Canadian defence and federal contractors will soon face new cybersecurity compliance requirements under the Canadian Program for Cyber Security Certification (CPCSC).
Developed by the Canadian Centre for Cyber Security, CPCSC is Canada’s counterpart to the U.S. DoD’s CMMC. Starting in March 2025, companies handling sensitive government data will need certification to qualify for certain contracts.
This article outlines CPCSC’s rollout phases, certification levels, strategic implications, and how to start preparing today.
What is the CPCSC?
The CPCSC is a national cyber security certification framework for contractors handling protected government information, particularly in the defence sector. Modeled after the U.S. CMMC, CPCSC is tailored to Canadian standards, including ITSP.10.171 and ITSG-33. It supports Canada’s cyber resilience goals and safeguards Controlled Unclassified Information (CUI).
CPCSC Rollout Timeline
The Honourable Jean-Yves Duclos, Minister of Public Services and Procurement, announced the launch of the first phase of the Canadian Program for Cyber Security Certification (CPCSC). Starting March 2025, the CPCSC will establish a cyber security standard for companies handling government information in defence contracting. The phased rollout will include a new industrial standard, an accreditation process, and a self-assessment tool for Level 1 certification. Certification will initially be required only after contracts are awarded, giving businesses time to adjust and helping ensure the resilience of Canada’s defence supply chains.
• Phase 1 (March 2025): Launch of CPCSC Levels 1–2 standards and self-assessment tool. SCC begins accrediting third-party assessment bodies.
A new cyber security standard for levels 1 and 2 will be made available to businesses, with a level 1 self-assessment tool to be launched by full program implementation. The Standards Council of Canada will start accepting applications from organizations that want to become certification bodies to support the evaluation and certification of standard compliance. Support systems will be set up to help businesses obtain level 2 certification through third-party assessments.
• Phase 2 (Fall 2025): Level 1 required for some contracts; pilot testing for Level 2.
Some defence contracts will require level 1 certification, achieved through a self-assessment. Level 2 certification, which is achieved through a third-party assessment, will be tested in certain defence contracts.
• Phase 3 (Spring 2026): Some contracts require Level 2; Level 3 standards published.
While some defence contracts will start requiring level 2 certification, level 3 certification will officially begin following publication of the additional level 3 controls.
• Phase 4 (2027): Level 3 certification required for select defence procurements, assessed by National Defence.
For a small number of contracts, level 3 certification requirements will gradually be incorporated into select defence requests for proposals. Level 3 certification will be conducted by National Defence.
Public Services and Procurement Canada (PSPC) completed a request for information (RFI) process in June 2024. Companies that took part in the RFI had the chance to “significantly influence the development and implementation of the program.”
It’s encouraging for defence contractors that PSPC conducted the RFI process. This indicates that suppliers had an opportunity to contribute to shaping policies that prioritize the security of both their organizations and the Government.
There are three CPCSC Certification Levels
As currently written, there will be three levels of certification that companies will need to attain before bidding on these projects; attaining them will in turn improve their information security posture. Please refer to the guidelines provided by the Government of Canada for the most up-to-date information.
The new requirements, which also provide protection for the federal government’s unclassified contractual information, are broken down into three certification levels:
- Level 1: requires annual cyber security self-assessments
- Level 2: requires external cyber security assessments performed by an accredited certification body
- Level 3: requires high level cyber security assessments conducted by National Defence
To cover all the bases, you’ll need to engage with your Chief Information Security Officer (CISO), or a company that provides virtual CISO (vCISO) services. Risk assessments, analysis and validation of technical controls, strategy development and execution, and executive-level reporting all support achieving CPCSC certification.
Key benefits of CPCSC certification for businesses
The CPCSC aligns with the National Cyber Security Action Plan and the National Cyber Security Strategy, while helping suppliers improve their resilience to cyber threats, better manage risks, and ensure a more secure supply chain.
The Canadian Program for Cyber Security Certification (CPCSC) delivers critical advantages for both the Government of Canada and defence suppliers by enhancing national cyber resilience and strengthening Canada’s position in global defence markets.
1. Improved Cyber Security for the Canadian Defence Supply Chain
CPCSC establishes a standardized cybersecurity framework across the defence industrial base. By enforcing consistent security requirements for contractors handling sensitive government information, the program reduces the risk of cyberattacks, data breaches, and supply chain vulnerabilities.
