Navigating Canada's Cybersecurity Mandates: Bill C-8, CMMC, CPCSC, and CAN/DGSI 104
- Terry Telford
- 4 days ago

Canada is poised for a significant legislative push to bolster its cyber defences, which intensifies the need for robust compliance strategies. Canadian cybersecurity frameworks such as Bill C-8 are shaping a resilient digital future for our critical infrastructure. For Canadian businesses that hold contracts or sub-contracts in the critical infrastructure, telecommunications, energy, finance, transportation, or nuclear power sectors, this means an ever-increasing need for a comprehensive understanding of a complex web of cybersecurity regulations.
While the focus of this post is on Bill C-8, we start by reviewing CPCSC, CMMC and CAN/DGSI 104, as all of them are interwoven components of the Canadian cybersecurity landscape.
Understanding the Canadian Cybersecurity Landscape: Key Frameworks Explained
Canada's approach to cybersecurity is multi-faceted, reflecting the diverse threats and the varied sectors that require protection. Several key frameworks guide organizations in safeguarding sensitive information and critical systems.
Canadian Centre for Cyber Security (CCCS) and CAN/DGSI 104
The Canadian Centre for Cyber Security (CCCS), part of the Communications Security Establishment (CSE), is Canada’s national authority on cybersecurity. In 2019, the CCCS published the Baseline Cyber Security Controls for Small and Medium Organizations, which became the foundation for the CAN/DGSI 104 National Standard of Canada.
The standard, CAN/DGSI 104:2021 / Rev 1:2024, Baseline Cyber Security Controls for Small and Medium Organizations was developed and is maintained by the Digital Governance Standards Institute (DGSI), accredited by the Standards Council of Canada (SCC). CCCS played a formative role by supplying the original baseline control set, contributing subject matter expertise, and ensuring alignment with Government of Canada cybersecurity priorities.
What it is
CAN/DGSI 104 provides a baseline framework of cybersecurity controls designed for small and medium organizations (SMEs). It:
Defines Level 1 and Level 2 controls to scale security measures according to risk.
Covers risk assessments, incident response, secure configuration, backup integrity, cloud and outsourcing safeguards, and email authentication (SPF, DKIM, DMARC).
Acts as the technical foundation for the CyberSecure Canada program managed by SCC and the Digital Governance Council Cyber Ready program.
Who it affects
SMEs (under 500 employees): The primary audience, particularly those handling sensitive, personal, or financial data.
Contractors and service providers: The controls in CAN/DGSI 104 reflect government and supply chain security expectations.
Larger organizations: While not mandatory, CAN/DGSI 104 can serve as a baseline benchmark, with additional controls layered on as needed.
Key components: CAN/DGSI 104 emphasizes a proactive approach to cybersecurity, covering areas such as:
Asset Identification: Knowing what assets need protecting.
Threat and Risk Assessments (TRAs): Identifying potential threats and vulnerabilities.
Security Controls Implementation: Deploying technical and administrative controls to mitigate risks (e.g., access controls, encryption, patch management).
Security Event Management and Incident Response: Establishing robust processes for detecting, analyzing, and responding to cyber incidents.
Security Awareness Training: Ensuring all personnel understand their role in maintaining security.
Canadian Program for Cyber Security Certification (CPCSC)
The CPCSC was introduced by the Government of Canada to strengthen the security of the national defence supply chain. It's a Canadian counterpart to the U.S. Department of Defense's Cybersecurity Maturity Model Certification (CMMC) and is designed to ensure that Canadian companies can meet international standards and compete for defence contracts with allied nations, particularly the United States.
What it is: The program's core goal is to protect Controlled Information (CI), which includes sensitive but unclassified data like technical drawings, engineering specifications, and other proprietary information related to defense projects. By mandating a standardized approach to cybersecurity, the CPCSC aims to reduce the risk of this information being compromised by cyberattacks and prevent unauthorized access to, or transfer of, these sensitive items, which could pose a risk to national security.
Who it affects: If your business manufactures, possesses, inspects, or transfers controlled goods—or even holds technical data related to them—you are likely subject to CPCSC requirements. This includes contractors in the aerospace, defence, and related high-tech sectors.
Cybersecurity link: Much of the sensitive technical data associated with controlled goods exists in electronic format. Therefore, robust IT security is paramount. CPCSC mandates require organizations to implement comprehensive security measures, including cybersecurity protocols, to protect this digital information from unauthorized access, modification, or disclosure. This means securing networks, servers, workstations, and even portable devices that handle controlled technical data.
Cybersecurity Maturity Model Certification (CMMC)
While a U.S. Department of Defense (DoD) framework, the Cybersecurity Maturity Model Certification (CMMC) has significant and growing implications for Canadian companies. Many Canadian businesses are integral parts of the North American defence supply chain, directly or indirectly contracting with the U.S. DoD.
