CPCSC vs CMMC: the Canadian supplier’s guide to doing both
If your company sells — or wants to sell — into both Canadian and American defence supply chains, 2026 is the year the paperwork got real on both sides of the border. Canada’s CPCSC began appearing in select DND contracts this summer. The US CMMC program has been landing in DoD solicitations since last November, with its stricter second phase arriving this November.
Here’s the situation in one sentence: the two programs are built on essentially the same security controls, they were deliberately designed to align, and yet there is no mutual recognition between them — certifying for one gets you exactly nothing, formally, toward the other.
That sounds like bureaucratic bad news, and administratively it is. But if you approach it correctly, it’s mostly one engineering and governance effort with two attestation processes bolted on top. This post explains how the programs differ, where the traps are, and how to sequence the work so you don’t build everything twice.
The short version
- CPCSC (Canadian Program for Cyber Security Certification) governs suppliers handling specified information in Government of Canada defence contracts. Level 1 — an annual self-assessment against 13 baseline controls — became available in April 2026 and is being written into select DND contracts starting this summer. Level 2, a third-party assessment against the full control set, enters select contracts in spring 2027.
- CMMC (Cybersecurity Maturity Model Certification) governs contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) in US DoD contracts. Its contract clauses went live in November 2025. Phase 2 begins November 10, 2026, when third-party (C3PAO) assessments become the standard requirement for Level 2 contracts involving CUI.
- Both are contract gates. In both countries, if the clause is in the contract and you don’t hold the required status, you are not eligible. There is no partial credit and no grace period once the clause applies to you.
- Both are ultimately built on NIST SP 800-171. Canada’s underlying standard, ITSP.10.171, is the Canadian Centre for Cyber Security’s adaptation of it. The controls overlap heavily — but the certifications are entirely separate.
What each program actually requires
CPCSC has three levels. Level 1 is a self-assessment: you evaluate your implementation of 13 security requirements drawn from ITSP.10.171 and attest annually through the Government of Canada’s online tool. No external assessor. When a contract requires Level 1, the attestation is due at contract award, not during bidding — a small mercy that gives you the bid period to close gaps, though counting on that window is a strategy I’d call brave.
Level 2 requires an external assessment every three years by a certification body accredited through the Standards Council of Canada, covering the full ITSP.10.171 control set. It’s intended for contracts involving controlled defence information or more sensitive work, and starts appearing in contracts in spring 2027. Level 3 is reserved for the most sensitive scenarios — think weapon systems or Five Eyes information — and is assessed by National Defence directly.
CMMC also has three levels. Level 1 covers companies handling only FCI: fifteen basic safeguards, self-assessed annually. Level 2 is the one that matters for most suppliers with real technical involvement: the 110 requirements of NIST SP 800-171, assessed — from Phase 2 onward — by an accredited third-party assessment organization (C3PAO), with results reported into the DoD’s Supplier Performance Risk System (SPRS). Certifications are valid for three years, with annual affirmations in between. Level 3 adds two dozen enhanced requirements from NIST SP 800-172 and a government-led assessment, for the most critical programs.
One practical note on CMMC that surprises people: a “conditional” Level 2 status is possible — you can be awarded with an open Plan of Action & Milestones, but you get 180 days to close it out. That’s a scoping and prioritization exercise, not an escape hatch.
The overlap — and the trap
Ottawa was explicit that CPCSC was designed to harmonize with US requirements, and it shows: ITSP.10.171’s controls are technically aligned with NIST SP 800-171, the same standard underneath CMMC Level 2. The two governments share the goal of interoperable supply-chain security across allies.
So the natural assumption — “we’ll get certified once and it’ll count in both places” — is wrong, and it’s the single most expensive misunderstanding a company can carry into this. There is currently no mutual recognition. A CMMC Level 2 certificate does not satisfy a CPCSC Level 2 clause, and vice versa. You will complete two attestation or assessment processes, maintain two sets of affirmations, and deal with two accreditation ecosystems.
There’s a second, subtler trap: the revision gap. CMMC Level 2 currently assesses against NIST SP 800-171 Revision 2 — the familiar 110 requirements. ITSP.10.171 is Canada’s adaptation of Revision 3, which restructured the catalogue (which is why you’ll see CPCSC materials reference 97 controls rather than 110). Rev 3 isn’t dramatically different in substance, but it is organized differently, includes updated requirements, and most of the compliance guidance floating around online still assumes Rev 2. If your gap assessment, policies, and evidence library are all keyed to Rev 2 control numbers, mapping them to a Rev 3-derived standard is straightforward — but it’s real work someone has to actually do, and it’s where a purely tool-driven compliance effort tends to quietly fall over.
Add one more Canadian wrinkle: data sovereignty. Specified information under CPCSC is expected to remain under Canadian jurisdictional control, which raises real architectural questions if your environment runs on US-headquartered cloud services — questions about deployment region, encryption key custody, and legal exposure under the US CLOUD Act that a contractual assurance doesn’t answer. Enterprise customers outside defence are starting to ask the same questions, so solving this properly pays off beyond these programs.
Build once, attest twice
The right mental model: one security program, two certification wrappers. In practice, for a company that needs (or will need) CMMC Level 2 and CPCSC Level 2:
- Scope ruthlessly first. The single biggest cost driver in both programs is the boundary of the assessed environment. Most small and mid-sized suppliers should seriously evaluate an enclave approach — a contained environment where FCI/CUI/specified information lives, so the whole company doesn’t fall in scope. Decide this before buying tools or writing policies, because everything downstream depends on it.
- Implement to the stricter, newer baseline. Build your control set against NIST SP 800-171 Rev 3 / ITSP.10.171, and maintain a mapping back to Rev 2’s 110 requirements for CMMC purposes. That way the CMMC side is a mapping exercise on top of a current program, rather than the Canadian side being a retrofit on top of an aging one. (When CMMC eventually moves to Rev 3 — and the direction of travel is clear — you’ll already be there.)
- Build one evidence library. System Security Plan, policies, and evidence should be written once, tagged to both control catalogues. Two thin, framework-specific overlays on one body of truth. This is also the structure that later absorbs SOC 2 or ISO 27001 with marginal effort instead of another standalone project.
- Sequence by your actual pipeline. If your near-term revenue is DND, CPCSC Level 1 is cheap and fast — do it now, and prepare for Level 2 against the spring 2027 horizon. If your near-term revenue is US DoD (directly or as a subcontractor — primes are actively flowing requirements down), the November 2026 Phase 2 milestone is the forcing function, and C3PAO capacity is already a bottleneck: assessors book out months ahead. Realistically, reaching Level 2 readiness takes six to twelve months for most organizations. Count backward from your contract dates and be honest about the answer.
- Don’t treat this as an IT project. Both programs fail companies in the same place: documented governance. The technical controls are usually the easier half. What assessors — and, in the US, False Claims Act exposure — actually test is whether your practices are documented, consistently applied, and evidenced. That needs an accountable owner with the seniority to make scoping and investment decisions, not a shared spreadsheet and good intentions.
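To make the "one evidence library, two overlays" and Rev 2/Rev 3 mapping points concrete, here is an added illustration (not code from the post or from either program). The control IDs, titles, evidence records and the Rev 2 to Rev 3 crosswalk are constructed placeholders shaped like the real catalogues; a real program would load the authoritative mapping from NIST and CCCS sources.

```python
"""One evidence library, two framework overlays (constructed illustration).

Evidence is written once and tagged to canonical control keys based on the
newer baseline (Rev 3 / ITSP.10.171 style IDs). Each certification is a thin
overlay that maps its own IDs onto those keys. All IDs below are placeholders.
"""

# Canonical program: constructed sample of Rev 3-style keys and titles.
CANONICAL = {
    "03.01.01": "Account management",
    "03.01.02": "Access enforcement",
    "03.03.01": "Event logging",
}

# Overlays: framework ID -> canonical key. Rev 3 restructured the catalogue,
# so the CMMC (Rev 2) overlay is many-to-one; None marks mapping work not
# yet done. The pairings here are illustrative, not the official crosswalk.
OVERLAYS = {
    "CPCSC-L2": {"03.01.01": "03.01.01", "03.01.02": "03.01.02",
                 "03.03.01": "03.03.01"},
    "CMMC-L2": {"3.1.1": "03.01.01", "3.1.2": "03.01.02",
                "3.3.1": "03.03.01", "3.3.2": "03.03.01",
                "3.9.9": None},  # constructed placeholder, unmapped
}

# Evidence library: constructed sample items tagged to canonical keys.
EVIDENCE = [
    {"id": "EV-001", "title": "Quarterly access review export",
     "controls": ["03.01.01"]},
    {"id": "EV-002", "title": "SIEM retention configuration",
     "controls": ["03.03.01"]},
]


def coverage(framework):
    """Return (covered, uncovered, unmapped) framework IDs for one overlay."""
    evidenced = {c for item in EVIDENCE for c in item["controls"]}
    covered, uncovered, unmapped = [], [], []
    for fw_id, canon in sorted(OVERLAYS[framework].items()):
        if canon is None:
            unmapped.append(fw_id)      # crosswalk gap: nobody mapped it yet
        elif canon not in CANONICAL:
            raise ValueError(f"{framework} {fw_id} maps to unknown key {canon}")
        elif canon in evidenced:
            covered.append(fw_id)       # one evidence item satisfies every
        else:                           # framework ID that maps onto its key
            uncovered.append(fw_id)     # real control gap: no evidence at all
    return covered, uncovered, unmapped


if __name__ == "__main__":
    for fw in OVERLAYS:
        cov, unc, unm = coverage(fw)
        print(f"{fw}: covered={cov} uncovered={unc} unmapped={unm}")
```

The output separates two different kinds of work: `uncovered` IDs need a control implemented and evidenced once, while `unmapped` IDs need a human to finish the Rev 2 to Rev 3 crosswalk before any tool can report them.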
What to do this quarter
If any of your 2026–2027 pipeline touches DND or DoD work: confirm whether specified information, FCI, or CUI flows through your systems (if you’re not sure, resolving that uncertainty is step zero). Make the enclave-or-whole-company scoping decision. Complete the CPCSC Level 1 self-assessment if Canadian defence work is in play — it’s a low-cost way to find your gaps against the standard that Level 2 will formally test. And if CMMC Level 2 is in your future, get a realistic gap assessment against 800-171 now and get in an assessor’s queue early rather than late.
Both programs are still evolving — phase dates have shifted before and details will continue to firm up — so verify current requirements against PSPC and DoD sources when a specific contract is on the table.
FAQ
Does CMMC certification count toward CPCSC, or vice versa?
No. Despite deliberately aligned controls, there is no mutual recognition today. Each program requires its own attestation or assessment. The overlap means the work transfers; the certificates don’t.
We only ever handle Canadian defence information. Do we care about CMMC?
Only if US DoD work — including as a subcontractor to a prime — is plausibly in your future. But primes flow CMMC requirements down their supply chains, so “we don’t contract with the DoD directly” is not the same as “CMMC will never apply to us.”
Is CPCSC Level 1 hard?
For a company with basic security hygiene, no — it’s 13 controls and a self-assessment. Its real value is as a diagnostic: if Level 1 feels hard, that’s important information about your readiness for Level 2, and for the security expectations of enterprise customers generally.
Can a compliance automation platform handle this for us?
Platforms help with evidence collection and continuous monitoring, and I use them with clients. They don’t make scoping decisions, design enclaves, resolve the Rev 2/Rev 3 mapping, or sit across from an assessor. Somebody senior still has to own the program.