
Your Preliminary Guide to CPCSC and CMMC for Canadian Defence Sub-Contractors

  • Terry Telford
  • Aug 19
  • 7 min read

The defence contracting rules of engagement have changed. For small and medium-sized defence subcontractors in Canada or the U.S., the landscape has shifted from a "trust me" handshake to a "show me" mandate. Having a great product or service is no longer enough. Today, your ability to win and keep contracts hinges on your company's cybersecurity posture, verified under two frameworks: Canada's new Canadian Program for Cyber Security Certification (CPCSC) and the U.S. Department of Defense's Cybersecurity Maturity Model Certification (CMMC).


For any Small and Medium Enterprise (SME) subcontractor, understanding and implementing CPCSC and CMMC is the new cost of entry. This guide will help you demystify these frameworks, understand their purpose, and chart a course toward compliance and continued success in the defence market. 


The Purpose Behind the CPCSC and CMMC Mandate: Protecting Sensitive Unclassified Information


Both CPCSC and CMMC were born from a shared concern about the rate of intellectual property theft and sensitive data exfiltration from the defence supply chain. As governments outsource more of their critical functions and technology development, they entrust a vast network of private companies, many of them small businesses, with sensitive but unclassified information. If that data is compromised, it can give foreign adversaries a significant strategic advantage and undermine national security.


This is where the concepts of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) come in. 


  • Federal Contract Information (FCI): Information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It excludes information the government itself releases publicly and simple transactional data such as payment details. Think project schedules, internal memos, or lists of contract-specific materials. It is the baseline tier of information protection.

  • Controlled Unclassified Information (CUI): A more sensitive category. It is unclassified information that law, regulation, or government-wide policy nonetheless requires to be safeguarded or placed under dissemination controls. It ranges from technical drawings and engineering specifications to project-related personal and financial data. A single CUI document could be the blueprint for a next-generation fighter jet component or the design of a secure communications system.


CPCSC and CMMC are designed to create a verifiable security framework that ensures every company handling this information, from the largest prime contractor down to the smallest sub-supplier, has the necessary controls in place to protect it. It’s a unified effort to lock down the entire supply chain, preventing a single weak link from compromising the whole. 


CPCSC vs CMMC: A Tale of Two Frameworks


While both frameworks share a common goal, their implementation and specific requirements have key differences. 


CPCSC (Canadian Program for Cyber Security Certification) 

  • Governing Body: Led by Public Services and Procurement Canada (PSPC) together with the Department of National Defence (DND), with the Canadian Centre for Cyber Security (CCCS) providing the cybersecurity expertise and the Standards Council of Canada (SCC) accrediting the certification bodies that perform assessments.

  • Foundation: Designed to be interoperable with CMMC. Its control requirements are aligned with NIST SP 800-171, the same requirement set CMMC Level 2 uses, while Canadian guidance such as the CCCS ITSG-33 IT Security Risk Management framework informs how those requirements are applied in the Canadian context.

  • Structure: Three levels matched to the sensitivity of the information handled and the risk of the contract, mirroring CMMC. Level 1 relies on self-assessment, Level 2 on certification by an accredited third-party certification body, and Level 3 on assessment by the Government of Canada.

 

CMMC (Cybersecurity Maturity Model Certification) 

  • Governing Body: U.S. Department of Defense (DoD). 

  • Foundation: Built on established U.S. standards, primarily National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, whose 110 security requirements define how CUI must be protected in non-federal systems.

  • Structure: CMMC 2.0 streamlines the original five-level model into three tiers:

      • Level 1 (Foundational): Implementation of the 15 basic safeguarding practices from FAR 52.204-21 to protect FCI. Verified by an annual self-assessment, with the result and an affirmation recorded in the Supplier Performance Risk System (SPRS).

      • Level 2 (Advanced): Full implementation of the 110 NIST SP 800-171 requirements to protect CUI. Depending on the contract, this requires either a triennial self-assessment or a triennial certification assessment by a CMMC Third-Party Assessor Organization (C3PAO), in both cases backed by an annual affirmation in SPRS.

      • Level 3 (Expert): For companies handling the most sensitive, high-value CUI. A Level 2 C3PAO certification is a prerequisite, on top of which 24 enhanced requirements drawn from NIST SP 800-172 apply. Assessment is conducted by the government's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).


Key Similarities: A Unified Approach to Security 


Despite their different national origins and foundational standards, CPCSC and CMMC are fundamentally aligned in their strategic approach.

  • Tiered Model: Both frameworks use a graduated, tiered approach. The level of required cybersecurity maturity directly corresponds to the type and sensitivity of information you handle. This prevents a small machine shop with minimal data from having the same burden as a company designing mission-critical avionics. 

  • Focus on CUI: Both frameworks prioritize the protection of Controlled Unclassified Information. This is the intellectual property and critical data that is vital to national security and defence capabilities. 

  • Verification, Not Just Trust: A key departure from past regulations is the move toward a verifiable compliance model. Previously, under clauses such as DFARS 252.204-7012, companies simply self-attested that they met cybersecurity requirements. Now, depending on the level, you must demonstrate your controls through a formal assessment, whether by your own team, an accredited third party, or the government itself. This shift from "trust us" to "show us" is the core of both programs.

