CMMC and NIST 800-171 from the Canadian side

The contract gate for the US defence supply chain. "We're Canadian" is not an exemption: primes flow the requirement down to subcontractors on both sides of the border.

What it is

CMMC (Cybersecurity Maturity Model Certification) is the US Department of Defense's verification regime for contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It adds assessment on top of safeguarding requirements that DFARS 252.204-7012 has imposed since 2017. The program rule (32 CFR Part 170) took effect in December 2024; the contract clause (DFARS 252.204-7021) went live on November 10, 2025, opening Phase 1. Phase 2, which brings third-party certification into contract awards, begins November 10, 2026.

Three levels. Level 1: the 15 basic safeguards of FAR 52.204-21, self-assessed annually, FCI only. Level 2: the 110 requirements of NIST SP 800-171 Rev 2, either self-assessed or, for most CUI contracts from Phase 2 onward, certified by an accredited C3PAO; in both cases the result is entered in SPRS. Level 3: a selected set of enhanced requirements from NIST SP 800-172 layered on a Level 2 certification, assessed by the government (DCMA's DIBCAC). Certificates run three years with an annual affirmation signed by a senior official. A conditional Level 2 certificate is possible with a score of at least 88 of 110 and an open POA&M, but only lower-weighted requirements are POA&M-eligible and every open item must be closed, and verified, within 180 days or the conditional status lapses.

Who actually needs it

Anyone in a DoD contract chain that stores, processes, or transmits FCI or CUI, including Canadian subcontractors. You don't need a direct DoD contract to be caught: primes are flowing CMMC requirements down their supply chains because the clause obliges them to, and "the clause is in the subcontract" is the moment it becomes real. Without the required level on record in SPRS before award, you are ineligible; a prime cannot waive it for you, and there is no partial credit beyond the conditional window described above.

What it takes

For Level 2: a ruthless scoping decision first. Every system, person, managed service provider, and cloud service that touches CUI, or that provides security for the systems that do, is in scope, so an enclave that holds CUI usually beats bringing the whole company in. Then six to twelve months of readiness for most organizations: a gap assessment against 800-171, remediation, a System Security Plan that matches how the enclave actually runs, a POA&M for what remains, and evidence discipline (screenshots, configs, tickets, and logs that an assessor can tie to each requirement). C3PAO capacity is a real bottleneck; assessors book out months ahead, so get in a queue early. False Claims Act exposure makes the score you enter in SPRS and the annual affirmation a legal attestation by a named official, not a formality, and that reaches subcontractors whose scores feed a prime's claims.

How it maps to what you may already have

If Canadian defence work is also in your future, read the full analysis: CPCSC vs CMMC — the Canadian supplier's guide to doing both. Same NIST 800-171 roots as CPCSC, no mutual recognition, and a revision gap (CMMC assesses against Rev 2; Canada's ITSP.10.171 derives from Rev 3). Build one program to the newer baseline, keep a Rev 2 mapping so the assessor can trace each of the 110 requirements, and treat both certifications as wrappers around it. A SOC 2 or ISO 27001 program covers a meaningful share of the controls, but not the CUI-specific ones: marking and handling, FIPS-validated cryptography for CUI at rest and in transit, and the DoD incident-reporting obligations that come with DFARS 7012.

The Canadian angle

Canadian companies are assessed under the same rules as US ones, with cross-border wrinkles on top: where CUI is stored and who can reach it, US-person access restrictions that ride along with export-controlled CUI in some contracts, and Canada's Controlled Goods Program sitting alongside. One constraint bites early: DFARS 7012 requires any cloud service that stores or processes CUI to meet the FedRAMP Moderate baseline or equivalent, which narrows the Canadian-region options. Architecture decisions (enclave location, cloud regions, key custody, who holds the admin credentials) should be made with both CMMC and CPCSC in view, once.

How I help

Scoping and enclave design, the gap assessment against 800-171, readiness sequenced against your contract dates, and the build-once-attest-twice structure if CPCSC is also coming. This runs through the compliance readiness engagement.

CMMC flowing down from your prime?

The next step is a 30-minute conversation — no pitch, no obligation. An honest read on where you stand and what actually matters next.