Engaiz

CPCSC — Canadian Program for Cyber Security Certification

Canada’s cyber security certification program for defence suppliers handling sensitive unclassified government information.
  • Canadian Equivalent to CMMC
  • Based on ITSP.10.171
  • Aligned with NIST & CMMC
What is CPCSC?
The Canadian Program for Cyber Security Certification (CPCSC) is the Government of Canada’s cyber security certification program for defence suppliers whose systems, networks and applications handle sensitive unclassified federal information.
CPCSC creates a standardized, risk-based framework—similar to the U.S. CMMC program—that verifies whether suppliers have implemented adequate cyber security controls before they are awarded certain defence contracts.
The program is built around a Canadian industrial cyber security standard (ITSP.10.171 – Protecting Controlled Information in Non-Government of Canada Systems) and is aligned with internationally recognized standards such as NIST SP 800-171 and the U.S. CMMC requirements.
Who Needs Cyber Essentials Certification?

Typical Organisations

  • UK SMEs, IT service providers and SaaS vendors handling client data.
  • Managed service providers (MSPs) and consultancies supporting multiple clients.
  • Charities and non-profits that process personal or sensitive data.
  • Public sector suppliers, including local authorities, NHS suppliers and education institutions.

Why CPCSC Matters

For Canada

  • Protects sensitive unclassified contractual information held by defence suppliers.
  • Strengthens cyber resilience across Canada’s defence industrial base.
  • Supports the National Cyber Security Strategy and related action plans.
  • Aligns with allied requirements (e.g., U.S. CMMC) and maintains access to global defence procurement opportunities.

For Suppliers

  • Becomes a requirement for bidding on or executing select defence contracts.
  • Provides a clear, structured roadmap for improving cyber security maturity.
  • Reduces confusion by using a single Canadian framework recognized by government and primes.
  • Positions suppliers for cross-border opportunities where similar certification is needed.
Who Needs CPCSC Certification?
CPCSC will apply to Canadian and international suppliers that bid on, or work on, selected Government of Canada defence contracts where sensitive unclassified information is handled on contractor systems.
  • Prime contractors bidding on defence procurements that reference CPCSC requirements.
  • Subcontractors and key suppliers who receive, process, store, or transmit sensitive unclassified federal information.
  • IT, engineering, manufacturing, maintenance, and cyber service providers integrated into defence programs.
Requirements will be phased in and tied to the sensitivity and risk profile of each contract.

CPCSC Certification Levels

CPCSC uses a three-level model to match requirements with risk. Higher levels introduce more demanding controls and assessment requirements.

  • Level 1 : Basic Cyber Security – Self Assessment
  • Level 2 : Moderate Cyber Security – Third-Party Assessment
  • Level 3 : Enhanced Cyber Security – National Defence Assessment

CPCSC vs U.S. CMMC — How They Align

| CPCSC | Roughly Comparable CMMC Level | Primary Focus |
| --- | --- | --- |
| Level 1 – Self-Assessment | CMMC Level 1 (Foundational) | Basic safeguarding for less sensitive unclassified contractual information; foundational practices and hygiene. |
| Level 2 – Third-Party Assessment | CMMC Level 2 (Advanced) | NIST 800-171-style controls for protecting controlled information in non-government systems; external certification. |
| Level 3 – National Defence Assessment | CMMC Level 3 (Expert) / Enhanced protection | Higher-tier controls and government-led assessments for critical programs and elevated threat environments. |

At the control level, CPCSC draws heavily on ITSP.10.171 and the same NIST family of standards used by CMMC, allowing suppliers to rationalize their security investments across both Canadian and U.S. requirements.
CPCSC Implementation Timeline & Phased Rollout
CPCSC is being rolled out in phases to give defence suppliers time to understand, implement, and certify against the new Canadian cyber security standard.
  • Phase 1 – March 2025 : New industrial cyber security standard for Levels 1 and 2 released; accreditation ecosystem opens; Level 1 self-assessment tool introduced; initial pilot contracts.
  • Phase 2 – Fall 2025 / Early 2026 : Selected defence contracts begin requiring Level 1 certification via self-assessment; Level 2 assessments piloted on specific contracts; Level 3 framework finalized.
  • Phase 3 – 2026 : Level 2 certification requirements incorporated into more contracts as Level 3 controls are published and initial Level 3 assessments begin.
  • Phase 4 – 2027 and beyond : Level 3 certification required for a small number of high-criticality contracts; CPCSC becomes a normal part of defence procurement requirements.
During early phases, certification may be required at contract award rather than at bidding, but over time CPCSC will become an integral prerequisite for participation in specified defence procurements.
The CPCSC Assessment Ecosystem
CPCSC uses an ecosystem of accredited bodies and government oversight to ensure assessments are consistent, trustworthy, and aligned with international best practices.
  • Standards Council of Canada (SCC) : Accredits third-party assessment organizations (3PAOs) to perform Level 2 assessments, based on ISO/IEC 17020 and the CPCSC scheme.
  • Accredited Certification Bodies : Conduct formal Level 2 assessments and issue certificates of compliance.
  • Department of National Defence : Conducts Level 3 assessments for contracts with elevated national security risk.
  • Public Services and Procurement Canada : Integrates CPCSC requirements into defence contracts and provides program oversight.
The result is a trusted, independently verified standard that assures Canada—and its allies—that defence suppliers meet a consistent cyber security bar.
What Defence Suppliers Should Do Now
  • Confirm whether your current or target contracts are likely to reference CPCSC requirements.
  • Determine which CPCSC level (1, 2, or 3) is most relevant to your business and data exposure.
  • Map your current security controls to ITSP.10.171 / NIST 800-171-style requirements.
  • Perform a readiness gap assessment and build a prioritized remediation plan.
  • Develop or update your System Security Plan (SSP), policies, procedures, and technical standards.
  • Establish evidence collection and documentation practices that support self-assessment and third-party audits.
  • Plan for ongoing monitoring activities to keep certification valid over time.
How ComplySec360 Helps with CPCSC & CMMC
ComplySec360 is built to support both Canadian and U.S. defence cyber programs. It provides a single platform to manage CPCSC, CMMC, and NIST-based requirements, so you don’t maintain separate, disconnected compliance efforts.
  • Unified Control Library : Mapped across ITSP.10.171, NIST 800-171, CMMC, and other frameworks to eliminate duplication.
  • AI-powered Readiness Assessments : Quickly identify gaps for CPCSC Levels 1–3 and CMMC Levels 1–3.
  • Automated Evidence Collection : Integrations with cloud, identity, endpoint, and DevOps tools to pull artefacts automatically.
  • SSP, Policy & Procedure Automation : Generate and maintain Canadian- and U.S.-ready documentation sets from a single source of truth.
  • POA&M and Remediation Tracking : Create, assign, and track remediation tasks with clear ownership and deadlines.
  • Auditor & Assessor Workspace : Provide secure, structured access for third-party assessors and government reviewers.
  • Continuous Monitoring Dashboards : Monitor control status, incidents, vulnerabilities, and evidence freshness across all frameworks.
  • Designed for SMEs & Primes : Scales from small suppliers to large defence primes with pay-as-you-grow pricing.
CPCSC Resources & Downloadable Guides
Use these practical guides to understand scope, assessment activities, and evidence expectations for each CMMC level. Share them with your internal teams and external partners.

CPCSC Level 1 Self-Assessment Guide

CPCSC Level 2 Readiness Checklist

CPCSC • CMMC • NIST Mapping Guide