CPCSC for Canadian Defence Suppliers: What's Active in 2026
CPCSC is no longer a future plan. Level 1 is available, and CPCSC requirements may appear in select defence contracts as early as summer 2026.
The Canadian Program for Cyber Security Certification (CPCSC) is now an active part of defence procurement, not a future plan.
CPCSC Level 1 became available to suppliers on April 1, 2026. PSPC says Level 1 to 3 requirements may be identified in select defence contracts as early as summer 2026, but it will “require compliance at a later date.” When a defence contract does require Level 1, PSPC’s Level 1 guidance says the self-assessment is required at “contract award, and not during the bidding process.”
This page is the overview. If you already know CPCSC exists and you need practical readiness steps, scope definition, evidence to retain per control, and the CanadaBuys attestation walk-through, read the companion piece: CPCSC Level 1 Readiness: What Canadian Defence Suppliers Need to Do Before Attesting.
What is CPCSC?
CPCSC is Canada’s framework for standardising cyber security requirements for organisations that handle federal Specified Information on supplier networks, systems, and applications. The Canadian Centre for Cyber Security, part of the Communications Security Establishment, developed the Canadian cyber security standard, ITSP.10.171, that forms the foundation of CPCSC controls. Public Services and Procurement Canada manages CPCSC implementation across government, while the Department of National Defence conducts Level 3 assessments and works with PSPC on defence requirements (Government of Canada program overview).
CCCS describes the technical baseline directly: ITSP.10.171 “provides GC departments and agencies with recommended security requirements for protecting the confidentiality of specified information when it resides in non-GC systems and organizations” (Canadian Centre for Cyber Security). That is the substance suppliers must implement; CPCSC is the procurement wrapper that turns it into a contract requirement.
CPCSC was developed alongside the United States’ Cybersecurity Maturity Model Certification (CMMC) and shares the same goal of protecting sensitive unclassified information across the defence supply chain. It is tailored to the Canadian regulatory environment, including Controlled Goods, Canadian privacy law, and the CCCS technical publication ITSP.10.171, Protecting Specified Information in Non-Government of Canada Systems and Organizations.
What information does CPCSC protect?
CPCSC protects federal Specified Information (SI) stored, processed, or transmitted on supplier infrastructure. SI is the Canadian-defined category for CPCSC and should not be treated as identical to US Controlled Unclassified Information. SI may include:
- Non-public contract details (statements of work, pricing, schedules, technical drawings)
- Controlled goods information regulated under the Defence Production Act
- Protected information (Protected A and B)
A Government of Canada authority identifies and qualifies, in the contract, which information requires safeguarding. If a contract identifies any of those categories as SI and the supplier handles it on its own networks, systems, or applications, that environment may be in scope.
Current CPCSC timeline
The rollout is staged. The clearest current public timeline is split across PSPC’s program overview, the Level 1 supplier guidance, and the additional information and support page:
- Level 1 became available to suppliers on April 1, 2026.
- From April 2026 to March 2027, the Government of Canada is introducing the Level 1 self-assessment tool and support materials, assessing National Defence contracts through a new Cyber Security Risk Assessment, and building the Level 2 certification system.
- PSPC says Level 1 to 3 requirements may be identified in select defence contracts as early as summer 2026, but it will “require compliance at a later date.”
- PSPC’s Level 1 supplier guidance also says that when a defence contract requires Level 1, self-assessment is required at “contract award, and not during the bidding process.”
- From April 2027 to March 2028, Level 2 and Level 3 certification requirements are expected to be gradually incorporated into select defence contracts.
The practical takeaway: do not assume every defence solicitation now requires CPCSC, and do not assume the compliance date is identical for every contract. Read the RFP and contract clauses. Use the transition window to define scope, close gaps, and get evidence in order before compliance dates arrive.
Certification levels
CPCSC uses a three-tier structure:
- Level 1 - Annual self-assessment against 13 security requirements from ITSP.10.171. Self-attestation; no third-party assessor required.
- Level 2 - 98 controls, triannual external cyber security assessments led by an accredited certification body, plus annual affirmation.
- Level 3 - 200 controls, triannual cyber security assessments conducted by the Government of Canada, plus annual affirmation.
The control counts above are the exact counts PSPC publishes in its program overview. The triannual Level 2 and Level 3 assessment cadence is stated in PSPC’s supplier support and implementation milestones.
The further up the ladder, the more independent verification is required and the more SI sensitivity is in scope.
