What is CPCSC?
CPCSC — the Canadian Program for Cyber Security Certification — is a Government of Canada program that requires suppliers to demonstrate cyber security controls to bid on and hold certain federal contracts, with a particular focus on the defence supply chain. In intent it is comparable to the United States CMMC program: it gives the government assurance that the companies in its supply chain protect sensitive information.
The program is administered by Public Services and Procurement Canada (PSPC). Because its requirements continue to roll out, always confirm the authoritative details against the official Government of Canada CPCSC program page and the specific contract you are pursuing.
Who needs CPCSC certification
CPCSC certification is aimed at organizations that bid on federal government contracts — especially defence and national-security procurements. If selling to the Government of Canada or to defence primes is on your roadmap, expect CPCSC to appear as a bid requirement. This is the single biggest reason Canadian contractors choose a Canadian platform: US-focused tools do not prioritize CPCSC. For related government-sales requirements, see our guides on what CPCSC is and whether your company needs it and what compliance you need to sell to government in Canada.
CPCSC levels and controls
CPCSC is being introduced across three levels, tiered to the sensitivity of the information a supplier handles. Level 1, the first to roll out, focuses on foundational cyber hygiene and requires suppliers to identify the implementation status of a defined set of 13 security requirements, supported by a Government of Canada self-assessment tool. Higher levels are expected to align to a broader set of controls for protecting more sensitive unclassified information.
Level 1 is being phased into select defence contracts starting in 2026. Because the exact level and control set you must meet are defined by each procurement, always confirm them against the contract and the official program materials before you scope your work. SecuritComply keeps the relevant control sets organized so you can track progress against the level you are targeting.
How SecuritComply gets you CPCSC-ready
- CPCSC control sets organized by level so you track exactly what applies
- Readiness view that surfaces your gaps before an assessment
- Policy templates aligned to the controls assessors expect to see
- One evidence repository for the artifacts that prove each control
- Risk register, vendor risk, and incident management in one platform
- Canadian data residency — essential for government and defence work
Need hands-on help implementing the controls or securing AI systems that fall in scope? Our sister companies Secur-IT Data Solutions (managed cybersecurity services) and SecuritAI (AI security and red teaming) work alongside SecuritComply as one Canadian security company.
CPCSC compliance FAQ
What is CPCSC?
CPCSC is the Canadian Program for Cyber Security Certification — a Government of Canada program that requires suppliers to demonstrate cyber security controls in order to bid on and hold certain federal contracts, particularly within the defence supply chain. It is broadly comparable in intent to the United States CMMC program.
Who needs CPCSC certification?
Organizations bidding on federal government contracts — especially defence and national-security-related procurements — may be required to hold CPCSC certification at the level specified in the solicitation. If your roadmap includes selling to the Government of Canada or to defence primes, CPCSC readiness is likely to become a requirement.
What are the CPCSC levels?
CPCSC is structured into tiers based on the sensitivity of the information handled. Lower levels focus on foundational cyber hygiene practices, while higher levels align to a broader set of controls for protecting more sensitive unclassified information. Always confirm the exact level and control set required against the specific contract and the official Government of Canada program materials.
How is CPCSC different from SOC 2 or ISO 27001?
SOC 2 and ISO 27001 are commercial, internationally recognized standards. CPCSC is a Canadian government certification program tied to federal procurement. The good news is that the underlying controls overlap heavily, so a strong security program built for SOC 2 or ISO 27001 gives you a major head start toward CPCSC.
How does SecuritComply help with CPCSC compliance?
SecuritComply includes CPCSC control sets, a readiness view that shows your gaps, policy templates, and one place to collect the evidence assessors will want — all hosted in Canada, which matters for government work.
