CPCSC Compliance Software2024-01-23T07:14:25+00:00

Canadian Program for Cyber Security Certification (CPCSC)

Rizkly offers CPCSC compliance software to address the new Canadian cyber security program.  CPCSC reduces the defence industry burden by seeking mutual recognition with the United States under the U.S. Cyber Security Maturity Model Certification (CMMC) program.  The goal is to streamline and facilitate certification under a single regime, enabling Canadian suppliers to do business in Canada and the U.S.  In partnership with National Defence and the Standards Council of Canada, engagement with the defence industry and other key stakeholders will continue throughout the Program. The establishment of the CPCSC means that defence contractors will need to redouble their efforts, and verify, beyond trust, that their (and any subcontractors’) cybersecurity efforts conform with new policy.

The Three Levels of US CMMC Certification

  • Level 1“Foundational” – Basic Cyber Hygiene
    – 17 NIST 800-171 controls 
  • Level 2“Advanced” – Intermediate Cyber Hygiene
    – All of the 110 NIST 800-171 controls
  • Level 3“Expert” – Good Cyber Hygiene
    – 20 of the NIST 800-172 controls for a total of 130 controls

Best CPCSC Compliance Solution

Rizkly CPCSC Solution Datasheet

Learn more about what you get as part of the Rizkly CPCSC solution and why it’s best answer for small and mid-sized defence contractors.

In conforming to standards, companies may consider working with IT consultants to ensure compliance. Rizkly offers a lower, controlled cost and guided compliance service to simplify your CPCSC compliance efforts. Rizkly compliance experts are highly experienced in helping SMBs achieve compliance with cyber security frameworks such as NIST 800-171, GDPR/CCPA Data Privacy, and SOC2.  Rizkly, powerful cloud SaaS application and expert advisory combined, enables you to address the important dynamics associated of CPCSC:

  • CPCSC combines various cybersecurity standards and best practices and maps these controls and processes across several maturity levels that range from basic cyber hygiene to advanced

  • Certification at specific CPCSC levels required by the Government of Canada, becoming a procurement decision point

  • Certification will be performed by accredited third party, private sector assessors

  • All Canadian Defence contractors (prime and subcontractors) have to achieve a minimum certification level

  • Consistent with CMMC requirements, CPCSC will likely not allow POAMs. If you cannot adequately address a practice for a given level,  you will not certify at that level.

Rizkly CMMC Success eBook

Our CMMC eBook describes CMMC mistakes to avoid, tips to minimize costs and strategies for faster, efficient CMMC success.

CPCSC with Rizkly GCaaS

The establishment of CPCSC indicates The Government of Canada’s increasing focus on defence contractor cyber security. Partnering with Rizkly provides you with both a CPCSC compliance automation platform along with a dedicated CPCSC expert that guides you to success at a reasonable price.

  • CPCSC Compliance Software:  A secure compliance automation application along with a dedicated expert that helps you achieve and sustain required CPCSC compliance levels.  The Rizkly CPCSC software helps you stay in control of the effort, track tasks, organize artifacts and generate audit-ready documentation. Learn more about Rizkly CPCSC features here.

  • Dedicated CPCSC Expertise: A CPCSC expert answers your questions and guides you to success.  Rizkly CPCSC experts help you define you system boundary, provide you with a prioritized CPCSC action plan and help you prepare for your CPCSC external assessment.

  • Tasking and Tracking: Assign ownership and access compliance status with a few clicks. Users receive alerts when it’s time to review controls or attach evidence

  • CPCSC Compliance Audit Documentation: One-click creation of audit-ready documentation such as System Security Plans (SSP) and Incident Response Plans  (IRP) reduces the time and effort needed to create, review, and maintain compliance documents, letting you focus on implementing security, rather than documenting it

  • CPCSC Audit Success: the combination of the Rizkly app and your dedicated CPCSC expert ensures that you are prepared for successful CPCSC assessment and certification efforts.   We help you avoid common pitfalls, automate CPCSC audit documentation generation and can also serve as your CPCSC audit liaison.  Learn more about the features that make Rizkly the most effective SMB CPCSC solution here.

Demonstrate your company’s CMMC compliance status with Rizkly.

Need More Information?

    CPCSC Learning Resources 

    Questions about CPCSC cybersecurity compliance and where you stand?

