CPCSC vs CMMC: Practical Comparison for Defence Contractors Working Across Canada and the U.S.

Cross-border defence contractors serving both Canadian DND/PSPC and US DoD need to understand both CPCSC (Canadian Program for Cyber Security Certification) and CMMC (Cybersecurity Maturity Model Certification). While both derive from NIST SP 800-171, they have distinct requirements, timelines, and assessment processes.

What's the difference between CPCSC and CMMC?

CPCSC (Canadian Program for Cyber Security Certification) applies to Canadian DND/PSPC defence contracts, while CMMC (Cybersecurity Maturity Model Certification) applies to US DoD contracts. Both derive from NIST SP 800-171, but CPCSC uses Rev 3 (2024) while CMMC uses Rev 2 (2021). CPCSC Level 1 becomes mandatory Spring 2026; CMMC Level 2 becomes mandatory in a phased rollout from 2026 to 2028. Assessment bodies differ: Canadian 3PAOs (Standards Council of Canada) vs US C3PAOs (Cyber-AB). No reciprocity agreement exists yet between the programs.

Who This Applies To

Cross-border defence contractors serving both the Canadian and US governments

Timeline

CPCSC: 3-12 months, CMMC: 12-18 months

Investment Range

Costs vary by scope and assessor availability; use CPCSC and CMMC ranges as planning estimates, not fixed quotes

Detailed Side-by-Side Comparison

| Aspect | CPCSC (Canada) | CMMC (United States) |
|---|---|---|
| Governing Body | PSPC (Public Services and Procurement Canada) | DoD (Department of Defense) |
| Standard Basis | NIST SP 800-171 Rev 3 (CCCS ITSP.10.171) | NIST SP 800-171 Rev 2 (migrating to Rev 3) |
| Information Classifications | Protected A/B/C, Specified Information (SI) | FCI (Federal Contract Information), CUI (Controlled Unclassified Information) |
| Level 1 | Self-assessment, annual (Low-Sensitivity SI) | Self-assessment, annual (FCI only) |
| Level 2 | 3PAO assessment, ~every 3 years (Moderate-Sensitivity SI) | C3PAO assessment, every 3 years (CUI) |
| Level 3 | DND assessment, ~every 3 years (High-Sensitivity SI) | Government assessment, TBD (critical programs) |
| Assessment Bodies | 3PAO (Standards Council of Canada accredited) | C3PAO (Cyber-AB accredited) |
| Mandatory Timeline | Level 1 & 2: Spring 2026, Level 3: 2027 | Level 2: Phased 2026-2028 (full rollout) |
| Implementation Timeline | L1: 3-6 months, L2: 6-12 months, L3: 12-18 months | L1: 2-4 months, L2: 12-18 months, L3: 18-24 months |
| Reciprocity Status | Under discussion with DoD, NO FORMAL AGREEMENT | Under discussion with PSPC, NO FORMAL AGREEMENT |
| Primary Contracts | DND, PSPC, Canadian government agencies | US DoD, defence primes and subs handling CUI |
| Number of Controls | L1: 17 practices, L2: 110 practices, L3: 134+ practices | L1: 17 practices, L2: 110 practices, L3: 134+ practices |

Cross-Border Implementation Strategy

If you serve both Canadian and US defence contracts, implement both certifications efficiently by leveraging their shared NIST SP 800-171 foundation:

  1. Assess both requirements simultaneously - Single gap analysis covers ~80% of both frameworks
  2. Implement shared technical controls first - Network segmentation, MFA, encryption, logging work for both
  3. Maintain separate documentation - System Security Plans (SSPs) must match each framework's format
  4. Schedule assessments strategically - Complete CPCSC L1 first (faster), then pursue CMMC L2
  5. Track framework-specific requirements - CPCSC Rev 3 has enhanced supply chain controls; CMMC has specific CUI marking requirements
  6. Plan for no reciprocity - Even if agreements emerge, separate assessments will likely remain required

Cost Efficiency: Shared infrastructure and controls implementation can reduce duplicated effort across both frameworks. Actual program cost and timing depend on scope, inherited controls, assessor availability, and contract requirements.

