What is CPCSC and who needs it

CPCSC is Canada's mandatory cybersecurity standard for suppliers to the Department of National Defence. If your company sells to or contracts with National Defence, you need to meet CPCSC requirements before you can bid on or hold covered contracts. The first deadline landed in April 2026.

What CPCSC stands for

CPCSC stands for the Canadian Program for Cyber Security Certification. The federal government created it to bring a consistent cybersecurity baseline to the defence supply chain, similar to what the U.S. CMMC program does for American defence contractors.

The program is built on established cybersecurity frameworks, primarily Canada's own ITSP.10.171 guidance and NIST SP 800-171. It sets the minimum controls that a defence supplier must implement and, for higher levels, have independently verified.

Who needs CPCSC certification

Any organization that holds or intends to bid on a contract with Canada's Department of National Defence needs to comply with CPCSC. The program applies to prime contractors and, in many cases, their subcontractors.

Small and mid-sized suppliers are not exempt. The program is specifically designed to address the weakest links in the defence supply chain, which are often the smaller firms that feed into larger prime contracts.

• Aerospace and defence companies
• Defence IT and software providers
• Engineering and manufacturing firms
• Professional services companies supporting DND programs
• Telecommunications providers
• Research and development organizations
• Cybersecurity and intelligence firms
• Logistics and supply chain providers

The three certification levels

CPCSC has three levels of increasing rigor. Most suppliers will need Level 1 or Level 2.

Level 1 covers 13 controls that form a cyber-hygiene baseline. It is self-assessed annually and requires self-attestation through Canada Buys before a contract is awarded. Level 1 has been live since April 2026 and is mandatory in select DND contracts from summer 2026.

Level 2 covers 98 controls and requires a third-party assessment by an SCC-accredited certification body. A Level 2 certification is valid for three years, with annual affirmation required. Level 2 mandates begin in spring 2027.

Level 3 covers 200 controls and is conducted by the government, not private certification bodies. It applies to weapons systems, critical infrastructure, and Five Eyes intelligence sharing programs. Most commercial suppliers will not reach Level 3.

The timeline that matters

The first Level 1 deadline landed in April 2026. From summer 2026, select DND contracts are requiring Level 1 self-attestation before award. Level 2 requirements begin rolling into contracts from spring 2027.

This timeline is tighter than it looks. If your business depends on National Defence contracts, you need to start a gap assessment now. The gap between where most suppliers currently sit and where Level 2 requires them to be is significant, and implementation takes time.

What happens if you don't comply

Suppliers without valid CPCSC attestation cannot bid on covered contracts. There is no grace period once a contract requirement is set. If you are mid-contract and a renewal or extension requires CPCSC and you don't have it, the conversation with your DND contact becomes very difficult.

How to get started

The right first step is a gap assessment: map your current controls against the Level 1 or Level 2 requirements and identify what needs to be built, documented, or changed. This typically takes two weeks and gives you a prioritized implementation plan.

HuCortex runs CPCSC readiness assessments for Canadian defence suppliers. If you're not sure where you stand against the program requirements, book a 45-minute readiness call to find out.