What Level 1 requires
Level 1 is an annual self-assessment that confirms implementation status for 13 security controls drawn from ITSP.10.171. The supplier:
- Defines the scope of systems that handle SI.
- Identifies implementation status for each of the 13 controls and supports attestation once the required controls are implemented in that scope.
- Retains the self-assessment results and supporting evidence.
- Records proof of self-attestation, including the expiry date, in CanadaBuys when the organization is bidding on or working under a defence contract that requires CPCSC Level 1.
- Provides that proof when submitting a bid where Level 1 applies.
The Level 1 supplier guidance says the online self-assessment results page includes an expiry date, that suppliers must print or save the page, and that proof of self-attestation and expiry date must be provided to the supplier’s CanadaBuys profile and when submitting a bid if the organization is bidding on, or working under, a defence contract that requires CPCSC Level 1. The self-assessment is annual, so renewal tracking matters.
The 13 Level 1 controls
The 13 controls come from ITSP.10.171, the CCCS publication that mirrors NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) with no substantial technical changes. They are published as the Government of Canada CPCSC Level 1 criteria on canada.ca. They cover the basic-safeguarding posture: who can touch the system, how they authenticate, how the system is protected at the boundary, how media is handled, and how flaws and malicious code are addressed.
| # | Control | ITSP.10.171 ID |
|---|---|---|
| 1 | Account management | 03.01.01 |
| 2 | Access enforcement | 03.01.02 |
| 3 | Use of external systems | 03.01.20 |
| 4 | Publicly accessible content | 03.01.22 |
| 5 | User identification, authentication, and re-authentication | 03.05.01 |
| 6 | Device identification and authentication | 03.05.02 |
| 7 | Multi-factor authentication | 03.05.03 |
| 8 | Media sanitization | 03.08.03 |
| 9 | Physical access authorizations | 03.10.01 |
| 10 | Physical access control | 03.10.07 |
| 11 | Boundary protection | 03.13.01 |
| 12 | Flaw remediation | 03.14.01 |
| 13 | Malicious code protection | 03.14.02 |
The companion piece, CPCSC Level 1 Readiness, walks each control with practical implementation notes for small supplier environments and lists the evidence you should retain before you attest.
Scope, cloud services, and external providers
Scope is the part suppliers underestimate. CPCSC scope is “the systems that store, process, or transmit SI”, which in a modern environment almost always reaches:
- Endpoints used by employees who touch SI
- Email and file-sharing systems where SI moves
- Cloud platforms (Microsoft 365, Google Workspace, AWS, Azure, GCP) where SI lands
- SaaS tools (project management, CAD, ERP, ticketing) that store SI
- Managed service providers and consultants with access to SI
A supplier cannot move SI into a third-party SaaS or cloud tenancy and then claim that tenancy is out of scope. The supplier is still accountable. Where a provider’s own controls are being relied on, that needs to be documented as part of scope, not assumed.
CanadaBuys and self-attestation
PSPC’s Level 1 supplier guidance says suppliers must retain their self-assessment results and, when the requirement applies, provide proof of self-attestation and the expiry date to the supplier’s CanadaBuys profile and with the bid submission. Practically, that means:
- The internal self-assessment package (scope, control-by-control implementation statement, evidence pointers) stays with the supplier and is retained for audit.
- The CanadaBuys profile and bid submission carry the proof PSPC asks for when the contract requires CPCSC Level 1.
- The internal evidence and the procurement-facing proof must stay aligned through the annual renewal cycle.
CPCSC and CMMC
Canadian suppliers who also work with US defence primes ask the obvious question: does a CMMC certification cover CPCSC?
The current posture from Canada: a valid CMMC certification may be accepted case by case, after confirming scope, and Canada may verify specific controls if needed. A CMMC certificate is not automatic CPCSC certification. The technical controls are closely aligned, since ITSP.10.171 is the Canadian counterpart to NIST SP 800-171, so CMMC work can reduce duplicate effort. But scope, attestation paperwork, procurement process, and Canadian verification all remain separate. CMMC Level 1 covers a similar basic-safeguarding posture to CPCSC Level 1 but is not a one-for-one mapping.
Cross-border suppliers should expect:
- CPCSC scope and CMMC scope to be the same logical environment in most cases, with separate attestation paperwork.
- Canadian proof, scope confirmation, and procurement records to be handled separately from CMMC verification.
- Spot verification of specific controls when Canada exercises the case-by-case acceptance path.
