What Is the Canadian Version of CMMC? CPCSC Explained
Canada's closest counterpart to CMMC is the Canadian Program for Cyber Security Certification, or CPCSC. This article explains how CPCSC compares to CMMC, where the programs align, where they differ, and what Canadian defence suppliers should prepare for.
The Canadian version of CMMC is the Canadian Program for Cyber Security Certification, usually shortened to CPCSC.
Quick answer: CPCSC is Canada’s cyber security certification program for defence suppliers that handle federal Specified Information outside Government of Canada systems. It is the closest Canadian counterpart to CMMC, but it is governed by Canadian procurement rules, Canadian terminology, and ITSP.10.171.
That is the simplest answer. The more accurate answer is that CPCSC is Canada’s closest counterpart to CMMC for defence supplier cyber security, but it is not a one-for-one legal substitute. CPCSC is Canada’s own certification program, built around Canadian procurement, Canadian security terminology, and the Canadian industrial security standard ITSP.10.171.
The distinction matters. A supplier working on a U.S. Department of Defense contract must meet the CMMC requirement stated in that contract. A supplier working on a Canadian defence contract must meet the CPCSC requirement stated in that procurement. The control families are closely related, and Canada may accept valid CMMC status in some cases, but the two programs are not mutually interchangeable.
Why Canada needed a CMMC-style program
CMMC was created for the U.S. defence industrial base. It is used to assess whether contractors have the required cyber security protections for systems that process, store, or transmit Federal Contract Information, or FCI, and Controlled Unclassified Information, or CUI. Under the U.S. DFARS rules, contracting officers must not award a contract unless the offeror has current CMMC status at the level required by the solicitation for the relevant contractor information systems. (Source: DFARS Subpart 204.75)
Canada faces a similar supply chain problem. Defence suppliers may receive sensitive federal information that sits outside Government of Canada systems, often in supplier email, file storage, cloud platforms, ticketing systems, endpoints, backup systems, and subcontractor environments. CPCSC is Canada’s answer to that risk.
Public Services and Procurement Canada describes CPCSC as cyber security requirements for suppliers that bid or work on Government of Canada defence contracts. These measures are intended to protect networks, systems, and applications from malicious cyber activity. (Source: Cyber security certification for defence suppliers in Canada)
CPCSC is being phased in. Level 1 became available in April 2026, while Levels 2 and 3 are still under development and will be introduced gradually. PSPC says Level 2 and Level 3 requirements may appear in select defence contracts as early as summer 2026, with compliance required later, and that Level 2 or 3 certification will be gradually incorporated into select defence contracts from April 2027 to March 2028. (Source: Additional information and support for suppliers about cyber security)
CPCSC in plain English
CPCSC is Canada’s phased cyber security certification program for defence suppliers. It is intended to protect federal Specified Information, or SI, when that information is handled, processed, stored, or transmitted by non-Government of Canada organizations.
PSPC says CPCSC protects federal Specified Information on suppliers’ networks, systems, and applications. It defines SI as sensitive, non-classified government information that must be protected when handled, processed, or stored by non-Government of Canada organizations. Examples may include non-public contract details between a contractor and the Department of National Defence, controlled goods information, and protected information. (Source: How to meet Level 1 cyber security certification requirements)
The technical foundation is ITSP.10.171, the Canadian Centre for Cyber Security’s standard for protecting specified information in non-Government of Canada systems and organizations. The Cyber Centre describes ITSP.10.171 as a standard for protecting the confidentiality of specified information when it is handled outside Government of Canada systems. (Source: ITSP.10.171)
Is CPCSC equivalent to CMMC?
CPCSC is Canada’s functional equivalent to CMMC in the defence procurement context. It addresses a similar problem: how does a government verify that suppliers are protecting sensitive unclassified information on contractor-operated systems?
But equivalence has limits.
Canada says CPCSC aligns with U.S. CMMC requirements, but does not duplicate the U.S. certification system. PSPC also says the Government of Canada may accept a contractor’s valid CMMC certification on a case-by-case basis, after confirming that the assessment covers the required scope. Canada also reserves the right to verify specific CMMC controls when necessary. (Source: How to meet Level 1 cyber security certification requirements)
That creates an important asymmetry. Canada may accept valid CMMC status for CPCSC purposes in some cases, but the U.S. does not currently offer the same reciprocal recognition for CPCSC.
