What is CPCSC? Complete Guide for Canadian Defence Suppliers

What is CPCSC?

CPCSC stands for the Canadian Program for Cyber Security Certification. It is a three-tiered compliance certification framework designed by the Canadian Department of National Defence (DND) to protect "Controlled Information" within the Canadian defence supply chain. CPCSC is based on ITSP.10.171, Canada's adaptation of the NIST SP 800-171 Rev 3 security controls.

In simple terms: CPCSC is how the Canadian government ensures that companies handling sensitive defence data meet minimum cyber security standards. If you are a defence supplier working with DND contracts, CPCSC is mandatory.

Why Was CPCSC Created?

The Canadian defence supply chain includes hundreds of prime contractors and thousands of subcontractors. Many handle "Controlled Information"—defence technical data, procurement plans, contract terms, security postures, and other information critical to Canada's military capability. If this information is compromised, stolen, or altered, it puts Canada's defence at risk.

CPCSC was created to:

Verify minimum cyber security standards across all suppliers (from large primes to small subcontractors)
Create a consistent framework so every supplier uses the same 97 controls
Build trust in the supply chain by having independent assessors certify compliance
Comply with international defence standards (NATO, Five Eyes, bilateral agreements)
Reduce the risk of APT (Advanced Persistent Threat) infiltration into Canadian defence networks

Without CPCSC, every defence prime would have to conduct its own security assessment of every supplier—a fragmented, expensive process with zero consistency. CPCSC centralises this compliance requirement.

The Three CPCSC Certification Levels

CPCSC has three certification levels. Each level requires progressively more controls, more rigorous assessment, and higher security maturity.

Level 1

Self-Assessment

13 core controls across 6 families. You assess yourself. Mandatory at contract award starting April 2026.

Cost: Free on Solymus

Level 2

Third-Party Certification

97 full ITSP.10.171 controls. Certified by Standards Council of Canada (SCC) assessors. Required April 2027.

Cost: C$10K–15K/year

Level 3

Advanced Maturity

97 controls + 6 maturity domains. For highest-security contracts. Includes continuous monitoring.

Cost: C$10K–30K/year

How CPCSC Relates to ITSP.10.171 and NIST 800-171

CPCSC is not a separate framework—it is a certification program built on top of ITSP.10.171.

NIST SP 800-171 Rev 3: US security control standard for protecting "Controlled Unclassified Information" (CUI) in US defence suppliers.
ITSP.10.171: Canadian Centre for Cyber Security's adaptation of NIST 800-171 for Canada. Uses "Controlled Information" (CI) instead of CUI. 97 controls across 17 families.
CPCSC: The certification program that uses ITSP.10.171. It defines three tiers (Level 1, 2, 3) and a third-party assessment process.

Think of it this way:

ITSP.10.171 is the "what" (97 security controls)
CPCSC is the "how to certify" (three levels, timelines, assessor requirements)

The CPCSC Timeline: Three Phases

Phase 1: Planning (Mar 2025 – Mar 2026) — COMPLETED

Standard published. Level 1 guidance available. Suppliers begin planning.

Phase 2: Level 1 Enforcement (Apr 2026 – Mar 2027) — CURRENT

Level 1 is now mandatory. All DND defence primes must verify that all contractors have a Level 1 self-assessment. Level 2 assessor training begins.

Phase 3: Level 2+ Enforcement (Apr 2027 onwards) — UPCOMING

Level 2 third-party certification required. Level 3 in high-sensitivity contracts. Early assessments begin.

Who Must Comply with CPCSC?

CPCSC applies to anyone in the Canadian defence supply chain:

DND-registered defence primes (600 companies) — must be Level 1 by April 2026
Prime suppliers of DND prime contractors — must verify their subcontractors' compliance
All subcontractors handling Controlled Information — must meet Level 1, then Level 2 standards
System integrators, technology vendors, consultants who touch defence data — must have CPCSC certification

If your company has a DND contract or is on a defence prime's supplier list, CPCSC applies to you.

What Happens If You Don't Comply?

Contract Loss

DND defence primes cannot award contracts to suppliers without Level 1 CPCSC certification (as of April 2026). Without certification, you lose the contract. Without the contract, your business is at risk.

This creates a compliance cascade:

Defence primes require suppliers to be Level 1 → suppliers must achieve Level 1
When Level 2 enforcement arrives (April 2027), primes will require Level 2 → suppliers must upgrade
Suppliers with Level 2 primes will require their subcontractors to be Level 2 → cascade continues

There is no way around CPCSC if you work in the Canadian defence supply chain.

How to Prepare for CPCSC

Preparing for CPCSC involves three steps:

Assess your current controls against the Level 1 checklist (13 controls) or full ITSP.10.171 (97 controls)
Collect evidence showing that your systems meet each control (policies, logs, configurations, test results)
Document and verify your evidence with cryptographic proofs so assessors can validate independently

Solymus automates this entire process. You upload evidence, Solymus maps it to controls, generates cryptographic receipts, and exports a compliance package ready for assessors.

Next Steps

If you are a Canadian defence supplier, here is what you should do now:

Read the CPCSC Level 1 Checklist to understand the 13 core controls
Assess your readiness — which controls do you already meet? Which need work?
Start collecting evidence — policies, logs, system configurations, test results
Use Solymus to map evidence to controls and generate audit-ready compliance packages

Ready to Get CPCSC-Ready?

Start free with Solymus Level 1 today. Build your evidence chain and prepare for certification.

Start Free (No Card) View Level 1 Checklist

Frequently Asked Questions

Everything you need to know about CPCSC compliance

Controlled Information is any defence-related data marked as protected—technical specifications, procurement plans, security assessments, personnel records, and configuration data. It is not classified (not SECRET or TOP SECRET) but is controlled because it is sensitive to DND operations. If your company handles defence data, you are handling CI.

No. CPCSC is Canada's framework (based on ITSP.10.171). CMMC is the US framework (based on NIST 800-171). Both protect defence data and both are mandatory, but they are different frameworks with different timelines and assessors. If you do business in both Canada and the US, you need both certifications. See our CPCSC vs CMMC comparison for details.

Not practically. Level 1 is mandatory at contract award (April 2026). Level 2 is required a year later (April 2027). All defence primes will audit Level 1 readiness first. Starting with Level 2 skips the proof-of-concept phase. We recommend starting with Level 1 now, then upgrading to Level 2 when mandatory.

If you fail Level 2 assessment or your certificate expires, you lose the ability to bid on defence contracts. The prime contractor will remove you from their supplier list. Re-certification can take 6–12 months. This is why continuous evidence collection matters—you never want to be caught unprepared.

No. CPCSC certification means you meet minimum security standards at the time of assessment. It does not guarantee future security or protect you from all attacks. It is a baseline, not a guarantee. Defence primes still conduct security audits independently. CPCSC is table stakes—you need it to be in the game, but it does not eliminate all risk.

What is CPCSC? A Complete Guide for Canadian Defence Suppliers