CPCSC: Canada’s Cyber Security Certification for Defence Suppliers

By Rodrigo Lamadrid 10 July, 2026

CPCSC determines whether your company is eligible to compete for Department of National Defence contracts, or to subcontract with a company that does. Despite being announced recently, parts of it are already live. Companies that ignore it are likely to lose contracts they’ve held for years without seeing it coming.

Announced on April 14, 2026 by Minister Joël Lightbound, it’s part of a $6.6 billion CAD commitment under Canada’s Defence Industrial Strategy. Level 1 is already active today, with requirements beginning to appear in contracts as early as this summer, according to Public Services and Procurement Canada officials.

In this article, we’ll explain: 

  • What is it in plain terms?
  • Who does it apply to? 
  • What do the three certification levels require? 
  • How does it line up against the equivalent U.S. framework? 
  • What should you do about it right now, before a solicitation catches you unprepared?
  • How Mindsec can help you speed through its adoption with simplified evidence collection and automated cross-mapping across a dozen other frameworks.

None of this is theoretical for companies already bidding on National Defence work. The clock is running whether or not your organization is paying attention yet.

What Is CPCSC?

CPCSC stands for the Canadian Program for Cyber Security Certification. It is described by the federal government as an official cyber security certification for defence suppliers in Canada.

It’s managed by Public Services and Procurement Canada (PSPC) and built around accredited bodies, certified assessors, and government oversight. It applies to any company in the defence supply chain handling federal contractual or Specified Information.

The program didn’t appear overnight. Budget 2023 allocated $25 million over three years to build it. It was introduced to the public on March 12, 2025, well before Level 1 became available to suppliers on April 1, 2026.

The goal, according to the PSPC, is to strengthen the defence industrial base and support interoperability among allies, including the Five Eyes.

Who Must Comply With CPCSC?

Organizations that supply (or plan to supply) the Government of Canada through defence contracts. Primarily companies in defence, aerospace, and related infrastructure sectors.

This covers small and mid-sized businesses entering the defence supply chain for the first time and established, larger companies with a track record in defence. The required level depends on the sensitivity of the information involved in any given contract, not the size of the company.

Executives responsible for risk, compliance, and revenue growth need to understand this specific program, since missing the certification can result in exclusion from bidding altogether, regardless of how strong a company’s underlying security practices are.

The Three CPCSC Levels

CPCSC is structured around three certification levels, each reflecting a progressively higher degree of maturity in cybersecurity. The levels build on each other: the controls required at Level 1 are a subset of Level 2, which are in turn a subset of Level 3.

  • Level 1 (13 controls): an annual self-assessment against baseline security requirements, completed through the government’s online tool. No third-party guidance is required. This is where most Canadian defence SMEs will start.
  • Level 2 (98 controls): an external assessment led by a certification body accredited by the Standards Council of Canada (plus an annual affirmation), required every three years for contracts involving controlled defence information. Starting at this level, Mindsec can help you simplify and accelerate the compliance process through our compliance automation platform and expert guidance.
  • Level 3 (200 controls): the highest tier, with assessments conducted directly by National Defence, reserved for the most sensitive work (including weapon systems and information shared with the Five Eyes).

Work completed at one level isn’t discarded when you move to the next one under CPCSC. Each level builds on the evidence and controls already documented and verified before, so nothing goes to waste as your maturity increases over time.

CPCSC Timeline: What’s Active and What’s Coming

Level 1 became available to suppliers on April 1, 2026, and Level 1 requirements began appearing in select Department of National Defence contracts starting summer 2026. Attestation is necessary the moment the contract is awarded, rather than during the bidding as is common.

Level 2 is expected to become mandatory in select contracts starting spring 2027, once the Standards Council of Canada finishes accrediting a working pool of third-party assessment bodies in the meantime.

Level 3 follows from April 2027 onward. Levels 1 and 2 may expand to cover most if not all Government of Canada defence contracts over time.

The takeaway: while not every solicitation requires this certification already, it’s important that you get familiar with and implement the basic, Level 1 requirements, and scale from there if needed.

The Technical Backbone: ITSP.10.171

The controls behind CPCSC come from ITSP.10.171, Canada’s industrial cyber security standard, developed by the Canadian Centre for Cyber Security (part of the Communications Security Establishment).

ITSP.10.171 is a close adaptation of NIST SP 800-171 Revision 3, the same U.S. standard that underpins the American Cybersecurity Maturity Model Certification (CMMC) program, with no substantial changes to the controls.

The differences are regulatory, not technical: Canada uses “Specified Information” instead of “Controlled Unclassified Information”. This program sits under Treasury Board policy and Canadian privacy law rather than U.S. federal acquisition rules.

Consequences of Non-Compliance

Companies that can’t demonstrate the required certification level are excluded from bidding on contracts entirely. No certification, no contract.

There’s no grace period once a contract clause requires a given level. Unlike some compliance regimes, non-compliance doesn’t bring a fine, but the loss of eligibility for revenue your business may depend on.

How to Start Your CPCSC Compliance

  • Confirm whether your contracts, existing or upcoming, include a certification clause and at which level.
  • Start with Level 1 if you’re a small supplier. It’s the fastest path to attestation using the self-assessment tool.
  • Map where Specified Information lives before you scope any assessment.
  • If work touches controlled defence information, start preparation for Level 2 now, given how limited the accredited assessor pool still is.
  • Treat this program as a continuous operation, not a one-time project. It requires ongoing governance and monitoring to pass continuous audits.

CPCSC vs. CMMC

CPCSC is often described as Canada’s answer to the U.S. Cybersecurity Maturity Model Certification (CMMC), and the comparison is fair: 

  • Both use the same underlying NIST-based technical controls.
  • Both function as a pass/fail gate for defence contract eligibility
  • Both are rolling out in phases, rather than all at once.

The differences that matter most show up in assessor availability, cost, and the level for each contract. These details are easy to get wrong if you’re only familiar with one of the two countries and assume the two programs are interchangeable (they’re not. They’re only complimentary at best).

That confusion gets expensive fast for companies that sell in both markets. Preparing for the wrong level or the wrong assessor type can waste months of otherwise useful compliance work.

For a full breakdown of how the two programs compare: levels, timelines, and what to do if you sell in both the Canadian and American defence markets, see: CPCSC vs CMMC Certification: Comparing Canada and the U.S..

How Mindsec Helps

Mindsec is a compliance automation platform that helps organizations document, monitor, and produce evidence for the security controls that programs like this or CMMC require.

Our platform has support for dozens of frameworks, including ISO 27001, NIST CSF, SOC 2, and our cross-mapping technology allows you to comply with multiple certifications at once with the same piece of overlapping evidence, in a single effort.

Want to see it in action? Book a 15-minute demo to learn how Mindsec keeps your organization audit-ready 24/7 as defence procurement requirements evolve.

Rodrigo Lamadrid

Mindsec staff

Why Stall? Book A Call

Need to comply with CPCSC, CMMC, and other regulations? Book a call with our team and learn how we streamline this for you.

See Mindsec In Action