CPCSC: What Canadian Defence Contractors Need to Know Before April 2026
Canada's defence supply chain is about to change. Starting April 2026, companies bidding on Department of National Defence (DND) contracts will need to demonstrate cybersecurity certification under the Canadian Program for Cyber Security Certification, known as CPCSC. This isn't a recommendation or a best practice. It's a procurement requirement, and companies that aren't certified won't be eligible to bid.
The program has been in development for years, but the timeline is now concrete. Phase 1 launched in March 2025 with the publication of the underlying standard. Phase 2 begins April 2026 with mandatory Level 1 certification. And by April 2027, Level 2 third-party assessments start appearing in contracts.
For companies already embedded in the defence supply chain, this is a planning exercise. For those with informal security practices that have worked fine until now, it's a structural shift in how they'll need to operate.
Key Deadline
Starting April 2026, companies without Level 1 attestation risk losing eligibility for DND procurements. Level 2 third-party certification requirements follow in April 2027.
What Is the CPCSC?
The CPCSC is Canada's answer to the U.S. Cybersecurity Maturity Model Certification (CMMC). It establishes a tiered certification framework for companies that handle sensitive government information through defence contracts.
Four organizations run the program:
- Public Services and Procurement Canada (PSPC) - manages the overall program and contract requirements
- Canadian Centre for Cyber Security (CCCS) - developed the underlying technical standard, ITSP.10.171
- Standards Council of Canada (SCC) - accredits the certification bodies that will conduct Level 2 assessments
- Department of National Defence (DND) - identifies which contracts require certification and conducts Level 3 assessments directly
The technical backbone is ITSP.10.171, Canada's equivalent of NIST SP 800-171 Revision 3. It defines 97 security controls across 17 families, covering everything from access control and incident response to supply chain risk management. If you're familiar with NIST 800-171 or CMMC, the control structure will feel recognizable, but there are meaningful differences in how Canada applies it.
Three Certification Levels
The CPCSC uses a tiered model. Each level corresponds to the sensitivity of information a contractor handles and the rigor of assessment required.
| Level | Assessment Type | Scope | Controls |
|---|---|---|---|
| Level 1 | Annual self-assessment | Federal contractual information (unclassified) | 13 requirements, 71 assessment objectives |
| Level 2 | Third-party certification (SCC-accredited body) | Controlled Information (CI) | 97 controls across 17 families |
| Level 3 | DND-conducted assessment | Highest-sensitivity contracts | ITSP.10.171 + additional controls (TBD) |
Level 1: Self-Assessment
Level 1 is the baseline. It covers federal contractual information below the classified level (what the program calls specified information). Companies complete an annual self-assessment against 13 security requirements drawn from 6 of the 17 ITSP.10.171 control families, covering 71 assessment objectives in total.
The self-assessment must be attested through the contractor's Canada Buys profile. Starting April 2026, this attestation becomes a condition for bidding on most DND contracts.
Level 1 at a Glance
13 security requirements from 6 control families: Access Control, Identification and Authentication, Physical Protection, System and Communications Protection, System and Information Integrity, and Media Protection. The self-assessment covers 71 assessment objectives and requires annual renewal.
Level 1 is not trivial. For companies that have operated without documented security controls, even this baseline will require real work.
Free Report: The CPCSC Compliance Playbook
We're building a comprehensive guide to CPCSC compliance across cloud, on-prem, and hybrid environments. Join the waitlist for a free copy.
Level 2: Third-Party Certification
Level 2 is where the full weight of ITSP.10.171 applies. Companies must implement all 97 security controls across all 17 families and undergo assessment by an SCC-accredited certification body. This is not a self-assessment. An independent assessor evaluates the company's security program against the standard.
Level 2 applies when contracts involve Controlled Information (CI), which is the Canadian equivalent of Controlled Unclassified Information (CUI) in the U.S. context.
The SCC begins accepting applications from prospective certification bodies in Phase 2 (April 2026), so the assessor ecosystem is still being built. This is worth watching closely, because assessor availability will directly affect how quickly companies can schedule and complete their certifications.
Level 3: DND-Conducted Assessment
Level 3 is reserved for the highest-sensitivity contracts. DND conducts the assessment directly, and the requirements go beyond the standard ITSP.10.171 controls. Additional Level 3-specific controls are expected to be published as the program matures.
