- October 31, 2024
Canada outlines cybersecurity guidelines for critical infrastructure providers
As part of the federal government’s efforts to improve Canada’s cyber security resilience, the Canadian Centre for Cyber Security just published a suite of voluntary guidelines for critical infrastructure providers, which could also provide inspiration for security strategy in other sectors and for small- and medium-sized businesses (SMBs).
Aimed at banks, utilities, municipalities, and hospitals, among others, the centre’s Cyber Security Readiness Goals (CRGs) toolkit outlines 36 cross-sector cyber security practices that are in line with other jurisdictions, including the U.S. Cross-Sector Cybersecurity Performance Goals and the U.K.’s Cyber Assessment Framework. The toolkit includes goals related to cloud computing and artificial intelligence (AI).
The CRGs are voluntary, according to the Cyber Centre, and their intent is to establish a foundational standard for cybersecurity practices, a baseline that connects with other existing frameworks and guidance, both in Canada and from the country’s international partners. The centre emphasizes that the CRGs are not to be viewed as a comprehensive cybersecurity framework or a one-size-fits-all approach to cyber security.
For the most part, the CRGs align with existing frameworks already employed by CIOs and IT leaders, including the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, through a “govern” pillar, which includes a cyber-related privacy goal, while providing Canadian context for existing centre cybersecurity guidelines. Notably absent from this version of the CRGs is “vulnerability disclosure,” which the centre says is a valuable practice that will be considered for future updates.
The release of the CRGs toolkit comes in advance of Bill C-26, pending legislation that would alter Canada’s Telecommunications Act for telcos and implement the Critical Cyber Systems Protection Act (CCSPA), which would require federally regulated telecommunications, transportation, energy pipeline, and financial services companies to establish and implement cyber security programs, report cyber security incidents, comply with cyber security directions from the government, and mitigate supply-chain and third-party risks.
Bill C-26 has already been passed by the House of Commons and is before the Senate. If it becomes law, it won’t likely come into effect for another year, as regulations and reporting deadlines have yet to be determined.
While the CRGs are aimed at critical infrastructure providers, the centre said they can be adopted by any public or private organization, and if you’re an organization that’s looking to bolster your cybersecurity practices, a managed services provider can help.