Budget 2023 allocated $25 million over three years to establish the Canadian Program for Cyber Security Certification (CPCSC). Led by Public Services and Procurement Canada and National Defence, the program mandates cyber security standards for defence contractors to protect sensitive information and maintain interoperability with allies.
On March 12, 2025, the CPCSC was officially introduced to the public. The introduction launched a new Canadian industrial cyber security standard, opened the accreditation ecosystem and began a pilot program focusing on select defence contracts through self-assessment.
The CPCSC is an official cyber security certification in Canada for defence suppliers. The program is made up of accredited bodies, certified assessors and government oversight. It aligns with international best practices and standards, while supporting national security priorities. Beyond compliance, it strengthens Canada's defence industrial base and supports interoperability with key allies, including partners in the Five Eyes community.
Once fully implemented, it will:
- protect federal contractual sensitive information below the classified level
- maintain Canadian industry's access to international procurement opportunities
- boost the basic level of cyber security for Canada's defence industry
- ensure that the supplier system stays strong and reliable for Canadian Armed Forces capabilities and readiness
- increase Canadian industrial participation in the cyber security certification program
Increasing the cyber security resilience of the Government of Canada's defence industrial base will reinforce the goals of Canada's National Cyber Security Strategy.
Levels of cyber security certification
The program's mandatory cyber security certification requirements will be made up of three levels:
- Level 1 (available to suppliers on April 1, 2026): requiring an annual cyber security self-assessment
- Level 2: requiring an external cyber security assessment every three years, led by an accredited certification body
- Level 3: requiring a cyber security assessment every three years, conducted by National Defence
The program is underpinned by the Canadian Centre for Cyber Security's Canadian industrial cyber security standard, which sets out requirements to safeguard specified information.
The phased approach, combined with a domestic accreditation system and alignment with the United States (U.S.) National Institute of Standards and Technology-based controls, is designed to minimize burden and help suppliers strengthen their cyber security in a cost-effective, predictable way.
Level 1
The CPCSC's Level 1 requires that suppliers identify the implementation status of 13 security requirements and controls. The Government of Canada is providing an online self-assessment tool to help suppliers understand the requirements. Level 1 requirements will be introduced in select defence contracts beginning in summer 2026.
Mandatory requirements will be introduced step by step so suppliers have time to prepare. They will first need to show they meet the new Level 1 controls by assessing and documenting their cyber security practices. More advanced requirements that need formal certification (Levels 2 and 3) will be requested later during the procurement process and will align with the services offered by accredited third-party cyber security assessors.
Levels 2 and 3
Level 2 assessments will be conducted by accredited third-party assessment organizations, accredited through the Standards Council of Canada (SCC). These assessments evaluate an organization's implementation of the required cyber security controls. Level 2 will be added to select defence contracts beginning in spring 2027. It is meant to be used when a contract involves handling controlled defence information or more complex cyber-sensitive work. Organizations interested in being accredited as third-party assessors for the CPCSC may contact the SCC directly.
Level 3 is reserved for the highest risk scenarios. These assessments will be conducted by the Government of Canada rather than third parties. This level applies to sensitive work that may involve weapon systems, critical infrastructure access or sensitive information shared with Five Eyes partners.
Assessing risk
For low-risk situations, self-assessments are an internationally accepted starting point, and this approach mirrors the U.S. model.
Low-risk situations could include:
- administrative or business support contracts
- unclassified, non‑technical communications
- basic information technology (IT) services with no sensitive data
- suppliers with limited network integration
- prototype or concept discussions without technical specifications
Higher-risk work will require accredited third-party or government-led assessments, once those levels are introduced.
High-risk situations could include:
- handling of controlled defence information
- work on weapon systems or military platforms
- access to critical infrastructure systems
- work involving cyber security or IT contractors with elevated privileges
- handling of information shared with Five Eyes partners
Alignment with the United States Cybersecurity Maturity Model Certification
While the CPCSC does introduce new requirements, it defines more clearly what is expected of suppliers and ensures Canadian companies remain competitive in international defence markets.
The CPCSC was intentionally designed to minimize duplication by closely aligning with U.S. requirements and standards. This allows Canadian suppliers and the Government of Canada to build on existing investments in cyber security safeguards, while maintaining Canadian sovereignty and access to key international defence procurement opportunities with cyber security requirements.
While Canada and the U.S. operate their own certification systems, the CPCSC uses the same underlying technical controls as the U.S. Cybersecurity Maturity Model Certification (CMMC). Canadian industrial cyber security standards are technically identical to the 172 controls in the National Institute of Standards and Technology Special Publications 800-171 and 800-172, which form the backbone of the U.S. CMMC program. The CPCSC gives Canadian suppliers a clear, domestic pathway to meet expectations already required to access the U.S. defence market.
Canada may accept a contractor's valid CMMC status on a case-by-case basis, after confirming that the assessment covers the required scope. Canada also reserves the right to verify compliance with specific CMMC controls, when necessary. Any verification would be carried out by the contract technical authority.