CMMC vs CPCSC: Canadian Defence Contractor Compliance Guide
If you are a Canadian defence supplier searching for CMMC, you may be looking for the Canadian requirement instead. The U.S. program is CMMC. Canada's defence-supplier program is CPCSC, the Canadian Program for Cyber Security Certification.
The two programs are aligned at the control level, but the contract triggers, evidence path, attestation process, and acceptance rules are different. Treat CMMC as useful context. Treat CPCSC as the Canadian procurement requirement to confirm against your contract.
Quick Answer
What is the difference between CMMC and CPCSC?
CMMC applies to U.S. Department of Defense contracts. CPCSC applies to selected Canadian defence contracts. Canada aligned CPCSC with NIST-based CMMC controls, and may accept valid CMMC status case by case after checking scope. Canadian suppliers still need to confirm CPCSC applicability, prepare CanadaBuys attestation records, and retain evidence for the Canadian contract.
Who this applies to
Canadian defence suppliers, subcontractors, and cross-border teams working with DND, PSPC, U.S. DoD, or defence primes
Timeline
CPCSC Level 1: available April 2026 and introduced in select defence contracts beginning summer 2026
Investment
Budget depends on scope, current controls, evidence quality, and whether the supplier also needs CMMC
Practical answer
The practical answer for Canadian suppliers.
A Canadian supplier should ask three questions before starting any CMMC or CPCSC work:
- Which contract is driving the requirement? Canadian defence contract language points you toward CPCSC. U.S. DoD contract language points you toward CMMC.
- What sensitive information is in scope? CPCSC centers on federal Specified Information. CMMC centers on FCI and CUI.
- Can one control program support both? Often, yes. Shared controls can reduce duplicate work, but the evidence package and submission path still need to match each program.
Side by side
CMMC and CPCSC compared.
| Question | CPCSC | CMMC |
|---|---|---|
| Primary market | Canadian defence procurement, especially selected DND and PSPC contracts. | U.S. Department of Defense contracts and defence-prime flow-downs. |
| Information protected | Federal Specified Information handled on supplier systems, networks, and applications. | Federal Contract Information and Controlled Unclassified Information tied to U.S. DoD work. |
| Level 1 | Annual self-assessment against 13 controls. Available April 2026 and introduced in select defence contracts beginning summer 2026. | Annual self-assessment for Level 1 status, with results entered in SPRS under DoD rules. |
| Higher levels | Level 2 is under development: 98 controls, external assessment every three years by an accredited certification body, annual affirmation, and select defence contract use beginning spring 2027. Level 3 has 200 controls and is assessed by National Defence. | Under 32 CFR Part 170, Level 2 uses self-assessment for non-prioritized Level 2 contracts and C3PAO certification assessment for prioritized Level 2 acquisitions. Level 3 requires DCMA DIBCAC assessment after Level 2 C3PAO status. |
| Where proof lives | Proof of self-attestation, including expiry date, is lodged in CanadaBuys when Level 1 applies. | CMMC status and affirmations are checked through U.S. government systems such as SPRS and CMMC eMASS. |
| CMMC reuse for CPCSC | Canada may accept valid CMMC status case by case after scope confirmation and may verify specific controls. | A CPCSC status should not be assumed to satisfy a U.S. CMMC contract requirement. |
Process
A clean readiness path.
1. Confirm the contract driver
Read the solicitation or flow-down language. A Canadian DND or PSPC clause should be evaluated for CPCSC. A U.S. DoD clause should be evaluated for CMMC.
2. Scope the data and systems
Map where contract information is stored, processed, and transmitted. Include Microsoft 365, Google Workspace, endpoints, cloud accounts, backups, tickets, and vendors.
3. Build evidence before attesting
Do not treat self-assessment as a checkbox exercise. Retain control statements, screenshots, configuration exports, access reviews, diagrams, and remediation notes.
Reuse
Can existing CMMC work help with CPCSC?
Yes, but only if the scope matches. Canada says valid CMMC status may be accepted case by case after confirming the assessment covers the required Canadian scope. Canada may also verify specific controls.
That means a Canadian supplier with CMMC should prepare a mapping pack, not a shortcut claim. Show which systems were assessed, which contract information they cover, which controls are shared, and what remains Canadian-specific, including CanadaBuys proof of self-attestation when Level 1 applies.
CMMC can also flow down through U.S. prime and subcontractor chains when FCI or CUI is processed, stored, or transmitted. Subcontractors that only provide commercially available off-the-shelf items are treated differently under FAR flowdown language, so check the clause before assuming every supplier tier has the same obligation.
If you already hold CMMC status and want Canada to assess it for CPCSC, Canada says proof of CMMC certification can be sent to tpsgc.pacertcybersecur-apcybersecurcert.pwgsc@tpsgc-pwgsc.gc.ca for verification and assessment.
Frequently asked
Frequently asked questions
Is CPCSC the Canadian version of CMMC?
CPCSC is Canada's domestic cyber security certification program for defence suppliers. It is closely aligned with U.S. CMMC because both programs use NIST-based controls, but it is not a legal copy of CMMC. CPCSC has Canadian contract language, CanadaBuys attestation, Canadian scope terms, and Canadian oversight.
Can a CMMC certification satisfy CPCSC?
Not automatically. Canada says it may accept a contractor's valid CMMC status case by case after confirming the assessment covers the required scope. Canada may also verify specific controls when needed, so Canadian suppliers should still prepare CPCSC scope, evidence, and CanadaBuys attestation records.
Do Canadian suppliers need CMMC?
Canadian suppliers may need CMMC when they contract with U.S. Department of Defense buyers or defence primes and the contract requires a CMMC level. CPCSC applies to selected Canadian defence procurements. Cross-border suppliers may need both programs for different contracts.
When does CPCSC Level 1 apply?
CPCSC Level 1 became available in April 2026 and is being introduced in select Canadian defence contracts beginning in summer 2026. During the initial phase, Level 1 certification is required at contract award rather than throughout the bidding process.
What should Canadian suppliers do first?
Start by identifying whether your near-term contract is Canadian, U.S., or both. Then define the information scope, map where sensitive contract data lives, compare your current controls against CPCSC Level 1 and applicable CMMC requirements, and retain evidence before you attest.
Need help deciding which path applies?
Pilotcore helps Canadian defence suppliers scope CPCSC and CMMC requirements, map shared controls, prepare evidence, and plan readiness work. CPCSC is still rolling out, so we provide readiness support only. We help you prepare before self-assessment, C3PAO assessment, or future accredited CPCSC assessment. We do not issue official certifications or replace the assessor.
30-minute discussion to identify your likely contract driver, scope, and next evidence step.
References