Canadian Program for Cyber Security Certification (CPCSC)

New Cybersecurity Requirements Are Coming for Canada's Defence Supply Chain

The Government of Canada is introducing the Canadian Program for Cyber Security Certification (CPCSC) to strengthen cybersecurity across defence procurement. The program is expected to establish standardized cybersecurity requirements for organizations that handle sensitive government information and participate in defence-related contracts.

Whether you're already working with federal agencies or planning to pursue future opportunities, understanding CPCSC now will help you prepare for the evolving certification landscape.

What is the Canadian Program for Cyber Security?

What Is CPCSC?

The Canadian Program for Cyber Security Certification (CPCSC) is a proposed federal cybersecurity procurement framework designed to strengthen how organizations are assessed when participating in Canada’s defence and government supply chains. It is intended to establish standardized cybersecurity requirements for suppliers handling sensitive government-related information, particularly within defence-related contracts. CPCSC reflects a broader shift in government procurement toward formalized cybersecurity assurance and verifiable security controls, rather than self-attestation or questionnaire-based assessments.

Learn more about CPCSC requirements from the Government of Canada CPCSC program overview.

Why CPCSC matters

As cyber threats continue to evolve, the Government of Canada is moving toward a more consistent and evidence-based approach to evaluating the cybersecurity capabilities of organizations that support defence and government operations. CPCSC is intended to:

  • Improve consistency in cybersecurity assessments across suppliers

  • Strengthen assurance for sensitive federal and defence data

  • Reduce reliance on self-reported security questionnaires

  • Align procurement expectations with modern security frameworks and control-based verification

Who Will Be affected?

How CPCSC changes cybersecurity expectations

CPCSC represents a shift from questionnaire-based security assessments toward evidence-based cybersecurity assurance. Rather than simply stating that security practices exist, organizations may be expected to demonstrate that cybersecurity controls are documented, implemented, and operating effectively.

  • Implemented security controls aligned to recognized standards

  • Formal governance and risk management practices

  • Independent validation or audit-ready security posture

This aligns with broader global trends in cybersecurity assurance, including ISO/IEC 27001-based information security management systems and structured control frameworks.

Canadian Program for Cyber Security Certification (CPCSC)

The Canadian Program for Cyber Security Certification (CPCSC) is expected to apply to organizations that provide products or services to the Government of Canada and Canada's defence sector. As cybersecurity requirements become integrated into federal procurement, suppliers may need to demonstrate that they have implemented appropriate cybersecurity controls based on the sensitivity of the information they access, process, or store. Organizations that may be affected include but not limited to:

  • Defence Contractors

  • Aerospace and Aviation companies

  • Technology and Software Companies

  • Managed Service Providers (MSPs) and Cloud Providers

Understanding CPCSC Certification Levels

The Canadian Program for Cyber Security Certification (CPCSC) uses a tiered approach to cybersecurity assurance.

The certification levels are designed to recognize that organizations handle different types of information and operate in different risk environments. Each level introduces increasing expectations around cybersecurity controls, evidence, and assessment activities.

The certification level required for an organization will depend on factors such as the sensitivity of the information it handles, its role within the defence supply chain, and the cybersecurity requirements specified in applicable Government of Canada contracts.

  • Self-attestation

  • Documentation-based assessments

  • Independent third-party evaluations

This structure enables scalable oversight across a broad supplier base while maintaining consistent security expectations.

Level 1 is designed to establish a baseline level of cybersecurity practices for organizations participating in applicable supply chains.

This level focuses on demonstrating that fundamental cybersecurity safeguards are in place, including areas such as:

  • Security governance and accountability

  • Basic access controls

  • Protection of sensitive information

  • Cybersecurity policies and procedures

  • Employee awareness and security practices

Level 1 is intended to provide organizations with a starting point for demonstrating cybersecurity maturity.

Level 2 - Independent Cybersecurity Assessment

Level 2 introduces a higher level of assurance through independent assessment.

Organizations seeking Level 2 certification must demonstrate that cybersecurity controls are not only documented but implemented and operating effectively.

Assessment activities may include verification of:

  • Security processes and procedures

  • Risk management practices

  • Technical safeguards

  • Monitoring and incident response capabilities

  • Evidence demonstrating ongoing security operations

This level provides greater confidence that cybersecurity practices are actively maintained.

