Cyber security certification for defence suppliers in Canada
Explore cyber security requirements for suppliers that bid or work on Government of Canada defence contracts. These tools help to protect networks, systems and applications from malicious cyber activity.
On March 12, 2025, the first phase of the Canadian Program for Cyber Security Certification (CPCSC) was launched. This phase introduces a new Canadian industrial security standard, the opening of the accreditation ecosystem and a pilot program focusing on select defence contracts through self-assessment. This phased approach helps businesses prepare before a full rollout later in 2026. Find out more about the Canadian industrial security standard (ITSP.10.171) and obtain a copy of the standard.
Overview of program
The CPCSC is an official cyber security certification in Canada for defence suppliers. Managed by Public Services and Procurement Canada, the program is made up of accredited bodies, certified assessors and government oversight. It aligns with international best practices and standards and supports national security priorities. Beyond compliance, it strengthens Canada’s defence industrial base and supports interoperability with key allies, including partners in the Five Eyes community.
The certification will include the following key features:
- cyber security controls
- cyber security risk assessments
- contractual clauses
- accredited third-party assessors
Once fully implemented, it will:
- protect federal contractual sensitive information below the classified level
- maintain Canadian industry’s access to international procurement opportunities
- boost the basic level of cyber security for Canada’s defence industry
- ensure that the supplier system stays strong and reliable for Canadian Armed Forces capabilities and readiness
- increase Canadian industrial participation in the cyber security certification program
Cyber security controls
The cyber security controls will outline requirements for federal contracting based on a new Canadian cyber security standard. The standard:
- is closely adapted from the following Special Publications by the National Institute of Standards and Technology of the United States (U.S.) Department of Commerce:
  - 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations ITSP.10.171
  - 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information
- sets out cyber security controls to protect sensitive government information in non-government systems
- was developed by the Canadian Centre for Cyber Security
- reflects Canada’s commitment to strong security practices while aligning with international best practices
- provides guidance for defence suppliers on implementing safeguards that meet Canadian national defence requirements for confidentiality, integrity and availability of sensitive data, helping businesses remain secure and trusted partners in Canada’s defence and security supply chain
Cyber security risk assessments
The process will identify defence contracts with mandatory requirements and will determine the level of certification needed by:
- enabling procurement teams to consistently assess CPCSC requirements for each contract
- serving as an addendum to the Security Requirements Checklist to document CPCSC requirements in the contract
- providing clear definitions of different types of sensitive information
- supporting transparency and consistency in applying cyber security standards across procurement activities
Contractual clauses
These mandatory sections or provisions, included within National Defence procurement documents such as requests for proposals (RFPs), will implement CPCSC requirements. They will:
- specify the required CPCSC certification level for suppliers
- outline obligations for protecting sensitive information throughout the contract lifecycle
- provide clear definitions and expectations for compliance, helping suppliers understand and meet security standards
Accredited third-party assessors
Third-party assessors will:
- be accredited by the Standards Council of Canada, as the chosen accreditation body for the CPCSC
- assess and certify level 2 (moderate) cyber security certification requirements for suppliers
Certification levels
The program’s mandatory cyber security certification requirements are organized into 3 levels:
- level 1: requiring an annual cyber security self-assessment
- level 2: requiring external cyber security assessments led by an accredited certification body, plus an annual affirmation
- level 3: requiring cyber security assessments conducted by National Defence, plus an annual affirmation
Benefits for Canada
The CPCSC strengthens Canada’s ability to safeguard sensitive contractual information and enhances the cyber security posture of the defence supply chain. By introducing clear, risk-based requirements, the program ensures alignment with the National Cyber Security Action Plan and the National Cyber Security Strategy, supporting national security priorities and interoperability with international partners.
Benefits for suppliers
The CPCSC helps suppliers build stronger cyber security resilience by providing a clear framework to identify, assess and manage risks. This not only protects Canada’s supply chain, but also positions suppliers as trusted partners in defence procurement.
Timing of upcoming requirements
As of spring 2026, new RFPs identified by their cyber security risk assessment and initiated in support of National Defence will need mandatory cyber security requirements from the CPCSC.
The CPCSC is currently being implemented in phases, starting with National Defence contracts. This phased approach is designed to give the Canadian defence industry the necessary time to adapt to evolving cyber security standards.
Cyber security requirements can be applied to many contracts outside the defence domain. As such, all Government of Canada suppliers are encouraged to continue to proactively assess and evaluate their current cyber security readiness. Defence suppliers should review the CPCSC ITSP.10.171 standard and contact the CPCSC if they are certified under the U.S. Cybersecurity Maturity Model Certification.
Key milestones in the CPCSC rollout will include:
Phase 1 (March 2025 to March 2026)
- A new cyber security standard for levels 1 and 2 will be available, and level 1 certification requirements and guidance materials will be made publicly available
Phase 2 (April 2026 to March 2027)
- National Defence contracts will be assessed using a new Contract Cyber Security Risk Assessment
- Level 1 requirements apply starting April 2026
- Businesses must self-assess and provide self-attestation in their Canada Buys profile
- The Standards Council of Canada will start accepting applications from organizations that want to help certify compliance and build the level 2 certification system
- Guidance for levels 2 and 3 will be shared
- Level 1 self-attestation will be required at contract award, and not during the bidding process
Phase 3 (April 2027 to March 2028)
- Level 3 certification requirements will gradually be incorporated into select defence contracts
- Level 3 requirements and certification compliance activities will be conducted by National Defence authorities
- Requirements for levels 1 and 2 may be applied to all Government of Canada defence contracts, based on industry feedback
- Additional industry tools and resources will be made available
Contact us
For more information, email the Government of Canada’s cyber security program office at tpsgc.pacertcybersecur-apcybersecurcert.pwgsc@tpsgc-pwgsc.gc.ca.
Resources for suppliers
Discover resources available to small and medium-sized suppliers:
- Procurement Assistance Canada: provides procurement support for businesses and helps them learn how to identify their responsibilities as a supplier in meeting security requirements
- Canadian Centre for Cyber Security: advises and guides small and medium-sized enterprises on cyber security
- Information for small and medium businesses: provides cyber security advice and guidance tailored to small and medium businesses
- Canadian industrial security standard (ITSP.10.171): outlines baseline security controls and best practices for protecting sensitive information for small and medium-sized suppliers
Related links
- Government of Canada announces first phase of Canadian Program for Cyber Security Certification (March 12, 2025)
- Summary report: Canadian Program for Cyber Security Certification request for information
- Canadian Program for Cyber Security Certification request for information
- Government of Canada helping defence industry protect itself from cyber security threats (May 31, 2023)
- National Cyber Security Action Plan
- National Cyber Security Strategy
- Communications Security Establishment Canada
- Digital Governance Council
- Standards Council of Canada