Cisco Blogs

A Modern Approach to Cybersecurity & Privacy in the U.S.-Mexico-Canada Agreement

October 12, 2018 - 2 Comments

As was noted in a companion blog by my colleague Jen Sanford, the new U.S.-Mexico-Canada-Agreement (USMCA) covers a wide range of trade issues between these nations.  We are particularly excited for the provisions around cybersecurity which address what our customers and the industry have been saying for a while: that regulatory and compliance-driven security doesn’t work. Along those lines, the Digital Trade Chapter of USMCA calls for risk-based cybersecurity mechanisms over prescriptive regulations. While not mentioning the document by name, the USMCA agreement actually calls out the five core functions in the NIST Framework—identify, protect, detect, respond, recover.

This result demonstrates all three governments share a common vision and commitment to effective cyber-risk management. Our three nations are connected in many ways physically via our roads, railways, and energy distribution systems. Those critical systems, in turn, increasingly leverage information technology underscoring the importance of developing a harmonized approach to cybersecurity. Therefore, a coordinated approach to cyber risk management—using a common set of tools—makes tremendous sense.

The inclusion of these new digital trade provisions will also facilitate the development of a unified market for cybersecurity products and services. Developers of these technologies can be confident that they will have access to selling into all three countries. Buyers of these technologies will in turn have greater certainty about how to map their capabilities to a commonly used approach to cyber risk management.

USMCA also establishes a series of important protections against non-tariff trade barriers around digital services. These include: 1) ensuring that data can flow freely within the trade bloc; 2) restricting the use of data storage or processing localization requirements; advancing the development of interoperable data protection mechanisms—specifically referencing the APEC Cross Border Privacy Rules under which Cisco is certified; and 4) limiting the ability of governments to demand source code as a precondition for the sale of technology in a market.

Cisco looks forward to to working with the three governments to turn the USMCA’s commitments around cybersecurity, privacy, and more into action once it is implemented.


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Here is a link to Article 19 of the USMCA. The cybersecurity provision is in Paragraph 15, quoted below.

    Article 19.15: Cybersecurity
    1. The Parties recognize that threats to cybersecurity undermine confidence in digital trade. Accordingly, the Parties shall endeavor to:
    (a) build the capabilities of their national entities responsible for cybersecurity incident response; and
    (b) strengthen existing collaboration mechanisms for cooperating to identify and mitigate malicious intrusions or dissemination of malicious code that affect electronic networks and use those mechanisms to swiftly address cybersecurity incidents, as well as the sharing of information for awareness and best practices.
    2. Given the evolving nature of cybersecurity threats, the Parties recognize that risk-based approaches may be more effective than prescriptive regulation in addressing those threats. Accordingly, each Party shall endeavor to employ, and encourage enterprises within its jurisdiction to use, risk-based approaches that rely on consensus-based standards and risk management best practices to identify and protect against cybersecurity risks and to detect, respond to, and recover from cybersecurity events.

  2. Thanks for sharing the descriptive information on Cyber Security.It’s really helpful to me since I'm taking Cyber Security Training. Keep doing the good work and if you are interested to know more on Cyber Security, do check this Cyber Security Tutorial.:-