CPCSC Readiness

Your next defence contract has a new requirement.

From summer 2026, defence suppliers without CPCSC compliance lose eligibility for a growing set of National Defence contracts. HuCortex gets you assessed, attested, and continuously compliant, with senior operators on the hook for the outcome.

No commitment. A 45-minute call with a certified HuCortex consultant.

April 2026
Level 1 is live
Summer 2026
Mandatory in select DND contracts
Spring 2027
Level 2 mandate begins
13 / 98 / 200
Controls across Levels 1, 2, and 3

What is CPCSC

Canada's mandatory cybersecurity standard for defence suppliers.

The Canadian Program for Cyber Security Certification sets the cybersecurity bar suppliers must meet to win and keep National Defence contracts. It rolls out in three levels, and the first deadlines are already here. We make readiness practical, provable, and ongoing.

Live, April 2026

Level 1

  • 13 controls, a cyber-hygiene baseline
  • Self-assessed annually
  • Self-attestation in Canada Buys before contract award
  • Mandatory in select DND contracts from summer 2026

Mandate from spring 2027

Level 2

  • 98 controls, third-party assessed
  • Valid for three years with annual affirmation
  • Requires an SCC-accredited certification body

From April 2027

Level 3

  • 200 controls, government-conducted assessments
  • For weapons systems, critical infrastructure, and Five Eyes intelligence sharing
  • Not available through private firms

Not ready for a call yet?

See where you stand against Level 1 in about 3 minutes.

A free, no-login self-check across the 13 cyber-hygiene controls. Get a score and your biggest gaps, no commitment.

Take the Level 1 self-check

How we help

Everything you need to get compliant, and stay compliant.

Readiness Assessment

We map your gaps against the 13 Level 1 and 98 Level 2 controls, and hand you a prioritized plan.

System Security Plan

We develop or review your System Security Plan so it stands up to assessment.

Level 1 Self-Attestation

Guided self-attestation and Canada Buys profile preparation, done right the first time.

Level 2 Preparation

Hands-on preparation with mock assessments, so there are no surprises on the day.

Continuous Compliance Monitoring

Our managed security service keeps your posture compliant and provable between assessments.

CMMC Bridge Advisory

For U.S. suppliers, we bridge CMMC and CPCSC so one program of work satisfies both.

Who it is for

Built for Canadian defence suppliers, especially small and mid-sized ones.

  • Aerospace and Defence
  • Defence IT
  • Engineering and Manufacturing
  • Professional Services
  • Telecommunications
  • Research and Development
  • Cybersecurity and Intelligence
  • Logistics

How we engage

From first call to ongoing compliance.

  1. 01

    Discovery call

    A 45-minute call to understand your contracts, your timeline, and your current posture.

  2. 02

    Gap assessment

    A two-week turnaround that maps you against the controls and prioritizes the work.

  3. 03

    Implementation support

    We do the work with you: policies, controls, the System Security Plan, and the evidence.

  4. 04

    Attestation and monitoring

    We get you attested or assessed, then keep you compliant with continuous monitoring.

Why HuCortex

The right partner for Canadian compliance.

  • Deep NIST and ITSP.10.171 expertise, aligned with the Canadian standard
  • Certified zero-trust architects who implement, not just advise
  • Governance built in from the start, not bolted on
  • Real-time posture monitoring between assessments
  • Focused on small and mid-sized suppliers
  • Pursuing SCC accreditation for Level 2

Certified team

The people doing your readiness work are certified across zero trust and cloud security, with the NIST and ITSP.10.171 expertise the Canadian program is built on. Meet the team.

  • Zero Trust Certified Architect (Zscaler)
  • Microsoft Azure Security Engineer Associate (AZ-500)
  • ISC2 Certified in Cybersecurity (CC)
  • Certified Ethical Hacker (CEH)
  • CyberArk Certified
  • Certified EU GDPR Foundation

What clients say

Real results, in their own words.

Our experience was nothing short of exceptional. Their professionalism and in-depth knowledge about IT and Cybersecurity paved the way for a seamless digital transformation. Highly recommended for any business looking to thrive in the digital age.

Andrea Sy, CPA CA

Andrea Sy, CPA CA

Partner

Working with this team has been an absolute game-changer for our organization. Their unparalleled expertise in IT infrastructure and cybersecurity seamlessly fortified our systems.

Arun Kaushal

Arun Kaushal

Founder and Broker Owner

Their innovative solutions and unwavering dedication have propelled our organization to new heights of efficiency and security.

Alka Shangari

Alka Shangari

Director, Operations

They went above and beyond to solve IT security issues quickly and efficiently. Their expertise and professionalism were evident from our first interaction.

Vartika Satija, CPA CA

Vartika Satija, CPA CA

Founder

Common questions

Questions about CPCSC.

What is CPCSC?
CPCSC is the Canadian Program for Cyber Security Certification. It is Canada's mandatory cybersecurity standard for suppliers to the Department of National Defence (DND). Suppliers must meet its control requirements before they can bid on or hold National Defence contracts.
Who needs CPCSC certification?
All suppliers bidding on or holding contracts with Canada's Department of National Defence need CPCSC compliance. This includes aerospace and defence companies, defence IT providers, engineering and manufacturing firms, professional services companies, telecom providers, and research organizations. Level 1 applies to select DND contracts from summer 2026; Level 2 mandates begin spring 2027.
What is the difference between CPCSC Level 1 and Level 2?
CPCSC Level 1 covers 13 cyber-hygiene controls, is self-assessed annually, and requires self-attestation through Canada Buys. Level 2 covers 98 controls and requires a third-party assessment by an SCC-accredited certification body, valid for three years with annual affirmation. You cannot self-certify for Level 2.
When does CPCSC become mandatory?
Level 1 is live as of April 2026 and mandatory in select DND contracts from summer 2026. Level 2 mandates begin spring 2027. Level 3 (for weapons systems and critical infrastructure) follows from April 2027 and is government-conducted only.
Can I self-certify for CPCSC Level 2?
No. CPCSC Level 2 requires a third-party assessment by an SCC-accredited certification body. Only Level 1 allows self-attestation in Canada Buys.
How many controls does each CPCSC level require?
Level 1 requires 13 controls, which form a cyber-hygiene baseline. Level 2 requires 98 controls. Level 3 requires 200 controls and is government-conducted, not available through private firms.
How long does CPCSC Level 2 preparation take?
Preparation time depends on your starting posture. HuCortex begins with a two-week gap assessment that maps your controls and produces a prioritized plan. Implementation support, System Security Plan development, and mock assessments follow before formal third-party assessment. Starting before the spring 2027 mandate is strongly recommended.
What is a System Security Plan?
A System Security Plan (SSP) is a formal document that describes your security controls, how they are implemented, and who is responsible for them. Level 2 assessment requires a complete, defensible SSP. HuCortex develops and reviews SSPs as part of Level 2 preparation.

Start here

Find out where you stand, in 45 minutes.

Book a no-commitment readiness call with a certified HuCortex consultant, or send a note and we will come back within one business day.

The first Level 1 deadlines land in summer 2026.

Confidential. A certified consultant replies within one business day.