
CPCSC: Canada's Cybersecurity Bar for Defense Contractors

CPCSC: Canada's version of CMMC

On 12 March 2025, the Canadian Program for Cyber Security Certification (CPCSC) officially launched, marking a turning point for Canadian firms that contract or subcontract for defense. CPCSC was created to ensure that companies working on Canadian defense contracts handle sensitive, unclassified federal information under a standardized cybersecurity regime.

CPCSC Structure: What Contractors Need to Know

  • Three certification levels: Level 1 (annual self-assessment), Level 2 (external assessment by an accredited certification body), and Level 3 (government-led assessment by national defense authorities).

  • Scope: CPCSC applies to any contractor or subcontractor working on Canadian defense procurement where sensitive unclassified or controlled information is handled, not just to prime contractors.

  • Standard applied: At the heart of CPCSC is the industrial security standard ITSP.10.171, which underpins how Controlled Information (CI) must be protected when processed, stored, or transmitted on non-Government systems.

  • Implementation Timeline: Phase 1 (March 2025) introduced Level 1 and laid the groundwork for certification bodies; broader adoption will ramp up through 2025 and beyond.

As of late 2025, many firms are still awaiting the formal release of a public “Level 1 guidance/control set.”

The U.S. Parallel, Cybersecurity Maturity Model Certification (CMMC)

For Canadian firms working on U.S. defense contracts, compliance with CMMC remains critical.  

  • CMMC 2.0 defines three levels. Level 2, the level most commonly required for contracts handling Controlled Unclassified Information (CUI), maps directly to the security requirements in NIST SP 800-171.

  • CMMC Level 1 is a more basic standard, for Federal Contract Information (FCI) only; Level 3 adds selected enhanced controls from NIST SP 800-172 for high-sensitivity programs.

  • As of 2025, CMMC 2.0 is being actively enforced under U.S. procurement rules (via DFARS clause 252.204-7021), making certification a requirement for DoD contractors.

Convergence & Divergence: Where CPCSC and CMMC Meet

CPCSC is built on ITSP.10.171, a "Canadian version of the National Institute of Standards and Technology NIST SP 800-171 Protecting Controlled Unclassified Information in Non-federal Systems and Organizations". As such, there is a strong overlap between CPCSC and CMMC requirements.

Commonalities:

  • Both aim to protect supply-chain and contract-related sensitive but unclassified/controlled information.

  • Both rely (directly or indirectly) on controls derived from NIST standards, especially SP 800-171.

Differences:

  • CPCSC is Canadian, applicable to Canadian federal defense procurement; CMMC is U.S.-centric, for DoD contracts.

  • CPCSC uses ITSP.10.171, which is based on NIST SP 800-171 Revision 3; CMMC Level 2 currently uses NIST SP 800-171 Revision 2.

  • CPCSC Level 1 is a lightweight self-assessment for unclassified contract data. CMMC Level 1 is geared to basic safeguarding of FCI.

  • Enforcement timing and mechanisms differ: CPCSC certification is required at contract award under Canadian procurement; CMMC compliance is driven by U.S. contract clauses (e.g., DFARS) and often requires third-party or government-led assessments.

What This Means for Canadian Defense Contractors & Subcontractors

Dual compliance likely for cross-border suppliers

Companies that do business with both the Canadian Department of National Defence and the U.S. DoD will need to satisfy both CPCSC and CMMC standards simultaneously. In practical terms, that means building cyber programs capable of satisfying ITSP.10.171 (for CPCSC) and NIST SP 800-171 (for CMMC Level 2), while also preparing for possible NIST SP 800-172 requirements if contracts demand Level 3.

Early adoption = competitive edge

Firms that invest now in documentation, enclave segmentation (for Controlled Information), identity and access controls, audit/logging, data protection (encryption / tokenization), and incident response stand a better chance of qualifying for both Canadian and U.S. defense contracts.

SMEs face resource and governance challenges

These constraints weigh heaviest on smaller suppliers. CPCSC Level 2 requires a formal third-party certification, and CMMC Level 2 audits demand a fully documented, evidence-driven compliance program. As of late 2025, CPCSC Level 1 guidance remains only partially published, creating ambiguity around which controls must be implemented and what evidence suppliers will be expected to produce.

Strategic compliance roadmap becomes essential

Contractors should:

  • Inventory the types of data handled (contractual information, Controlled Information, CUI/FCI).

  • Pre-segment workspaces and environments for specific data types.

  • Align their security controls and documentation to both ITSP.10.171 and NIST SP 800-171.

  • Construct evidence packages and policies.

  • Engage accredited certification bodies (for CPCSC Level 2) and/or qualified CMMC auditors or third-party assessors.

Conclusion: A Compliance-Driven Supply Chain Future

As of late 2025, CPCSC is active and evolving; Canadian defense suppliers must treat cybersecurity not as optional, but as a core contractual requirement. Meanwhile, CMMC compliance remains a firm requirement for U.S. defense work as of November 2025.

For any organization operating across both markets, dual compliance is essential. Those who move proactively to embed mature cyber hygiene, strong documentation, and audit readiness into their operations will stand to win contracts, mitigate risk, and position themselves as trusted partners in increasingly security-conscious markets.

Strengthen Your Compliance Posture for Both CPCSC and CMMC

Canadian defence suppliers now face a dual-standard operating landscape. StratoKey enables organizations to operationalize both CPCSC and CMMC requirements with unified controls that protect sensitive data before it leaves your environment. StratoKey's encryption, tokenization, and identity-control gateways map directly to NIST SP 800-171 and ITSP.10.171 requirements, enabling suppliers to enforce the data-handling controls required under both CPCSC and CMMC. Get in touch to position your organization to meet contract-level security obligations with greater operational certainty.
