CPCSC Certification Isn't One-Size-Fits-All. Here's How to Know Which Level You Need.
Not every defence supplier needs the same certification. Here’s how the levels work, what each one requires, and how to figure out where your business fits.
On April 14, 2026, the Government of Canada officially introduced Level 1 of the Canadian Program for Cyber Security Certification, known as CPCSC. Mandatory requirements begin appearing in select defence contracts this summer, with more to follow in 2027. If you hold defence contracts or plan to bid on them, this program applies to you.
CPCSC exists because Canada’s defence supply chain has become a consistent target for cyberattacks. Contractors and subcontractors handle sensitive, unclassified government information every day, and the era of self-declaration as a sufficient security standard is over. The government now requires suppliers to demonstrate that their cybersecurity controls meet a defined standard and to certify that status formally before contracts are awarded.
The program is organized into three tiers, each calibrated to the sensitivity of the work involved. Most suppliers will operate at Level 1 or Level 2. Level 3 applies to a narrow set of high-risk national security programs. Which tier applies to you depends on the type of information you handle and the nature of your contracts.
Here’s how each level works.
Level 1: The Baseline Every Defence Supplier Needs
Level 1 is the entry point. It became available to suppliers on April 1, 2026, and mandatory requirements begin appearing in select defence contracts starting Summer 2026.
At this level, suppliers complete an annual self-assessment confirming that they meet 13 security controls drawn from the Canadian industrial cybersecurity standard, ITSP.10.171. The controls are adapted from NIST Special Publication 800-171, the same framework underpinning the U.S. Cybersecurity Maturity Model Certification. They cover foundational practices most organizations recognize, even if they haven’t formally documented them: managing who can access your systems, verifying users and devices, protecting data and equipment, controlling how external systems connect to your environment, and defending against common cyber threats.
The Government of Canada has published an online self-assessment tool to guide suppliers through the process. For organizations that already have a reasonable handle on their security posture, the assessment can take less than an hour.
One important timing detail: Level 1 certification is required at contract award, not during the bidding process. That sounds like breathing room. It isn’t. Winning a contract and then scrambling to complete a self-assessment creates unnecessary risk. The better approach is to complete it before a contract requirement shows up.
Who needs Level 1: Practically every supplier participating in Government of Canada defence contracts. If you’re bidding on defence work or already hold defence contracts, this level applies to you.
Level 2: Third-Party Verification for Higher-Stakes Work
Level 2 is where the program shifts from self-attestation to external validation. It is scheduled to be incorporated into select defence contracts beginning Spring 2027.
At Level 2, an accredited third-party assessment organization, certified through the Standards Council of Canada, evaluates whether your organization has implemented the required cybersecurity controls. The assessment covers 98 controls rather than 13, and certification must be renewed every three years with an annual affirmation in between.
This level is triggered when a contract involves controlled defence information or more complex, cyber-sensitive work. In practice, that means Level 2 applies to suppliers handling information that goes beyond general unclassified content: subcontractors embedded in major defence programs, organizations with access to sensitive procurement details, or companies building or maintaining systems that touch sensitive government infrastructure.
Preparation for Level 2 is substantially more involved than for Level 1. It requires organizations to have a documented System Security Plan, a clear understanding of their control implementation status across all 98 requirements, and evidence that supports the assessor’s review. Scheduling an accredited assessment body takes time as well. The Standards Council of Canada began accepting applications from certification bodies in 2026, and assessor availability will be a real constraint as demand increases ahead of the 2027 mandate.
For suppliers with prior investments in frameworks like ISO 27001, SOC 2, or existing NIST-aligned controls, Level 2 is a meaningful exercise but not a starting-from-scratch one. The work you’ve already done maps to a significant portion of what’s required. The gap is typically in documentation and formal assessment readiness, not in the underlying security practices themselves.
Who needs Level 2: Suppliers handling controlled defence information, subcontractors embedded in major defence programs, and any organization whose contract scope involves more sensitive government systems or data.
Level 3: Reserved for the Highest-Risk Programs
Level 3 applies to a narrow set of defence work, and most suppliers in Canada’s broader defence industrial base will never need it.
At this level, the assessment is conducted directly by the Government of Canada, specifically by National Defence, rather than by a third-party certification body. It covers 200 controls and applies to the most sensitive defence programs, including those involving weapons systems, critical infrastructure, and information shared with Five Eyes intelligence partners. Like Level 2, it requires reassessment every three years with an annual affirmation.
If Level 3 applies to your work, you’ll know. It will be clearly identified in Requests for Proposals and contract clauses.
Who needs Level 3: Organizations working on weapons platforms, Five Eyes-linked programs, or contracts involving the most sensitive categories of national security information.
How to Figure Out Which Level Applies to You
The government determines the required certification level on a contract-by-contract basis through a Cyber Security Risk Assessment process. The required level will be specified in the RFP and contract documentation. You won’t need to guess; it will be stated.
That said, waiting for an RFP to tell you where you stand is the wrong posture. The better approach is to assess your readiness now against the level you’re most likely to need, and close the gap before a contract deadline creates pressure.
A few questions can help point you in the right direction:
Does your work involve sensitive, unclassified government information? If the answer is yes, Level 1 applies, and your self-assessment should already be underway.
Are you handling controlled defence information, or are you embedded in a program where sensitive contract details flow through your systems? Level 2 readiness should be on your roadmap now, ahead of the Spring 2027 mandate.
Are you working on, or planning to bid on, programs involving weapons systems or Five Eyes-linked intelligence? Confirm with your contracting authority whether Level 3 applies.
For most Canadian defence suppliers, the practical question right now is not whether to pursue certification, but how quickly they can close the gap between where their cybersecurity program sits today and where it needs to be. Level 1 is the immediate priority. Level 2 readiness is the medium-term one.
The Levels Build on Each Other
CPCSC levels are additive. The 13 controls required at Level 1 are a subset of the 98 required at Level 2, which in turn are a subset of the 200 required at Level 3. Work you do at one level isn’t discarded at the next. It becomes the foundation for what follows.
That has a practical implication. Organizations that approach Level 1 with Level 2 already in mind, particularly those handling or expecting to handle controlled defence information, will find the transition significantly smoother. Getting your documentation, control implementation, and internal policies pointed in the right direction from the start is far less disruptive than retrofitting them later under deadline pressure.
Level 1 is in effect. The Standards Council of Canada is building out the certification body infrastructure for Level 2 now, ahead of the 2027 mandate. The time to get oriented is before a contract clause forces the issue.
If you’re unsure where your organization fits within the framework, or want to understand what a readiness assessment would involve, the team at SAV Associates is happy to help you think it through.
SAV Associates | Cybersecurity Assurance & Advisory | savassociates.ca