No business is immune to cyber threats, and Canada’s defence supply chain is a high-profile target. Malicious actors, from sophisticated state-sponsored hackers to criminal ransomware gangs, are increasingly exploiting supply chain relationships to bypass organizations’ defenses. The Canadian Centre for Cyber Security warns that adversaries “will almost certainly continue to develop their capability to compromise organizations through supply chains.”
In practical terms, this means a vulnerability in a subcontractor’s network can become a conduit for attacks on larger defense projects. The result can be theft of sensitive intellectual property, exposure of unclassified yet sensitive government information, and disruption of critical manufacturing processes.
Why is this such a concern now? The Canadian defense sector contributes technology and components to national security projects and allied defense programs. An attack on a small parts manufacturer could jeopardize not only that company but also the wider project and even Canada’s military readiness.
“Threats are evermore intricate and in a state of constant change. In defence procurement, cyber incidents can jeopardize the safety of unclassified federal information,” said the Hon. Jean-Yves Duclos, Canada’s Minister of Public Services and Procurement.
What is the Canadian Program for Cyber Security Certification (CPCSC)?
The CPCSC is a new cybersecurity certification program established by the Government of Canada to safeguard sensitive information in federal defense contracts. At its core, CPCSC creates a structured framework of cybersecurity requirements that defense contractors must meet. According to the official announcement, the CPCSC “ensures that cyber security certification in Canada is handled by accredited bodies, certified assessors and government oversight”, and it “aligns with international standards while also supporting national security initiatives”. By setting clear security standards for the industry, the program lets third-party assessors and government agencies work together to certify compliance.
What are the Objectives of the CPCSC?
The program has several key objectives that benefit both Canada and businesses in the defense sector. According to the Government of Canada, once fully implemented, CPCSC will:
- Protect sensitive federal data: It will protect federal contractual information held below the classified level on contractors’ systems, networks, and applications, reducing the risk of breaches.
- Boost baseline cybersecurity: By setting mandatory requirements, Canada’s defence industry will have a higher basic level of cybersecurity, making every supplier more resilient.
- Ensure a resilient supply chain: The aim is to ensure the supplier system stays strong and reliable for Canadian Armed Forces capabilities and readiness. A more secure supply chain means fewer disruptions to critical military projects.
- Maintain access to global contracts: CPCSC maintains Canadian industry’s access to international procurement opportunities with similar cybersecurity requirements. In particular, it aligns with allied standards (like the U.S. model) so Canadian businesses won’t be shut out of foreign defense contracts due to cybersecurity gaps.
- Grow Canada’s cyber sector: The program fosters an ecosystem of accredited certification bodies and cybersecurity professionals. The government has committed to supporting the country’s growing cybersecurity sector, particularly within defence procurement, meaning more opportunities for cybersecurity service providers and experts.
The 3 Levels of Cybersecurity Maturity under the CPCSC
The CPCSC introduces a certification system with three levels of cybersecurity maturity. Each level corresponds to a greater degree of security rigor:
- Basic Cyber Hygiene (Level 1): This level requires the company to perform an annual cybersecurity self-assessment. It is intended to cover fundamental practices (similar to basic IT security policies, antivirus, access controls, etc.). Companies will attest that they meet the Level 1 standard each year.
- Enhanced/Moderate Security (Level 2): This level requires an external cybersecurity assessment led by an accredited certification body (third-party auditor). An independent assessor will evaluate the company’s practices against the new Canadian standard and certify compliance. This level is more rigorous and is roughly equivalent to having all core security controls in place and validated.
- Advanced Security (Level 3): This involves a cybersecurity assessment conducted by the Government (National Defence) for the highest-sensitivity contracts. This top tier is reserved for companies handling the most critical data, and the government will verify the stringent controls (comparable to advanced threat protection measures).
These levels closely mirror the approach used in other frameworks, like the U.S. Department of Defense’s Cybersecurity Maturity Model Certification, which also uses a multi-level model. By structuring the program into tiers, Canada ensures that the requirements can be scaled to the sensitivity of each contract. Not all projects need the highest level, but even the smallest contracts need a baseline of protection.
What’s Included in Phase 1 of the CPCSC?
The announcement on March 12, 2025, marked the launch of Phase 1 of the CPCSC. Rather than imposing all requirements at once, the government is gradually phasing in the program to give businesses time to adapt. Here’s what happens in Phase 1 and which businesses need to pay attention:
- New Cyber Security Standard (Levels 1 & 2): If your company handles sensitive unclassified Government of Canada information in a defence contract, this standard is the benchmark you’ll be measured against. It has been adapted from proven frameworks (notably, it’s closely based on NIST 800-171 for protecting sensitive information). Manufacturing and defense firms should obtain a copy of this standard (the government has it available through the Canadian Centre for Cyber Security) and start reviewing the controls.
- Self-Assessment Tool for Level 1: To help companies get started, Phase 1 includes the introduction of a Level 1 self-assessment tool. Businesses will be able to use this tool to evaluate their own cybersecurity practices against the Level 1 requirements. This is essentially a guided checklist or questionnaire that identifies any gaps to fix. During the initial rollout, certification itself is not immediately mandatory just to bid; rather, companies will only need the certification by the time a contract is awarded. The self-assessment tool in Phase 1 allows companies to familiarize themselves with the certification process. If you plan to seek defense contracts, you should use this tool as early as possible to gauge your readiness.
