What is the CPCSC?
Affected businesses will likely need assistance in achieving certification with CPCSC
New legislation expected in 2025 will require that companies wishing to bid or work on certain federal government contracts first meet the Canadian Program for Cyber Security Certification (CPCSC) standards. Once in effect, it will serve as Canada’s equivalent of the US Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). According to Scott Birmingham, CET, CIM, and Principal Consultant at Birmingham Consulting, the changes will affect companies in a range of industries.
“The CPCSC will affect any company seeking to bid or work on select Government of Canada defence contracts. It will now be a requirement for them to be certified under the CPCSC before doing work for the Department of Defence,” he says.
This isn’t such a large departure from bidding requirements. Now, though, we’re rapidly approaching a point where COR certification is a requirement to win any contract. I’ve been predicting for years that something similar was going to happen with cyber security, and this will be the first stage of more requirements moving forward.
When does the CPCSC take effect?
The Government of Canada has stated that the CPCSC is set to take effect in the winter of 2025. We expect more information will be released later this year or early next year.
As of now, Public Services and Procurement Canada (PSPC) completed a request for information (RFI) process in June 2024. Companies that took part in the RFI had the chance to “significantly influence the development and implementation of the program.”
It’s encouraging for defence contractors that PSPC conducted the RFI process. This indicates that suppliers had an opportunity to contribute to shaping policies that prioritize the security of both their organizations and the Government.
Three CPCSC Certification Levels
As currently written (September 2024), the program defines three certification levels. Companies will need to attain the level required for a given contract before bidding on it, and doing so will in turn improve their information security posture.
The new requirements, which also provide protection for the federal government’s unclassified contractual information, are broken down into three certification levels:
- Level 1: requires annual cyber security self-assessments
- Level 2: requires external cyber security assessments performed by an accredited certification body
- Level 3: requires high-level cyber security assessments conducted by the Department of National Defence
“To cover all the bases, you’ll need to engage with your Chief Information Security Officer (CISO), or a company that provides virtual CISO (vCISO) services. Risk assessments, analyses and validation of technical controls, strategy development and execution, executive-level reporting – all support achieving CPCSC certification,” explains Scott.
Why the Change?
When contracting on defence projects, contractors have to deal with sensitive data. But they haven’t been held to the same security clearance standards as the Department of National Defence. While we don’t think it’s happened yet, it’s only a matter of time before a bad actor gains access to that information through contractors. CPCSC makes it clear that information security isn’t just for tech companies – it matters for everybody. We all have data that bad actors and hackers find value in, even if it’s not “ours”.
CMMC and CPCSC
The Canadian government has made significant efforts to establish reciprocity between CMMC and CPCSC. This alignment will not only facilitate Canadian contractors in working with US primes or the US Department of Defense, but it will also enable them to comply with both standards at the same time. Additionally, countries such as New Zealand, Australia, and the UK—part of the “Five Eyes” network—are also exploring the development of their own CMMC-like standards.
Preparing for Cyber Incidents – Incident Response Plans
Information security is essential for businesses, and part of it is being ready for the day a control fails. As Scott explains, that is why having an Incident Response Plan is critical.
“The Incident Response Plan is a procedural document that outlines what your company should do when a cyber incident occurs. You probably have a written plan for health and safety emergencies – why not for cyber emergencies?”
An Incident Response Plan (IRP) is a documented guide detailing the steps to follow when a cyber incident occurs. Cyber insurance providers assess whether your business can handle situations such as unusual email activity, stolen devices, or ransomware attacks.
“Businesses should ensure they have a comprehensive IRP with annual reviews and updates, which can be effectively tested through tabletop exercises.”
It’s crucial to regularly test IRPs to identify any weaknesses that need to be addressed. The typical approach to testing an IRP involves conducting a tabletop exercise—essentially a role-playing scenario for executives and staff. It’s akin to a fire drill for cyber security, or what the military refers to as “wargames”.
Why do you need an Incident Response Plan?
Cyber attacks are becoming increasingly frequent and easier to carry out, particularly with advancements in AI. Tools for engaging in cybercrime are now more affordable and user-friendly, with ransomware-as-a-service emerging as a viable business model.
Since the beginning of 2024, high-profile cyber incidents have affected the City of Hamilton, the RCMP, Global Affairs Canada, and Canada’s financial intelligence unit, FINTRAC. The private sector has seen numerous additional incidents, many of which haven’t even made headlines.
Last year, businesses in the manufacturing sector faced the highest levels of targeting, with 47% of respondents reporting an attack. This was followed by the construction sector at 38% and the healthcare and pharmaceutical sectors at 35%. Notably, only 18% of public sector organizations reported being impacted by ransomware. (Reference: Palo Alto Networks Canada, 2023).
Cyber Breach vs. Cyber Incident
In addition to having an emergency plan in place, organizations must understand the terminology used in cyber security to avoid missteps.
“Using the right terminology in your information security policies is key. Example: receiving a spam e-mail is an event. You reply to that spam email and send information you shouldn’t have sent and now it is an incident. Did that information contain something that was private or confidential? Now it becomes a breach. The term ‘breach’ has very different legal implications than event or incident,” Scott explains.
The escalation path looks like this:
- Security issues start as “events”.
- “Events” that impact operations are escalated to “incidents”.
- “Incidents” involving information being obtained by unauthorized parties are escalated to “breach” status.
- “Breaches” of Personally Identifiable Information, aka “PII”, may need to be reported to the Privacy Commissioner.
Cyber Security vs. Information Security
Scott continues, “Knowing the difference between cyber security and information security matters more than you probably think. Cyber security only refers to the technical controls and protections that protect networks and data – we call them the ‘knobs and dials’. Information security is the inclusive management of technical (aka cyber security) along with administrative controls and physical controls. Limiting your protection to just cyber security leaves organizations vulnerable. This could result in increased liability when a cyber incident occurs.”
Information security, also known as InfoSec, is the management of risk to the Confidentiality, Integrity and Availability of information through Administrative, Physical and Technical controls. It involves the processes and tools implemented to safeguard information from unauthorized access, alteration, disclosure or destruction, and so it encompasses a variety of security tools, solutions, and processes designed to protect information across devices and locations. Together, these help businesses and individuals defend against cyber attacks and other forms of cyber incidents.
Information security encompasses the protection of various types of information, including digital data, physical documents, and intellectual property. In contrast, cyber security is a subset of information security that specifically focuses on the technical measures used to protect computer systems and networks.
It’s essential to recognize that it’s not just about technology; it’s about safeguarding all forms of information. So every aspect must be considered, including administrative policies, like cyber awareness training, as well as physical security measures.
Media reports on cyber attacks often refer to “cyber security” when discussing these incidents. Experts frequently mention “investing in more cyber security,” but a more accurate term would be “information security”. It encompasses a broader range of protective measures than cyber security alone.
For a deeper understanding of the significance of the new CPCSC requirements, conduct a self-assessment of your current security policies and systems. You should also know whether or not your business has enough cyber insurance – quantify your liability using this free calculator.