
What is CPCSC and Does My Canadian Company Need It?

SecuritComply · June 3, 2026

What is CPCSC?

CPCSC stands for the Canadian Program for Cyber Security Certification. It is Canada's answer to the United States' CMMC (Cybersecurity Maturity Model Certification) program — a mandatory cybersecurity certification framework for companies that work with the Canadian Department of National Defence (DND) and handle sensitive federal contract information.

The program is administered by Public Services and Procurement Canada (PSPC) and is designed to protect the Defence Industrial Base (DIB) from cyber threats. As cyberattacks on defence supply chains increase globally, Canada requires its contractors to demonstrate a minimum level of cybersecurity maturity.

Who Needs CPCSC?

You likely need CPCSC certification if your company:

  • Has a contract or is bidding on a contract with the Department of National Defence (DND)
  • Handles Federal Contract Information (FCI) — information provided by or generated for the government under a contract
  • Handles Controlled Unclassified Information (CUI) — sensitive government information that requires protection
  • Is a subcontractor to a prime contractor who holds a DND contract

If you are unsure whether your contract requires it, check the contract requirements or look for references to CPCSC, NIST SP 800-171, or cyber certification in your solicitation documents.

CPCSC Level 1 vs Level 2

CPCSC has two certification levels. Understanding which one applies to you is critical.

CPCSC Level 1

15 controls based on FAR 52.204-21 (Federal Acquisition Regulation basic safeguarding requirements).

  • Covers basic cyber hygiene practices
  • Annual self-assessment — you assess yourself, no third party required
  • Suitable for companies that handle only Federal Contract Information (FCI)
  • Domains covered: Access Control, Identification & Authentication, Media Protection, Physical Protection, System & Communications Protection, System & Information Integrity

CPCSC Level 2

110 controls based on NIST SP 800-171 (Protecting Controlled Unclassified Information).

  • Covers advanced cybersecurity practices across 14 control families
  • Requires a third-party assessment by a certified C3PAO (CPCSC Third Party Assessment Organization)
  • Required for companies that handle Controlled Unclassified Information (CUI)
  • Much more rigorous — covers areas like Audit & Accountability, Configuration Management, Incident Response, Risk Assessment, and more

What Are the 14 Control Families in CPCSC Level 2?

CPCSC Level 2 is based on NIST SP 800-171 and covers:

  • Access Control (AC) — who can access your systems
  • Awareness & Training (AT) — security awareness for staff
  • Audit & Accountability (AU) — logging and monitoring
  • Configuration Management (CM) — secure system configurations
  • Identification & Authentication (IA) — passwords and MFA
  • Incident Response (IR) — handling security incidents
  • Maintenance (MA) — secure system maintenance
  • Media Protection (MP) — protecting storage devices
  • Personnel Security (PS) — screening and termination procedures
  • Physical Protection (PE) — physical access to systems
  • Risk Assessment (RA) — identifying and managing risks
  • Security Assessment (CA) — evaluating your security controls
  • System & Communications Protection (SC) — network security
  • System & Information Integrity (SI) — malware protection and patching

How to Get CPCSC Certified

For Level 1:

  • Review the 15 required controls
  • Implement any controls you are missing
  • Document your implementation for each control
  • Complete your annual self-assessment
  • Submit your attestation

For Level 2:

  • Conduct a gap assessment against all 110 NIST SP 800-171 controls
  • Create a System Security Plan (SSP) documenting your environment
  • Create a Plan of Action & Milestones (POA&M) for any gaps
  • Remediate gaps
  • Engage a certified C3PAO to conduct your third-party assessment
  • Receive your certification

How Long Does It Take?

Level 1: 2–4 weeks if you have basic security practices already in place.

Level 2: 3–12 months depending on your current security maturity. Companies with no existing security program will take longer. The assessment itself (by a C3PAO) typically takes 2–4 weeks after you are ready.

What Happens If You Don't Get Certified?

Without CPCSC certification, you will not be eligible to bid on or hold contracts that require it. As the program matures, more DND contracts will include CPCSC as a mandatory requirement. Starting early is strongly recommended — do not wait until you lose a contract to begin.

How SecuritComply Helps

SecuritComply is the only Canadian GRC platform with native CPCSC support:

  • CPCSC Level 1 — all 15 controls mapped and ready for self-assessment
  • CPCSC Level 2 — all 110 NIST SP 800-171 controls across all 14 families
  • Evidence collection — upload your policies, screenshots, and configs against each control
  • Auditor portal — give your C3PAO read-only access to your evidence package
  • Canadian data residency — your compliance data never leaves Canada
  • AI Virtual CISO — get plain-language explanations of every control

All of this at 70–85% less than US-based compliance tools — and with frameworks that US tools simply do not support.

Bottom Line

If you are a Canadian company working with DND or planning to, CPCSC is not optional — it is becoming a condition of doing business with the Canadian government defence sector. Level 1 is achievable in weeks. Level 2 takes planning but is manageable with the right tools.

Start by identifying which level applies to your contracts, then work through the controls systematically. SecuritComply makes this process significantly faster and more affordable than traditional approaches.

Ready to get compliant?

SecuritComply makes it simple — 17 frameworks, Canadian data residency, 70–85% cheaper than US tools.