    Schedule a call to discuss your needs and demonstrate why Rizkly’s combination of app and expert is the right model for most companies.

    Under 100 employees? Register for our CPCSC SMB Starter package.

    Specially priced for small and mid-sized Canadian defence suppliers that need to address CPCSC compliance.

    Request a Rizkly CPCSC Software Demo

    Get a demo of Rizkly CPCSC software or request trial access.  Learn more about our starter packages and working with a Rizkly compliance expert.

    CMMC SMB Solution

    Register for CMMC and CPCSC Updates

      What is OSCAL and its role in FedRAMP Automation?2023-08-16T16:05:25+00:00

      By Chor-Ching Fan

      FedRAMP automation is on its way.  The Open Security Controls Assessment Language (OSCAL) is a machine-readable information exchange format developed by the National Institute of Standards and Technology (NIST) to enable automation of risk management and compliance frameworks based on security controls and functional requirements. OSCAL support the expression of compliance information through XML, JSON and YAML formats.  OSCAL was released in June 2021 and is currently in Version 1.1.0 (late July 2023)

      The FedRAMP cybersecurity management program is the first key adopter of the OSCAL standard.  OSCAL promises to enable FedRAMP automation (and other frameworks that adopt it) improving the efficiency and effectiveness of compliance management by providing a standardized, machine-readable format for capturing and sharing security information.  OSCAL automation has the ability to simplify many of the manual tasks involved in compliance including:

      • Generating security documentation
      • Assessment plan and results evaluation
      • Tracking remediation activities
      • Reporting on compliance status

      OSCAL can be used to support a wide range of compliance frameworks, including:

      • FedRAMP (early adoption in progress)
      • NIST Cybersecurity Framework (CSF)
      • ISO/IEC 27001
      • SOC 2
      • HIPAA
      • PCI DSS

      FedRAMP automation with OSCAL promises to be significant improvement over previous approaches to compliance automation.  As proven by similar information exchange automation initiatives in other industries i.e. ecommerce supply chain documents or financial filing with the SEC,  OSCAL should make compliance management be more efficient, more effective, and more scalable.

      Here are some of the benefits of using the new OSCAL compliance framework:

      • Efficiency: OSCAL automation will reduce manual tasks involved in compliance, such as generating security documentation, conducting assessments, and tracking remediation activities. This can save organizations a significant amount of time and money.  FedRAMP SSPs can easily run 300+ pages in Microsoft Word.  With continual updates and document submissions to the FedRAMP PMO,  this task alone will benefit greatly from OSCAL.
      • Effectiveness: OSCAL provides a standardized, machine-readable format for capturing and sharing security information. This makes it easier to identify, evaluate and determine next steps to remediate key risks for the US government and cloud service providers.
      • Scalability & Extensibility: OSCAL is a scalable framework that can be used to support a wide range of compliance frameworks.  OSCAL is extensible so any user or standards body can leverage the reference models while ensuring it supports the unique elements of their own privacy and security risk program.

      Since its 1.0 release in 2021,  Rizkly has supported the OSCAL standard with the goal of providing the best software for FedRAMP automation.  We love OSCAL and think its great for the cybersecurity compliance world.  Companies (CSPs) can import their existing Word SSPs and generate OSCAL with one-click in Rizkly.  It will not be practical for most organizations to use XML editors and handcraft OSCAL files each time there are updates or submission requirements.  While still in a pre-commercialization status for FedRAMP,  we recommend that CSPs explore the transition to OSCAL along with their FedRAMP R4 to R5 gap analysis and planning efforts. If you’re wondering about a FedRAMP R4 vs R5 gap analysis,  Rizkly, compliance automation software with dedicated FedRAMP OSCAL compliance experts, is ready to assist…just contact us.

      What’s the difference between CMMC and FedRAMP?2023-08-17T17:58:39+00:00

      By Chor-Ching Fan

      As organizations chart their growth through government contracts and assess the cost of cybersecurity compliance initiatives,  many wonder “what’s the the difference between CMMC and FedRAMP”?  The Cybersecurity Maturity Model Certification (CMMC) and the Federal Risk and Authorization Management Program (FedRAMP) are two different compliance frameworks that organizations must follow if they want to work with the US government.

