New legislation expected in 2025 will require companies who wish to bid or work on certain federal government contracts first meet the Canadian Program for Cyber Security Certification (CPCSC) standards. According to Scott Birmingham, CET, CIM, and Principal Consultant at Birmingham Consulting, the changes will affect companies in a range of industries.
“The CPCSC will affect any company seeking to bid or work on select Government of Canada defence contracts. It will now be a requirement for them to be certified under the CPCSC before doing work for the Department of Defence,” he says.
Three Certification Levels
The new requirements, which are meant to provide additional protection for the federal government’s unclassified contractual information, are broken down into three certification levels:
- Level 1: requires annual cyber security self-assessments
- Level 2: requires external cyber security assessments performed by an accredited certification body
- Level 3: requires high level cyber security assessments conducted by the Department of Defense
In order to cover all the bases, it’s important to engage with your Chief Information Security Officer (CISO), or a company that provides virtual CISO (vCISO) services, in order to conduct risk assessments, analyses and validation of technical controls, strategy development and execution, executive-level reporting, and more – all of which supports achieving CPCSC certification,” explains Scott.
Preparing for Cyber Incidents
For any business, whether the CPCSC is required or not, prioritizing information security is essential. As Scott explains, having an Incident Response Plan is critical.
“The Incident Response Plan is a procedural document that outlines what your company should do when a cyber incident occurs. You probably have a written plan for health and safety emergencies – why not for cyber emergencies?” he says. “Businesses should ensure they have a comprehensive IRP with annual reviews and updates, which can be effectively tested through tabletop exercises.”
Cyber Breach vs. Cyber Incident, Cyber Security vs. Information Security
In addition to having an emergency plan in place, organizations must also understand the very specific terminology used in cyber security to avoid missteps.
“Using the right terminology in your information security policies is key. For example, you get a spam e-mail and that's called an event. You reply to that spam email and send information you shouldn’t have sent and now it is an incident. Did that information contain something that was private or confidential? Now it becomes a breach. The term ‘breach’ has very different legal implications than event or incident,” Scott explains.
He continues, “Knowing the difference between cyber security and information security also matters more than you probably think. Cyber security only refers to the technical controls and protections that protect networks and data – we call them the ‘knobs and dials’. Information security is the inclusive management of technical (aka cyber security) along with administrative controls and physical controls. Limiting your protection and readiness to just cyber security leaves organizations vulnerable and could result in increased liability when a cyber incident occurs.”
For a deeper understanding of the significance of the new CPCSC requirements, conduct a self-assessment of your current security policies and systems. It is also recommended to have sufficient cyber insurance to be prepared for the financial impact from an incident – quantify your liability using this free calculator.