
CPCSC Is Live: What Canadian Defence Suppliers Need to Know

Level 1 requirements are landing in defence contracts this summer. Here's the landscape, the timeline, and the trap too many suppliers are walking into.

Canada’s defence industry has been watching CPCSC come down the pipe for two years. As of April 2026, it’s here. The Canadian Program for Cyber Security Certification—managed jointly by Public Services and Procurement Canada (PSPC) and National Defence—is now embedding mandatory cyber requirements directly into defence contracts. Level 1 self-assessments are required now. Level 2 third-party certifications follow in spring 2027.

If you bid on or subcontract under DND work and you’re just now hearing the acronym, here’s what you need to know.


What CPCSC Is

CPCSC is Canada’s official cybersecurity certification framework for the defence supply chain. It sets mandatory cyber hygiene and information protection requirements for suppliers when they handle what the government calls “specified information”—sensitive data that falls below the classified level but still needs protection: contract terms, technical specifications, system configurations, and export-controlled materials.

The program draws heavily from American precedent, most directly the US Cybersecurity Maturity Model Certification (CMMC) that the Department of Defense now requires of its own contractors. Canada’s technical standard, ITSP.10.171, developed by the Canadian Centre for Cyber Security, aligns with NIST Special Publication 800-171 Revision 3. The philosophy is the same on both sides of the border: self-attestation wasn’t producing real security, so governments are now requiring verifiable compliance.

Three Levels, Three Different Stakes

CPCSC organizes its requirements into three levels, each with escalating demands and consequences.

  • Level 1 — Basic Cyber Hygiene. Thirteen security requirements drawn from foundational cyber controls. Suppliers self-assess annually and submit attestation through the Canada Buys procurement portal. No third-party assessment required. Level 1 requirements will begin landing in new National Defence RFPs starting summer 2026.
  • Level 2 — Advanced Controls. Ninety-seven security controls from ITSP.10.171, organized across seventeen control families. Unlike Level 1, this is not self-assessment territory. Level 2 requires an external certification conducted by a certification body accredited by the Standards Council of Canada (SCC), plus an annual affirmation. Requirements begin appearing in select contracts in spring 2027, applying when a contract involves handling controlled defence information or more complex sensitive work.
  • Level 3 — Expert-Level Assessment. Assessed directly by National Defence. Reserved for contracts involving weapons systems, critical infrastructure access, or sensitive information shared under the Five Eyes intelligence partnership. Level 3 requirements will be incorporated into select contracts beginning April 2027 with gradual rollout.

Most suppliers in the defence industrial base will land at Level 1 or Level 2. If you’re currently bidding DND work, that means at minimum you need to understand what Level 1 requires and whether you can honestly attest to it today.

Who’s Actually in Scope

The formal trigger is handling “specified information” under a Government of Canada defence contract. In practice, this is broader than many smaller suppliers realize.

Flow-down is real. If a prime contractor is required to meet CPCSC, that obligation passes to subcontractors who touch the relevant information. You don’t have to hold the prime contract to be in scope. If you’re in the defence supply chain—building components, providing technical services, managing IT systems—and your customer is protecting specified information under a DND contract, your customer’s contract likely already requires CPCSC compliance and they need to ensure you have it.

The sectors most directly affected include defence, aerospace, manufacturing, technology, and professional services. PSPC has also noted that cybersecurity requirements can be applied to contracts outside the strict defence domain, and all Government of Canada suppliers are encouraged to proactively assess their readiness.


The Trap: Attestation Happens at Contract Award, Not During Bidding

Here’s where a lot of suppliers are going to get caught. Under the current Phase 2 implementation, Level 1 self-attestation is required at contract award—not during the bidding process. That distinction matters more than it might appear.

By the time a solicitation appears in Canada Buys with a CPCSC requirement attached, you may have spent weeks or months preparing a bid. If you win, the attestation requirement arrives at the award table. If you can’t honestly attest to the 13 required controls at that moment, the choices are difficult: lose the contract, delay the award, or attest to something that isn’t accurate.

The practical implication is that preparation needs to happen before you see the requirement in a solicitation—not after. There’s no long runway between “we won the bid” and “please confirm your cybersecurity compliance.” Suppliers who wait until CPCSC language appears in an RFP to start their readiness work will, in many cases, be starting too late.

Where to Start

The Level 1 requirements cover six control families: access control, identification and authentication, media protection, physical protection, systems and communications protection, and system and information integrity. Notably absent at Level 1: incident response, configuration management, governance, and logging—those live at Level 2. For many organizations, some of this is already in place informally. The typical gap is in documentation and evidence—not intent.

For organizations bidding on contracts that will require Level 2, the calculus is more complex. Ninety-seven controls across seventeen families is a substantial body of work, and with the April 2027 timeline now inside a year, the window for orderly preparation is narrower than it looks. The question isn’t whether to prepare—it’s when to start, and the answer to that question is now.

The first step is an honest one: where do you actually stand? Not where you think you stand—where does the evidence say you stand? Plurilock works with defence suppliers at exactly this stage—before the solicitation arrives, not after—and a CPCSC readiness conversation costs you nothing. Reach out and let’s find out.

Key Takeaways

  • CPCSC is Canada’s mandatory cybersecurity certification for defence suppliers, now actively embedded in National Defence contracts as of spring 2026
  • Level 1 requires annual self-attestation against 13 security requirements via Canada Buys; Level 2 requires third-party assessment by an SCC-accredited body and arrives in select contracts spring 2027
  • Flow-down is real—subcontractors who handle specified information under DND contracts are in scope even if they don’t hold the prime contract
  • The key timing trap: Level 1 self-attestation is required at contract award, not during bidding—preparation must happen before the solicitation appears, not in response to it
  • Level 2 covers 97 controls across 17 families aligned to ITSP.10.171; with spring 2027 inside twelve months, organizations handling controlled defence information need to begin gap assessment now

Not sure where you stand on CPCSC? Plurilock’s CPCSC Compliance Readiness Assessment evaluates your current controls against CPCSC Level 1 and Level 2 requirements, identifies gaps, and delivers a prioritized remediation roadmap—so you can attest with confidence, not guesswork. Contact us to start the conversation.
