CPCSC Compliance for Canadian Defence Contractors

Effective security programs for defence supply chain companies facing mandatory certification. Compliance with ITSP 10.171 is the byproduct.

Defence Contracts Now Require CPCSC Certification

CPCSC Phase 3 arrives Spring 2026 with mandatory Level 2 third-party certification for applicable defence RFPs. If your company bids on Canadian defence contracts, compliance is no longer optional.

Whether your environment runs in the cloud, on-premise, or across hybrid infrastructure, CPCSC readiness requires controls mapped to ITSP 10.171 and evidence that covers your entire environment.

That's exactly where we operate.


The Defence Compliance Gap

CPCSC requires controls mapped to ITSP 10.171 across your entire environment: cloud, on-premise, hybrid, and secure enclaves. Generic compliance checklists don't cover the specifics.


Dual-Jurisdiction Requirements

Canadian contractors bidding on both DND and US DoD contracts face simultaneous CPCSC (ITSP 10.171) and CMMC (NIST SP 800-171) obligations. Two frameworks, overlapping controls, different certification bodies. Most advisors handle one or the other.


Any Infrastructure, Full Coverage

Defence supply chain companies run workloads across cloud, on-premise, hybrid, and secure enclaves. CPCSC compliance requires evidence collection that covers all of it. We design programs that work across your entire environment, not just the parts that cloud tools can automate.


Mandatory Deadlines Are Fixed

CPCSC Phase 2 (Level 1 self-assessment) is already in effect. Phase 3 (Level 2 third-party certification) arrives Spring 2026. Missing the deadline means losing eligibility for applicable defence RFPs.

Our Three-Phase Methodology for CPCSC Readiness

Effective security first. CPCSC certification follows. Designed for any infrastructure type.

01 Assess

Gap analysis against ITSP 10.171 controls across your full environment: cloud workloads, on-premise systems, and secure enclaves. Evidence source inventory, scoping recommendation, and certification level determination.

02 Build

Control implementation for identified gaps. Two key deliverables: a Security Program Manual with CPCSC-specific policies covering sensitive information handling, access controls, and incident response, and a Security Posture Report giving leadership clear visibility into certification readiness.

03 Operate (Ongoing)

Continuous compliance monitoring and evidence collection. Pre-audit readiness reviews. Auditor coordination for Level 2 third-party certification. Security Posture Report updated quarterly.

01 Assess

Goal: Establish the scope and find the gaps in your current security posture.

  • CPCSC Gap Assessment

  • System & Data Scoping

  • System Description Development

  • Prioritized Remediation Roadmap

  • Technical Remediation Playbooks

MILESTONES
  • Gap Assessment Report

  • ITSP 10.171 Controls Mapping

02 Build

Goal: Implement controls and automate processes for audit readiness.

  • GRC Platform Setup & Integration

  • Policy Customization (20+ policies)

  • Tailoring of Controls (100+ controls)

  • Customized Mapping of Tests to Controls

  • Fix Automated Evidence Collection Issues

  • Manual Evidence Collection

  • Company Risk Assessments

  • Vendor Risk Assessments

  • Security Awareness Training

  • Access Reviews

  • Penetration Testing

  • Internal Audit

  • Full External Audit Management

MILESTONES
  • 20+ Customized Policies

  • Internal Audit Report

  • Penetration Test Report

  • CPCSC Level 2 Certification

03 Operate

Goal: Maintain and improve your compliance posture year-round.

  • Weekly Cadence Calls

  • Active Compliance Program Management

  • Access to Security & Compliance SME

  • Security Architecture Advisory

  • Continuous Control Monitoring

  • Continuous Evidence Collection

  • Ongoing Company Risk Assessments

  • Ongoing Vendor Risk Assessments

  • Security Awareness & Training

  • Quarterly Access Reviews

  • Annual Policy Updates & Acknowledgement

  • Annual Internal Audit

  • Annual Penetration Testing

  • Annual External Audit Management

MILESTONES
  • 20+ Updated Policies

  • Penetration Test Report

  • Internal Audit Report

  • CPCSC Level 2 Certification Maintained

Warning: Most Compliance Advisors Don't Understand Defence Requirements.

