Canadian Program for Cyber Security Certification (CPCSC)
New Cybersecurity Requirements Are Coming for Canada's Defence Supply Chain
The Government of Canada is introducing the Canadian Program for Cyber Security Certification (CPCSC) to strengthen cybersecurity across defence procurement. The program is expected to establish standardized cybersecurity requirements for organizations that handle sensitive government information and participate in defence-related contracts.
Whether you're already working with federal agencies or planning to pursue future opportunities, understanding CPCSC now will help you prepare for the evolving certification landscape.
What Is CPCSC?
The Canadian Program for Cyber Security Certification (CPCSC) is a proposed federal cybersecurity procurement framework designed to strengthen how organizations are assessed when participating in Canada’s defence and government supply chains. It is intended to establish standardized cybersecurity requirements for suppliers handling sensitive government-related information, particularly within defence-related contracts. CPCSC reflects a broader shift in government procurement toward formalized cybersecurity assurance and verifiable security controls, rather than self-attestation or questionnaire-based assessments.
Learn more about CPCSC requirements from the Government of Canada CPCSC program overview.
Why CPCSC matters
As cyber threats continue to evolve, the Government of Canada is moving toward a more consistent and evidence-based approach to evaluating the cybersecurity capabilities of organizations that support defence and government operations. CPCSC is intended to:
Improve consistency in cybersecurity assessments across suppliers
Strengthen assurance for sensitive federal and defence data
Reduce reliance on self-reported security questionnaires
Align procurement expectations with modern security frameworks and control-based verification
Who Will Be affected?
How CPCSC changes cybersecurity expectations
CPCSC represents a shift from questionnaire-based security assessments toward evidence-based cybersecurity assurance. Rather than simply stating that security practices exist, organizations may be expected to demonstrate that cybersecurity controls are documented, implemented, and operating effectively.
Implemented security controls aligned to recognized standards
Formal governance and risk management practices
Independent validation or audit-ready security posture
This aligns with broader global trends in cybersecurity assurance, including ISO/IEC 27001-based information security management systems and structured control frameworks.
The Canadian Program for Cyber Security Certification (CPCSC) is expected to apply to organizations that provide products or services to the Government of Canada and Canada's defence sector. As cybersecurity requirements become integrated into federal procurement, suppliers may need to demonstrate that they have implemented appropriate cybersecurity controls based on the sensitivity of the information they access, process, or store. Organizations that may be affected include but not limited to:
Defence Contractors
Aerospace and Aviation companies
Technology and Software Companies
Managed Service Providers (MSPs) and Cloud Providers
Understanding CPCSC Certification Levels
The Canadian Program for Cyber Security Certification (CPCSC) uses a tiered approach to cybersecurity assurance.
The certification levels are designed to recognize that organizations handle different types of information and operate in different risk environments. Each level introduces increasing expectations around cybersecurity controls, evidence, and assessment activities.
The certification level required for an organization will depend on factors such as the sensitivity of the information it handles, its role within the defence supply chain, and the cybersecurity requirements specified in applicable Government of Canada contracts.
Self-attestation
Documentation-based assessments
Independent third-party evaluations
This structure enables scalable oversight across a broad supplier base while maintaining consistent security expectations.
Level 1 is designed to establish a baseline level of cybersecurity practices for organizations participating in applicable supply chains.
This level focuses on demonstrating that fundamental cybersecurity safeguards are in place, including areas such as:
Security governance and accountability
Basic access controls
Protection of sensitive information
Cybersecurity policies and procedures
Employee awareness and security practices
Level 1 is intended to provide organizations with a starting point for demonstrating cybersecurity maturity.
Level 2 - Independent Cybersecurity Assessment
Level 2 introduces a higher level of assurance through independent assessment.
Organizations seeking Level 2 certification must demonstrate that cybersecurity controls are not only documented but implemented and operating effectively.
Assessment activities may include verification of:
Security processes and procedures
Risk management practices
Technical safeguards
Monitoring and incident response capabilities
Evidence demonstrating ongoing security operations
This level provides greater confidence that cybersecurity practices are actively maintained.
Level 3 - Advanced Cybersecurity Assurance
Level 3 represents the highest level of cybersecurity assurance within the CPCSC framework.
This level is intended for organizations handling more sensitive information or supporting higher-risk activities.
Organizations may be required to demonstrate more advanced cybersecurity capabilities, including:
Mature security governance
Advanced risk management
Enhanced monitoring and detection
Stronger protection measures
More comprehensive evidence of control effectiveness
Level 3 provides the highest level of confidence that cybersecurity practices are robust, repeatable, and continuously managed.
How the CPCSC Certification Process Works
Step 1: Determine Your Required Certification Level
The first step is identifying which CPCSC certification level applies to your organization. Your required level is determined by the sensitivity of the information you access, handle, or store, as well as the security requirements defined in your Government of Canada contracts.
Organizations working with more sensitive defence information will be required to meet higher certification levels and more comprehensive security controls. Understanding your required level early helps ensure you prepare for the appropriate assessment and avoid unnecessary work.
Step 2: Assess Your Current Security Posture and Address Gaps
Once your certification level has been established, your organization should evaluate its existing cybersecurity program against the applicable CPCSC requirements. This process identifies where current policies, procedures, and technical controls align with the program and where improvements may be needed.
Organizations typically use the results of this assessment to strengthen their cybersecurity program, update documentation, and address any identified gaps before pursuing certification. Organizations with mature security programs, particularly those aligned with frameworks such as ISO/IEC 27001, may find they already meet many of the required controls.
