Additional information and support for suppliers about cyber security
The requirement for Canadian Program for Cyber Security Certification (CPCSC) will be implemented in phases, starting with inclusion in National Defence contracts. This is designed to give the Canadian defence industry the necessary time to adapt to evolving cyber security standards.
How to meet Level 1 cyber security certification requirements
Implementation milestones for Levels 2 and 3
Levels 2 and 3 are currently under development. Once they are established, a standardized cyber security risk assessment will evaluate each National Defence contract and determine which certification level is required. The required level of certification for defence suppliers will be set on a contract-by-contract basis and will be clearly communicated in Requests for Proposals (RFPs) and contract clauses.
This process will help procurement teams to apply the appropriate CPCSC level to ensure consistent, transparent security expectations for suppliers.
Cyber security requirements may be applied to many contracts outside the defence domain. As such, all Government of Canada suppliers are encouraged to continue to proactively assess and evaluate their current cyber security readiness. Defence suppliers should review the CPCSC ITSP.10.171 standard and contact the CPCSC if they are certified under the U.S. Cybersecurity Maturity Model Certification.
Once Level 2 and 3 certifications become available:
- Level 2 will consist of 98 controls, and require triannual external cyber security assessments led by an accredited certification body, plus an annual affirmation
- Level 3 will require 200 controls and triannual cyber security assessments conducted by the Government of Canada, plus an annual affirmation
Levels 2 and 3 will be introduced in a phased approach.
April 2026 to March 2027
- The Government of Canada introduces a Level 1 self-assessment tool and support materials to help suppliers to prepare for Level 1 certification
- National Defence contracts will be assessed using a new contract “Cyber Security Risk Assessment”
- The Standards Council of Canada will start accepting applications from organizations that want to help certify compliance and build the Level 2 certification system
- Level 1 to 3 certification requirements may be identified in select defence contracts as early as summer 2026; we will require compliance at a later date
- Guidance for Levels 2 and 3 will be shared
April 2027 to March 2028
- The requirement to have Level 2 or 3 certification will be gradually incorporated into select defence contracts
- Level 3 requirements and certification compliance activities will be conducted by Government of Canada authorities
- Requirements for Levels 1 and 2 may be applied to all Government of Canada defence contracts, based on industry feedback
Cyber security risk assessments
The process will identify defence contracts with mandatory requirements and will determine the level of certification needed by:
- enabling procurement teams to consistently assess CPCSC requirements for each contract
- serving as an addendum to the Security Requirements Checklist to document CPCSC requirements in the contract
- providing clear definitions of different types of sensitive information
- supporting transparency and consistency in applying cyber security standards across procurement activities
Contractual clauses
These mandatory sections or provisions, included within National Defence procurement documents such as RFPs, will implement CPCSC requirements. They will:
- specify the required CPCSC certification level for suppliers
- outline obligations for protecting sensitive information throughout the contract lifecycle
- provide clear definitions and expectations for compliance, helping suppliers understand and meet security standards
Accredited third-party assessors
To obtain Level 2 certification when it becomes available, suppliers will need to undergo a triannual assessment by an accredited third party.
Third-party assessors will:
- be accredited by the Standards Council of Canada, as the chosen accreditation body for the CPCSC
- assess and certify Level 2 (moderate) cyber security certification requirements for suppliers
If you are interested in becoming a third-party assessor for the CPCSC, please contact accreditation@scc.ca
Help for suppliers
- Procurement Assistance Canada: provides procurement support for businesses and helps them learn how to identify their responsibilities as a supplier in meeting security requirements
- Canadian Centre for Cyber Security: advises and guides small and medium-sized enterprises on cyber security
- Information for small and medium businesses: provides cyber security advice and guidance tailored to small and medium businesses
- Canadian industrial security standard (ITSP.10.171): outlines baseline security controls and best practices for protecting sensitive information for small and medium-sized suppliers