CPCSC vs CMMC: What Dual-Jurisdiction Contractors Need to Know
Companies operating in both the Canadian and U.S. defence supply chains face a question that does not have a simple answer: how do you satisfy two national cybersecurity certification programs without building two separate security programs?
Canada's Canadian Program for Cyber Security Certification (CPCSC) and the U.S. Cybersecurity Maturity Model Certification (CMMC) share a common ancestor in NIST SP 800-171, but they diverge in ways that matter for planning, budgeting, and execution. No mutual recognition agreement exists between the two countries. A CMMC certificate does not satisfy CPCSC, and a CPCSC certification does not satisfy CMMC. Companies that need both must plan for both.
This post breaks down the structural differences, maps the overlap, and outlines how to build one effective security program that satisfies both certification requirements without duplicating effort.
Common Origin, Different Implementation
Both CPCSC and CMMC exist because defence departments realized that contractual security clauses were not producing actual security. The U.S. Department of Defense (DoD) launched CMMC after years of self-attestation under DFARS 252.204-7012 produced inconsistent results. Canada's Department of National Defence (DND) followed a similar path, building CPCSC to impose verifiable requirements on the Canadian defence supply chain.
Both programs draw from NIST SP 800-171, the foundational standard for protecting Controlled Unclassified Information (CUI) in non-federal systems. Canada's technical standard, ITSP.10.171, developed by the Canadian Centre for Cyber Security (CCCS), aligns with NIST 800-171 Revision 3 but adapts terminology, scoping, and assessment methodology for the Canadian procurement context.
Key Takeaway
The shared lineage creates significant control overlap. The divergence is in how each country implements, assesses, and enforces those controls.
Side-by-Side Comparison
| Element | CMMC 2.0 (United States) | CPCSC (Canada) |
|---|---|---|
| Governing Body | Department of Defense (DoD) | Public Services and Procurement Canada (PSPC) |
| Technical Standard | NIST SP 800-171 Rev 2 (transitioning to Rev 3) | ITSP.10.171 (aligned with NIST 800-171 Rev 3) |
| Accreditation Body | Cyber AB | Standards Council of Canada (SCC) |
| Level 1 Scope | Federal Contract Information (FCI) only | All Protected A / specified information |
| Level 1 Controls | 15 practices from FAR 52.204-21 | ~13 requirements (expected, based on CMMC alignment) |
| Level 1 Assessment | Annual self-assessment | Annual self-attestation via Canada Buys |
| Level 2 Scope | Controlled Unclassified Information (CUI) | Controlled Information (CI) |
| Level 2 Controls | 110 practices (NIST 800-171 Rev 2) | 97 controls across 17 families (ITSP.10.171) |
| Level 2 Assessment | Self-assessment option for some contracts; C3PAO assessment for others | Mandatory third-party audit by SCC-accredited body |
| Level 3 Scope | Highest-sensitivity CUI programs | Highest-sensitivity DND contracts |
| Level 3 Assessment | DIBCAC assessment (government-led) | DND-conducted assessment |
| Level 3 Threshold | Approximately 1% of the defence industrial base | Broader application expected |
| Full Implementation | Phased through November 2028 | Level 1 by April 2026, Level 2 by April 2027 |
| Mutual Recognition | None established | None established |
Assessment Methodology: Where the Programs Diverge
The most consequential difference between CPCSC and CMMC is not in the controls themselves. It is in how each program validates compliance.
Level 1: Similar on Paper, Different in Detail
Both programs allow self-assessment at Level 1, but the scope differs. CMMC Level 1 covers 15 practices derived from FAR 52.204-21, focused narrowly on Federal Contract Information. CPCSC Level 1 is expected to apply roughly 13 requirements with around 71 assessment objectives (a figure inferred from its alignment with CMMC; the government has not yet published the official Level 1 control list), and it covers all specified information at the Protected A level and below. The Canadian scope is therefore broader in terms of what information triggers the requirement.
For companies that handle both FCI and Protected A information, Level 1 work overlaps substantially, but the attestation processes are independent. CMMC Level 1 self-assessments feed into the Supplier Performance Risk System (SPRS). CPCSC Level 1 attestations go through Canada Buys.
Level 2: The Critical Divergence
This is where planning gets complicated. CMMC Level 2 offers a self-assessment pathway for contracts that do not involve prioritized CUI, with only a subset requiring third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO). CPCSC Level 2 requires mandatory third-party certification by an SCC-accredited certification body for all contracts in scope.
Budget Impact
A company that qualifies for CMMC Level 2 self-assessment but needs CPCSC Level 2 certification faces a third-party audit on the Canadian side regardless. Planning and budgeting need to account for the more rigorous assessment path.
Level 3: Government-Led on Both Sides
Both programs reserve Level 3 for government-conducted assessments on the highest-sensitivity contracts. In the U.S., the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) handles Level 3. In Canada, DND conducts the assessment directly. Companies at this level are typically already operating under significant security oversight and will have dedicated teams managing both programs.
Governance Structure
The organizational structures behind each program reflect different approaches to standards development and accreditation.
| Function | CMMC (U.S.) | CPCSC (Canada) |
|---|---|---|
| Program Management | DoD (OUSD A&S) | PSPC |
| Standard Development | NIST (via SP 800-171) | CCCS (via ITSP.10.171) |
| Assessor Accreditation | Cyber AB | SCC |
| Contract Integration | Contracting officers via DFARS | PSPC via Canada Buys procurement |
| Level 3 Assessment | DIBCAC | DND |
One practical difference: CMMC's Cyber AB is a purpose-built accreditation body for the program. Canada routes accreditation through the Standards Council of Canada, the same national body that accredits testing and certification organizations across all industries. This means CPCSC assessor accreditation follows established ISO/IEC 17020 inspection body standards rather than a program-specific accreditation model.
Timeline Comparison
Canada is moving faster.
| Milestone | CMMC | CPCSC |
|---|---|---|
| Rulemaking / standard published | Final rule December 2024 | ITSP.10.171 published March 2025 |
| Level 1 requirements in contracts | Phased rollout starting 2025 | April 2026 |
| Level 2 third-party assessments | Phased, full implementation by November 2028 | April 2027 |
| Full enforcement | November 2028 | April 2027 (Level 2), more than a year ahead of CMMC |
The compressed Canadian timeline creates urgency for dual-jurisdiction contractors. A company that planned its CMMC compliance roadmap around a 2028 full-implementation date needs to account for CPCSC Level 2 requirements arriving more than a year earlier. Companies approaching CPCSC for the first time should be planning now, not waiting for contract language to appear.
The Mutual Recognition Gap
There is no mutual recognition agreement between CPCSC and CMMC. A CMMC Level 2 certification does not satisfy CPCSC Level 2, and vice versa. Each program requires independent assessment, independent attestation, and independent evidence.
Planning Assumption
Companies that have invested in CMMC readiness sometimes expect that work to count on the Canadian side. The controls overlap significantly, but the assessment, attestation, and governance processes are entirely separate. Plan to satisfy both programs independently.
Whether mutual recognition will emerge over time is an open question. The Five Eyes intelligence alliance creates a natural pathway for security standard harmonization, and both programs derive from NIST 800-171. But as of March 2026, no formal equivalence has been proposed by either government. Planning around a future recognition agreement would be speculative.
Building One Program That Maps to Both
The most efficient approach for dual-jurisdiction contractors is not to build two compliance programs. It is to build one effective security program and map both frameworks onto it.
Both CPCSC and CMMC require the same operational capabilities: access control, incident response, configuration management, audit logging, risk assessment, and supply chain oversight. The controls express these requirements in slightly different structures, but the underlying security operations are the same.
Step 1: Anchor on the Superset
Start with ITSP.10.171 as the baseline. It aligns with NIST 800-171 Rev 3, which is where CMMC is heading as well. Building to the Rev 3 standard positions you for both programs without rework. Map your existing controls to both frameworks simultaneously. A single access review process satisfies access control requirements in both ITSP.10.171 and NIST 800-171. A single incident response plan, properly documented, produces evidence for both assessments. One caveat: until CMMC formally adopts Rev 3, a C3PAO will assess against Rev 2, so keep a reverse mapping from your Rev 3-structured controls to the 110 Rev 2 practices rather than assuming the assessor will do that translation for you.
Step 2: Separate the Evidence Streams
Maintain a unified evidence repository, but create separate assessment packages for each program. For CMMC: a System Security Plan (SSP) aligned with NIST 800-171, POA&M documentation, and either an SPRS score submission for Level 1 or a C3PAO assessment package for Level 2. For CPCSC: a self-attestation through Canada Buys for Level 1, or assessment-ready documentation for an SCC-accredited certification body at Level 2. The evidence itself, such as access review records, vulnerability scan reports, incident response logs, and configuration baselines, is the same. The packaging differs.
Step 3: Account for Canada-Specific Requirements
ITSP.10.171 is not a direct copy of NIST 800-171. There are areas where Canada's standard includes requirements or scoping decisions that do not have a direct CMMC equivalent. Companies whose documentation is organized around CMMC should review ITSP.10.171 for differences in how controls are grouped, how assessment objectives are structured, and what evidence the Canadian program considers sufficient.
Step 4: Plan Assessment Windows
With CPCSC Level 2 arriving by April 2027 and CMMC Level 2 phasing in through November 2028, the assessment calendar needs coordination. Running both assessments in proximity reduces the risk of evidence going stale, but also concentrates the operational burden. Some organizations find it practical to schedule the more demanding assessment first (CPCSC, given the mandatory third-party requirement) and then use the fresh evidence for the CMMC assessment shortly after.
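Steps 1 through 4 describe one structure: a single evidence repository, a crosswalk from each operational capability to the requirement identifiers of each program, separate packages per program, and a freshness check tied to each program's assessment window. The Python sketch below is an added illustration of that structure, not a tool or artifact from either program or from this post's author. The CMMC-side identifiers are NIST SP 800-171 Rev 2 requirement numbers; the ITSP.10.171 identifiers (ITSP-AC-1 and so on) are placeholders, since the real numbering must be taken from the published standard; the 90-day freshness threshold and the two assessment dates are assumptions; and the evidence records are constructed sample data.

```python
"""One evidence repository, two assessment packages (added illustration).

Assumptions: CMMC ids are NIST SP 800-171 Rev 2 requirement numbers;
ITSP-* ids are placeholders, not real ITSP.10.171 identifiers; the
90-day freshness window and the assessment dates are assumed values.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Evidence:
    evidence_id: str
    capability: str  # operational capability the artifact demonstrates
    collected: date  # when the artifact was produced
    artifact: str    # location in the shared repository


# Crosswalk: one row per operational capability, listing the requirement
# identifiers it satisfies in each program. Evidence is keyed by capability,
# never by program, so the same record feeds both packages.
CROSSWALK = {
    "access-review": {"CMMC": ["3.1.1", "3.1.2"], "CPCSC": ["ITSP-AC-1"]},
    "incident-response-plan": {"CMMC": ["3.6.1", "3.6.2"],
                               "CPCSC": ["ITSP-IR-1", "ITSP-IR-2"]},
    "vulnerability-scan": {"CMMC": ["3.11.2", "3.11.3"], "CPCSC": ["ITSP-RA-2"]},
    "config-baseline": {"CMMC": ["3.4.1", "3.4.2"], "CPCSC": ["ITSP-CM-1"]},
}

# Constructed sample evidence. Note there is no config-baseline record,
# so that control will surface as a gap in both packages.
SAMPLE_EVIDENCE = [
    Evidence("E-001", "access-review", date(2027, 2, 10), "iam/q1-2027-review.pdf"),
    Evidence("E-002", "incident-response-plan", date(2026, 12, 1), "ir/plan-v4.pdf"),
    Evidence("E-003", "vulnerability-scan", date(2027, 3, 20), "vm/scan-2027-03.json"),
]

# Assumed assessment windows: CPCSC first (mandatory third-party audit,
# April 2027 deadline), CMMC later in its phase-in.
CPCSC_ASSESSMENT = date(2027, 4, 15)
CMMC_ASSESSMENT = date(2028, 11, 1)


def build_package(program, evidence, assessment_date, max_age_days=90):
    """Assemble the package for one program from the shared repository.

    Returns {"controls": {requirement_id: [evidence_ids]},
             "stale": [evidence_ids older than max_age_days at assessment],
             "gaps": [requirement_ids with no fresh evidence]}.
    """
    if program not in ("CMMC", "CPCSC"):
        raise ValueError(f"unknown program: {program}")
    cutoff = assessment_date - timedelta(days=max_age_days)

    # Every requirement in the crosswalk starts empty so gaps are visible.
    controls = {cid: [] for row in CROSSWALK.values() for cid in row[program]}
    stale = []
    for ev in evidence:
        row = CROSSWALK.get(ev.capability)
        if row is None:
            continue  # capability neither program asks about
        if ev.collected < cutoff:
            stale.append(ev.evidence_id)  # would not survive the assessment
            continue
        for cid in row[program]:
            controls[cid].append(ev.evidence_id)

    gaps = sorted(cid for cid, ids in controls.items() if not ids)
    return {"controls": controls, "stale": sorted(stale), "gaps": gaps}


def assessment_plan(evidence=SAMPLE_EVIDENCE):
    """Both packages from the same evidence list, each against its own window."""
    return {
        "CPCSC": build_package("CPCSC", evidence, CPCSC_ASSESSMENT),
        "CMMC": build_package("CMMC", evidence, CMMC_ASSESSMENT),
    }


if __name__ == "__main__":
    for program, pkg in assessment_plan().items():
        print(f"{program}: stale={pkg['stale']} gaps={pkg['gaps']}")
```

Run against the sample data, the CPCSC package (assessed April 2027) flags only the December 2026 incident response plan as stale and reports gaps for the two placeholder IR requirements and the missing configuration baseline. The CMMC package, if it were assessed at the November 2028 date with the same records, flags every artifact as stale, which is the point Step 4 makes: evidence that is fresh for the earlier assessment has to be re-collected for the later one unless the two windows are scheduled close together.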
Where Existing Controls Transfer
Companies with established security programs will find substantial overlap. The following control areas transfer cleanly between both frameworks:
- Access control and identity management: MFA, least privilege, session management, and remote access controls map directly between ITSP.10.171 and NIST 800-171.
- Audit and accountability: Log collection, review processes, and tamper protection requirements are functionally equivalent.
- Incident response: Both frameworks require documented incident response plans, testing, and reporting procedures.
- Configuration management: Baseline configurations, change control, and least-functionality requirements align closely.
- Risk assessment: Vulnerability scanning, risk analysis, and response planning carry across both programs.
Where They Do Not Transfer
Several areas require careful attention because the programs handle them differently:
- Scoping and information categorization: CMMC distinguishes between FCI and CUI. CPCSC uses specified information and controlled information. The categories do not map one-to-one, and the scoping exercise for each program must be done independently.
- Assessment rigor at Level 2: CMMC allows self-assessment for some Level 2 contracts. CPCSC does not. This means a company that handles controlled information in both supply chains needs to budget for third-party assessment on the Canadian side even if the U.S. contracts qualify for self-assessment.
- Assessment body ecosystems: The C3PAO ecosystem in the U.S. is more mature and larger. Canada's SCC-accredited certification body market is still developing. Availability and scheduling should be factored into planning, particularly for companies aiming to meet the April 2027 CPCSC Level 2 deadline.
- NIST revision alignment: CMMC currently references NIST 800-171 Rev 2 but is transitioning to Rev 3. ITSP.10.171 already aligns with Rev 3. During the transition period, companies may need to demonstrate compliance against slightly different control baselines depending on which version each program is referencing at the time of assessment.
The Revenue Implication
This is ultimately about contract eligibility. Companies that operate in both the Canadian and U.S. defence supply chains are there because those contracts represent significant revenue. Losing eligibility on either side because of a missed certification deadline or a failed assessment has a direct financial impact.
The investment in building a unified security program that maps to both CPCSC and CMMC is smaller than the cost of losing access to either market. It is also significantly smaller than building and maintaining two independent compliance programs.
For companies already operating in one supply chain and looking to enter the other, an effective security program becomes the bridge. The controls are already in place. The gap is in documentation, scoping, and assessment preparation, not in rebuilding security operations from the ground up.
Frequently Asked Questions
Does a CMMC certification satisfy CPCSC requirements?
No. There is no mutual recognition agreement between CMMC and CPCSC. Each program requires independent assessment and attestation. A CMMC Level 2 certificate from a C3PAO does not satisfy CPCSC Level 2 requirements, and a CPCSC certification does not satisfy CMMC. Companies operating in both supply chains must complete both certification processes independently.
Can I use the same evidence for both CMMC and CPCSC assessments?
Yes, in most cases. The underlying security controls overlap significantly because both programs derive from NIST SP 800-171. A single access review process, incident response plan, or vulnerability scan report can serve as evidence for both assessments. The difference is in how evidence is packaged and submitted: CMMC uses SPRS and C3PAO assessment processes, while CPCSC uses Canada Buys attestation and SCC-accredited certification bodies.
Which standard should I build to if I need both certifications?
Build to ITSP.10.171 (aligned with NIST 800-171 Rev 3) as your baseline. Since CMMC is transitioning from Rev 2 to Rev 3, building to the newer revision positions you for both programs without rework. ITSP.10.171's 97 controls across 17 families encompass the security capabilities required by both frameworks.
Is CPCSC harder than CMMC?
The programs are not directly comparable in terms of difficulty, but CPCSC is more demanding in specific ways. CPCSC Level 2 requires mandatory third-party certification for all in-scope contracts, while CMMC Level 2 allows self-assessment for some contracts. Canada's timeline is also more aggressive, with Level 2 requirements arriving by April 2027 compared to CMMC's full implementation by November 2028. The control sets are comparable in scope; the assessment and timeline requirements create the difference.
Will Canada and the U.S. eventually recognize each other's certifications?
No formal mutual recognition agreement has been proposed as of March 2026. Both programs share a common foundation in NIST 800-171, and the Five Eyes alliance creates a plausible pathway for future harmonization. However, planning around a future agreement would be speculative. Companies should plan to satisfy both programs independently until a formal equivalence is established.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.