Carbide recently launched its own Self-Assessment Tool for CMMC Level 1. CMMC is the American equivalent to the Canadian CPCSC. Use our tool to help you evaluate your organization’s current security posture and identify areas for improvement.
- Accreditation of Certification Bodies: Another critical piece of Phase 1 is setting up the accreditation ecosystem. The Standards Council of Canada (SCC) will begin accepting applications from organizations that want to become certified third-party assessment bodies. These certifiers (often cybersecurity firms or consultancies) will be the ones conducting Level 2 assessments. For most suppliers, this detail may not directly affect daily operations, but it means that by the time you need a Level 2 certification, there will be authorized professionals available to perform it. Essentially, Phase 1 lays the groundwork so that the program can scale: training auditors, approving certification firms, and establishing support systems for businesses.
- Pilot on Select Contracts: During this initial phase, the government also runs a pilot program on select defence contracts using the self-assessment (Level 1). Only certain new Requests for Proposals (RFPs) will include a requirement to complete a cyber self-assessment. This pilot is limited in scope, targeting a few contracts as a proof of concept. Businesses in the defense sector should watch for any new tender documents or communications indicating a CPCSC requirement. If you are bidding on a Government of Canada defense contract in spring 2025, check if you’re part of the pilot group where a Level 1 certification (self-assessed) is needed at award. Most contracts won’t yet mandate this in Phase 1, but it’s a sign of what’s to come.
Importantly, in Phase 1, no company will be excluded from bidding due to not having a certification upfront. The phased approach is very much about learning and transition. The government intends to “give both the government and businesses the necessary time and resources to adapt to evolving cybersecurity standards”.
Who should be engaged now? If you are a supplier for Canada’s Department of National Defence or related agencies, especially one handling sensitive unclassified data (design schematics, supply chain details, communications, etc.), Phase 1 is aimed at you. Manufacturers producing components for defense projects, IT firms servicing defense contracts, and any other contractors in the defense industrial base should start preparing. Even if you’re a smaller subcontractor, you are part of the supply chain that this program seeks to secure.
How CPCSC Aligns with U.S. CMMC 2.0 and International Standards
Many Canadian defense contractors are already aware of the U.S. Cybersecurity Maturity Model Certification (CMMC) 2.0, the U.S. Department of Defense’s own cybersecurity requirement for suppliers. The good news is that Canada’s CPCSC was designed with these international standards in mind. The official announcement states that CPCSC “aligns with international standards”, and indeed, the program’s three-tier structure mirrors the CMMC 2.0 levels.
What does this mean in practice?
- Level 1 of CPCSC essentially corresponds to CMMC Level 1, focusing on basic cyber hygiene (like the well-known 17 controls from NIST SP 800-171’s basic safeguarding).
- Level 2 of CPCSC aligns with CMMC Level 2, which entails the full suite of NIST SP 800-171 security requirements and an external audit.
- Level 3 of CPCSC parallels the concept of CMMC Level 3, bringing in advanced controls (drawn from NIST SP 800-172) and government-led assessment for the most sensitive data.
This has a very practical benefit for Canadian businesses: work done to comply with CPCSC can help meet U.S. CMMC requirements, and vice versa. In fact, according to the U.S. Congress, “U.S. defense arrangements with Canada are more extensive than with any other country”. This suggests that a company obtaining CPCSC certification may simultaneously satisfy some requirements of CMMC, since both are based on the same controls from NIST SP 800-171.
How to Prepare Your Business for the CPCSC
Businesses should be proactive now to stay ahead of the curve. Here’s what to do next and how to keep informed:
Even if you’re not yet required to certify, now is the time to conduct a self-assessment. Use the government’s Level 1 self-assessment tool once it’s available, or use Carbide’s CMMC Level 1 Assessment Tool. Since there is a strong alignment between CMMC and CPCSC, you have an advantage by getting an early assessment of where you stand with both frameworks. Identify gaps in areas like access control, incident response planning, data encryption, employee training, and vendor security. The government encourages defence suppliers to proactively assess and evaluate their current cybersecurity readiness during this interim period. By understanding where you stand, you can prioritize fixes before compliance deadlines hit.
Start addressing any deficiencies found. If, for example, the self-assessment finds you lack multi-factor authentication or regular data backups, put those in place. Level 1 controls are mostly basic cybersecurity practices that every business should have. Level 2 adds more rigorous controls, so consider gradually adopting those as well, especially if you are aiming for bigger contracts.
Finally, keep an eye on official communications as the program progresses through its phases:
- In Phase 2 (planned for Fall 2025), the government expects to start requiring Level 1 certification (self-assessed) for some defence contracts, and testing Level 2 on certain contracts.
- Phase 3 (Spring 2026) will see some contracts requiring Level 2 and the introduction of Level 3 requirements.
- By Phase 4 (2027), a few contracts will include Level 3 certification in their RFPs. These timelines mean you have a window to get ready, but don’t wait too long.
Mark these dates and plan backwards: for example, if you aim to bid on defense work in late 2025, plan to have at least your Level 1 self-assessment done by then. By engaging, you not only help your own understanding but can influence how the program rolls out in the later phases.
Prepare for CPCSC Certification with Confidence
Carbide’s hybrid platform helps Canadian defence contractors meet CPCSC requirements through automation, expert support, and tailored assessments. From Level 1 readiness to scalable support for Level 2 and beyond, we help you strengthen your cybersecurity and win compliant contracts.