Generic advisors apply standard compliance templates without accounting for CPCSC-specific controls, sensitive information handling requirements (including CUI handling for contractors also subject to CMMC), or the infrastructure diversity typical in defence supply chains.

Why Our Effective Security Approach Works for Defence

A certification that doesn't reflect your actual security posture fails the first time a prime contractor or DND auditor looks closely.

The All-in-One Solution for CPCSC Readiness

Fixed-price package: Assess + Build + Operate. Security Program Manual, Security Posture Report, and continuous compliance management through Level 2 certification and beyond.

  • Everything in Build

  • Everything in Operate

  • GRC Platform License

  • Annual Penetration Test

  • External Audit

  • Internal Audit

Trusted by Canada's Critical Infrastructure

They don’t just provide recommendations; they ensure we meet our stringent ISO 27001 and SWIFT compliance goals. We trust them with projects of national importance, and they deliver.

Matt Charette

CISO at Payments Canada

CPCSC Compliance: Frequently Asked Questions

What is the CPCSC?

The Canadian Program for Cyber Security Certification (CPCSC) is Canada's cybersecurity certification standard for defence supply chain companies. It launched in March 2025 and is based on ITSP 10.171, the Canadian Centre for Cyber Security's standard for protecting sensitive information. Phase 2 (Level 1 self-assessment) is already in effect for applicable contracts. Phase 3, which introduces mandatory Level 2 third-party certification for applicable defence RFPs, arrives Spring 2026.

How does CPCSC compare to CMMC?

CPCSC is Canada's defence cybersecurity certification program, based on ITSP 10.171. CMMC is the US equivalent, based on NIST SP 800-171. Both protect sensitive information in the defence supply chain, and both use a tiered certification model. The control frameworks overlap significantly because ITSP 10.171 draws from NIST SP 800-171. Canadian companies bidding on US DoD contracts need CMMC in addition to CPCSC, which is why a dual-jurisdiction approach that addresses both frameworks simultaneously is more efficient than handling them separately.

Do I still need CPCSC certification if I already have CMMC?

Yes. CPCSC and CMMC are separate certification programs administered by different countries. CMMC certification does not satisfy CPCSC requirements, and vice versa. However, since both frameworks draw from NIST standards, much of the underlying security work transfers. A company with CMMC Level 2 will find that many CPCSC Level 2 controls are already satisfied. The additional effort is in mapping to ITSP 10.171 specifically and working with CPCSC-accredited assessors.

What are the CPCSC certification levels?

CPCSC has three levels. Level 1 requires an annual self-assessment and applies to contracts involving basic federal contracting information. Level 2 requires third-party certification by an accredited assessor and applies to contracts involving more sensitive information. Level 3 involves a Department of National Defence audit for the most sensitive contracts. Most defence supply chain companies will need Level 2 certification when Phase 3 takes effect in Spring 2026. The specific level required will be stated in individual RFPs.

How long does CPCSC certification take?

Typically 4-6 months from assessment to certification readiness, depending on your current security posture and the gaps identified. The Assess phase takes 2-4 weeks, the Build phase 6-12 weeks depending on gap size and infrastructure complexity, and audit preparation 2-4 weeks. Companies that already have mature security programs or existing CMMC compliance will move faster. Given the Spring 2026 Phase 3 deadline, starting now provides a comfortable margin for Level 2 certification.

Ready to Build an Effective Security Program?

Free assessment for your defence supply chain organization against CPCSC requirements.


From the Blog: CPCSC and Defence Compliance

Readiness guides for Canadian defence contractors navigating CPCSC and CMMC requirements.

CPCSC Audit Preparation: What Canadian Payment Processors Need

What Is the CPCSC? The CPCSC is Canada’s equivalent to the U.S. Cybersecurity Maturity Model Certification (CMMC), designed to safeguard federal ...

CMMC 2.0: What It Is, Who Needs It, and How to Get Started

Most companies first hear about CMMC when a solicitation lands with a clause they have never seen before, or when a prime contractor asks a ...