Only a small number of contracts will require Level 3, but for companies in the most sensitive parts of the defence supply chain, it represents the most rigorous cybersecurity evaluation the Canadian government has ever applied to contractors.
The Timeline: Four Phases
The CPCSC is rolling out in four phases, giving industry time to prepare before the full mandatory requirements take effect.
Phase 1 (March 2025 - March 2026)
The ITSP.10.171 standard was published. Level 1 guidance was released publicly. This was the preparation window.
Phase 2 (April 2026 - March 2027)
Level 1 self-assessment becomes mandatory for DND contracts. The SCC begins accepting Level 2 certifier applications. New RFPs identified through cyber security risk assessment will include CPCSC requirements.
Phase 3 (April 2027 - March 2028)
Level 2 certification requirements appear in contracts involving Controlled Information. Level 3 begins on select contracts following publication of additional controls.
Phase 4 (2028+)
Full program maturity. Level 3 certification requirements gradually incorporated into the most sensitive defence RFPs.
The key deadline for most defence contractors is April 2026. After that date, companies without Level 1 attestation risk losing eligibility for DND procurements.
ITSP.10.171: The 17 Control Families
The technical standard underpinning CPCSC at Level 2 organizes security requirements into 17 families. Each family addresses a distinct security domain:
ITSP.10.171 Control Families (97 controls total)
- Access Control - user permissions, least privilege, remote access
- Awareness and Training - security education, role-based training
- Audit and Accountability - logging, audit records, review and analysis
- Configuration Management - baselines, change control, least functionality
- Identification and Authentication - MFA, identifier and authenticator management
- Incident Response - handling, monitoring, reporting, testing
- Maintenance - controlled maintenance, tools, personnel
- Media Protection - access, marking, storage, sanitization
- Personnel Security - screening, termination, access agreements
- Physical Protection - facility access, monitoring, visitor controls
- Risk Assessment - vulnerability scanning, risk response
- Security Assessment and Monitoring - assessments, continuous monitoring, plan of action
- System and Communications Protection - boundary protection, encryption, transmission integrity
- System and Information Integrity - flaw remediation, malware protection, system monitoring
- Planning - security planning, system security plans
- System and Services Acquisition - procurement safeguards, developer configuration management
- Supply Chain Risk Management - supplier assessments, acquisition controls
For companies already certified under SOC 2 or ISO 27001, there is significant overlap, but ITSP.10.171 includes controls specific to government-classified environments (physical protection, media handling, personnel screening) that commercial frameworks don't typically address.
CPCSC vs. CMMC: Similar, but Not Equivalent
The comparison to CMMC is inevitable, and the structural similarities are obvious. Both programs tier certification levels, both are rooted in NIST 800-171, and both apply to defence supply chains. But there are critical differences that companies operating in both jurisdictions need to understand.
| Element | CMMC 2.0 (U.S.) | CPCSC (Canada) |
|---|---|---|
| Standard | NIST SP 800-171 Rev 2 (moving to Rev 3) | ITSP.10.171 (aligned with NIST Rev 3) |
| Level 1 scope | Federal Contract Information only | All specified information |
| Level 2 assessment | Self-assessment option available for some contracts | Mandatory third-party assessment |
| Level 3 threshold | ~1% of contractors | Broader application planned |
| Timeline | Full implementation by November 2028 | Accelerated: Level 2 by April 2027 |
| Mutual recognition | Not yet established | No equivalence with CMMC |
No Mutual Recognition
There is currently no mutual recognition between CPCSC and CMMC. A company certified under CMMC is not automatically certified under CPCSC, and vice versa. Companies bidding on both Canadian DND and U.S. DoD contracts need to maintain dual compliance programs.
Canada has explored the possibility of unilateral CMMC recognition under specific conditions (matching information flow definitions and Canadian data residency requirements), but nothing formal exists.
For companies bidding on both Canadian DND and U.S. DoD contracts, the good news is that the underlying control requirements overlap significantly because both trace back to NIST 800-171. The challenge is that each program has its own assessment methodology, accreditation body, and certification process.