Level 3 - Advanced Cybersecurity Assurance

Level 3 represents the highest level of cybersecurity assurance within the CPCSC framework.

This level is intended for organizations handling more sensitive information or supporting higher-risk activities.

Organizations may be required to demonstrate more advanced cybersecurity capabilities, including:

  • Mature security governance

  • Advanced risk management

  • Enhanced monitoring and detection

  • Stronger protection measures

  • More comprehensive evidence of control effectiveness

Level 3 provides the highest level of confidence that cybersecurity practices are robust, repeatable, and continuously managed.

How the CPCSC Certification Process Works

Step 1: Determine Your Required Certification Level

The first step is identifying which CPCSC certification level applies to your organization. Your required level is determined by the sensitivity of the information you access, handle, or store, as well as the security requirements defined in your Government of Canada contracts.

Organizations working with more sensitive defence information will be required to meet higher certification levels and more comprehensive security controls. Understanding your required level early helps ensure you prepare for the appropriate assessment and avoid unnecessary work.

Step 2: Assess Your Current Security Posture and Address Gaps

Once your certification level has been established, your organization should evaluate its existing cybersecurity program against the applicable CPCSC requirements. This process identifies where current policies, procedures, and technical controls align with the program and where improvements may be needed.

Organizations typically use the results of this assessment to strengthen their cybersecurity program, update documentation, and address any identified gaps before pursuing certification. Organizations with mature security programs, particularly those aligned with frameworks such as ISO/IEC 27001, may find they already meet many of the required controls.

Step 3: Prepare for the Certification Assessment

Before the assessment, organizations should ensure that required documentation, policies, procedures, and supporting evidence are complete and consistently implemented. Employees should understand their security responsibilities, and management should be prepared to demonstrate how cybersecurity controls are maintained in practice.

Thorough preparation helps the certification assessment proceed efficiently and reduces the likelihood of delays caused by missing or incomplete evidence.

Step 4: Complete the Certification Assessment

An authorized certification body conducts the certification assessment to determine whether your organization meets the applicable CPCSC requirements for its designated certification level. The assessment includes a review of documentation, interviews with key personnel, and evaluation of evidence demonstrating that required cybersecurity controls are effectively implemented and operating as intended.

If nonconformities are identified, the organization may be required to address them before certification can be granted.

How CPCSC Fits with Other Cybersecurity Frameworks

Many organizations pursuing CPCSC certification have already implemented recognized cybersecurity frameworks or completed security audits. While CPCSC has its own specific requirements, organizations with mature security programs often find that existing governance, policies, and security controls provide a strong foundation for certification.

How CPCSC Fits with Other Cybersecurity Frameworks

Already Have a SOC 2 Report?

If you've completed a SOC 2 audit, you've likely established documented security policies, access controls, incident response procedures, and other governance practices. While SOC 2 does not satisfy CPCSC requirements on its own, much of this work can support your readiness for certification.

Already ISO/IEC 27001 Certified

If your organization is certified to ISO/IEC 27001, you've already implemented a risk-based Information Security Management System (ISMS) and many of the security controls expected of a mature cybersecurity program. This can provide a strong foundation when preparing for CPCSC certification.

Already Aligned with the NIST Cybersecurity Framework?

If your cybersecurity program is aligned with the NIST Cybersecurity Framework, you've likely established structured processes for managing cyber risk, implementing security controls, and responding to incidents. This existing foundation can help support your preparation for CPCSC certification.

Canadian Program for Cyber Security Certification FAQs

Why Organizations Should Start Preparing Now

Although CPCSC is still being introduced, building a mature cybersecurity program takes time. Developing policies, implementing technical controls, documenting governance processes, and gathering evidence can require several months depending on the size and complexity of an organization. Organizations that begin preparing early will be better positioned to respond as certification requirements become integrated into future Government of Canada procurement opportunities.

Whether you're evaluating how CPCSC may affect your organization or strengthening your cybersecurity program in anticipation of future certification requirements, MHM can help. Our team specializes in independent cybersecurity assurance services, including SOC 2, ISO/IEC 27001, and other recognized cybersecurity frameworks that can help organizations build a strong foundation for future certification.

Contact us to discuss your cybersecurity readiness and compliance objectives.