Canadian Program for Cyber Security Certification (CPCSC) Services

The Canadian Program for Cyber Security Certification (CPCSC) is Canada’s federal cyber certification program for defence suppliers and related contractors. As a Canadian CPA firm and ISO certification body, we help organizations understand CPCSC, align their cyber controls, and prepare for third‑party assessments in a way that supports both compliance and business resilience.

CPCSC is Canada’s answer to programs like the U.S. CMMC, designed to protect sensitive government information across the defence supply chain through clear, risk‑based cyber security requirements.

What is CPCSC?

The Canadian Program for Cyber Security Certification (CPCSC) is a federal initiative that defines cyber security requirements for companies handling sensitive defence information for the Government of Canada. It establishes a multi‑level certification framework that suppliers must meet to bid on and perform certain defence contracts, with independent assessments by accredited organizations and oversight by the Government of Canada.

CPCSC is based on ITSP.10.171 (Protecting Controlled Information in Non‑Government of Canada Systems) and draws from standards such as NIST SP 800‑171 to define technical and organizational controls. The program is being rolled out iteratively, with ongoing engagement and phased adoption in defence procurements starting in 2025.

Who Needs CPCSC?

CPCSC applies to companies that want to work on designated defence contracts where they will handle sensitive government information, including controlled information related to Canada’s defence supply chain. This includes:

  • Prime contractors bidding directly on Department of National Defence (DND) and related federal defence contracts.

  • Subcontractors and suppliers that support those primes and handle controlled information as part of contract delivery.

  • Canadian and foreign companies participating in Canada’s defence industrial base and critical supply chains.

Over time, CPCSC certification will become a prerequisite for many defence procurements, similar to how CMMC is embedded in U.S. Department of Defense contracts. Suppliers that cannot demonstrate the appropriate CPCSC level may face barriers to bidding, contract award, and ongoing eligibility.

CPCSC Requirements and Levels

CPCSC uses a three‑level model, with progressively stronger requirements and assurance as the risk and sensitivity of information increase.

| CPCSC Level | Target data | Typical assessment type | Core requirements & focus |
| --- | --- | --- | --- |
| Level 1 | Baseline cyber hygiene for lower‑risk defence contracts. | Annual cyber security self‑assessment by the supplier. | Foundational controls to protect controlled information in non‑GC systems; structured self‑evaluation and documentation. |
| Level 2 | Enhanced controls for higher‑risk contracts and more sensitive data. | Third‑party assessment by an accredited certification body (3PAO) recognized by the Standards Council of Canada. | More comprehensive implementation of ITSP.10.171 / NIST‑aligned controls, with independent verification and evidence‑based reviews. |
| Level 3 | Highest assurance for the most sensitive or mission‑critical contracts. | Government‑led assessments conducted by the Department of National Defence. | Advanced cyber resilience and oversight, including robust monitoring, incident management, and governance of critical systems. |

CPCSC is risk‑based: the level applicable to your organization will be determined by the risk profile of the work, not only by the type of data, and that methodology is still being refined by the federal government. Program guidance continues to evolve as standards, tools (like Level 1 self‑assessment), and accreditation schemes for certification bodies are finalized.

Important note: Detailed requirements and accreditation criteria for certification bodies and assessors are still being finalized and may be updated as the program matures.

SAV's CPCSC Services

We help defence suppliers prepare for CPCSC in a way that leverages existing investments in ISO, SOC, and other cyber frameworks.

Our CPCSC‑related services include:

  • CPCSC readiness assessments
    High‑level and detailed gap analyses against emerging CPCSC levels and underlying standards (e.g., ITSP.10.171, NIST SP 800‑171), tailored to your contracts and risk profile.

  • Control design and remediation roadmaps
    Practical recommendations and prioritized remediation plans to close identified gaps, integrated with your current security program and business constraints.

  • Policy, procedure, and evidence development
    Support in drafting and upgrading policies, SOPs, and evidence packages that will be needed for self‑assessments or third‑party reviews at CPCSC Levels 1 and 2.

  • Mock CPCSC assessments / simulations
    Pre‑assessment reviews that simulate a Level 2 third‑party audit, preparing your team, documentation, and systems for formal certification.

  • CPCSC–CMMC–ISO mapping and integration
    Cross‑walking CPCSC requirements with CMMC, ISO 27001, and SOC 2 so that control sets are unified, not duplicated, across multiple jurisdictions.

While formal CPCSC certifications at Level 2 and 3 will ultimately be conducted by accredited third‑party assessment organizations and DND, advisory and readiness work are critical to achieving certification efficiently.

The CPCSC Assessment Journey

CPCSC will operate as an ongoing certification lifecycle rather than a one‑time checklist.

Typical steps include:

  1. Determine applicable CPCSC level
    Review your current and target defence contracts, information types, and risk profile to identify which CPCSC level is likely to apply.

  2. Conduct a self‑assessment / readiness review
    For Level 1, complete the official self‑assessment tool once released; for higher levels, perform an internal or assisted gap assessment against CPCSC controls.

  3. Develop documentation and remediation plans
    Prepare or update your cyber security program documentation, including control narratives, risk assessments, and remediation plans aligned with ITSP.10.171 and related guidance.

  4. Implement and test controls
    Roll out technical, administrative, and physical controls; train staff; and test effectiveness through internal reviews and mock audits.

  5. Engage with a certification body (for Level 2)
    When the certification body framework is fully operational, coordinate with an accredited 3PAO and prepare evidence for their assessment.

  6. Undergo formal assessment and maintain certification
    Complete the required assessment (self, third‑party, or government), address any findings, and maintain controls and documentation for ongoing certification cycles.

Because CPCSC is still rolling out, timelines, tools, and detailed criteria may change; staying current with federal guidance is essential.

Why Work With a Canadian CPA and ISO Certification Body?

CPCSC sits at the intersection of cyber security, assurance, and public‑sector procurement, which is where our experience is strongest.

We offer:

  • Assurance‑grade perspective
    As a CPA firm, we understand evidence, documentation, and testing approaches that stand up to external audit and government scrutiny.

  • Framework integration
    As an ISO certification body and cyber audit firm, we help you align CPCSC with ISO 27001, CMMC, SOC 2, and other frameworks, reducing overlap and cost.

  • Defence and supply‑chain focus
    Our work is rooted in defence, aerospace, and critical supply‑chain environments, where contractual obligations and security expectations are tightly linked.

Get Started

If you support Canada’s defence sector—or plan to—now is the time to understand how CPCSC will affect your eligibility and what steps you can take to be ready. Contact us to schedule a CPCSC readiness discussion. We will:

  • Clarify which CPCSC level is likely to apply to your business.

  • Assess where your current cyber program stands against emerging expectations.

  • Build a pragmatic roadmap to prepare for CPCSC while leveraging your existing ISO, SOC, and CMMC work.