Which Canadian Companies must undergo Cybersecurity Maturity Model Certification (CMMC) Assessment?

U.S Department of Defense (DOD) imposed new requirements for Canadian suppliers who are working with DOD or plans to work in the future with them.

Canada has significant income streams associated with Defense exports to the U.S.
The new requirements have the following effects:

  • CMMC is currently in the rollout phase. The goal is that its requirements will be incorporated, as part of the Request For Information (RFI), making uncertified members potentially ineligible to respond to or participate in DOD bids.
  • Organizations who mean to work with the DOD should make the whole system—or possibly the chunk of the organization that processes, stores, and communicates Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)—compatible with the degree of CMMC Framework as ordered by DOD.
  • Canadian suppliers will have difficulties in Defense Industrial Base (DIB) sector providing the appropriate assurance of securing the CUI without being a formal CMMC certified by a third-party assessor.

Cybersecurity Maturity Model Certification (CMMC) overview:


CMMC 2.0 has 3 increasingly progressive levels i.e., Foundational / Level 1 which has 17 practices and it is for companies with FCI only, where information requires protection but is not critical to national security.
Level 2 / Advanced level consists of 110 practices based in NIST SP 800-171and is for companies with CUI.
CMMC Level 3/ Expert level will be based on a subset of NIST SP 800 – 172 requirements and it is for the highest priority programs with CUI

Cybersecurity Maturity Model Certification (CMMC) VS National Institute of Standards and Technology (NIST):

NIST is a self-compliance framework whereas CMMC requires third-party audit and certification.

  • NIST framework and CMMC have a significant overlap. They share an equivalent general objective: protect CUI (controlled unclassified information).  In fact, CMMC is derived from NIST publications for some of the criteria for its maturity levels and CMMC combines many best practices and plans directly to security controls published in different publications including NIST SP 800-171, NIST SP 800-53, ISO 270001 and ISO 27032, among others.
  • For organizations that are already compliant with NIST, the existing control practices and frameworks can be leveraged when moving to CMMC.
  • However, CMMC goes beyond the NIST framework to make sure data is protected. The approach the NIST framework and CMMC take to validating an organization’s cybersecurity effort is separate too.
  • For further information please visit the respective websites. www.CMMCAB.org and www.NIST.gov
  • CMMC requires that organizations attain and retain cyber maturity commensurate with the sensitivity of the information they exchange. Organizations can no longer think in terms of checking a box; instead, they must focus on getting and staying secure.

Why choose Canadian Cyber Inc


Canadian Cyber Inc is RPO (Registered Provider Organization) trained and authorized by CMMC Accreditation body AB. We provide CMMC Readiness Assessment and CMMC Gap Assessments Analysis, Assistance with Remediating Gaps identified during CMMC Assessment.

  • Canadian Cyber professionals have been providing cybersecurity services, SOC1, SOC2, HITRUST, NIST and ISO 27001 Consultation for more than 20 years. Experienced in working around the globe e.g., Canada, USA, Norway, UAE, France, Germany, GCC, Pakistan etc.
  • We are a Canadian company. Our lead consultant Waqar Mehboob has implemented several Information Security compliance projects for clients in Canada and USA including NIST, ISO 27001, SOC1, SOC2, and CIS.
  • In addition to the compliance services, Canadian Cyber has a team of consultants to provide additional implementation services such as the implementation of SIEM solutions, MDM solutions, and several others. We are experienced in both on-premises and cloud infrastructures.
  • Canadian Cyber Inc is a Microsoft Partners, a secure suite member with CIS and a partner for the Tugboat Logic system.

Lets Talk. Our CMMC Consulting services can help you understand CMMC better and start the process of developing a complete CMMC program for you.

Waqar Mehboob
CEO / Senior Cybersecurity Consultant

Rafia Rizwan
Cybersecurity Analyst