Controlled goods and CPCSC
For suppliers already registered under the Controlled Goods Program (CGP), CPCSC is additive, not duplicative. CGP governs who can access controlled goods information; CPCSC governs the cyber security posture of the systems that hold that information. Most CGP-registered suppliers will find that their existing access-control and personnel-screening processes feed Level 1 evidence directly, but the IT controls (system hardening, malicious-code protection, audit logging) usually need explicit documentation that CGP alone never required.
What suppliers should do now
For Level 1, before CPCSC clauses become active in target contracts:
- Confirm whether the contracts you bid on are likely to carry a Level 1 clause, and whether the clause names an immediate or later compliance date.
- Draw the SI scope boundary. Identify which systems, tenancies, and providers actually touch SI.
- Walk the 13 controls against your current environment and record gaps honestly.
- Close the gaps that matter, then retain evidence so the self-assessment can be defended if Canada verifies a specific control.
- When Level 1 applies, record the self-attestation in CanadaBuys with a tracked expiry date and renewal calendar.
The companion article, CPCSC Level 1 Readiness, walks all of this with the per-control detail.
How Pilotcore helps
Pilotcore runs a focused CPCSC Level 1 readiness assessment: scope definition, SI flow mapping, the 13-control walk, evidence pack, and the CanadaBuys attestation handoff. Nelson Ford, principal at Pilotcore and based in Ottawa, is a CISSP and CMMC Certified Professional, and works with Canadian defence suppliers on both CPCSC and the CMMC-side requirements when the supply chain spans both countries.
If you have a defence contract in front of you that may carry Level 1, the right move is a scoped readiness assessment now rather than rushed remediation after the clause appears.
Sources checked
- Canadian Centre for Cyber Security: ITSP.10.171
- Government of Canada CPCSC program overview
- Government of Canada CPCSC Level 1 backgrounder
- Government of Canada supplier support and implementation milestones
- Government of Canada Level 1 supplier guidance
- Cybersecurity Maturity Model Certification (CMMC)
- NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- CPCSC Level 1 criteria on canada.ca
About the author
Nelson Ford - CMMC CCP / CISSP
Nelson Ford is the principal at Pilotcore, based in Ottawa. He is a CISSP and CMMC Certified Professional, and works with Canadian defence suppliers on CPCSC readiness and US contractors on CMMC. He writes Pilotcore's compliance and zero-trust commentary.
Frequently asked questions
What is CPCSC?
CPCSC (Canadian Program for Cyber Security Certification) is Canada's framework for standardising cyber security requirements for organisations that handle federal Specified Information on supplier networks. The Canadian Centre for Cyber Security, part of the Communications Security Establishment, developed ITSP.10.171, and Public Services and Procurement Canada manages CPCSC implementation across government.
When does CPCSC Level 1 take effect?
CPCSC Level 1 became available to suppliers on April 1, 2026. PSPC says Level 1 to 3 requirements may be identified in select defence contracts as early as summer 2026, but it will require compliance at a later date. When a defence contract does require Level 1, PSPC's Level 1 guidance says the self-assessment is required at contract award, and not during the bidding process.
What information does CPCSC protect?
CPCSC protects federal Specified Information (SI) stored, processed, or transmitted on supplier infrastructure. SI is the Canadian-defined category for CPCSC and may include non-public contract details, controlled goods information regulated under the Defence Production Act, and Protected A and B information identified in the contract.
How is CPCSC different from CMMC?
CPCSC and CMMC share the goal of protecting sensitive unclassified information across the defence supply chain, and CPCSC's technical baseline (ITSP.10.171) mirrors NIST SP 800-171 with no substantial technical changes. The difference is operational. CPCSC is run by Canadian authorities, uses the Canadian SI category, and relies on Canadian procurement records when Level 1 self-assessment applies, while CMMC uses CUI and is registered through DoD systems.
Does a CMMC certification count as CPCSC certification?
Not automatically. Canada may accept a valid CMMC certification on a case-by-case basis after confirming scope, and may verify specific controls. Cross-border suppliers should expect Canadian proof, scope confirmation, and procurement records to be handled separately even when the underlying technical environment is the same.
What are the three CPCSC levels?
Level 1 is an annual self-assessment against 13 security requirements from ITSP.10.171. Level 2 requires 98 controls, triannual external cyber security assessments led by an accredited certification body, and annual affirmation. Level 3 requires 200 controls, triannual cyber security assessments conducted by the Government of Canada, and annual affirmation.