PSPC’s own evaluation of CPCSC says the U.S. CMMC Final Program rule would not allow bilateral reciprocity certification programs between another country and the U.S. Department of Defense. The same evaluation notes industry concern that the lack of reciprocity may force contractors to carry duplicate costs and effort when they need both CPCSC and CMMC. (Source: Evaluation of the Canadian Program for Cyber Security Certification)
The U.S. procurement rules reinforce that practical result. DFARS requires current CMMC status at the required level, posted in SPRS, for each contractor information system that will process, store, or transmit FCI or CUI. (Source: DFARS 204.7503 Procedures)
So the working rule is this: a supplier with CMMC may have a path to Canadian recognition, depending on scope and contract language. A supplier with CPCSC should not assume CPCSC will satisfy a U.S. DoD CMMC requirement.
CPCSC compared with CMMC
| Topic | CMMC | CPCSC |
|---|---|---|
| Country | United States | Canada |
| Main use case | U.S. defence contractor cyber security certification | Canadian defence supplier cyber security certification |
| Procurement context | U.S. Department of Defense contracts | Government of Canada defence contracts, starting with National Defence |
| Protected information | Federal Contract Information and Controlled Unclassified Information | Federal Specified Information |
| Technical foundation | FAR 52.204-21, NIST SP 800-171, and selected NIST SP 800-172 requirements depending on level | ITSP.10.171, closely adapted from NIST SP 800-171 and NIST SP 800-172 |
| Program status | U.S. rule structure in place, with phased contractual implementation | Phased rollout, with Level 1 available and Levels 2 and 3 still maturing |
| Assessment model | Self-assessment, third-party assessment, or government assessment depending on level and contract | Level 1 self-assessment; planned third-party assessment for Level 2; Government of Canada assessment for Level 3 |
| Recognition | U.S. rules require current CMMC status for applicable DoD awards | Canada may accept valid CMMC status case by case, subject to scope and verification |
| Practical takeaway | Required when a U.S. DoD contract says so | Required when a Canadian procurement says so |
The three CPCSC levels
CPCSC has three levels, but they are not all equally mature as of 2026.
Level 1 is the entry point. PSPC says Level 1 confirms the implementation status of 13 security requirements and controls from ITSP.10.171. These controls cover basic cyber hygiene activities such as account management, access enforcement, use of external systems, publicly accessible content, identification and authentication, MFA, media sanitization, physical access control, boundary protection, flaw remediation, and malicious code protection. (Source: Program overview)
Level 2 is currently defined as a higher-assurance level. PSPC says that once Level 2 becomes available, it will consist of 98 controls and require triannual external cyber security assessments led by an accredited certification body, plus an annual affirmation. (Source: Additional information and support for suppliers about cyber security)
Level 3 is currently defined as the highest CPCSC level. PSPC says that once available, Level 3 will require 200 controls and triannual cyber security assessments conducted by the Government of Canada, plus an annual affirmation. PSPC also says Level 3 certification compliance activities will be conducted by Government of Canada authorities. (Source: Additional information and support for suppliers about cyber security)
Those numbers, 13, 98, and 200, should be read as current CPCSC program definitions. They are not a clean one-for-one count of NIST controls, and they may be refined as the program matures.
How CPCSC will show up in procurement
CPCSC becomes real when it appears in procurement documents. At that point, it is a contract requirement, not a badge.
PSPC says that once Levels 2 and 3 are established, a standardized Cyber Security Risk Assessment will evaluate each National Defence contract and determine which certification level is required. The required level will be set contract by contract and communicated in RFPs and contract clauses. (Source: Additional information and support for suppliers about cyber security)
That risk assessment will also serve as an addendum to the Security Requirements Checklist, or SRCL, to document CPCSC requirements in the contract. PSPC says contractual clauses in National Defence procurement documents will specify the required CPCSC level, outline obligations for protecting sensitive information throughout the contract lifecycle, and define compliance expectations. (Source: Additional information and support for suppliers about cyber security)
For suppliers, this means the certification question will usually start with the procurement documents. The contract should identify the required level, the information that needs protection, and the obligations that apply during performance.
CPCSC is not the Controlled Goods Program
Many Canadian defence suppliers already know the Controlled Goods Program, or CGP. CPCSC is different.
