CPCSC: Canada’s new certification for defence suppliers

The Canadian Program for Cyber Security Certification started appearing in select DND contracts in summer 2026. If your pipeline touches Canadian defence work, this is now a bid-eligibility question.

What it is

CPCSC is the Government of Canada's cyber certification for suppliers handling specified information in defence contracts. Its underlying standard is ITSP.10.171 — the Canadian Centre for Cyber Security's adaptation of NIST SP 800-171 Rev 3 — which makes it Canada's counterpart to the US CMMC program.

Three levels: Level 1 is an annual self-assessment against 13 baseline controls, attested through the government's online tool. Level 2 is a third-party assessment every three years against the full ITSP.10.171 control set, by a certification body accredited through the Standards Council of Canada. Level 3, for the most sensitive work, is assessed by National Defence directly.

Who actually needs it

Companies bidding on — or subcontracting into — Government of Canada defence contracts that involve specified information. Level 1 clauses began appearing in select DND contracts in summer 2026; Level 2 requirements arrive in select contracts from spring 2027. The requirement is a contract gate: no certification, no eligibility, no grace period once the clause applies.

What it takes

Level 1 is genuinely light for a company with basic security hygiene — 13 controls and an annual attestation, due at contract award. Its real value is diagnostic: if Level 1 feels hard, that says something important about your Level 2 readiness.

Level 2 is a different animal: the full control set, externally assessed, with the scoping decision — enclave or whole company — as the single biggest cost driver. Realistic readiness timelines run six to twelve months, so companies with a 2027 defence pipeline should be doing gap assessments now.

How it maps to what you may already have

If CMMC is also in your future, read the full analysis: CPCSC vs CMMC — the Canadian supplier's guide to doing both. The short version: same NIST 800-171 roots, zero mutual recognition, one revision-gap trap (Rev 3 here, Rev 2 there) — build one program to the newer baseline and treat both certifications as wrappers. A SOC 2 or ISO 27001 program gives you a meaningful head start on the control set.

The Canadian angle

The program itself is Canadian by design, but note the data-sovereignty layer: specified information is expected to remain under Canadian jurisdictional control. If your environment runs on US-headquartered cloud services, that raises real questions about deployment regions, encryption key custody, and CLOUD Act exposure that contractual assurances don't answer. Solve it architecturally and the same answer serves your non-defence enterprise customers, who increasingly ask the same question.

How I help

Scoping decisions, the Level 1 self-assessment as a diagnostic, and a Level 2 readiness roadmap sequenced against your actual contract dates — including the build-once-attest-twice structure if CMMC is also coming. This runs through the compliance readiness engagement.

A CPCSC clause in your pipeline?

The next step is a 30-minute conversation — no pitch, no obligation. An honest read on where you stand and what actually matters next.