What it is: CMMC is a unified standard for implementing cybersecurity across the defence industrial base (DIB). It's designed to ensure that defence contractors and their suppliers adequately protect sensitive unclassified information, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC features a tiered model, with five levels of cybersecurity maturity, each requiring specific practices and processes.
Who it affects: If your Canadian company is part of the U.S. DoD supply chain, or plans to be, you will likely need to achieve a specific CMMC level to bid on and win contracts. This means safeguarding any FCI or CUI you handle according to CMMC standards.
Key focus: CMMC mandates a proactive and auditable approach to cybersecurity. It focuses on the implementation of cybersecurity practices (the "what") and the institutionalization of processes (the "how") to achieve varying levels of cyber hygiene.
FCI Protection: Basic safeguarding of Federal Contract Information (Level 1).
CUI Protection: More advanced protection of Controlled Unclassified Information (Levels 2 and 3).
Advanced Persistent Threat (APT) Protection: Proactive and sophisticated defenses against advanced threats (Levels 4 and 5).
Bill C-8: A New Legislative Push for Critical Infrastructure Cybersecurity
Canada's approach to cybersecurity is evolving, moving from largely voluntary frameworks to a mandatory and enforceable legislative environment. The introduction of Bill C-8 marks a significant step in this evolution, aiming to fortify the nation's critical infrastructure against escalating cyber threats.
What is Bill C-8?
Official Title: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.
Purpose: Bill C-8 is designed to proactively protect Canada's vital systems and services from cyber threats. It's a direct response to the increasing frequency and sophistication of cyberattacks targeting essential services, which can have devastating economic and social consequences.
Context: Bill C-8 is not entirely new; it is essentially a reintroduction of the previous Bill C-26, which died on the Order Paper when Parliament was prorogued. The reintroduction under a new bill number signals the government's unwavering commitment to enacting this crucial cybersecurity legislation. This continuity means that many organizations may already be familiar with its proposed requirements.
Key components: Bill C-8 is structured around two main legislative thrusts:
Amendments to the Telecommunications Act: These amendments will grant the government, specifically the Minister of Innovation, Science and Industry, greater powers to issue directives to telecommunications service providers (TSPs) to secure Canada's telecom system. This includes directives to prohibit specific products and services, or to implement measures to address threats.
Enactment of the new Critical Cyber Systems Protection Act (CCSPA): This is the core of Bill C-8's critical infrastructure protection. The CCSPA will establish a new regulatory framework to improve the cybersecurity of designated critical cyber systems in vital sectors.
Who Does Bill C-8 Affect?
The CCSPA component of Bill C-8 will primarily affect federally regulated critical infrastructure sectors, referred to as "designated operators." These are the entities whose systems are deemed essential for national security, public safety, or economic stability.
Specific Sectors initially covered:
Telecommunications: Providers of essential communication services.
Energy: Operators within the electricity grid, and the oil and gas sectors.
Finance: Key players in banking, clearing, and settlement systems.
Transportation: Operators in air, rail, marine, and pipeline transportation.
Nuclear: Organizations involved in nuclear energy production and associated activities.
It’s important to note that the scope of "designated operators" and specific systems will be further defined through regulations, but businesses in these sectors should begin preparing now.
Key Cybersecurity Obligations Under Bill C-8 (The CCSPA)
The Critical Cyber Systems Protection Act (CCSPA) imposes significant new cybersecurity obligations on designated operators, marking a shift from voluntary guidelines to mandatory requirements.
1. Cybersecurity Programs: Designated operators will be mandated to establish and implement comprehensive cybersecurity programs. These programs must be designed to protect their critical cyber systems from cyber incidents and ensure the continued delivery of essential services. The programs will need to be regularly reviewed and updated.
2. Risk Management: A cornerstone of the CCSPA is a proactive approach to risk. Organizations will be required to:
Identify and assess cybersecurity risks to their critical cyber systems.
Implement measures to mitigate these risks, including those arising from supply chains and third-party vendors. This aspect is particularly crucial as supply chain attacks are increasingly common and devastating.
Establish and maintain a record of their risk assessments and mitigation strategies.
3. Incident Reporting: To ensure a coordinated national response to cyber threats, the CCSPA will impose strict requirements for reporting significant cybersecurity incidents. Designated operators will be obligated to report these incidents to the Canadian Centre for Cyber Security (CCCS) and potentially other relevant regulators. This allows for faster threat intelligence sharing and collective defense.