The Controlled Goods Program is about controlled goods, including components and technical data with military or national security significance. PSPC says organizations must register in the Controlled Goods Program, unless excluded or exempt, to legally examine, possess, or transfer controlled goods listed in the Defence Production Act schedule. (Source: What are controlled goods)
CPCSC is about cyber security controls for protecting specified federal information on supplier systems, networks, and applications.
The programs can overlap in practice because controlled goods information may also be sensitive information handled in electronic systems. But the legal and operational focus is different. CGP is about controlled goods access and safeguarding. CPCSC is about information system security for specified information.
A supplier may need one, both, or neither, depending on the contract.
Cloud, SaaS, and data residency considerations
CPCSC does not create one universal cloud rule for every supplier. It does, however, force suppliers to understand where specified information lives and moves.
PSPC’s Level 1 guidance tells suppliers to gather information about where Government of Canada information is stored, which systems, devices, and people access it, and which cloud services and tools handle it. (Source: How to meet Level 1 cyber security certification requirements)
That makes cloud and SaaS scoping unavoidable. If SI is stored in Microsoft 365, Google Workspace, AWS, Azure, a managed service provider portal, a ticketing platform, a backup system, or an endpoint management tool, those services become part of the security discussion.
The practical questions are not abstract. They include:
- Which cloud services store or process SI?
- Which administrators can access those services?
- Is MFA enforced for users and administrators?
- Are sharing settings restricted?
- Are logs retained and reviewed?
- Are backups protected?
- Are subcontractors or managed service providers in the SI path?
- Is data stored in Canada, outside Canada, or across multiple regions?
- Does the contract impose specific data residency or handling restrictions?
CPCSC readiness should not be reduced to “we use a major cloud provider.” Shared responsibility still applies. The supplier must understand which controls the provider supports and which controls remain the supplier’s responsibility.
What if your company already has CMMC?
If your company already has CMMC, CPCSC readiness may be easier. It does not mean every Canadian requirement is automatically satisfied.
Canada’s current guidance says the Government of Canada may accept a contractor’s valid CMMC certification on a case-by-case basis, after confirming that the assessment covers the required scope. Canada also reserves the right to verify specific CMMC controls. (Source: How to meet Level 1 cyber security certification requirements)
That wording is useful, but it is not a blanket waiver. A U.S. CMMC assessment may have been performed against a particular CMMC scope, with particular systems, users, enclaves, and information flows. A Canadian contract may involve different specified information, different systems, different subcontractors, or different contract handling requirements.
Suppliers should be ready to map their CMMC evidence to CPCSC and ITSP.10.171, then confirm acceptance through the Canadian procurement or program channel. PSPC says proof of CMMC certification can be sent to the CPCSC contact address for verification and assessment. (Source: How to meet Level 1 cyber security certification requirements)
The reverse is more constrained. A Canadian CPCSC certification should not be assumed to satisfy a U.S. CMMC requirement. U.S. contracting officers must check SPRS for current CMMC status at the required level for each applicable CMMC UID. (Source: DFARS 204.7503 Procedures)
Assessment ecosystem maturity
Suppliers should also pay attention to market capacity.
Level 2 is expected to rely on accredited third-party assessors. PSPC says third-party assessors will be accredited by the Standards Council of Canada and will assess and certify Level 2 requirements once Level 2 certification becomes available. (Source: Additional information and support for suppliers about cyber security)
That ecosystem is still forming. Early suppliers may have to deal with assessor shortages, uneven interpretations, and changing evidence expectations. This is one reason suppliers should not treat CPCSC as a last-minute formality.
Even Level 1 takes work if the organization has not already formalized its controls. Level 2 and Level 3 will likely demand tighter scoping and better proof, not just more paperwork.
What Canadian suppliers should do now
Start by identifying whether you handle federal Specified Information. Do not limit that exercise to obvious contract files. Look at email, SharePoint, Teams, Google Drive, file shares, endpoint backups, ticketing systems, project management tools, accounting attachments, removable media, paper records, and managed service provider systems.
Then define the scope. Identify which people, devices, systems, cloud services, facilities, and subcontractors handle SI. The goal is not to make the scope artificially small. The goal is to make it honest, defensible, and controlled.
