The CMMC (Cybersecurity Maturity Model Certification) security assessment is for US Department of Defense (DoD) contractors. The latest version, CMMC 2.0, which was released in November 2021, is currently undergoing the rulemaking process and is likely to become mandatory in Summer 2023.

You might ask:

Which Canadian companies must undergo the Cybersecurity Maturity Model Certification (CMMC) assessment?

The US Department of Defense (DoD) has imposed new requirements on Canadian suppliers that work with DoD or plan to work with it in the future.

Canada has significant income streams associated with Defense exports to the US.

The new requirements have the following effects:

  • CMMC is currently in the rollout phase. The goal is for its requirements to be incorporated as part of the Request for Information (RFI), making uncertified members potentially ineligible to respond to or participate in DoD bids.
  • Once the rulemaking process is complete, most organizations that process Controlled Unclassified Information (CUI) will need a CMMC 2.0 Level 2 assessment and certification from a Certified Third-Party Assessment Organization (C3PAO), and those organizations that handle critical CUI will be audited for CMMC 2.0 Level 3 by DIBCAC.
  • Those organizations that only handle Federal Contract Information (FCI) will undergo a self-assessment in line with the 17 practices of CMMC 2.0 Level 1.
  • While DoD is still codifying the CMMC as a rule, it is a good time to become CMMC ready and implement the basic 17 requirements and 110 practices of NIST SP 800-171, as doing so will give you a competitive edge over contractors that begin their certification after the rulemaking is completed.
  • Organizations that need to work with DoD should make the complete system, or possibly the part of the organization that processes, stores, and communicates Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), compatible with the level of the CMMC framework required by DoD.
  • Canadian suppliers in the Defense Industrial Base (DIB) sector will have difficulty providing appropriate assurance that CUI is secured without formal CMMC certification by a third-party assessor.

Cybersecurity Maturity Model Certification (CMMC) overview:

  • CMMC 2.0 has three progressive levels. Level 1 / Foundational has 17 practices. It is for companies with FCI only, where information requires protection but is not critical to national security.
  • Level 2 / Advanced consists of 110 practices based on NIST SP 800-171 and is for companies with CUI.
  • Level 3 / Expert will be based on a subset of NIST SP 800-172 requirements, and it is for the highest-priority programs with CUI.

Cybersecurity Maturity Model Certification (CMMC) vs. National Institute of Standards and Technology (NIST):

NIST is a self-compliance framework, whereas CMMC requires third-party audit and certification.

  • The NIST framework and CMMC have a significant overlap. They share an equivalent general objective: protect CUI (Controlled Unclassified Information). CMMC derives some of the criteria for its maturity levels from NIST publications. CMMC combines many best practices and plans directly with security controls published in different publications, including NIST SP 800-171, NIST SP 800-53, ISO 27001 and ISO 27032, among others.
  • For organizations already compliant with NIST, the existing control practices and frameworks can be leveraged when moving to CMMC.
  • For further information, please visit the respective websites.
  • CMMC requires that organizations attain and retain cyber maturity commensurate with the sensitivity of the information they exchange. Organizations can no longer think in terms of checking a box; instead, they must focus on getting and staying secure.

Why choose Canadian Cyber Inc for your CMMC needs?

Canadian Cyber Inc. is an RPO (Registered Provider Organization) trained and authorized by the CMMC Accreditation Body (AB). We provide CMMC readiness assessments, CMMC gap assessment analysis, and assistance with remediating gaps identified during a CMMC assessment.

  • Canadian Cyber professionals have been providing cybersecurity services and SOC1, SOC2, HITRUST, NIST and ISO 27001 consultation for more than 20 years. They are experienced in working around the globe.
  • We are a Canadian company. Our lead consultant, Waqar Mehboob, has implemented several information security compliance projects for clients in Canada and the USA, including NIST, ISO 27001, SOC1, SOC2, and CIS.
  • In addition to the compliance services, Canadian Cyber has a team of consultants to provide additional implementation services such as implementing SIEM solutions, MDM solutions, and several others. We are experienced in both on-premises and cloud infrastructures.



CMMC Services we offer

  • CMMC Gap Assessment: Canadian Cyber consultants are experienced and trained to examine organizations' existing controls against NIST 800-171, DFARS and CMMC 2.0 and make recommendations.
  • CMMC Consultancy: We understand that not all organizations have a dedicated cybersecurity team to meet the ever-changing DoD compliance requirements. We can provide our trained staff to perform CMMC 2.0 documentation at very reasonable rates.
  • CMMC Readiness Assessment: We can also provide a CMMC readiness assessment, an independent audit to ensure all required changes are in line with CMMC and that there are no surprises when a C3PAO audits your organization.
  • CMMC 2.0 White Label Service: Canadian Cyber has also partnered with several consulting firms, including Big 4 consulting firms, to provide our experienced staff for remote assistance. Our staff can provide the extra workforce to work on your client engagements in the following domains:
    • CMMC Gap Assessment
    • CMMC Consulting Service
    • CMMC Readiness Assessment

Let’s Talk. Our CMMC Consulting services can help you understand CMMC better and start the process of developing a complete CMMC program for you.

Waqar Mehboob
CEO / Senior Cybersecurity Consultant

Rafia Rizwan
BD Marketing Manager