Does CPCSC apply to every Canadian business?

No. CPCSC applies through contract requirements. It is relevant when a Canadian defence or sensitive federal contract requires a CPCSC level and the supplier handles federal Specified Information in supplier systems, networks, or applications.

Does CPCSC apply to subcontractors?

It can. If contract requirements flow down and the subcontractor handles Specified Information, the subcontractor should confirm the clause, data scope, and evidence expectations with the prime or the contracting officer.

Does CMMC mean CPCSC applies?

No. CMMC is a U.S. Department of Defense program. CPCSC is the Canadian defence-supplier program. The controls are aligned, and Canada may accept valid CMMC status case by case after scope review, but the contract driver still matters.

Does CPCSC Apply to Your Canadian Defence Contract?

CPCSC applies because a contract says it applies. Start with the solicitation, then trace the information and systems in scope.

Quick Answer

Does CPCSC apply to me?

CPCSC may apply if your organisation bids on, wins, supports, or subcontracts into selected Canadian defence contracts and handles federal Specified Information on supplier systems. Level 1 is available as of April 2026 and appears in select defence contracts beginning summer 2026. In the initial phase, Level 1 certification is required at contract award, not at bid submission.

Who this applies to

Canadian defence suppliers, subcontractors, IT providers, MSPs, software vendors, cloud operators, engineering firms, and manufacturers in a Canadian defence supply chain

Timeline

Check now if you expect a summer 2026 or later Canadian defence award

Investment

Start with a scope review before buying tools or hiring an assessor

Decision test

The five-question test.

Is there Canadian defence or sensitive federal contract language?

Look for a CPCSC clause, a cyber security certification requirement, or references to ITSP.10.171.

Do you handle federal Specified Information?

Specified Information may include non-public contract details, controlled goods information, Protected A or Protected B information when the contract designates it, or technical data named by the contract. Protected C or higher-risk information should be reviewed against the contract's security requirements and any separate PSPC, DND, or industrial security obligations.

Does that information touch your systems?

Email, SharePoint, Google Drive, CAD, ticketing, endpoints, backups, MSP tools, and SaaS platforms can all bring a system into scope.

Are you a subcontractor or service provider?

Prime contractors may flow requirements down when your work touches in-scope information or systems.

Do you already have CMMC status?

CMMC may help, but Canada reviews valid CMMC status case by case after confirming scope. It is not automatic.

Cross-border

If you searched for "does CMMC apply to me".

Use the buyer and contract as the decision point. U.S. Department of Defense work points you toward CMMC. Canadian DND or PSPC defence work points you toward CPCSC. A cross-border supplier may need both, but each requirement should map to a real contract and a real data scope.

The safest first move is not to declare a program. It is to read the contract language, name the information category, and map where that information lives. PSPC's Level 1 scoping guide is the official reference for deciding which assets, systems, people, facilities, and external providers belong in scope.

Next steps

What to do next.

Collect the solicitation, prime flow-down, or supplier questionnaire.
Mark every clause that mentions CPCSC, CMMC, ITSP.10.171, NIST 800-171, SI, FCI, or CUI.
Map the systems and vendors that touch the contract information.
Compare the scope against CPCSC Level 1 or the required CMMC level.
Build evidence before attesting in CanadaBuys or any U.S. system.

Pilotcore

Need a second read on the contract?

Pilotcore provides CPCSC and CMMC readiness support for Canadian suppliers. We help with applicability review, scope mapping, control gaps, and evidence planning. We do not issue official certifications or replace an accredited assessor.

References