By Kate Growley, Caitlyn Weeks, Michael G. Gruden, CIPP/G, Daniel W. Wolff, Nkechi Kanu, and Jacob Harrison

On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.

CPCSC’s structure appears closely aligned with the U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program. Like CMMC, CPCSC is divided into three compliance levels, will verify compliance through self-assessments, third-party assessments, and government-conducted assessments, and will be included in Canadian government defense solicitations and other procurement opportunities.

However, CPCSC and CMMC have one key difference: as currently structured, they will evaluate contractors against fundamentally different security standards. CMMC assessments are primarily based on security controls from the U.S. National Institute of Standards and Technology Special Publication (NIST SP) 800-171, Revision 2. CPCSC, in contrast, will evaluate Canadian defense contractors against the Canadian industrial security standard (ITSP 10.171), a Canadian government standard that mirrors NIST SP 800-171, Revision 3.

While this distinction may appear minor, there are significant differences between the security controls found in Revision 2 and Revision 3 of NIST SP 800-171. DoD has stated that CMMC will eventually adopt Revision 3, but to date all CMMC rulemaking and guidance materials have been tailored to Revision 2. Accordingly, reciprocity or mutual recognition for CMMC and CPCSC assessments and certifications does not appear feasible, at least for now. Simultaneously, however, DoD has begun socializing the possibility of contractors’ voluntary adoption of Revision 3, an approach that now merits more consideration for contractors supporting both countries’ defense supply chains.

Given the historically close ties between the U.S. and Canadian defense sectors, contractors on both sides of the border should watch closely for further updates from Canada on its phased rollout of CPCSC, updates from DoD regarding CMMC’s adoption of NIST SP 800-171, Revision 3, and any discussions of mutual recognition between the respective programs.

Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Daniel W. Wolff

Dan Wolff represents clients facing enterprise-level risks arising out of government enforcement actions and complex commercial disputes. He is a problem solver who understands how to use litigation, whether as plaintiff or defendant, to achieve exceptional business solutions and outcomes. Dan leads the firm’s administrative law litigation practice, counseling clients and litigating on their behalf in federal and state courts around the country in matters arising under the Administrative Procedure Act, other federal statutes, and the U.S. Constitution. He also litigates commercial disputes and matters arising in tort. He has deep experience arguing dispositive motions and appeals, in addition to trying jury cases. Notably, The National Law Journal named Dan a Political Activism and First Amendment Rights Trailblazer.

Beyond the courtroom, clients also seek Dan’s counsel in government investigations of workplace accidents, fatalities, supervisor liability, and requests for company records.

Dan serves on the firm’s Public Service Committee and maintains an active pro bono practice. In recent years, he has focused on civil rights impact litigation, helping to secure victories or favorable settlements under the First Amendment, § 1983, and the Voting Rights Act.

Immediately following law school, Dan clerked for two years in the Southern District of Ohio for the Honorable Walter H. Rice. He is licensed to practice in the District of Columbia and Ohio and is also a member of the bars of multiple federal courts, including the U.S. Supreme Court.

Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.