Canadian defence and federal contractors are starting to face new cybersecurity compliance requirements under the Canadian Program for Cyber Security Certification (CPCSC).
Developed by the Canadian Centre for Cyber Security, CPCSC is Canada’s counterpart to the U.S. DoD’s CMMC.
Phase 1 was launched in March 2025 – here is the latest on the introduction of Level 1:
- The Honourable Joël Lightbound, Minister of Government Transformation, Public Works and Procurement and Quebec Lieutenant, announced in April 2026 the introduction of Level 1 of the Canadian Program for Cyber Security Certification (CPCSC), which will be required in select defence contracts beginning in Summer 2026.
- To become certified, suppliers will complete, and attest to meeting, all Level 1 criteria. It is the first of three levels of certification to be introduced in the coming years.
- Leaders should start preparing now to ensure their teams understand the requirements and can demonstrate compliance when contracts are awarded.
This article outlines CPCSC’s rollout phases, certification levels, strategic implications, and how to start preparing today. For the most up-to-date information, please visit the official Government of Canada website, “Cyber security certification for defence suppliers in Canada”.
What is the CPCSC?
The CPCSC is a national cyber security certification framework for contractors handling protected government information, particularly in the defence sector. Modeled after the U.S. CMMC, CPCSC is tailored to Canadian standards, including ITSP.10.171 and ITSG-33. It supports Canada’s cyber resilience goals and safeguards Controlled Unclassified Information (CUI).
CPCSC Rollout Timeline
On April 14, 2026, per a Government of Canada news release, the Honourable Joël Lightbound, Minister of Government Transformation, Public Works and Procurement and Quebec Lieutenant, announced the introduction of Level 1 of the CPCSC which will be required in select defence contracts beginning in Summer 2026. To become certified, suppliers will complete, and attest to meeting, all Level 1 criteria. It is the first of three levels of certification to be introduced in the coming years.
Changes to the certification requirements will be introduced in a phased approach to give suppliers and the cyber security community time to adapt. During the initial phase, certification will not be required throughout the bidding process; rather, it will be required only upon contract award.
• Phase 1 (March 2025 – March 2026): Launch of CPCSC Levels 1–2 standards and self-assessment tool. SCC begins accrediting third-party assessment bodies.
A new cyber security standard for levels 1 and 2 will be available for businesses, with a level 1 self-assessment tool to be launched by full program implementation. The Standards Council of Canada will start accepting applications from organizations that want to become certification bodies to support the evaluation and certification of standard compliance. Support systems will be set up to help businesses get level 2 certification through third-party assessments.
• Phase 2 (April 2026 – March 2027): Level 1 required for some contracts; pilot testing for Level 2
As announced April 14, 2026, the introduction of Level 1 will be required in select defence contracts beginning in Summer 2026. To become certified, suppliers will complete, and attest to meeting, all Level 1 criteria.
• Phase 3 (April 2027 – March 2028): Some contracts require Level 2; Level 3 standards published.
While some defence contracts will start requiring level 2 certification, level 3 certification will officially begin following publication of the additional level 3 controls.
Public Services and Procurement Canada (PSPC) completed a request for information (RFI) process in June 2024. Companies that took part in the RFI had the chance to “significantly influence the development and implementation of the program.”
It’s encouraging for defence contractors that PSPC conducted the RFI process. This indicates that suppliers had an opportunity to contribute to shaping policies that prioritize the security of both their organizations and the Government.
There are three CPCSC Certification Levels
As currently written, there will be three levels of certification that companies will need to attain before bidding on these projects, which will in turn improve their information security posture. Please refer to the guidelines provided by the Government of Canada for the most up-to-date information.
The new requirements, which also provide protection for the federal government’s unclassified contractual information, are broken down into three certification levels:
- Level 1: requires annual cyber security self-assessments (13 controls). Read more here: “How to meet Level 1 cyber security certification requirements”
- Level 2: requires external cyber security assessments led by an accredited certification body, plus an annual affirmation (98 controls)
- Level 3: requires high-level cyber security assessments conducted by National Defence, plus an annual affirmation (200 controls)
To cover all the bases, you’ll need to engage with your Chief Information Security Officer (CISO), or a company that provides virtual CISO (vCISO) services. Risk assessments, analyses and validation of technical controls, strategy development and execution, executive-level reporting – all support achieving CPCSC certification.
Key benefits of CPCSC certification for businesses
The CPCSC aligns with the National Cyber Security Action Plan and the National Cyber Security Strategy, while helping suppliers improve their resilience to cyber threats, better manage risks, and ensure a more secure supply chain.
The Canadian Program for Cyber Security Certification (CPCSC) delivers critical advantages for both the Government of Canada and defence suppliers by enhancing national cyber resilience and strengthening Canada’s position in global defence markets.