Next, map the environment to CPCSC Level 1 and ITSP.10.171. Even if the immediate requirement is only Level 1 self-assessment, retain evidence. Evidence may include access control records, MFA enforcement screenshots, device inventories, network diagrams, configuration exports, vulnerability remediation records, endpoint protection coverage, media sanitization records, training records, and supplier management documentation.
Finally, monitor Level 2 and Level 3 rollout. PSPC has made clear that those levels are still under development and will be phased into select defence contracts over time. The suppliers that prepare early will have a better chance of avoiding rushed remediation, weak evidence, or missed procurement opportunities.
Bottom line
The Canadian version of CMMC is CPCSC, the Canadian Program for Cyber Security Certification.
But the precise answer is more nuanced. CPCSC is Canada’s CMMC-equivalent program for defence supplier cyber security, not a direct legal replacement for CMMC.
Canada may accept valid CMMC status for CPCSC purposes on a case-by-case basis, subject to scope and verification. The U.S. does not currently provide the same reciprocal path for CPCSC to replace CMMC in DoD procurement. That asymmetry matters for Canadian suppliers pursuing both Canadian and U.S. defence work.
For Canadian suppliers, the readiness question is concrete: what protected information do we handle, which contract requirement applies, which systems are in scope, and what evidence shows the controls are working?
About the author
Nelson Ford - CMMC CCP / CISSP
Nelson Ford is the principal at Pilotcore, based in Ottawa. He is a CISSP and CMMC Certified Professional, and works with Canadian defence suppliers on CPCSC readiness and US contractors on CMMC. He writes Pilotcore's compliance and zero-trust commentary.
Frequently asked questions
What is the Canadian version of CMMC?
The Canadian version of CMMC is the Canadian Program for Cyber Security Certification, or CPCSC. It is Canada's cyber security certification program for defence suppliers and is intended to protect sensitive federal information handled by contractors and subcontractors on non-Government of Canada systems.
Is CPCSC the same as CMMC?
No. CPCSC is Canada's closest counterpart to CMMC, but it is not a one-for-one replacement. The programs are closely aligned at the control level, but they use different contracting authorities, terminology, assessment methods, evidence expectations, and acceptance rules.
What information does CPCSC protect?
CPCSC protects federal Specified Information, or SI, when that information is handled, processed, stored, or transmitted by non-Government of Canada organizations. The contract and associated security requirements determine what information is in scope.
How many CPCSC levels are there?
CPCSC is currently structured around three levels. Level 1 is based on annual self-assessment. Level 2 is currently defined around external assessment by an accredited certification body. Level 3 is currently defined around Government of Canada assessment for higher-risk requirements. Levels 2 and 3 are still being phased in.
How does CPCSC compare to CMMC?
CMMC applies to US defence contracts and protects Federal Contract Information and Controlled Unclassified Information. CPCSC applies to Canadian defence procurement and protects federal Specified Information. Both programs are based on related NIST control foundations, but each uses its own national program structure and contracting process.
Does CPCSC apply outside defence contracts?
CPCSC is being introduced first through Canadian defence procurement, especially National Defence contracts. The Government of Canada has indicated that cyber security requirements may later apply to other sensitive federal contracts, but applicability depends on the specific procurement, information handled, and contract clauses.
Is CPCSC the same as the Controlled Goods Program?
No. The Controlled Goods Program is about controlled goods and related regulatory obligations. CPCSC is about cyber security controls for protecting sensitive federal information on supplier systems, networks, and applications. A defence supplier may need one, both, or neither depending on the contract.
Does a CMMC certification satisfy CPCSC requirements?
A valid CMMC certification may be accepted for CPCSC purposes on a case-by-case basis, depending on contract language, current CPCSC guidance, and confirmation that the CMMC assessment covers the required Canadian scope. The reverse is not currently equivalent: a CPCSC certification should not be assumed to satisfy a U.S. DoD CMMC requirement, because U.S. rules require current CMMC status in SPRS.
Are CPCSC and CMMC mutually recognized?
No, not fully. Canada may accept valid CMMC status on a case-by-case basis for CPCSC purposes, but current U.S. CMMC rules do not provide the same reciprocal path for accepting CPCSC as a substitute for CMMC. Canadian suppliers pursuing U.S. defence contracts should expect to meet the applicable CMMC requirement directly.