Step 3: Prepare for the Certification Assessment
Before the assessment, organizations should ensure that required documentation, policies, procedures, and supporting evidence are complete and consistently implemented. Employees should understand their security responsibilities, and management should be prepared to demonstrate how cybersecurity controls are maintained in practice.
Thorough preparation helps the certification assessment proceed efficiently and reduces the likelihood of delays caused by missing or incomplete evidence.
Step 4: Complete the Certification Assessment
An authorized certification body conducts the certification assessment to determine whether your organization meets the applicable CPCSC requirements for its designated certification level. The assessment includes a review of documentation, interviews with key personnel, and evaluation of evidence demonstrating that required cybersecurity controls are effectively implemented and operating as intended.
If nonconformities are identified, the organization may be required to address them before certification can be granted.
How CPCSC Fits with Other Cybersecurity Frameworks
Many organizations pursuing CPCSC certification have already implemented recognized cybersecurity frameworks or completed security audits. While CPCSC has its own specific requirements, organizations with mature security programs often find that existing governance, policies, and security controls provide a strong foundation for certification.
Already Have a SOC 2 Report?
If you've completed a SOC 2 audit, you've likely established documented security policies, access controls, incident response procedures, and other governance practices. While SOC 2 does not satisfy CPCSC requirements on its own, much of this work can support your readiness for certification.
Already ISO/IEC 27001 Certified
If your organization is certified to ISO/IEC 27001, you've already implemented a risk-based Information Security Management System (ISMS) and many of the security controls expected of a mature cybersecurity program. This can provide a strong foundation when preparing for CPCSC certification.
Already Aligned with the NIST Cybersecurity Framework?
If your cybersecurity program is aligned with the NIST Cybersecurity Framework, you've likely established structured processes for managing cyber risk, implementing security controls, and responding to incidents. This existing foundation can help support your preparation for CPCSC certification.
Canadian Program for Cyber Security Certification FAQs
-
CPCSC requirements depend on applicable contracts, programs, and customer expectations.
Organizations working with government or defence - related supply chains should monitor requirements and determine whether certification will be required for current or future opportunities.
-
CPCSC is expected to impact organizations that:
Provide products or services to government or defence - related contracts
Handle sensitive information
Participate in controlled or regulated supply chains
Need to demonstrate cybersecurity maturity to customers or partners
Organizations should review contract requirements and customer expectations to determine whether CPCSC certification applies.
-
The Canadian Program for Cyber Security Certification (CPCSC) is being introduced through a phased rollout rather than a single release date.
The program is being implemented through multiple certification levels, allowing organizations time to understand requirements and prepare their cybersecurity programs.
The initial phase focuses on Level 1 certification requirements, including supplier self-assessment activities. More advanced certification levels will follow as the program matures.
The current rollout approach includes:
Level 1 — Self-Assessment
Organizations complete a cybersecurity self-assessment against defined requirements. Level 1 is the first certification level being introduced and will apply to selected defence contracts.Level 2 — Third-Party Assessment
Introduces external assessments conducted by recognized third-party assessment organizations. This level is intended to provide stronger independent verification of cybersecurity controls.Level 3 — Advanced Assessment Represents the highest assurance level and involves assessments conducted by National Defence.
Organizations that may be impacted by CPCSC requirements should begin preparing early by understanding applicable requirements, assessing current cybersecurity maturity, and identifying gaps before certification becomes contractually required.
-
Yes.
ISO/IEC 27001 certification is not necessarily a prerequisite for CPCSC certification.
However, organizations with an established ISMS may already have many foundational processes that support CPCSC requirements.
-
CPCSC certification is expected to follow a defined certification lifecycle, including ongoing monitoring, reassessment, or renewal requirements.
Organizations will need to maintain cybersecurity controls after certification, not just achieve certification once.
-
Organizations should begin preparing before CPCSC requirements become mandatory for their contracts.
Waiting until certification is required may create challenges, especially for organizations that need to implement new controls, update documentation, improve governance processes, or collect evidence of cybersecurity practices.
Early preparation allows organizations to align existing cybersecurity frameworks, such as ISO/IEC 27001, with CPCSC expectations and address gaps before assessment.
-
MHM is preparing to support organizations as CPCSC becomes available.
As a cybersecurity and assurance firm with experience in ISO-based certification programs, we are closely following the development of CPCSC requirements and the certification process.
Once the applicable requirements are finalized, MHM will confirm the services we can provide, including support for organizations preparing to achieve CPCSC certification.
In the meantime, organizations can begin preparing by evaluating their current cybersecurity maturity, identifying gaps, and strengthening their security practices.
-
The first step is understanding your current cybersecurity maturity.
A readiness assessment can help identify:
Existing controls
Gaps against CPCSC expectations
Required improvements
Evidence needed before certification
Why Organizations Should Start Preparing Now
Although CPCSC is still being introduced, building a mature cybersecurity program takes time. Developing policies, implementing technical controls, documenting governance processes, and gathering evidence can require several months depending on the size and complexity of an organization. Organizations that begin preparing early will be better positioned to respond as certification requirements become integrated into future Government of Canada procurement opportunities.
Whether you're evaluating how CPCSC may affect your organization or strengthening your cybersecurity program in anticipation of future certification requirements, MHM can help. Our team specializes in independent cybersecurity assurance services, including SOC 2, ISO/IEC 27001, and other recognized cybersecurity frameworks that can help organizations build a strong foundation for future certification.
Contact us to discuss your cybersecurity readiness and compliance objectives.

