On April 14, 2026, the Government of Canada announced new mandatory cybersecurity standards for defense contractors handling sensitive government information. The standard, known as the Canadian Program for Cyber Security Certification (CPCSC), is part of a broader $6.6 billion commitment under Canada’s Defense Industrial Strategy — a generational effort to protect Canada’s domestic defense supply chain against increasingly sophisticated cyberattacks targeting contractors to obtain sensitive government data.

For Canadian defense contractors, this is not a future concern. CPCSC Level 1 is already active. Requirements are beginning to appear in select Department of National Defense contracts this summer. Companies that cannot demonstrate compliance will be locked out of defense contracts entirely. No certification, no contract.

This blog covers everything you need to know about CPCSC: what it is, who it applies to, what the three certification levels require, how it differs from the U.S. CMMC program, and how to get started on the path to compliance.

Canadian defense contractors are targets of cyber criminals. Canada’s National Cyber Threat Assessment states that attacks against digital supply chains will almost certainly continue to increase — and companies handling sensitive government defense information are among the most targeted. CPCSC is Canada’s direct response to that threat.

The Canadian Program for Cyber Security Certification (CPCSC) is Canada’s mandatory cybersecurity certification for defense contractors and their supply chains. Managed by Public Services and Procurement Canada (PSPC) and the Department of National Defense (DND), the program establishes the cybersecurity standards that any company must meet to remain eligible for defense contracts.

Those standards are defined in ITSP.10.171 — a security standard published by the Canadian Centre for Cyber Security that specifies the controls contractors must implement. It is Canada’s adaptation of the same NIST 800-171 standard that underpins the US CMMC program.

What ITSP.10.171 is designed to protect is called Specified Information (SI) — Canada’s equivalent of the US term Controlled Unclassified Information (CUI). Specified Information is any sensitive unclassified data that the government identifies in a contract as requiring safeguarding. In practice this includes technical drawings, statements of work, pricing, schedules, and Controlled Goods data. If your company stores, processes, or transmits Specified Information under a DND contract, CPCSC applies to you.

CPCSC applies to any organization that bids on or performs work under a Department of National Defense contract involving Specified Information. In practice, this includes a wide range of Canadian businesses — not just large defense primes. If your company manufactures components, provides IT services, handles logistics, or performs any function under a DND contract that involves sensitive government information, CPCSC likely applies to you.

Three questions to ask yourself:

  • Do you currently hold or bid on DND contracts?
  • Does your work involve access to sensitive government information — technical drawings, statements of work, pricing, or Controlled Goods data?
  • Are you a subcontractor to a prime that holds DND contracts?

If the answer to any of these is yes, you need to be thinking about CPCSC now — not when your next contract renewal arrives.

CPCSC is structured around three certification levels, each reflecting a progressively higher degree of cybersecurity maturity and risk. Importantly, the levels build on each other — the 13 controls required at Level 1 are a subset of the 98 required at Level 2, which are in turn a subset of the 200 required at Level 3. Work you do at one level is not discarded at the next.

Level 1 requires suppliers to assess and document their implementation of 13 baseline security controls drawn from ITSP.10.171. It is completed annually through the Government of Canada’s online self-assessment tool. No third-party assessor is required. Level 1 became available to suppliers on April 1, 2026 and will be mandatory in select DND contracts beginning summer 2026. This is where most Canadian defense SMEs will start.

Level 2 requires an independent assessment conducted by an accredited third-party certification body, accredited through the Standards Council of Canada. According to PSPC program documentation, it covers 98 security controls and is required every three years, with an annual affirmation in between. Level 2 applies to contracts involving controlled defense information or more complex cyber-sensitive work. It will be mandatory in select DND contracts beginning in spring 2027.

Level 3 is reserved for the highest risk scenarios — work involving weapon systems, critical infrastructure, or sensitive information shared with Five Eyes partners. According to PSPC program documentation, it covers 200 security controls. Assessments are conducted directly by the Government of Canada every three years with annual affirmation. Timelines for Level 3 mandatory requirements have not yet been announced.

If you’re already familiar with the US Cybersecurity Maturity Model Certification (CMMC), CPCSC will feel recognizable. Both programs are designed to protect sensitive government defense information, both use a three-level certification structure, and both are built on the same underlying NIST 800-171 technical framework. The alignment is intentional — Canada designed CPCSC to minimize duplication for companies operating in both the US and Canadian defense markets.

But they are not the same program, and CMMC certification does not satisfy CPCSC — and vice versa. Here’s what’s different:

Comparison of CMMC to CPCSC

Canadian companies doing US defense work need CMMC. Canadian companies doing Canadian defense work need CPCSC. If you do both — and many Canadian SMEs do — you need both certifications. The good news is that the shared NIST foundation means a significant portion of the compliance work overlaps. You are not starting from scratch twice.

