Officially announced by (former) Minister of National Defence, Anita Anand at CANSEC 2023, the Canadian Program for Cyber Security Certification (CP-CSC) will be established as a mandatory cybersecurity requirement for Government of Canada defence contractors. The CP-CSC aims to protect government data stored on third party systems, networks, and applications, in response to the growing number of cybersecurity attacks within Canada, including those targeting government and defence contractors.
Established though collaboration between Public Services and Procurement Canada, National Defence, and the Standards Council of Canada, the CP-CSC will align with Canada’s National Cyber Security Action Plan as well as its National Cyber Security Strategy goals [1].
The federal government allocated $25 million over three years for the creation of CP-CSC in Budget 2023.
Readers should note that consultations with the defense industry and other key players are expected to start in the coming months [2].
What Will It Do?
The CP-CSC will:
- apply to select Canadian contracts on the basis of a risk framework, starting with defence contracts.
- assist and expand the Canadian cyber security industry by creating a “sustainable and scalable solution” for cyber security certification.
- introduce a Canadian Industrial Cyber Security Standard based on the standards established by the National Institute of Standards and Technology (NIST), to ensure it is developed “in lockstep” with the United-States’ cyber security certification.
- allow for mutual recognition of certification between the two countries and internationally.
- increase the baseline for cyber security of Canadian industry as a whole.
- support the operational demands of the Canadian Armed Forces by maintaining supplier system integrity.
What’s Next and What to Expect
Although scheduled for release in July 2023, and identified for implementation in late 2024, as of the date of publication, the policy is not yet available.
For small and medium-sized suppliers (SMEs), the Standards Council of Canada will offer voluntary cyber security certifications under the existing CyberSecure Canada standard.
Though it is not clear how Canada’s support to Ukraine will be covered under the CP-CSC, it is likely that much of Canada’s technical aid to Ukraine will be provided within the scope of this new defence policy.
[1] Link to news release containing program announcement: Government of Canada helping defence industry protect itself from cyber security threats
[2] Consultation notices will be posted on the Government Electronic Tendering Service (GETS): CanadaBuys website.
