Canada Just Made CPCSC Mandatory. Your Next Defence Contract Depends on It
Level 1 certification landed in select defence contracts yesterday. Here’s what that means for your business and what you need to do before summer.
On April 14, 2026, the Government of Canada formally introduced Level 1 of the Canadian Program for Cyber Security Certification. Level 1 will be required in select defence contracts beginning in Summer 2026. To become certified, suppliers must complete and attest to meeting all Level 1 criteria. That’s not a distant deadline. For companies that haven’t started preparing, it’s closer than it looks.
CPCSC has been years in the making, but it’s now operational. Here’s what it is, why it matters, and what defence suppliers need to do before the window closes.
The Program at a Glance
Canada’s defence supply chain has long operated on a degree of trust. If you were a software developer in Waterloo or a systems integrator in Calgary, attesting that your cybersecurity practices met a reasonable standard was largely enough to stay in the procurement game. That era is over.
The Canadian defence industry faces regular cyberattacks aimed at contractors and subcontractors, putting unclassified federal information at risk. CPCSC is the government’s structured response to that reality. The program is administered by Public Services and Procurement Canada, with support from the Department of National Defence, the Standards Council of Canada, the Canadian Centre for Cyber Security, and Treasury Board Secretariat.
The program’s mandatory cybersecurity certification requirements are made up of three levels:
- Level 1 requires an annual cybersecurity self-assessment;
- Level 2 requires external cybersecurity assessments led by an accredited certification body; and
- Level 3 requires cybersecurity assessments conducted by National Defence.
If you’re a supplier handling sensitive unclassified government information, this program applies to you. The question isn’t whether you’ll need to comply. It’s whether you’ll be ready when a contract clause or a prime contractor requirement shows up in front of you.
How the Rollout Is Structured
Understanding the phased implementation matters because the deadlines are real and the sequencing is unforgiving.
Phase 1, launched in March 2025, released a new Canadian industrial cybersecurity standard, opened the accreditation process, and introduced a self-assessment tool for Level 1 certification, helping businesses understand the program before a wider rollout.
Phase 2, originally scheduled for Fall 2025, saw some defence contracts begin requiring Level 1 certification through self-assessment, with Level 2 certification tested in certain defence contracts. Implementation timelines shifted somewhat, but the direction has not.
Level 1 became available to suppliers on April 1, 2026, with mandatory requirements introduced in select defence contracts beginning Summer 2026. Level 2 will be added to select defence contracts beginning in Spring 2027, intended for contracts involving controlled defence information or more complex cyber-sensitive work. Level 3, reserved for the highest-risk programs involving weapon systems and Five Eyes intelligence sharing, follows after that.
What this means practically: if you’re planning to bid on defence work in the second half of 2026, your Level 1 self-assessment should already be underway. If you’re handling controlled defence information or working with prime contractors who are, Level 2 readiness needs to be on your roadmap now.
The Connection to CMMC
If you’ve been tracking the U.S. Department of Defense’s Cybersecurity Maturity Model Certification program, CPCSC will look familiar. Canadian industrial cybersecurity standards are technically identical to the 172 controls in NIST Special Publications 800-171 and 800-172, which form the backbone of the U.S. CMMC program.
That alignment is deliberate. Canada and the U.S. share deeply integrated defence procurement relationships, and standardizing on the same underlying controls makes cross-border contracting more coherent. The CPCSC gives Canadian suppliers a clear, domestic pathway to meet expectations already required to access the U.S. defence market, and Canada may accept a contractor’s valid CMMC status on a case-by-case basis.
For Canadian suppliers already working with U.S. primes or bidding on U.S. contracts, CPCSC readiness and CMMC readiness are largely the same work. Getting ahead of CPCSC now positions you for CMMC requirements at the same time. Familiarity with NIST-aligned frameworks is a head start. It’s not a substitute for CPCSC compliance.
