Earlier this year, the Government of Canada launched the first phase of the Canadian Program for Cyber Security Certification (CPCSC). Seeking to protect unclassified government information on contractors' systems, networks, and applications, the CPCSC is expected to closely align to the U.S. Government's Cybersecurity Maturity Model Certification (CMMC).
What are the Key Features of the CPCSC?
Canada's February 2024 filing to the U.S. Department of Defense (DoD) outlined key features of the CPCSC:
- The upcoming Canadian Industrial Cyber Security Standards will be technically identical to the 172 standards in NIST 800-171 and NIST 800-172 as assessed in the U.S. CMMC.
- The CPCSC will be implemented through contract clauses in select defence contracts.
- The Standards Council of Canada will serve as the accreditation body.
- The government is building capacity to conduct certain CPCSC assessments.
Risk assessments will identify which level of CPCSC certification a contractor requires, mirroring CMMC's three tiers. Prime contractors will be responsible for flow down of and compliance with the requirements by their supply chain. The Standards Council of Canada will establish accreditation processes for third-party assessors, enabling the assessors to certify suppliers up to Level 2 cyber security certification requirements.
What is the CPCSC Implementation Timeline?
Implementation of the CPCSC, as of May 2025, is as follows:
|
Phase |
Objectives |
Anticipated Commencement |
|---|---|---|
|
1 |
Release of Canadian industrial security standard (ITSP 10.171) which contains "no substantial technical differences" from the U.S. NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Later this Spring, the Government will release guidance and a self-assessment tool for level 1 certification. |
Completed |
|
2 |
Some defense contracts will require level 2 certification and level 3 certification. |
Fall 2025 |
|
3 |
Release of level 3 certification and the publication of level 3 controls. |
Spring 2026 |
|
4 |
Level 3 certification requirements incorporated in certain procurements and level 3 certification conducted by DND. |
2027 |
What Does this Mean for Federal Contractors?
The launch of Phase 1 of the CPCSC marks a significant step towards enhancing the security of unclassified government information within the defence supply chain. By aligning with U.S. standards, the CPCSC ensures that Canadian defence contractors and suppliers are well-equipped to protect sensitive data and meet stringent security requirements. As the program progresses through its subsequent phases, staying informed and compliant will be crucial for securing contracts and maintaining a competitive edge in the industry.
Additional Information available here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
