CPCSC is the Canadian Program for Cyber Security Certification. It is Canada's cyber security certification program for defence suppliers that handle federal Specified Information on supplier systems, networks, or applications.

Who needs CPCSC Level 1?

Level 1 may apply when a defence contract requires it and the supplier handles federal Specified Information. Government guidance says Level 1 begins appearing in select defence contracts in summer 2026 and is required at contract award in the initial phase.

How many CPCSC Level 1 controls are there?

CPCSC Level 1 uses 13 security requirements and controls from ITSP.10.171. Suppliers complete an annual self-assessment and keep proof for CanadaBuys when a contract requires it.

How do CPCSC Level 2 and Level 3 work?

Current Government of Canada guidance describes Level 2 as 98 controls, external assessment every three years by an accredited certification body, and annual affirmation. Level 3 is described as 200 controls, assessment by National Defence, and annual affirmation. Level 2 is planned for select defence contracts beginning in spring 2027.

Is Pilotcore an official CPCSC certification body?

No. Pilotcore provides readiness, scope, evidence, and implementation support. We do not issue official CPCSC certifications and we do not replace an accredited assessor.

What is CPCSC?

Q: Can CMMC work help with CPCSC?

It can help when the assessed scope matches. Canada may accept a valid CMMC certification case by case after confirming scope, and it may still verify specific controls.

CPCSC is the Canadian Program for Cyber Security Certification, Canada's cyber security certification path for defence suppliers that must protect federal Specified Information.

Quick Answer

What is CPCSC, in one breath?

CPCSC applies through contract requirements. Level 1 is available as of April 2026, uses 13 controls from ITSP.10.171, and begins appearing in select defence contracts in summer 2026. In the initial phase, suppliers need Level 1 certification at contract award, not at bid submission.

Who this applies to

Canadian defence suppliers handling federal Specified Information on their own systems

Timeline

Level 1 available April 2026; appears in select defence contracts beginning summer 2026

Investment

Annual self-attestation against 13 ITSP.10.171 controls, recorded in CanadaBuys

Scope

What information does CPCSC protect?

CPCSC protects federal Specified Information on supplier-owned or supplier-operated systems. Government guidance describes Specified Information as sensitive, non-classified government information that must be protected when handled, processed, or stored outside Government of Canada systems.

For a supplier, the practical question is where that information lives: email, SharePoint, Google Drive, CAD tools, endpoints, ticketing systems, backups, MSP tools, cloud accounts, and subcontractor systems can all matter.

Levels

CPCSC levels.

Level	Assessment model	Planning note
Level 1	Annual self-assessment against 13 controls.	Available April 2026 and introduced in select defence contracts beginning summer 2026.
Level 2	98 controls. External assessment every three years by an accredited certification body, plus annual affirmation.	Under development and planned for select defence contracts beginning in spring 2027.
Level 3	200 controls. National Defence assessment every three years, plus annual affirmation.	Reserved for higher-risk defence scenarios identified through contract risk assessment.

Attestation

CanadaBuys proof for Level 1.

PSPC's Level 1 supplier guidance says suppliers must provide proof of self-attestation and the expiry date to their CanadaBuys profile when bidding on, or working under, a defence contract that requires CPCSC Level 1.

The same guidance names the CanadaBuys organizational supplier profile questionnaire as the place where self-assessment results and expiration date are confirmed. Keep the saved assessment result, expiry date, scope notes, and control evidence together so the CanadaBuys entry can be renewed before it expires.

Cross-border

CPCSC and CMMC.

CPCSC is Canadian. CMMC is the U.S. Department of Defense program. The two programs use aligned technical controls, but they are not the same certification path.

Canada may accept a valid CMMC certification case by case after scope confirmation and may verify specific controls. Treat that as a scope and evidence question, not an automatic shortcut.

Next step

Start with scope and evidence.

If a contract may require CPCSC, start by reading the clause, naming the Specified Information, mapping the systems that touch it, and collecting proof for the Level 1 controls.

Download the CPCSC Level 1 Guide

Related CPCSC pages.

References