      CMMC is a comprehensive framework designed to protect the defense industrial base’s (DIB) sensitive unclassified information.  While it started with five levels of maturity, the latest version of the CMMC 2.0 framework includes 3 levels and tracks very closely with the NIST 800-171 control framework.  All DoD contractors will need to achieve at least Level 1 (based on the sensitivity level of the information handled by the contractor) in order to keep and/or win new work with the DoD

      FedRAMP is a cybersecurity framework that focuses on the security of cloud service providers (CSPs) doing business with the US federal government. There are two approaches to achieving FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through a specific government agency sponsor. The JAB is the primary governing body for FedRAMP and includes representation from the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). There are four different control baselines that support the different FedRAMP authorization impact levels.

      CMMC FedRAMP
      Purpose Assesses and enhance the cybersecurity maturity of  all contractors working with the DoD Focuses on the security of cloud service providers serving federal agencies
      Certification/Authorization Levels 3 4
      Minimum Level Required for Work Contracts Level 1 (once CMMC is finalized) Authorized at applicable impact level
      Levels and Control Scope
      • CMMC Level 1: 15 controls
      • CMMC Level 2: 110 controls
      • CMMC Level 3: 134 controls
      • LI-SaaS (Low Impact SaaS): 37-57 controls
      • Low: 125 controls
      • Moderate: 325 controls
      • High impact: 421 controls
      Applicability Applies to all contractors that work with the DoD Applies to cloud service providers (CSPs) that work with US government agencies

      CMMC vs FedRAMP

      CSPs must achieve Authorized status in order to provide services to US government agencies.  Soon,  DoD contractors will need to achieve at least CMMC Level 1 status before winning new contracts.

      In general, FedRAMP is a more comprehensive framework than CMMC. FedRAMP requires organizations to enhance process maturity and capabilities across a wider range of topics dealing with data, network, staff, physical building and vendor security.  Here are additional considerations to keep in mind regarding CMMC and FedRAMP compliance:

      • CMMC has been in development for the past few years and is now (2023) nearing finalization.
      • FedRAMP is a mature framework (based on NIST 800-53) that has been in place for over a decade (2011).  We view it as the high bar for cloud cybersecurity compliance.
      • Both CMMC and FedRAMP are constantly evolving. The DoD, FedRAMP PMO and NIST are constantly updating the requirements to reflect the latest cybersecurity threats.
      • Compliance with CMMC and FedRAMP can be a complex and expensive process, especially for SMBs.  Rizkly helps SMBs consider their needs and regulatory requirements and offers an effective and efficient solution for achieving and sustaining improved cybersecurity posture and compliance.
      Do you perform system remediation work?2022-05-19T02:00:44+00:00

      Rizkly experts will advise, guide and review hardware and software technology changes to ensure that they address specific compliance controls but we do not perform the actual implementation work.  Over the years, we have a developed a trusted ecosystem of partners who offer effective and affordable solutions to expedite remediation of security and compliance gaps.  We will gladly refer you to appropriate partners if and when the need arises.   Creating policies,  procedures and other artifacts are also a key part of compliance remediation efforts and these are activities that our advisors do perform using powerful Rizkly features for policies and procedures.

      A description of the services that Rizkly expert advisors provide?2022-05-19T01:37:42+00:00

      Rizkly cybersecurity compliance advisors will work with you through the entire lifecycle of your compliance initiative.  We will scale up/down depending on specific need, and we co-create our involvement in the early stages of the project.  Typical project activities include:

      • Gain an understanding of your business, your clients, your system(s), and your anticipated compliance requirements
      • Educate your team members on compliance requirements, how to leverage the Rizkly app and what will be expected throughout the effort 
      • Develop the system ‘boundary’, and what will be in scope for compliance purposes
      • Draft a system architecture diagram that clearly depicts the system boundary
      • Review existing documentation and work with your team members to understand system and process specifics
      • Perform a high level gap assessment to determine what controls are in place and operating effectively, and where there are gaps
      • For each gap determine a detailed plan of action to remediate
      • Collaborate as needed with personnel (staff and/or your vendors) during remediation. 
      • Provide advisory support, develop documentation, design controls, review evidence, audit prep, etc.
      • Ensure that all artifacts and control implementation statements are effectively captured in Rizkly
      • Educate your team on how to leverage Rizkly to generate audit-ready documentation such as SSPs, POAM reports and SPRS scoring
      • Post-remediation ensure that all controls are in place and operating effectively


      Go to Top