4. Audits and Compliance: The CCSPA introduces mechanisms for oversight and enforcement. Designated operators will be required to conduct regular cybersecurity audits and reviews of their programs. Furthermore, the Minister of Public Safety will have the power to conduct inspections and audits to ensure compliance.
5. Information Sharing: While specific details will emerge through regulations, the CCSPA envisions an environment where designated operators may be required to share certain cybersecurity information with government bodies to enhance collective threat awareness and response capabilities.
The Impact on Critical Industries
Bill C-8 represents a paradigm shift for Canada's critical infrastructure operators, moving them towards a more regulated and accountable cybersecurity posture.
1. Shift to Proactive Security: The legislation compels organizations to adopt a proactive, rather than reactive, approach to cybersecurity. It mandates the implementation of robust programs and controls before an incident occurs.
2. Increased Compliance Burden: For many organizations, complying with the CCSPA will involve a significant investment in time, resources, and expertise. New policies, processes, technological upgrades, and training will be necessary. The administrative burden of documenting compliance will also increase.
3. Financial Penalties for Non-Compliance: Bill C-8 introduces substantial penalties for non-compliance, with fines potentially reaching into the millions of dollars for serious violations. This financial risk underscores the urgency for organizations to take the legislation seriously.
4. Supply Chain Implications: One of the most far-reaching impacts will be on the supply chain. As designated operators are required to manage risks from their third-party vendors, they will undoubtedly impose more stringent cybersecurity requirements on their suppliers. This means that even companies not directly classified as critical infrastructure may find themselves needing to enhance their cybersecurity to remain competitive in these supply chains.
5. Enhanced National Security: Ultimately, Bill C-8 aims to bolster Canada's overall cyber resilience. By mandating stronger security for critical systems, it helps to protect against state-sponsored attacks, cybercrime, and other malicious activities that could disrupt essential services and compromise national security.
123 Cyber Keeps You Compliant
The evolving Canadian cybersecurity landscape, marked by frameworks like CAN/DGSI 104, CPCSC, CMMC, and Bill C-8, presents both challenges and opportunities. 123 Cyber is uniquely positioned to help your organization navigate these complexities.
Our Expertise Across Frameworks
We offer an integrated approach to cybersecurity compliance. Our team possesses a deep understanding of the unique requirements of each framework while also recognizing their overlaps. This allows us to develop holistic strategies that address multiple compliance needs efficiently. Whether you're a government contractor, an SME needing CAN/DGSI 104, a defence supplier eyeing CMMC, or a critical infrastructure operator preparing for Bill C-8, we have the expertise to guide you.
Our Pre-Audit Process
Our comprehensive pre-audit process is designed to provide clarity, identify vulnerabilities, and ensure your organization is compliant and genuinely secure.
Assessment and Gap Analysis: We begin by thoroughly assessing your current cybersecurity posture against the specific requirements of the relevant frameworks. This identifies crucial gaps that need to be addressed.
Policy and Procedure Development: We assist in developing or refining the necessary cybersecurity policies, procedures, and documentation required for compliance and effective risk management.
Reporting and Remediation Support: We provide clear, actionable reports outlining findings and offer expert guidance and support for implementing recommended remediation strategies.
How We Work
Our pre-audit services assess your organization's alignment with the appropriate regulations and requirements, identifying gaps and recommending actionable steps to ensure your systems and processes meet the stringent demands of government data protection.
Deep Understanding of Canadian Regulatory Landscape: Our firm is intimately familiar with the nuances of Canadian cybersecurity laws and regulations, including the latest developments surrounding Bill C-8.
Certified and Experienced Auditors: Our team comprises certified, experienced cybersecurity professionals who bring a wealth of practical knowledge to every engagement.
Proactive Approach to Emerging Legislation: We stay ahead of legislative changes, like Bill C-8, ensuring our clients are prepared for new requirements well in advance.
Tailored Solutions: We understand that every organization is unique. We provide customized pre-audit and advisory services that fit your specific needs, industry, and risk profile.
Building a Resilient Canadian Cyber Future Together
The demands on organizations to protect their data and systems are a moving target. From adhering to the rigorous guidelines of CAN/DGSI 104, to multi-tiered certifications under CPCSC, to meeting international standards like CMMC for defence supply chains, and now preparing for the mandates of Bill C-8 for critical infrastructure, the task of cybersecurity compliance is more challenging and more crucial than ever.
We believe that robust cybersecurity is not just a regulatory burden, but a strategic advantage. It protects your assets, preserves your reputation, and ensures your continued operation in an uncertain world. By partnering with us, you gain a trusted ally dedicated to fortifying your digital defenses and guiding you through the intricate maze of Canadian cybersecurity regulations.
Don't wait for a breach or a non-compliance penalty. Proactively address your cybersecurity posture and ensure your organization is ready for what's next.