Book a free readiness call
Canadian Defence Compliance

CPCSC is mandatory for DND contracts. Here is what it takes to get there.

If your company handles Specified Information under a DND contract, CPCSC Level 1 is required before your next contract can be awarded. Use Carbide's free assessment tools to find out where you stand today.

Take the free CPCSC self-assessment Download the CPCSC readiness checklist
Mandatory date
April 2026
CPCSC Level 1 required for DND contract awards
Level 1 scope
13 controls
71 determination statements — ITSP.10.171 Level 1 requirements for self-attestation
Infrastructure
Canadian cloud
CPCSC requires data hosted in Canada — U.S. infrastructure does not qualify
Free assessment tools

Find out where you stand before you engage anyone

Both tools are free and take 5 minutes each. Complete one and you will have a gap report you can act on before any other conversation.

Free tool 5 min
CPCSC Level 1 Assessment
Maps your posture against the 13 Level 1 controls and flags exactly where the gaps are. Results delivered on-screen the moment you complete it.
Start the CPCSC Assessment →
Free tool 5 min · if DoD contracts also apply
CMMC 2.0 Level 1 Assessment
Maps your posture against the 17 CMMC Level 1 practices. Use this alongside the CPCSC assessment if your contracts touch both DND and DoD.
Start the CMMC Assessment →
Note CPCSC and CMMC are separate programs with no mutual recognition. If your contracts touch both DND and DoD, you need both certifications. The assessments above show the full picture for each — and where the same work satisfies both frameworks.
What CPCSC requires

CPCSC and NIST 800-171 Rev 3 — what the program actually covers

CPCSC is Canada's certification program for defence contractors. Its control requirements are drawn from ITSP.10.171, which is the Canadian Centre for Cyber Security's publication of NIST 800-171 Rev 3. Canada adopted the NIST standard as its baseline and published it under this designation — so when assessors evaluate your CPCSC program, they are checking your controls against the same NIST Rev 3 requirements. Here is what each part of that structure means for your compliance program.

CPCSC Certification program
NIST 800-171 Rev 3 Underlying standard
Governing body
Public Services and Procurement Canada (PSPC)
National Institute of Standards and Technology (NIST) — U.S.-authored standard adopted by Canada
What it covers
Canada's mandatory certification program for contractors handling Specified Information under DND contracts
Canada's Centre for Cyber Security published NIST 800-171 Rev 3 as ITSP.10.171. CPCSC assessments are built on this document. The two are the same standard — ITSP.10.171 is the Canadian designation for Rev 3.
Who it applies to
Any contractor or subcontractor handling Specified Information under a DND contract — regardless of company headquarters
All companies in scope for CPCSC must satisfy Rev 3. No exemptions based on company size or contract value.
Assessment levels
Level 1: self-assessment plus affirmation. Level 2: third-party assessment by a certified assessor.
All requirements apply at every level. CPCSC level determines how they are assessed, not which ones apply.
Mandatory date
Level 1 mandatory for DND contract awards from April 2026. Level 2 applies for higher-sensitivity contracts.
Rev 3 is the active standard. Rev 2 (used in CMMC) has different requirements — the two cannot be substituted.
Data residency
Cloud infrastructure must be hosted in Canada. FedRAMP-authorized U.S. infrastructure does not qualify.
Specified Information must reside on Canadian-hosted infrastructure. This is a hard requirement, not a recommendation.
Carbide coverage
Full — Canadian cloud stack, advisors credentialed on Rev 3, Level 1 and Level 2 assessment prep.
Full — Rev 3 control mapping, policy drafting, evidence platform, and advisor review before assessor submission.
Important CPCSC applies to subcontractors as well as prime contractors. If your company supplies a DND prime, the CPCSC obligation flows down through the contract.
Take the free CPCSC Level 1 Assessment
Is this your situation?

Four scenarios where CPCSC requirements are already in play

CPCSC applies across the entire Canadian defence supply chain. These are the most common situations where the compliance requirement is real and the timeline is tighter than it looks.

Canadian contractor
CPCSC appeared in a recent RFP or subcontract
A DND solicitation or prime contractor subcontract includes a CPCSC compliance clause. You handle Specified Information but have no compliance program in place, and you need to understand what Level 1 requires and whether the certification is achievable before the contract award date.
April 2026 is the contract award date, not the compliance deadline. The work needs to be complete before the contract arrives. For a company starting from zero, Level 1 takes several months.
Canadian contractor
Already working toward CMMC, now facing CPCSC
Your company has U.S. DoD contracts and has been working toward CMMC certification. You have just learned CPCSC is a separate requirement, and that your CMMC work does not transfer. You need to understand the control gap between Rev 2 and Rev 3 and stand up a Canadian-hosted compliance environment alongside your existing program.
The revision difference between NIST 800-171 Rev 2 (CMMC) and Rev 3 (CPCSC) creates real control gaps. These must be mapped and remediated independently. Some work transfers. Some does not.
Foreign-owned Canadian subsidiary
Parent company handles U.S. compliance — Canada is separate
Your parent company is CMMC-certified or has a U.S.-compliant program in place. Your Canadian operations have DND contracts and need CPCSC independently. The parent's FedRAMP environment does not satisfy Canadian data residency, and the compliance program needs to be scoped and built for the Canadian entity.
CPCSC assesses the Canadian entity independently. A parent company's U.S. certification provides no coverage for the subsidiary's DND contracts.
U.S. contractor
Existing DND exposure, CMMC already in place
Your company holds or is bidding on DND contracts alongside your U.S. DoD work. You have CMMC, but CPCSC requires a separate Canadian cloud environment and your existing infrastructure does not qualify. You need a Canadian compliance environment without rebuilding your entire program.
CPCSC applies to all contractors handling DND Specified Information, regardless of company headquarters. Canadian data residency is a hard requirement.

