
Meet CPCSC Compliance Requirements

Three levels of CPCSC

Canada's new cybersecurity certification program requires defense contractors to protect Controlled Information (CI) across every system that it touches, including your SaaS applications.

StratoKey's CDP Platform tokenizes CI before it enters your cloud applications, keeping it under your control and out of scope for SaaS vendors, reducing your CPCSC compliance burden without disrupting your operations.



What is CPCSC?

The Canadian Program for Cyber Security Certification (CPCSC) is Canada's mandatory cybersecurity certification program for defence suppliers, built on ITSP.10.171 (Canada's version of NIST SP 800-171 Rev. 3).

Like the US CMMC program it mirrors, CPCSC requires prime contractors and subcontractors to implement and certify specific cybersecurity controls protecting CI across every system that processes, stores, or transmits it, including SaaS applications.

Requirements flow down through the supply chain. A Contract Cyber Security Risk Assessment (CCSRA) determines the certification level required for each participant based on what CI they handle and their associated risk profile.

CPCSC operates across three levels:

  • Level 1
    Annual self-assessment. Mandatory for new Department of National Defence (DND) contracts from April 2026.
  • Level 2
    External assessment by an accredited certification body, plus annual affirmation. Implementation timeline to be confirmed.
  • Level 3
    Assessment conducted by National Defence, plus annual affirmation. Phased into select contracts from April 2027.

StratoKey Can Help Reduce CPCSC Compliance Scope With Tokenization 

StratoKey's CDP Platform sits between you and your SaaS applications. Before any CI reaches a SaaS system, the CDP Platform, which is deployed to your environment, intercepts and replaces the CI with a token. The token is what is transmitted to the SaaS application. 

  • Your SaaS applications leave CPCSC scope entirely. Vendors receive tokens, not CI.
  • Your CI never leaves your environment. Real data stays under your control, always.
  • Your team keeps working the way they already do. StratoKey operates in the background, invisibly.

StratoKey is Your Complete Cloud Data Protection Platform to Help Meet A Wide Range of ITSP.10.171 Controls

The StratoKey CDP platform goes beyond tokenization and encryption of CI to provide features that help organizations meet a wider range of compliance requirements, not merely a small subset.

Tokenization

Secure Controlled Information (CI) with tokenization. CI remains securely encrypted (FIPS 140-3 validated) and stored in a vault, keeping sensitive data out of SaaS environments. Supports ITSP.10.171 03.13.08, 03.13.10, and 03.13.11 (cryptographic protection and transmission confidentiality). 

Access Control 

 Enforces user identification, group policies, and advanced authentication to keep access to CI within your control. Supports ITSP.10.171 03.01.02 and 03.01.03 (access control enforcement and information flow enforcement). 

Audit Controls

 Logs every user interaction with secured CI, supporting audit and reporting requirements and enabling rapid incident response. Supports ITSP.10.171 03.03.01 and 03.03.02 (event logging and audit record review). 

Monitoring & Policy Enforcement

 Logs every user interaction with secured CI, supporting audit and reporting requirements and enabling rapid incident response. Supports ITSP.10.171 03.03.01 and 03.03.02 (event logging and audit record review). 

Frequently Asked Questions About CPCSC

Does CPCSC apply to foreign companies bidding on Canadian defense contracts?

What is the difference between CPCSC and CMMC? Can I use my CMMC certification?

Does CPCSC apply to my SaaS applications?

 Is Your SaaS Stack Ready for CPCSC Compliance?

Level 1 CPCSC requirements apply to new National Defence contracts starting April 2026. If your team uses SaaS applications to handle CI, you need a plan before your next request for proposal (RFP) lands. StratoKey removes your SaaS applications from CPCSC scope entirely, so you can bid with confidence.
