA and Canada use 2 different classification systems:
In the USA we talk about FCI, CUI
In Canada, the classifications are : Protected A, B, C.
The two countries will therefore have to harmonize their classification systems to ensure consistency in the level of certification required according to the type of data to which DoD or National Defence Canada suppliers have access.
Medium-term convergence
Since NIST 800-171 Rev 3 is now in force (rendering Rev2 obsolete), we can expect the American CMMC to gradually converge towards this standard. After a transition period of a few years, both CMMC and CPCSC will be based on NIST-800-171 Rev3.
Will CPCSC be mandatory for Canadian companies?
Canadian companies will be able to obtain CPCSC certification, or go for CMMC certification.
Since the 2 certifications will be equivalent, CPCSC will be accepted by DoD, and National Defence Canada will accept CMMC. So it's up to you to choose which of these 2 certifications you'd like to obtain.
An important point to note here is that if you are a DoD supplier certified CPCSC, you may be asked by one of your prime contractors to submit an SPRS score. You will then submit this score to DoD's SPRS platform.
For the moment, it's unclear whether Canada will implement an equivalent to SPRS.
How StreamScan can help you with your CMMC compliance process
Streamscan is a CMMC Registered Provider Organization (RPO) and is officially authorized to assist organizations in their CMMC process.
Contact one of our experts or call us at +1 877-208-9040 to discuss your CMMC compliance.