Not sure which situation applies to you? The free assessment takes 5 minutes and tells you exactly where you stand.

Take the free CPCSC Level 1 Assessment → Talk to us
If you also have U.S. DoD contracts

CPCSC and CMMC are separate programs. The work does not transfer.

Many Canadian defence contractors hold both DND and DoD contracts. When that is the case, both CPCSC and CMMC apply — with no mutual recognition between them. Here is where the two programs align and where they diverge.

CPCSC vs CMMC 2.0
Where the work transfers — and where it does not

Where they align

Both built on NIST 800-171 — shared conceptual foundation and control families
Both require documented evidence per control, not just self-attestation
Both require third-party assessment at Level 2 — similar audit model, different assessors
Shared control families: access control, incident response, configuration management

Where they diverge

CPCSC is assessed against ITSP.10.171 — Canada's version of NIST 800-171 Rev 3. Rev 3 organizes requirements across 17 control families; CMMC (Rev 2) uses 14. The two revisions are not interchangeable.
CPCSC requires Canadian data residency. CMMC requires FedRAMP-authorized U.S. cloud. The same infrastructure cannot satisfy both.
No mutual recognition. Holding CPCSC does not satisfy CMMC, and vice versa.
Governed by separate bodies — PSPC (Canada) for CPCSC, DoD (U.S.) for CMMC.
If your company holds both DND and DoD contracts: Carbide handles both programs in one engagement. The platform maps controls across CPCSC and CMMC simultaneously, so you remediate once where possible and only address framework-specific gaps separately. You do not need two vendors.
How Carbide works

One engagement covers CPCSC end to end

Carbide pairs a compliance platform with a credentialed advisory team. The platform handles evidence collection, control mapping, and gap tracking. Your advisor handles interpretation, assessment prep, and document review from scoping through certification.

01
Scope your controlled environment
A Carbide advisor maps which systems, people, and workflows touch DND Specified Information. Accurate scoping is the most important cost lever in any compliance engagement. Over-scoping drives remediation work you do not actually need.
02
Map controls and identify gaps
The Carbide platform maps your current posture against all NIST 800-171 Rev 3 requirements. If your company is also pursuing CMMC, the advisor identifies which controls transfer between Rev 2 and Rev 3 so you are not rebuilding work that already counts.
03
Build evidence in the platform
The platform collects and organizes evidence against the full Rev 3 control set. Your advisor reviews every document before it is submitted as audit evidence. Nothing reaches an assessor without a credentialed sign-off.
04
Prepare for assessment and certify
Your advisor runs pre-assessment walkthroughs, identifies any remaining gaps, and prepares your team for the assessor's review. For Level 1, the advisor prepares your affirmation documentation. For Level 2, they coordinate with the third-party assessor.
1 engagement
Covers scoping, remediation, evidence, and assessment prep — for CPCSC and CMMC if both apply
Canadian stack
Carbide's platform is hosted in Canada. CPCSC data residency is satisfied from day one.
Rev 3 advisory
Advisors with deep NIST 800-171 Rev 3 expertise — the specific standard CPCSC assessments are built on
Resources

Tools and reading on CPCSC compliance

Start with the free assessment tools. They give you a gap report you can act on before any conversation with Carbide. The articles below cover the specific questions that come up most often.

Free tools — start here
Free assessment tool
CPCSC Level 1 Readiness Assessment
Find your gaps against all Rev 3 requirements in under 5 minutes.
Free assessment tool
CMMC 2.0 Level 1 Readiness Assessment
If your contracts also touch U.S. DoD, use this assessment to map your posture against CMMC Level 1 requirements.
Articles and guides
Article
Canada Launches First Phase of the CPCSC
What the phased rollout means for defence suppliers, how CPCSC aligns with CMMC, and what contractors should do now.
Checklist
CPCSC Checklist for 2026
A breakdown of the certification timeline, what Level 1 requires, and how CPCSC differs from CMMC — including the Rev 2 vs Rev 3 distinction.
Article library
All CPCSC articles and guides
Browse all CPCSC content on carbidesecure.com — Level 1 requirements, the ITSP.10.171 standard, data residency, and dual-framework compliance.
Article library
All CMMC articles and guides
Relevant for companies managing both programs — covers CMMC Level 1 and Level 2, compliance for Canadian organizations, and dual-program considerations.
Get started

Start with the free assessment. Talk to an advisor when you're ready.

The free Level 1 assessment gives you a clear gap report in 5 minutes. When you book a readiness call, your advisor uses those results to build a realistic roadmap to certification — with Carbide's advisory team doing the heavy lifting from scoping through self-attestation.

Take the free CPCSC Level 1 Assessment → Talk to us