Key Technical Differences

CPCSC-Specific Requirements

  • NIST SP 800-171 Rev 3 (2024) - includes enhanced supply chain risk management
  • CCCS cloud security profiles for cloud workloads (Low, Medium, High profiles)
  • Canadian personnel security screening requirements (Reliability Status, Secret clearance)
  • Integration with DIBCAC registration for defence contractor listing

CMMC-Specific Requirements

  • NIST SP 800-171 Rev 2 (2021) - CMMC 2.0 will adopt Rev 3 controls in future
  • Specific CUI marking and handling procedures per DoD requirements
  • Plan of Action and Milestones (POA&M) submitted through SPRS (Supplier Performance Risk System)
  • Integration with SAM.gov registration and DFARS clause 252.204-7012

Frequently Asked Questions

Can CPCSC certification count toward CMMC or vice versa?

As of this writing, there is no formal reciprocity agreement. While PSPC and DoD have discussed reciprocity, organisations should plan for separate assessments unless official guidance changes. Both derive from NIST SP 800-171, but CPCSC uses Rev 3 while CMMC uses Rev 2. Assessment bodies differ: Canadian 3PAOs (Standards Council of Canada accredited) vs US C3PAOs (Cyber-AB accredited). If you hold one certification, implementing the other is often faster because of the shared control baseline, but separate assessments and documentation are still typically required.

Which should I pursue first if I work with both Canadian and US defence contracts?

Prioritize the framework tied to your most material near-term contracts first. If contract value is similar, many organisations start with CPCSC Level 1 to establish baseline controls, then stage CMMC Level 2 using shared control work where possible. Both use NIST SP 800-171 as a foundation, so controls implemented for CPCSC can support CMMC requirements. The main differences are documentation formats and assessment processes.

Do Canadian companies need CMMC to contract with US DoD?

Yes, if the contract involves Controlled Unclassified Information (CUI). CMMC applies to ALL DIB (Defense Industrial Base) contractors regardless of country. Canadian companies serving US DoD must achieve CMMC certification just like US companies. However, being CPCSC-certified demonstrates existing NIST SP 800-171 implementation, which significantly reduces CMMC implementation time.

What are the cost differences between CPCSC and CMMC certification?

Typical costs vary by scope, inherited controls, and assessor availability. Many programs see CPCSC Level 1 as primarily internal implementation with annual self-assessment, while CPCSC Level 2 adds third-party assessment costs on a multi-year cycle. CMMC Level 2 generally includes both implementation and C3PAO assessment costs. Cross-border contractors can often share a substantial portion of infrastructure and control implementation effort between both frameworks. Treat all ranges as planning estimates, not firm quotes.

Are CPCSC and CMMC timelines different?

Yes. CPCSC Level 1 becomes mandatory Spring 2026 for Low-Sensitivity contracts, and Level 2 becomes mandatory Spring 2026 for Moderate-Sensitivity contracts. CMMC Level 2 becomes mandatory throughout 2026-2028 (phased rollout by contract type). Implementation timelines also differ: CPCSC Level 1 often takes 3-6 months, Level 2 often takes 6-12 months, and CMMC Level 2 often takes 12-18 months. Delaying preparation can compress timelines and increase bid risk once requirements are active.

What information classifications do CPCSC and CMMC protect?

CPCSC protects Canadian classified information: Protected A (Low sensitivity), Protected B (Medium sensitivity), Protected C (High sensitivity), plus Specified Information (SI) with sensitivity levels. CMMC protects US classified information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Despite different names, protection requirements are similar - both derive from NIST SP 800-171 baseline controls for handling sensitive government information.

Are the technical controls different between CPCSC and CMMC?

Mostly similar, with minor differences. Both use NIST SP 800-171 as their foundation. CPCSC uses Rev 3 (updated 2024), CMMC uses Rev 2 (2021). Rev 3 adds enhanced supply chain risk management and insider threat controls. The 17 control families are identical: Access Control, Awareness Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Planning, Risk Assessment, Security Assessment, System & Communications Protection, System & Information Integrity, System & Services Acquisition, Supply Chain Risk Management.

Need Help with CPCSC and CMMC?

Pilotcore can assist with cross-border defence contractor compliance. With CMMC CCP certified staff and experience implementing both frameworks, we help you achieve both certifications efficiently.

  • Single gap analysis covering both frameworks
  • Shared infrastructure implementation (70-80% overlap)
  • Framework-specific documentation for each assessment
  • 3PAO and C3PAO assessment preparation support

We offer a 30-minute technical discussion to assess your Canadian and US defence contract requirements and build a roadmap for both certifications.
