
CPCSC or CMMC? If You Sell to Both Governments, Plan for Both

No automatic mutual recognition exists between the two certifications. But a single well-built security program can satisfy both—if you know where the gaps are.

For Canadian companies that sell into the US defence supply chain, the past two years have been a study in regulatory parallel processing. The US Department of Defense finalized its CMMC 2.0 rules in late 2024, and requirements are now being phased into DoD contracts through November 2028. Canada launched CPCSC Level 1 in April 2026, with Level 2 third-party assessment requirements arriving by spring 2027. Dual-jurisdiction contractors are suddenly managing two national cybersecurity programs, on two different timelines, run by two different accreditation ecosystems.

The natural assumption—especially for organizations that have invested heavily in CMMC readiness—is that one program carries over to the other. After all, both draw from NIST SP 800-171 as their technical foundation. The assumption is understandable. It’s also wrong.

Same Ancestor, Different Programs

Both CMMC and CPCSC were built because self-attestation under defence contracts wasn’t producing real security. The US DoD launched CMMC after years of inconsistent results under the older DFARS 252.204-7012 clause. Canada followed a parallel path through PSPC and National Defence, building CPCSC to impose verifiable requirements on the Canadian supply chain.

The shared ancestor is NIST SP 800-171, the standard for protecting sensitive government information in non-federal systems. But here’s the revision gap that trips up dual-jurisdiction contractors: CMMC 2.0’s Level 2 is built on NIST 800-171 Revision 2, which contains 110 practices. Canada’s technical standard, ITSP.10.171, developed by the Canadian Centre for Cyber Security, aligns with NIST 800-171 Revision 3—a newer version that restructures and, in some areas, expands the control baseline. The result is 97 controls across 17 families on the Canadian side, compared to 110 practices on the American one. Different structure, different evidence expectations, different assessment methodology.

The control families overlap substantially, but scoping language and assessment objectives differ enough that CMMC evidence doesn’t automatically satisfy CPCSC. Both need to be addressed independently.


What “Reciprocity” Actually Means Here

The reciprocity picture is more nuanced than most guides suggest, and getting it right matters for planning. At Level 1, the official CPCSC guidance states that Canada may accept a valid CMMC certification on a case-by-case basis, after confirming the assessment covers the required scope. This is not automatic reciprocity—it’s a discretionary review that Canada reserves the right to conduct, and scope verification can still be required. A CMMC holder who wants to rely on that pathway needs to proactively contact the CPCSC program office; it doesn’t happen by default.

At Level 2, no such recognition pathway has been published. CPCSC Level 2 requires mandatory third-party assessment by an SCC-accredited certification body. A CMMC Level 2 certificate from a C3PAO does not satisfy that requirement. The two accreditation ecosystems are independent—the Cyber AB in the US, the Standards Council of Canada for CPCSC—and produce certifications that are not automatically interchangeable at Level 2.

The practical implication: if you hold CMMC Level 2 or higher and are bidding on a CPCSC Level 1 contract, it’s worth engaging the CPCSC program office to explore case-by-case acceptance. But that’s a conversation to have early, not an assumption to build a bid around. For Level 2 and above, plan for independent certification on both sides of the border.

Where the Programs Diverge Most

  • At Level 2, the assessment paths split. CMMC allows self-assessment for some contracts; only higher-priority programmes require a C3PAO third-party assessment. CPCSC requires mandatory third-party assessment by an SCC-accredited certification body for every Level 2 contract, no exceptions. A company that qualifies for CMMC Level 2 self-assessment still faces a mandatory external certification on the Canadian side regardless of its CMMC status.
  • The timelines don’t align. CMMC’s full implementation runs through November 2028. CPCSC Level 2 third-party requirements begin in spring 2027—more than a year ahead. Dual-jurisdiction contractors who built their compliance roadmaps around the CMMC timeline need to recalibrate for Canadian requirements arriving on a compressed schedule.
  • Scoping terminology is different. CMMC uses Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) as scope triggers. CPCSC uses “specified information” and “controlled information.” These categories don’t map one-to-one, and each program requires an independent scoping exercise to determine what information is in scope under each framework.
  • The assessor market is less mature in Canada. The C3PAO ecosystem in the US has been developing for several years. Canada’s SCC-accredited certification body market is still building out. Organizations planning for CPCSC Level 2 assessments in 2027 should be identifying assessors now—availability will be constrained as the deadline approaches.

Building One Program That Maps to Both

The good news is that dual-jurisdiction compliance doesn’t require two separate security operations. The foundational capabilities—access control, incident response, configuration management, audit logging, vulnerability management, supply chain oversight—are required on both sides of the border. What differs is how they’re scoped, documented, and assessed.

The efficient approach is to anchor the program on ITSP.10.171 as the baseline standard. Since ITSP.10.171 aligns with NIST 800-171 Rev 3, and CMMC is transitioning in that direction as well, building to the newer revision positions you for both programs without rework. Map control implementations to both frameworks simultaneously. A single access review process satisfies access control requirements in both ITSP.10.171 and NIST 800-171. A single incident response plan, properly documented, produces evidence for both assessments.

The difference is packaging. CMMC evidence feeds into SPRS and C3PAO assessment packages. CPCSC Level 1 evidence supports the self-attestation in Canada Buys; CPCSC Level 2 evidence goes to the SCC-accredited certification body. Same underlying controls—different wrapping for each program’s requirements.

For organizations that have done significant CMMC compliance work, the path to CPCSC is not a rebuild from scratch. It’s a gap analysis against ITSP.10.171—mapping existing controls and evidence to the Canadian framework, identifying what doesn’t transfer cleanly, and closing those gaps before the assessment clock runs out. Plurilock has been operating on both sides of this equation: a mature CMMC practice and direct CPCSC readiness assessment experience. If you’re figuring out how to navigate both programs without doubling your compliance workload, that conversation is worth having. ■

Key Takeaways

  • CMMC (US) and CPCSC (Canada) share a NIST 800-171 ancestor but are separate certifications—at Level 1, Canada may accept a valid CMMC cert on a case-by-case basis; at Level 2, no recognition pathway exists, and independent SCC-accredited assessment is required
  • CMMC Level 2 is built on NIST 800-171 Revision 2 (110 practices); CPCSC Level 2 aligns with ITSP.10.171 and NIST 800-171 Revision 3 (97 controls across 17 families)—control structures and evidence expectations differ between the two
  • CPCSC Level 2 requires mandatory third-party assessment for every in-scope contract; CMMC Level 2 allows self-assessment for some—meaning dual-jurisdiction contractors face a harder assessment requirement on the Canadian side regardless of CMMC status
  • Canada’s timeline is faster: Level 2 requirements arrive in spring 2027, over a year ahead of CMMC’s November 2028 full implementation—roadmaps built around the US timeline need to be recalibrated
  • The efficient path is one security program anchored on ITSP.10.171, with evidence mapped to both frameworks—the underlying controls are largely the same; only scoping, documentation, and packaging differ

Already pursuing CMMC and wondering how CPCSC fits your roadmap? Plurilock works across both programs—CMMC practice and CPCSC readiness assessment experience in one place. We can map your existing controls against ITSP.10.171, identify the gaps, and build a remediation roadmap that covers both certifications without duplicating effort. Contact us to get started.