Why This Is a Revenue Protection Issue
Most executives reading this understand cybersecurity risk in the abstract. The more immediate issue for defence suppliers is operational. Once a contract clause requires certification and you can’t produce it, you don’t get the contract. When a prime contractor is building out its supply chain and a subcontractor can’t demonstrate compliance, that subcontractor gets replaced. The risk isn’t theoretical. It’s lost revenue, lost relationships, and displacement from programs that can take years to re-enter.
In its National Cyber Threat Assessment 2025-2026, the Canadian Centre for Cyber Security states that Canada is confronting an expanding and complex cyber threat landscape and that attacks against digital supply chains will almost certainly continue in the next two years. CPCSC is how the government intends to harden that landscape. Compliance is how suppliers stay in the game.
The program is also designed to maintain Canadian industry’s access to international procurement opportunities with similar cybersecurity certification requirements. For companies entering the defence supply chain for the first time, certification is not just a compliance threshold. It’s a qualifier that opens doors with both Canadian and allied procurement bodies.
What the Certification Levels Actually Require
Level 1 is the baseline. It requires that suppliers identify the implementation status of 13 security requirements and controls, with the Government of Canada providing an online self-assessment tool to help suppliers understand the requirements. The controls are drawn from NIST 800-171, and while the self-assessment process is designed to be accessible, organizations without a clear picture of their current cybersecurity posture will find it difficult to complete accurately and confidently.
Level 2 is where third-party verification comes in. Level 2 assessments will be conducted by accredited third-party assessment organizations through the Standards Council of Canada, evaluating an organization’s implementation of the required cybersecurity controls. This level applies when a contract involves handling controlled defence information or more complex cyber-sensitive work. Third-party assessments take time to schedule and prepare for. Organizations that assume they can compress this into a few weeks will find themselves without a certified assessor and with a contract deadline looming.
Level 3 is reserved for the highest-risk scenarios, with assessments conducted by the Government of Canada rather than third parties. This level applies to sensitive work that may involve weapon systems, critical infrastructure access, or sensitive information shared with Five Eyes partners. Most suppliers in the broader defence industrial base will not need to pursue Level 3, but subcontractors in high-priority national security programs should confirm whether it applies to their work.
Where Most Suppliers Are Getting Stuck
The honest challenge for most Canadian defence suppliers is not an unwillingness to comply. It’s a lack of internal expertise to interpret what compliance actually requires. Many organizations have IT teams that manage day-to-day security operations but have never mapped their controls against NIST 800-171, documented a System Security Plan, or prepared for a third-party cybersecurity assessment.
This isn’t a criticism. It’s simply a different kind of work than keeping systems running. The gap between operational IT security and certified compliance readiness is real, and closing it requires a structured approach: understand where you currently stand, identify what controls are missing or undocumented, build a remediation roadmap, and then prepare for the assessment itself.
It’s also worth noting that during the initial phase, certification will not be required throughout the bidding process, but only upon contract award. That sounds like breathing room. It isn’t. Winning a contract and then scrambling to certify before the award is finalized is not a strategy. The time to prepare is before you’re in that position.
The phased approach is designed to give both the government and businesses the necessary time and resources to adapt to evolving cybersecurity standards. But that window assumes you’re moving. Suppliers who wait for a contract requirement to trigger the work will be scrambling.
The Bottom Line
CPCSC is not a future regulatory concern. It’s a present one. Level 1 is required in select defence contracts starting this summer. Level 2 requirements arrive in 2027. The accreditation infrastructure is live. The certification bodies are coming online.
The suppliers that will compete effectively in Canada’s defence procurement landscape over the next three years are the ones treating cybersecurity certification as a business priority today, not a compliance exercise for later.
If you have questions about what CPCSC means for your organization, or want to understand where you stand against Level 1 or Level 2 requirements, reach out to the team at SAV Associates. We work with defence suppliers and technology companies navigating cybersecurity certification, and we’re happy to talk through what the path forward looks like for your situation.