What This Means in Practice
The CPCSC is not a distant regulatory proposal. Phase 2 begins in weeks. Here's what's actually changing:
Already in the defence supply chain
Level 1 self-assessment becomes a procurement gate in April 2026. Review the 13 Level 1 requirements, conduct your self-assessment, and attest through Canada Buys. Don't wait for the compliance documentation to be published on March 31, 2026, to start understanding what's required.
Have existing security programs (SOC 2, ISO 27001)
You have a significant head start. Many ITSP.10.171 controls map directly to controls you've already implemented. The gaps will likely be in government-specific domains: physical protection, media handling, personnel screening, and supply chain risk management. A gap assessment against ITSP.10.171 will identify exactly where to extend your existing program.
Starting with informal security practices
This is the hardest starting position. Building a security program that satisfies 97 controls across 17 families is not a documentation exercise. It requires designing controls that actually work, implementing them across your systems and processes, and producing evidence that they operate effectively. Industry estimates put Level 2 preparation at 6 to 12 months and $80K to $400K depending on starting point and complexity.
Dual-jurisdiction (DND + DoD)
Build your security program once, map it to both ITSP.10.171 and NIST 800-171, and extend where each framework has unique requirements. The alternative, building separate compliance programs for each jurisdiction, is expensive and unsustainable.
The Assessor Ecosystem Is Still Forming
One factor that doesn't get enough attention: the certification body ecosystem for Level 2 assessments is still being established. The SCC begins accepting applications from prospective assessors in April 2026, which means the pool of accredited certification bodies will be limited when Level 2 requirements start appearing in contracts in April 2027.
Companies planning for Level 2 should be tracking which certification bodies receive SCC accreditation and engaging early. Assessor bottlenecks were a real issue in the early CMMC rollout in the U.S., and Canada's accelerated timeline suggests similar capacity constraints are possible here.
Build the Program, Not Just the Certification
The companies that approach CPCSC well won't treat it as a standalone compliance project. They'll build an effective security program as the foundation, then map ITSP.10.171 onto it as one of several frameworks their program satisfies. That approach scales: the next framework becomes an extension of what's already in place, not a rebuild from scratch.
CPCSC Readiness Starts Here
We help companies build effective security programs that map to CPCSC, CMMC, and beyond.
Frequently Asked Questions
What is the CPCSC and who does it apply to?
The Canadian Program for Cyber Security Certification (CPCSC) is a mandatory cybersecurity certification framework for companies that bid on Department of National Defence contracts. It applies to any company in the Canadian defence supply chain that handles federal contractual information or Controlled Information through DND procurements.
When does CPCSC become mandatory?
Level 1 self-assessment becomes mandatory for DND contracts starting April 2026. Level 2 third-party certification requirements begin appearing in contracts involving Controlled Information in April 2027. The program is rolling out in four phases through 2028.
What is ITSP.10.171 and how does it relate to NIST 800-171?
ITSP.10.171 is the Canadian IT security standard developed by the Canadian Centre for Cyber Security. It is Canada's equivalent of NIST SP 800-171 Revision 3 and defines the 97 security controls that contractors must implement for CPCSC Level 2 certification. Both standards share the same 17 control families and similar control requirements.
Does CMMC certification satisfy CPCSC requirements?
No. There is currently no mutual recognition between CPCSC and CMMC. Companies bidding on both Canadian DND and U.S. DoD contracts need to comply with both programs independently. The underlying controls overlap significantly, but the certification processes are separate.
What is the difference between CPCSC Level 1 and Level 2?
Level 1 is an annual self-assessment covering 13 security requirements from 6 control families, designed to protect unclassified federal contractual information. Level 2 requires a third-party assessment by an SCC-accredited certification body against all 97 ITSP.10.171 controls, and applies when contracts involve Controlled Information.
How long does it take to prepare for CPCSC certification?
Level 1 preparation depends on your starting point but typically takes a few months for organizations with some security practices in place. Level 2 preparation is more substantial, with industry estimates ranging from 6 to 12 months and $80K to $400K depending on organizational complexity and existing security maturity.
This is the first in a series covering the CPCSC in depth. Upcoming posts will break down each of the 17 ITSP.10.171 control families with practical implementation guidance for Canadian defence contractors.
About the Author
Ali Aleali, CISSP, CCSP
Co-Founder & Principal Consultant, Truvo Cyber
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.