1. Improved Cyber Security for the Canadian Defence Supply Chain
CPCSC establishes a standardized cybersecurity framework across the defence industrial base. By enforcing consistent security requirements for contractors handling sensitive government information, the program reduces the risk of cyberattacks, data breaches, and supply chain vulnerabilities.
2. Alignment with Canada’s National Cyber Security Strategy
CPCSC supports Canada’s National Cyber Security Strategy and the National Cyber Security Action Plan. The program ensures that federal defence contractors implement security controls aligned with Canadian-specific regulatory and privacy standards, including ITSP.10.171 and ITSG-33.
3. Enhanced Competitiveness for Canadian Defence Contractors
CPCSC certification will soon become a requirement to bid on select Government of Canada defence contracts. Early adopters will gain a competitive advantage in federal procurement by demonstrating compliance with rigorous cybersecurity standards, boosting credibility and trust.
4. Increased Access to International Defence Opportunities
CPCSC aligns with international cybersecurity frameworks, such as the U.S. Cybersecurity Maturity Model Certification (CMMC). This strategic alignment helps Canadian contractors working with U.S. primes or within the Five Eyes alliance meet cross-border compliance requirements, increasing access to global defence supply chains.
5. Streamlined Compliance Through a Unified Cybersecurity Framework
By creating a single national standard, CPCSC helps reduce the burden of managing multiple cyber security frameworks. This simplifies compliance, particularly for small and mid-sized businesses, and promotes consistent implementation of cybersecurity best practices across the industry.
6. Stronger Risk Management and Business Resilience
Certification requires robust cyber hygiene practices, including risk assessments, technical controls, and incident response planning. These measures help businesses proactively manage cyber risks, reduce the likelihood of successful attacks, and recover more quickly from incidents.
7. Protection of Controlled Unclassified Information (CUI) and Government Data
CPCSC directly addresses the need to secure controlled unclassified information and other protected government data. This is essential for protecting Canada’s national interests, military projects, and critical technologies from espionage, sabotage, and cybercrime.
Why was the CPCSC developed?
The CPCSC was developed to secure the federal contracting process, in order to strengthen the defence supply chain.
When contracting on defence projects, contractors have to deal with sensitive data. But until now, they haven’t been held to the same security clearance standards as the Department of National Defence. So, it’s all too common for Canadian companies to be more susceptible to cyber crime because they haven’t allocated enough resources to protect against threats. Companies that become certified for CPCSC will have much stronger security defences in place.
CPCSC makes it clear that information security isn’t just for tech companies – it matters for everybody. Organizations must remember that we all have data that cyber criminals find value in, even if it’s not “ours”.
CMMC and CPCSC
The Canadian government has made significant efforts to establish reciprocity between CMMC and CPCSC. This alignment will make it easier for Canadian contractors to work with US primes or the US Department of Defense. It will also enable them to comply with both standards at the same time. Additionally, countries such as New Zealand, Australia, and the UK—part of the “Five Eyes” network—are also exploring the development of their own CMMC-like standards.
| Feature | CPCSC (Canada) | CMMC (U.S.) |
|---|---|---|
| Authority | CCCS, DND, SCC | DoD, CMMC-AB |
| Levels | 3 | 3 (updated from 5 in CMMC 1.0) |
| Based on Standards | ITSP.10.171, ITSG-33, CSE Top 10 | NIST SP 800-171, DFARS |
| Assessor Model | SCC-accredited certification bodies | C3PAOs via CMMC-AB |
| Cross-border status | Partial reciprocity planned | Aligned through Five Eyes collaboration |
Affected businesses will likely need assistance in achieving certification with CPCSC
For a deeper understanding of the significance of the new CPCSC requirements, conduct a self-assessment of your current security policies and systems. You should also know whether or not your business has enough cyber insurance – quantify your liability using this free calculator.
The CPCSC will affect any company seeking to bid or work on select Government of Canada defence contracts. They will be required to be certified under the CPCSC before doing work for the Department of Defence.
This isn’t such a large departure from bidding requirements. For example, we’re rapidly approaching a point where COR certification is a requirement to win any contract. We’ve been predicting for years that something similar was going to happen with cyber security. Therefore, we expect this will be the first stage of more requirements moving forward.
It’s essential to recognize that it’s not just about technology; it’s about safeguarding all forms of information. Businesses need to consider every aspect, including administrative policies (e.g., a cyber awareness training policy) as well as physical security measures.
📢 Tip: Start with a strong Incident Response Plan (IRP). It’s not only a CPCSC compliance requirement—it’s your first line of defence against real-world threats.




