New Canadian Cyber Security Certification CPCSC : what you need to know

On March 12, 2025, Canada introduced its Cybersecurity Certification Program (CPCSC) to strengthen the security of the national defense supply chain. This certification is inspired by the US CMMC and is based on the NIST 800-171 Rev3 and NIST 800-172 standards.


CPCSC: a mandatory certification for Canadian defense suppliers

All companies wishing to collaborate with the Department of National Defense (DND), whether Canadian or foreign, will be required to obtain CPCSC certification.

The requirement applies to the prime contractor and its subcontractors, following a flow-down model for requirements similar to that of the CMMC.


CI: Canadian terminology for sensitive data

Unlike the CMMC, which uses the terms CUI (Controlled Unclassified Information) and FCI (Federal Contract Information), the CPCSC adopts the concept of Controlled Information (CI). This includes:

  • Protected A

  • Protected B

  • Information from the Controlled Goods Program


Three levels of CPCSC certification

Like its American counterpart, CPCSC has three levels:

  • CPCSC Level 1 

  • CPCSC Level 2 

  • CPCSC Level 3 


Difference between CMMC and CPCSC: the standards used

  • CMMC 2.0 is based on NIST 800-171 Rev2

  • CPCSC is based on NIST 800-171 Rev3

Canada has adopted the most recent version of NIST 800-171, while the United States is still using an earlier version.


NIST 800-171 Rev2 vs Rev3: what are the differences?

  • Rev2 (CMMC) has 14 cybersecurity domains

  • Rev3 (CPCSC) has 17 cybersecurity domains

If you are already CMMC compliant, you will need to integrate these three new domains to be CPCSC compliant. (For more information, see this article.)


ITSP.10.171: the Canadian standard based on NIST 800-171 Rev3

Canada has developed its own cybersecurity standard, ITSP.10.171, which will be officially published soon. You can request a PDF copy from: partnerships-partenariats@cyber.gc.ca.


Phase 1: the priority is to obtain CPCSC Level 1

During the first implementation phase, National Defense requires all of its suppliers to begin with CPCSC Level 1, progressing to a higher level only if necessary.


A certification adapted to risk assessment

Unlike CMMC, where the level is driven by the type of data accessed, Canada adopts a risk-based approach: your certification level will be determined by an assessment of the risk associated with your activity. This methodology is still being defined.


Self-assessment or third-party certification: how do you get certified?

  • CPCSC Level 1: annual self-assessment

  • CPCSC Level 2: assessment by an accredited certification body (3PAO, equivalent to C3PAO of the CMMC)

  • CPCSC Level 3: audit conducted by the Canadian Department of National Defense


No automatic equivalence between CMMC and CPCSC

If you are a supplier to both the DoD (US Department of Defense) and the DND (Canadian Department of National Defense), you will need to obtain both certifications.

However, Canada has announced that it plans to grant CPCSC equivalence to Canadian organizations that hold CMMC certification, when the scope of the CMMC certification is the same as that of CPCSC. In other words:

  • The storage infrastructure (enclave) must be the same

  • The users accessing the data must be the same

We will keep you informed of progress on this potential equivalence.


Which certification to choose?

Your choice should be motivated by your business objectives:

  • If the DoD is your main customer: get CMMC

  • If the DND is your main customer: get CPCSC

  • If you work with both: get CMMC and CPCSC, making sure to align their scope for potential recognition.


How can StreamScan help you?

StreamScan, an expert in defense cybersecurity, supports companies in achieving compliance with the NIST 800-171, CMMC and CPCSC standards. As a CMMC Registered Provider Organization (RPO), we are authorized to guide organizations through the process.

Contact us to discuss your certification strategy: