Program Overview
The Canadian Program for Cyber Security Certification (CPCSC) is an official cyber security certification in Canada for defence suppliers. Managed by Public Services and Procurement Canada, the program is made up of accredited bodies, certified assessors and government oversight. It aligns with international best practices and standards and supports national security priorities.
Beyond compliance, the CPCSC strengthens Canada’s defence industrial base and supports interoperability with key allies, including partners in the Five Eyes community.
About the Canadian Program for Cyber Security Certification
The certification will include the following key features:
- cyber security controls
- cyber security risk assessments
- contractual clauses
- accredited third-party assessors
Once fully implemented, it will:
- protect federal contractual sensitive information below the classified level
- maintain Canadian industry’s access to international procurement opportunities
- boost the basic level of cyber security for Canada’s defence industry
- ensure that the supplier system stays strong and reliable for Canadian Armed Forces capabilities and readiness
- increase Canadian industrial participation in the cyber security certification program
Find out more about the Canadian industrial security standard (ITSP.10.171) and obtain a copy of the standard.
The CPCSC is designed to keep up with changing cyber threats. To ensure the program remains effective, credible, and sustainable over the long term, the Government of Canada will take a risk‑based and adaptive approach to managing and updating requirements.
This approach includes:
- applying cyber security requirements the same way across defence contracts and making them clear in procurement processes
- making sure accredited certification bodies have the capacity and expertise they need
- strong governance and coordination with the Standards Council of Canada
- staying aligned with international standards and the practices of our allies
We will review and update the standards, guidance, and processes regularly to keep pace with new cyber threats and what we learn as the program rolls out.
Level 1 criteria document
Access the Canadian version of NIST SP 800-171A Rev. 3 Assessing Security Requirements for Controlled Unclassified Information.
Canadian Program for Cyber Security Certification: Level 1 criteria
The 3 certification levels
The program’s mandatory cyber security certification requirements are organized into 3 levels, with Level 1 becoming available in April 2026:
- Level 1: requiring an annual cyber security self-assessment (13 controls)
- Level 2: requiring external cyber security assessments led by an accredited certification body, plus an annual affirmation (98 controls)
- Level 3: requiring cyber security assessments conducted by National Defence, plus an annual affirmation (200 controls)
Benefits for Canada and suppliers
The CPCSC strengthens Canada’s ability to safeguard sensitive contractual information and enhances the cyber security posture of the defence supply chain. By introducing clear, risk-based requirements, the program ensures alignment with the National Cyber Security Action Plan and the National Cyber Security Strategy, supporting national security priorities and interoperability with international partners.
The CPCSC strengthens Canada’s Defence Industrial Strategy (DIS) by ensuring all defence suppliers meet robust, standardized cyber security requirements, reinforcing a secure and resilient domestic defence supply chain. Under Canada’s Defence Industrial Strategy, cyber assurance is now a core national requirement, ensuring secure systems, trusted suppliers, and readiness for global markets.
The CPCSC helps suppliers build stronger cyber security resilience by providing a clear framework to identify, assess and manage risks. This not only protects Canada’s supply chain, but also positions suppliers as trusted partners in defence procurement.
Cyber security controls
The cyber security controls will outline requirements for federal contracting based on a new Canadian cyber security standard. The standard:
- is closely adapted from the following Special Publications by the National Institute of Standards and Technology of the United States (U.S.) Department of Commerce:
  - 800-171, Protecting Controlled Unclassified Information in Non-federal Systems and Organizations ITSP.10.171
  - 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information
- sets out cyber security controls to protect sensitive government information in non-government systems
- was developed by the Canadian Centre for Cyber Security
- reflects Canada’s commitment to strong security practices while aligning with international best practices
- provides guidance for defence suppliers on implementing safeguards that meet Canadian national defence requirements for confidentiality, integrity and availability of sensitive data, helping businesses remain secure and trusted partners in Canada’s defence and security supply chain
Overview of 13 controls for Level 1 Certification
These are the 13 controls from ITSP.10.171 that make up CPCSC Level 1.
The controls can be grouped into 6 key best practices that help you manage good “cyber hygiene” and keep your information safe. These are:
- managing who can access computer systems
- controlling how computer systems and data are used
- verifying users and devices
- protecting data and equipment
- defending computer systems from cyber threats
The following chart lists each of the 13 controls and provides more information about the important best practices. Select each Best Practice to learn how to do this in your business.
| Control | Requirement | Best Practice | Control ID |
|---|---|---|---|
| 1 | Access control | Managing who can access systems | 03.01.01 |
| 2 | Access control | Managing who can access systems | 03.01.02 |
| 3 | Access control | Controlling how systems and data are used | 03.01.20 |
| 4 | Access control | Controlling how systems and data are used | 03.01.22 |
| 5 | Identification and authentication | Verifying users and devices | 03.05.01 |
| 6 | Identification and authentication | Verifying users and devices | 03.05.02 |
| 7 | Identification and authentication | Verifying users and devices | 03.05.03 |
| 8 | Media protection | Protecting data and equipment | 03.08.03 |
| 9 | Physical protection | Protecting data and equipment | 03.10.01 |
| 10 | Physical protection | Protecting data and equipment | 03.10.07 |
| 11 | Systems and communications protection | Defending systems from cyber threats | 03.13.01 |
| 12 | Systems and communications protection | Defending systems from cyber threats | 03.14.01 |
| 13 | Systems and communications protection | Defending systems from cyber threats | 03.14.02 |
Levels 2 and 3 are currently under development.
Departments and organizations involved in the Canadian Program for Cyber Security Certification
The CPCSC is a Government of Canada initiative led and supported by several federal departments and organizations that each play a distinct role in strengthening the cyber security posture of Canada’s defence supply chain.
Public Services and Procurement Canada
Public Services and Procurement Canada (PSPC) is the federal lead for the CPCSC, responsible for program coordination across government, development of certification processes, and overall implementation.
Department of National Defence
The Department of National Defence (DND) performs the highest level of cyber security assessments (Level 3) and collaborates with PSPC to ensure that cyber security requirements reflect the needs of the defence community.
Standards Council of Canada
The Standards Council of Canada (SCC) accredits the certification bodies that conduct external assessments (Level 2) and supports the establishment of a robust and credible certification ecosystem.
Communications Security Establishment and the Canadian Centre for Cyber Security
The Canadian Centre for Cyber Security, part of the Communications Security Establishment (CSE), developed the Canadian cyber security standard (ITSP.10.171) that forms the foundation of CPCSC controls. It provides expert technical guidance to ensure the standard reflects international best practices.
Treasury Board of Canada Secretariat
The Treasury Board of Canada Secretariat (TBS) contributes to the governance and policy framework that underpins CPCSC implementation, ensuring alignment with broader Government of Canada cyber security policies.
Innovation, Science and Economic Development Canada
Innovation, Science and Economic Development Canada (ISED) supports the CPCSC in areas related to industry readiness, economic impacts, and alignment with Canadian innovation priorities.
Global Affairs Canada
Global Affairs Canada (GAC) supports the CPCSC’s objective of maintaining and expanding Canadian suppliers’ access to international markets, particularly in jurisdictions where allied nations require cyber security certification.
Public Safety Canada
Public Safety contributes through its focus on national cyber security and supply chain resilience, supporting CPCSC’s alignment with the National Cyber Security Strategy.