  • Standardized Requirements: Both programs standardize cybersecurity practices across a wide array of companies. This makes it easier for prime contractors to vet their supply chains and for government entities to ensure a baseline level of security across all its partners. 


Key Differences: Navigating the Nuances 


While the spirit of the two programs is the same, SMEs must pay close attention to the details to avoid a compliance misstep. 

  • Governing Authority: The most obvious difference is the governing body. CPCSC is a Government of Canada initiative, while CMMC is a DoD program. This distinction determines who will assess your company and which contractual clauses will apply.

  • Foundational Standards: Both programs map to NIST SP 800-171 and, at their top level, NIST SP 800-172, but CPCSC applies them within a Canadian policy and standards context (including CCCS guidance such as ITSG-33) and through its own certification scheme. The overlap in controls is large, but the programs are not identical in scope, evidence expectations, or assessment procedure, so a company fully aligned to NIST SP 800-171 should still review each program's specific requirements rather than assume one body of evidence satisfies both.

  • Assessment Ecosystem: The accreditation bodies are different. In the U.S., C3PAOs are accredited by the Cyber AB. In Canada, CPCSC certification bodies are accredited by the Standards Council of Canada (SCC). An American C3PAO cannot, by default, perform a CPCSC assessment, and a Canadian CPCSC certification body would need Cyber AB accreditation to perform a CMMC assessment. Before assuming one assessment will satisfy both programs, confirm with the contracting authority whether the other program's result will be recognised.


What This Means for Your Business: The Path Forward 


The rollout of both frameworks is already under way. CPCSC is being phased into Canadian defence contracts, with requirements expected to become mandatory in the near future, and CMMC clauses are appearing in a growing number of U.S. Requests for Information (RFIs) and Requests for Proposals (RFPs). The time to act is now.

 

Here is a practical, step-by-step approach for your SME: 

  1. Identify and Scope Your Data: The first and most critical step is to understand the type of government data you handle. Do you receive or generate FCI? Is there any CUI in your systems? The answers determine the CPCSC and/or CMMC level you need to achieve. Then map where that data is stored, processed, and transmitted: the systems, people, and service providers in that path form your assessment boundary, and everything you can keep outside it reduces the scope you must defend and document.

  2. Conduct a Gap Assessment: Once you know your required level, perform a comprehensive gap analysis: a professional review of your current cybersecurity posture against the specific requirements of the applicable framework and level. The output is a list of deficiencies, each with an owner and a remediation plan.

  3. Remediate and Implement: Based on your gap analysis, implement the necessary technical controls, update your policies and procedures, and train your employees. This is often the most time-consuming and challenging part of the process, but it is non-negotiable.

  4. Document Everything: Compliance isn't just about having the controls; it's about proving it. You will need a System Security Plan (SSP) describing your environment and how each requirement is met, supported by policies, procedures, and evidence (configurations, logs, training records) that an assessor can verify. Any gaps still open at assessment time go on a Plan of Action and Milestones (POA&M); note that CMMC limits which requirements may remain on a POA&M and requires them to be closed within 180 days of a conditional certification.


Your Call to Action 


The defence contracting industry is undergoing a historic transformation. The days when an SME could operate with minimal cybersecurity are rapidly coming to an end. CPCSC and CMMC are not temporary measures; they are permanent fixtures designed to protect national security, and they will soon gatekeep access to defence contracts.


The costs of compliance may seem daunting, but the cost of non-compliance is far greater. Ignoring these mandates will not only shut you out of new opportunities but could also cost you existing contracts. Conversely, by embracing these requirements you secure your business and gain a competitive advantage, signalling to prime contractors and governments that you are a trusted, secure, and reliable partner.

Don't wait until the next RFP comes out with a compliance clause you can't meet. Take control of your company's future today. 


Engage in a readiness assessment to determine which framework(s) apply to your business. Contact us today to schedule your assessment and take the first step toward a secure and prosperous future in the defence industry. 


 

Bibliography 

Canadian Program for Cyber Security Certification (CPCSC) 

  • Canadian Centre for Cyber Security (CCCS). ITSG-33, IT Security Risk Management: A Lifecycle Approach. The CCCS risk-management framework that provides the Canadian context for CPCSC.

  • Government of Canada, Public Services and Procurement Canada (PSPC). Canadian Program for Cyber Security Certification (CPCSC): official publications and guidance. As the program is still rolling out, current requirements are published through official government websites.

 

U.S. Cybersecurity Maturity Model Certification (CMMC) 

  • Canadian Commercial Corporation (CCC). CMMC 2.0 – Know about U.S. DoD's cybersecurity certification. https://www.ccc.ca/en/insights-for-exporters/cmmc-2-0-know-about-dods-evolving-cybersecurity-certification/

  • U.S. Department of Defense (DoD), Office of the Chief Information Officer. Cybersecurity Maturity Model Certification (CMMC) Program. The official source for CMMC rules and guidance.

  • National Institute of Standards and Technology (NIST). NIST Special Publication 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The 110 security requirements behind CMMC Level 2.

  • National Institute of Standards and Technology (NIST). NIST Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The source of the enhanced requirements for CMMC Level 3.

  • The Cyber AB. The accreditation body for CMMC Third-Party Assessor Organizations (C3PAOs); individual assessors are certified through its subsidiary, the CAICO. Its website describes the assessment process.
