Cyber security certification for defence suppliers in Canada

Explore upcoming cyber security requirements for suppliers that bid or work on Government of Canada defence contracts. The requirements help to protect networks, systems and applications from malicious cyber activity.

About upcoming changes

Beginning in spring 2025, suppliers seeking to bid or work on select Government of Canada defence contracts may require certification under the Canadian Program for Cyber Security Certification (CPCSC). Further information on which contracts will be impacted will be released as it becomes available. The CPCSC will complement our efforts to strengthen cyber security. It will do this by better securing the federal contracting process.

Launch of phase 1

On March 12, 2025, the Government of Canada launched the first phase of the CPCSC, which involves the new Canadian industrial security standard, the opening of the accreditation ecosystem and a pilot program focusing on select defence contracts through self-assessment. This first phase will help businesses understand the program before a wider rollout later in 2025. To obtain a copy of the standard, please visit the Canadian industrial security standard (ITSP 10.171).

Upcoming level 1 guidance document: Spring 2025

The CPCSC is committed to supporting industry in navigating the certification process. This spring, we will be releasing a level 1 guidance document that will provide further details on the steps required to achieve level 1 certification. This resource will help organizations understand expectations and prepare for certification with greater clarity.

Overview of program

Once the CPCSC is fully implemented, it will:

  • protect federal contractual information held below the classified level on contractors’ systems, networks and applications
  • maintain Canadian industry’s access to international procurement opportunities with similar cyber security certification requirements
  • boost the basic level of cyber security for Canada’s defence industry
  • ensure that the supplier system stays strong and reliable for Canadian Armed Forces capabilities and readiness
  • increase Canadian industrial participation in the cyber security certification program

The CPCSC ecosystem is a structured framework ensuring that cyber security certification in Canada is handled by accredited bodies, certified assessors and government oversight. It aligns with international standards, while also supporting national security initiatives. The CPCSC will include the following key features: cyber security controls, risk assessments, contractual clauses and accredited third-party assessors.

Cyber security controls

These will outline requirements for federal contracting based on a new Canadian cyber security standard, ITSP.10.171. The standard is adapted closely from the United States Department of Commerce’s National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information.

Risk assessments

The comprehensive process will identify defence contracts with mandatory requirements and will determine the level of certification needed.

Contractual clauses

These mandatory sections or provisions included within defence procurement documents, such as requests for proposals (RFPs), will implement the CPCSC requirements.

Accredited third-party assessors

Third-party assessors will:

  • be accredited by the Standards Council of Canada, as the sole accreditation body for the CPCSC
  • assess and certify level 2 (moderate) cyber security certification requirements for suppliers

Certification levels

The program’s mandatory cyber security certification requirements will be made up of 3 levels:

  • level 1: requiring an annual cyber security self-assessment
  • level 2: requiring external cyber security assessments, led by an accredited certification body
  • level 3: requiring cyber security assessments conducted by National Defence

Benefits to Canada

The CPCSC will help safeguard the Government of Canada’s unclassified contractual information. It will also increase the cyber security capabilities of Canada’s defence supply chain. The change in requirements will ensure alignment with the National Cyber Security Action Plan and the National Cyber Security Strategy.

Benefits for suppliers

A single successful malicious cyber incident has the potential to cause widespread impacts.

The CPCSC will help strengthen the cyber security resilience of the industry. This will help suppliers better identify, assess and manage potential risks to Canada’s supply chain.

Timing of upcoming requirements

Starting in spring 2025, mandatory cyber security requirements from the CPCSC will be part of certain defence-related RFPs.

Changes to the certification requirements will be introduced in phases. The phased approach is designed to give the Canadian defence industry the necessary time to adapt to evolving cyber security standards. In the interim, we encourage defence suppliers to proactively assess and evaluate their current cyber security readiness.

Key milestones in the CPCSC rollout will include:

  • Phase 1 (March 2025): A new cyber security standard for levels 1 and 2 will be available for businesses, with a level 1 self-assessment tool to be launched by full program implementation
    • The Standards Council of Canada will start accepting applications from organizations that want to become certification bodies to support the evaluation and certification of standard compliance
    • Support systems will be set up to help businesses get level 2 certification through third-party assessments
    • During this phase, certification will only be required at the time of contract award and not during the bidding process
  • Phase 2 (fall 2025):
    • some defence contracts will require level 1 certification through a self-assessment
    • level 2 certification will be tested in certain defence contracts
    • level 3 certification will be accessible to companies
  • Phase 3 (spring 2026): While some defence contracts will start requiring level 2 certification, level 3 certification will officially begin following publication of the additional level 3 controls
  • Phase 4 (2027): For a small number of contracts, level 3 certification requirements will gradually be incorporated into select defence RFPs. Level 3 certification will be conducted by National Defence

Contact us

Email the Government of Canada’s cyber security program at tpsgc.pacertcybersecur-apcybersecurcert.pwgsc@tpsgc-pwgsc.gc.ca
