CMMC vs. CGP (Controlled Goods Program)

CMMC (Cybersecurity Maturity Model Certification) and CGP (Controlled Goods Program) are two regulatory frameworks related to the defense sector.

CMMC concerns suppliers to the US Department of Defense (DoD), while CGP concerns companies in Canada that handle controlled goods, including suppliers to the Department of National Defence (DND).

Is CGP equivalent to CMMC?

In this blog post, we'll answer that question.


Introduction to the Controlled Goods Program (CGP)

The Controlled Goods Program (CGP) is a Canadian regulatory framework, established under the Defence Production Act, designed to ensure the security and control of sensitive and strategic goods in Canada.

In particular, it serves to reduce the risk of sensitive Canadian equipment and goods falling into the wrong hands, which can have an impact on Canada's security.

Examples of controlled goods:

  • Military goods and technology

  • Sensitive military systems, devices and applications

  • Nuclear components

  • etc.

The list of controlled goods in Canada (the Schedule to the Defence Production Act) can be found here.

CGP is managed by Public Services and Procurement Canada (PSPC).


CMMC (Cybersecurity Maturity Model Certification) 

CMMC is a cybersecurity certification that DoD contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must meet. There are 3 CMMC levels (Level 1, 2 and 3); the level required depends on the sensitivity of the data you have access to as part of your business relationship with DoD.


CMMC vs CGP

CMMC

CMMC is focused on cybersecurity and explicitly targets companies (regardless of size) that work with DoD and collect, process or generate Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under DoD contracts.

If you are not yet a DoD supplier and want to be able to do business with DoD, you need to prepare for and obtain certification at the CMMC level required by the contracts you are pursuing.

CMMC is a certification.


The Controlled Goods Program CGP

CGP has a broader scope than cybersecurity. It governs who may examine, possess or transfer controlled goods, defence services and related technical data within Canada, whether those goods are manufactured domestically, imported or destined for export.

Jurisdiction: any company or individual in Canada that examines, possesses or transfers controlled goods (for example, because it manufactures, imports, exports or services them) must register with the CGP, even if it is not a supplier to the Department of National Defence.

Note that technical data relating to controlled goods may also be sensitive information under a DoD contract, in which case you must additionally comply with the US CMMC or its Canadian counterpart, the Canadian Program for Cyber Security Certification (CPCSC).

CGP is a registration, not a certification.


CGP cybersecurity requirements

If you're registered with CGP, you almost certainly hold data that is considered sensitive, and you must protect it. In addition, a security assessment must be performed for every person who accesses controlled goods or related technical data.

Examples of cybersecurity measures required by the CGP:

  • Access control: ensuring that only authorized, security-assessed persons have access to data relating to controlled goods

  • Data encryption, at rest and in transit

  • Audit, logging and monitoring of security events generated by systems within the scope of the CGP

  • Etc.


CGP and sanctions

Registered companies are required to report breaches of CGP requirements. Violations include, among others: exporting or transferring controlled goods or technology without the required licences and approvals, non-compliance with licence conditions, and falsification of information.

Loss or theft of controlled goods must also be reported.

The penalties for non-compliance with CGP rules are quite severe:

  • Prosecution and fines of up to $2,000,000 and/or imprisonment for up to 10 years.


CGP and ITAR

CGP and ITAR (the US International Traffic in Arms Regulations) have similar objectives. Their main difference lies in their jurisdiction (ITAR in the USA, CGP in Canada). In practice the two regimes overlap: many controlled goods held by Canadian companies are ITAR-controlled items of US origin, and the ITAR Canadian exemption (22 CFR 126.5) relies on the recipient being registered with the CGP.


CMMC and CGP

If you are a Canadian defense contractor handling controlled goods, you must register with the CGP. If you're also a DoD contractor or subcontractor, you'll need to obtain CMMC certification (or the Canadian CPCSC, when it comes into effect). In all likelihood, your work will also fall under ITAR, and your CGP registration is what allows US suppliers to transfer ITAR-controlled items to you under the Canadian exemption.


How can StreamScan help you in your CMMC compliance process?

StreamScan is a CMMC Registered Provider Organization (RPO) and is officially authorized to assist organizations in their CMMC process.

Contact one of our experts or call us at +1 877-208-9040 to discuss your CMMC compliance.