CPCSC is not a future requirement — it is already active. Here is where the program stands and what is coming next.

  • March 2025 — Program launched. ITSP.10.171 published, accreditation ecosystem opened, Level 1 self-assessment framework introduced.
  • April 1, 2026 — Level 1 available. Suppliers can complete their self-assessment and record attestation in their CanadaBuys profile.
  • Summer 2026 — Level 1 mandatory in select contracts. Attestation required at contract award, not during bidding.
  • Spring 2027 — Level 2 mandatory in select contracts. Third-party assessments required for contracts involving controlled defense information.
  • April 2027 onward — Level 3 introduced. Levels 1 and 2 may expand to all Government of Canada defense contracts.

CPCSC compliance may feel overwhelming, but the path forward is straightforward — especially for Level 1, which is where most Canadian defense contractors need to focus right now.

Start with the official sources. The PSPC CPCSC program page and the Canadian Centre for Cyber Security’s ITSP.10.171 standard are your primary references. These should be your go-to sources as the program evolves.

Identify where Specified Information lives in your organization. Which systems store it? Which employees access it? Which third parties touch it? A smaller, well-defined scope makes compliance simpler and less expensive. You can’t protect what you haven’t mapped.

Use the Government of Canada’s online self-assessment tool to assess your implementation of the 13 baseline controls. This gives you a clear picture of where you stand and what gaps need to be addressed.

Once your self-assessment is complete, record your attestation in your CanadaBuys supplier profile. This is the mechanism the Government of Canada uses to verify Level 1 compliance at contract award.

Level 2 isn’t mandatory until spring 2027 — but it requires 98 controls and a third-party assessment. Companies that start scoping the gap now will be significantly better positioned than those who wait for a contract clause to force the issue.

How PreVeil Can Help

CPCSC requires cryptographic protection of Specified Information at rest and in transit. That means the tools your team uses to share files and communicate — email, file sharing, collaboration platforms — need to meet the standard. Standard commercial platforms like Microsoft 365 or Google Workspace are not designed for this.

PreVeil is purpose-built for exactly this problem. Trusted by thousands of defense contractors for CMMC compliance, PreVeil protects sensitive information with end-to-end encryption and customer-held keys — meaning neither PreVeil nor any third party can access your data. It works alongside your existing email and file sharing tools, with no rip and replace required.

For Canadian defense contractors navigating both CMMC and CPCSC, PreVeil offers a single platform for both frameworks — protecting your CUI for US contracts and your Specified Information for Canadian ones.

Not sure where to start? Schedule a free 15-minute consultation with our compliance team.

Frequently Asked Questions

What is CPCSC?

The Canadian Program for Cyber Security Certification (CPCSC) is Canada’s mandatory cybersecurity certification for defense contractors and their supply chains. Managed by PSPC and DND, it requires any company handling Specified Information under a DND contract to meet defined cybersecurity standards. No certification, no contract.

Who needs to comply with CPCSC?

Any organization that bids on or performs work under a Department of National Defense contract involving Specified Information. This includes a wide range of Canadian businesses — manufacturers, IT service providers, logistics companies, and others — not just large prime contractors.

What is Specified Information?

Specified Information (SI) is the Canadian term for sensitive unclassified government information that requires protection under a DND contract. It is the Canadian equivalent of the US term Controlled Unclassified Information (CUI). In practice, it includes technical drawings, statements of work, pricing, schedules, and Controlled Goods data.

Is CPCSC the same as CMMC?

No. Both programs are built on the same NIST 800-171 technical foundation, but they are separate certifications. CMMC uses NIST 800-171 Revision 2 (110 controls). CPCSC is built on ITSP.10.171, Canada’s adaptation of NIST 800-171 Revision 3 (97 controls). Canadian companies doing both US and Canadian defense work need both certifications.


Do I need both CPCSC and CMMC?

If your company does business with both US and Canadian defense programs, yes — you need both. CMMC does not satisfy CPCSC, and CPCSC does not satisfy CMMC. They are separate certifications with separate assessment processes.



When does CPCSC become mandatory?

Level 1 requirements began appearing in select DND contracts in summer 2026. Level 2 will be mandatory in select contracts beginning in spring 2027. An attestation is required at contract award—not during the bidding process.




What happens if I don’t comply?

Companies that cannot demonstrate the required CPCSC certification level will not be eligible for contract award. There is no grace period once a contract clause requires certification.




What is ITSP.10.171?

ITSP.10.171 is the Canadian industrial cybersecurity standard published by the Canadian Centre for Cyber Security. It defines the 97 security controls that underpin CPCSC. It is Canada’s adaptation of NIST SP 800-171 Revision 3 — the same technical standard that underpins the US CMMC program.




