CPCSC For Canadian Defense Contractors: What We Know Today

Last updated August 22, 2025.

With cybersecurity threats evolving rapidly, local governments are taking steps to protect sensitive but unclassified information that they must share with their suppliers. This is a critical undertaking, as hackers can use sensitive information to inform their strategies—plus they can execute supply chain attacks by gaining access to one system, then moving upstream to compromise a more sensitive system.

The Government of Canada recognizes how these risks apply to their relationships with suppliers, and they’ve taken steps to develop a cybersecurity standard for defense contractors. This standard, known as the Canadian Program for Cyber Security Certification (CPCSC), is still being developed—but it’s not too early for suppliers to start learning what it will mean for them.

Here’s what we know today about the CPCSC.

Key takeaways:

• The CPCSC will go into effect sometime in the winter of 2025.
• There are three levels of CPCSC compliance, depending on the sensitivity of the information handled.
• You can prepare now by familiarizing your organization with NIST 800-171 and 800-172.

What is the CPCSC?

The CPCSC is a new cybersecurity standard that will apply to suppliers who bid on defense contracts for the Government of Canada. Naturally, it will also apply to organizations that win the contracts and work on them.

Why comply with the CPCSC?

Simply put, if you want to bid on Canadian defense contracts, you’ll need to comply with the CPCSC. That’s a great reason to pursue compliance.

More broadly speaking, adhering to the CPCSC will also make your organization more secure. This means the benefits of compliance go far beyond Canadian defense contracts for organizations that work with multiple customers or other national governments. Simply put, the CPCSC will reduce the attack surface and strengthen the security posture of any organization that strives to comply with it.

When does the CPCSC go into effect?

The Government of Canada’s documentation indicates that the CPCSC will go into effect sometime during the winter of 2025. The Government is not providing a specific date at this point, but we’re guessing that information will come out later this year or early next year.

As of this writing, Public Services and Procurement Canada (PSPC) has conducted a request for information (RFI) process that closed on June 28, 2024. Companies that participated in the RFI process had the opportunity to “significantly influence the development and implementation of the program.”

While it’s too late to participate in the RFI process, the fact that PSPC engaged in it is great news for defense contractors. It means that suppliers had a seat at the table to help shape policy in a way that keeps both their organizations and the Government secure.

Key features of the CPCSC

While the CPCSC is still being created, the Government has released quite a bit of information about their intentions. Here’s what we know so far.  

• The CPCSC will create a new Canadian cybersecurity standard that’s based on the NIST 800-171 and 800-172 standards developed in the US. Basing the CPCSC on these NIST standards will keep Canadian requirements closely aligned with US requirements. This is good news as the two countries and their businesses continue to pursue mutually advantageous relationships.
• The CPCSC will dictate specific cybersecurity controls required for companies that wish to engage in federal contracting with the Government of Canada.
• The CPCSC will provide structure and standards for the secure handling of Controlled Unclassified Information by non-governmental organizations.
• The CPCSC will establish a risk assessment process to allow contracted projects to move forward with the appropriate balance of maximum security and maximum efficiency.
• The CPCSC will establish contractual clauses that will be required in all defense-related RFPs.
• The CPCSC will establish accreditation processes for third-party assessors who will audit organizations to determine their level of compliance with the standard.

CPCSC certification levels

The CPCSC won’t require all organizations to meet the same certification levels. Rather, the standard will allow for the fact that different contractors handle information with different levels of sensitivity. There will be 3 levels of certification.

• Level 1: Requires an annual cybersecurity self-assessment, which the organization can conduct internally.
• Level 2: Requires a cybersecurity assessment conducted by an accredited certification body—basically a cybersecurity audit. 
• Level 3: Requires a cybersecurity assessment conducted directly by the Department of National Defence rather than by a third-party assessor.

How can you prepare now?

While the CPCSC hasn’t been finalized, that doesn’t mean you have to wait to start preparing. Forward-thinking companies can begin evaluating themselves today.

The key is to look at NIST 800-171 and 800-172. These two US standards will form the basis for the CPCSC, which means they can help organizations develop an early picture of how they may stand in relation to the CPCSC.

What does this look like specifically?

An expert cybersecurity partner can help you conduct a compliance audit for NIST 800-171 and/or 800-172. This process will provide specific findings that need to be addressed to align with NIST standards. While it’s not the same thing as a CPCSC assessment, it’s a great way to uncover any of the larger initiatives that may be required to comply with the CPCSC—plus you can increase your security today, before the CPCSC is finalized.

Here at Corsica Technologies, we’re ready to help you take those preliminary steps. Get in touch with us today to chart your path forward.