2. Alignment with Canada’s National Cyber Security Strategy
CPCSC supports Canada’s National Cyber Security Strategy and the National Cyber Security Action Plan. The program ensures that federal defence contractors implement security controls aligned with Canadian-specific regulatory and privacy standards, including ITSP.10.171 and ITSG-33.
3. Enhanced Competitiveness for Canadian Defence Contractors
CPCSC certification will soon become a requirement to bid on select Government of Canada defence contracts. Early adopters will gain a competitive advantage in federal procurement by demonstrating compliance with rigorous cybersecurity standards, boosting credibility and trust.
4. Increased Access to International Defence Opportunities
CPCSC aligns with international cybersecurity frameworks, such as the U.S. Cybersecurity Maturity Model Certification (CMMC). This strategic alignment helps Canadian contractors working with U.S. primes or within the Five Eyes alliance meet cross-border compliance requirements, increasing access to global defence supply chains.
5. Streamlined Compliance Through a Unified Cybersecurity Framework
By creating a single national standard, CPCSC helps reduce the burden of managing multiple cyber security frameworks. This simplifies compliance, particularly for small and mid-sized businesses, and promotes consistent implementation of cybersecurity best practices across the industry.
6. Stronger Risk Management and Business Resilience
Certification requires robust cyber hygiene practices, including risk assessments, technical controls, and incident response planning. These measures help businesses proactively manage cyber risks, reduce the likelihood of successful attacks, and recover more quickly from incidents.
7. Protection of Controlled Unclassified Information (CUI) and Government Data
CPCSC directly addresses the need to secure controlled unclassified information and other protected government data. This is essential for protecting Canada’s national interests, military projects, and critical technologies from espionage, sabotage, and cybercrime.
Why was the CPCSC developed?
The CPCSC was developed to secure the federal contracting process in order to strengthen the defence supply chain.
When contracting on defence projects, contractors have to deal with sensitive data. But until now, they haven’t been held to the same security clearance standards as the Department of National Defence. As a result, it’s all too common for Canadian companies to be more susceptible to cyber crime because they haven’t allocated enough resources to protect against threats. Companies that become certified under CPCSC will have much stronger security defences in place.
CPCSC makes it clear that information security isn’t just for tech companies – it matters for everybody. Organizations must remember that we all have data that cyber criminals find value in, even if it’s not “ours”.
CMMC and CPCSC
The Canadian government has made significant efforts to establish reciprocity between CMMC and CPCSC. This alignment will make it easier for Canadian contractors to work with US primes or the US Department of Defense, and will enable them to comply with both standards at the same time. Additionally, countries such as New Zealand, Australia, and the UK, which are part of the “Five Eyes” network, are also exploring the development of their own CMMC-like standards.
| Feature | CPCSC (Canada) | CMMC (U.S.) |
|---|---|---|
| Authority | CCCS, DND, SCC | DoD, CMMC-AB |
| Levels | 3 | 3 (updated from 5 in CMMC 1.0) |
| Based on standards | ITSP.10.171, ITSG-33, CSE Top 10 | NIST SP 800-171, DFARS |
| Assessor model | SCC-accredited certification bodies | C3PAOs via CMMC-AB |
| Cross-border status | Partial reciprocity planned | Aligned through Five Eyes collaboration |
Affected businesses will likely need assistance in achieving certification with CPCSC
For a deeper understanding of the significance of the new CPCSC requirements, conduct a self-assessment of your current security policies and systems. You should also know whether or not your business has enough cyber insurance – quantify your liability using this free calculator.
The CPCSC will affect any company seeking to bid or work on select Government of Canada defence contracts. Such companies will be required to be certified under the CPCSC before doing work for the Department of National Defence.
This isn’t such a large departure from bidding requirements. For example, we’re rapidly approaching a point where COR certification is a requirement to win any contract. We’ve been predicting for years that something similar was going to happen with cyber security. Therefore, we expect this will be the first stage of more requirements moving forward.
It’s essential to recognize that it’s not just about technology; it’s about safeguarding all forms of information. Businesses need to consider every aspect, including administrative policies (e.g. a cyber awareness training policy), as well as physical security measures.
📢 Tip: Start with a strong Incident Response Plan (IRP). It’s not only a CPCSC compliance requirement—it’s your first line of defence against real-world threats.