CP-CSC, CMMC, and North American Cybersecurity

CMMC International compliance featured

International collaboration between countries in cybersecurity isn’t unheard of, but it involves several miles of red tape and regulations. That’s why many countries seek parity in their security frameworks.

One such parity that Canadian officials are seeking is between their own CP-CSC and the CMMC model for handling CUI.


What Is the Canadian Program for Cyber Security Certification (CP-CSC)?

The CP-CSC was officially announced by Anita Anand, the (former) Minister of National Defence, at CANSEC 2023

The CP-CSC is set to be established as a mandatory cybersecurity requirement for Government of Canada defense contractors. The primary aim of the CP-CSC is to protect government data stored on third-party systems, networks, and applications in response to the growing threats and vulnerabilities in the cybersecurity landscape.

More importantly for us in the United States, this standard mirrors the CMM standard, including using NIST Special Publications 800-171 and 800-172, a framework of maturity levels, and third-party assessments.


What Does This Mean for Defense Contractors?

The short answer is that we don’t know 100% how this will work.

Canadian officials are working with their U.S. counterparts to argue for 1-1 reciprocity between the two. This will have two primary benefits:

  1. Streamlining security measures between agencies will benefit collaborative cyber defense between Canada and the United States. While this doesn’t necessarily mean that information can be passed between compliant agencies without scrutiny, it does mean that collaboration is much more likely between groups that share the same standards and security vocabulary.
  2. Defense contractors will have more opportunities to work in other countries. Already, lobbyists on the Canadian side are hoping this reciprocity will help Canadian security firms tap into the U.S. Defense market. 

It remains to be seen whether or not this kind of reciprocity will ever happen. The two nations are part of several cybersecurity and data-sharing alliances, and CMMC doesn’t regulate data with a SECRET classification by default, so there is some wiggle room. 

However, it’s important to note that this is a signal that CMMC as a model has gained traction outside of the U.S. The open nature of NIST 800-171 and 800-172 and CMMC could promote good security practices worldwide. 


Can Canadian Security Firms Work with the U.S. DIB (and Vice Versa)?

Canadian cybersecurity companies can work with the U.S. Defense Industrial Base (DIB) under certain conditions and frameworks to facilitate such cooperation. The collaboration between Canadian and U.S. companies, especially in the cybersecurity and defense sectors, is supported by various agreements and organizations that aim to strengthen the defense capabilities of both nations. 

Some of the critical frameworks and considerations include:

  • Defense Production Sharing Agreement (DPSA): DPSA is a framework for integrating Canadian and U.S. defense industries. This would permit citizens of the two countries to be involved in projects that include binational and multinational defense programs. Generally speaking, this provides a framework for U.S. contractors to work with Canadian agencies and vice-versa.
  • North American Technology and Industrial Base Organization (NATIBO): NATIBO is a set of standards promoting a shared industrial base between Canada and the United States. As currently designed, it encourages interagency cooperation among U.S. and Canadian military services, other government agencies, and the defense and cybersecurity industries.
  • Security Clearances and Export Controls: Canadian cybersecurity firms working with the U.S. DIB will face significant controls and varying U.S. security clearance requirements. The same holds for U.S. companies working within Canada’s defense sector.
  • Bilateral and Multilateral Agreements: Besides those specific defense agreements, the U.S. and Canada work together through NATO and other international alliances, which promote collaboration in defense and security infrastructure, including cyber security. 
  • Direct Contracts or Subcontracts: Canadian firms can be bidders for U.S. defense contracts, work under contract with, or subcontract to a U.S. company contracted with the DoD based on their adherence to the above rules. Most partnerships are requested with the permission of companies that meet the security and operational standards set by the U.S. government.


The Importance of CMMC as an Example of a Maturity Model

CMMC International compliance

As a maturity model, the Cybersecurity Maturity Model Certification (CMMC) is important for several reasons. It reflects its structured approach to enhancing the cybersecurity posture of Department of Defense (DoD) contractors and their supply chains. Here are the key reasons why the maturity aspect of CMMC is crucial:

  • Structured Path for Improvement: Maturity models provide a structured way for organizations to implement an improved cybersecurity posture. These structured paths are easy to understand and follow and make sense from start to finish.
  • Focus on Process and Practices: Unlike general compliance frameworks, which may focus on meeting specific technical standards or requirements, maturity models emphasize the importance of processes and practices. They are less about checklists and more about understanding organization-wide systems and how they bolster security. 
  • Benchmarks for Measurement and Comparison: Maturity models facilitate internal assessments and comparisons against industry standards, helping organizations understand their current state and where improvements are needed.
  • Customization and Flexibility: Maturity models support the idea that not all organizations have similar needs, available resources, and acceptable risks. Thus, customization and flexibility are essential for implementing cybersecurity practices within an institution while maintaining growth and progress against established requirements. 
  • Emphasis on Continuous Improvement: Maturity models inherently promote continuous improvement. Defining multiple maturity levels encourages organizations to meet a minimum standard and continually enhance their cybersecurity measures. This ongoing process helps organizations adapt to evolving cyber threats and technologies.
  • Enhanced Stakeholder Confidence: Achieving a higher level of maturity in a recognized model like CMMC can significantly enhance stakeholders’ confidence, including customers, partners, and regulatory bodies. It demonstrates a commitment to cybersecurity and the ability to protect sensitive information against threats.
  • Strategic Alignment with Business Objectives: Maturity models facilitate the alignment of cybersecurity strategies with overall business goals. By integrating cybersecurity practices into core business processes, organizations can ensure that their cyber defenses support and enable their business objectives.
  • Reduction of Risks and Costs: Through a comprehensive and proactive approach to cybersecurity, maturity models can help organizations reduce the likelihood and impact of cyber incidents. This protects against potential losses and can minimize the costs associated with breaches, such as recovery expenses, fines, and reputational damage.

The CMMC’s maturity model approach ensures that cybersecurity measures are not static but evolve as threats change and organizations grow and mature in their cybersecurity practices. This dynamic approach is key to addressing the complex and ever-changing landscape of cyber threats facing DoD contractors and their supply chains.


CMMC and International Security with Lazarus Alliance

Cybersecurity is a global concern, and countries are looking to address challenges (and opportunities) through shared standards rooted in NIST and CMMC requirements. 

If you’re looking to kickstart your assessment, contact Lazarus Alliance.

Lazarus Alliance