Cyber security certification for defence suppliers in Canada
Explore upcoming cyber security requirements for suppliers that bid or work on Government of Canada defence contracts. The requirements help to protect networks, systems and applications from malicious cyber activity.
On this page
- About upcoming changes
- Overview of program
- Certification levels
- Benefits for Canada
- Benefits for suppliers
- Timing of upcoming requirements
- Contact us
- Resources for suppliers
- Related links
About upcoming changes
Beginning in spring 2025, suppliers seeking to bid or work on select Government of Canada defence contracts may require certification under the Canadian Program for Cyber Security Certification (CPCSC). Further information on which contracts will be impacted will be released as it becomes available. The CPCSC will complement our efforts to strengthen cyber security. It will do this by better securing the federal contracting process.
Launch of phase 1
On March 12, 2025, the Government of Canada launched the first phase of the CPCSC, which involves the new Canadian industrial security standard, the opening of the accreditation ecosystem and a pilot program focusing on select defence contracts through self-assessment. This first phase will help businesses understand the program before a wider rollout later in 2025. To obtain a copy of the standard, please visit the Canadian industrial security standard (ITSP 10.171) .
Upcoming level 1 guidance document: Spring 2025
The CPCSC is committed to supporting industry in navigating the certification process. This spring, we will be releasing a level 1 guidance document that will provide further details on the steps required to achieve level 1 certification. This resource will help organizations understand expectations and prepare for certification with greater clarity.
Overview of program
Once the CPCSC is fully implemented, it will:
- protect federal contractual information held below the classified level on contractors’ systems, networks and applications
- maintain Canadian industry’s access to international procurement opportunities with similar cyber security certification requirements
- boost the basic level of cyber security for Canada’s defence industry
- ensure that the supplier system stays strong and reliable for Canadian Armed Forces capabilities and readiness
- increase Canadian industrial participation in the cyber security certification program
The CPCSC ecosystem is a structured framework ensuring that cyber security certification in Canada is handled by accredited bodies, certified assessors and government oversight. It aligns with international standards, while also supporting national security initiatives. The CPCSC will include the following key features: cyber security controls, risk assessments, contractual clauses and accredited third-party assessors.
Cyber security controls
These will outline requirements for federal contracting based on a new Canadian cyber security standard. The standard is adapted closely from the United States Department of Commerce’s National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations ITSP.10.171, and Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information.
Risk assessments
The comprehensive process will identify defence contracts with mandatory requirements and will determine the level of certification needed
Contractual clauses
These mandatory sections or provisions included within defence procurement documents, such as requests for proposals (RFPs), will implement the CPCSC requirements.
Accredited third-party assessors
Third-party assessors will:
- be accredited by the Standards Council of Canada, as the sole accreditation body for the CPCSC
- assess and certify level 2 (moderate) cyber security certification requirements for suppliers
Certification levels
The program’s mandatory cyber security certification requirements will be made up of 3 levels:
- level 1: requiring an annual cyber security self-assessment
- level 2: requiring external cyber security assessments, led by an accredited certification body
- level 3: requiring cyber security assessments conducted by National Defence
Benefits to Canada
The CPCSC will help safeguard the Government of Canada’s unclassified contractual information. It will also increase the cyber security capabilities of Canada’s defence supply chain. The change in requirements will ensure alignment with the National Cyber Security Action Plan and the National Cyber Security Strategy.
Benefits for suppliers
A single successful malicious cyber incident has the potential to cause widespread impacts.
The CPCSC will help strengthen the cyber security resilience of the industry. This will help suppliers better identify, assess and manage potential risks to Canada’s supply chain.
Timing of upcoming requirements
Starting in spring 2025, mandatory cyber security requirements from the CPCSC will be part of certain defence-related RFPs.
Changes to the certification requirements will be introduced in phases. The phased approach is designed to give the Canadian defence industry the necessary time to adapt to evolving cyber security standards. In the interim, we encourage defence suppliers to proactively assess and evaluate their current cyber security readiness.
Key milestones in the CPCSC rollout will include:
- Phase 1 (March 2025): A new cyber security standard for levels 1 and 2 will be available for businesses, with a level 1 self-assessment tool to be launched by full program implementation
- The Standards Council of Canada will start accepting applications from organizations that want to become certification bodies to support the evaluation and certification of standard compliance
- Support systems will be set up to help businesses get level 2 certification through third-party assessments
- During this phase, certification will only be required at the time of contract award and not during the bidding process
- Phase 2 (fall 2025): Some defence contracts will require:
- level 1 certification through a self-assessment
- level 2 certification will be tested in certain defence contracts
- level 3 certification will be accessible to companies
- Phase 3 (spring 2026): While some defence contracts will start requiring level 2 certification, level 3 certification will officially begin following publication of the additional level 3 controls
- Phase 4 (2027): For a small number of contracts, level 3 certification requirements will gradually be incorporated into select defence RFPs. Level 3 certification will be conducted by National Defence
Contact us
Email the Government of Canada’s cyber security program at tpsgc.pacertcybersecur-apcybersecurcert.pwgsc@tpsgc-pwgsc.gc.ca
Resources for suppliers
Explore resources available to small and medium-sized suppliers:
- Procurement Assistance Canada: provides procurement support for businesses
- Canadian Centre for Cyber Security: advises and guides small and medium-sized enterprises on cyber security
- Information for small and medium businesses: provides cyber security advice and guidance tailored to small and medium businesses
- Canadian industrial security standard (10.171)
Related links
- Government of Canada announces first phase of Canadian Program for Cyber Security Certification (March 12, 2025)
- Summary report: Canadian Program for Cyber Security Certification request for information
- Canadian Program for Cyber Security Certification request for information
- Government of Canada helping defence industry protect itself from cyber security threats (May 31, 2023)
- National Cyber Security Action Plan
- National Cyber Security Strategy
- Communications Security Establishment Canada
Page details
- Date modified: