
What Does CPCSC Mean for Canadian Defence Contractors?

  • Terry Telford
  • Apr 6


Safeguarding Canadian security and economic stability is paramount, and vulnerabilities in our defence supply chains have become a critical point of concern. The intricate web of contractors and subcontractors that handle controlled information (CI) is a target for malicious actors. To combat this threat, the Canadian government is taking decisive action, unveiling the Canadian Program for Cyber Security Certification (CPCSC), a multi-phased initiative designed to protect our defence supply chains. 


This program, announced by the Honourable Jean-Yves Duclos, Minister of Public Services and Procurement, represents a significant stride towards strengthening Canada's cybersecurity posture. The CPCSC aims to establish a standardized framework, ensuring that businesses handling CI adhere to specific security practices.


A Gradual Evolution, Not a Sudden Shift 

Understanding the complexities of implementing sweeping cybersecurity changes, the government has adopted a phased approach. This strategy acknowledges the need for businesses to adapt and integrate new security practices without disrupting their operations. The initial phase, introduced in March 2025, lays the groundwork for the program's broader rollout. 


On March 12, 2025, the Government of Canada launched the first phase of the CPCSC, which involves the new Canadian industrial security standard, the opening of the accreditation ecosystem and a pilot program focusing on select defence contracts through self-assessment. Additionally, the Standards Council of Canada will begin accrediting certification bodies, organizations that will play a pivotal role in evaluating and certifying compliance with the new standard. To empower businesses in their journey towards compliance, a user-friendly self-assessment tool for Level 1 certification will be introduced.

During the early stages, certification will not be a prerequisite for bidding on government contracts. Instead, it will become a requirement only upon contract award. This gives businesses time to familiarize themselves with the program and implement the necessary security measures.


A Three-Tiered Defence Strategy 

The CPCSC is structured around a three-tiered certification system, with each level representing a higher degree of security assurance.


  • Level 1: Self-Assessment: This foundational level requires businesses to conduct an annual self-assessment of their cybersecurity practices. This empowers organizations to identify and address potential vulnerabilities within their systems. 

  • Level 2: External Assessment: Moving beyond self-evaluation, Level 2 requires an external cybersecurity assessment conducted by an accredited certification body. This independent evaluation provides a more objective assessment of an organization's security posture. 

  • Level 3: National Defence Assessment: The highest level of certification involves assessments conducted directly by National Defence. This level is reserved for contracts involving the most sensitive information and requires the most stringent security controls. 


A Roadmap to Enhanced Security 

The CPCSC's implementation unfolds across four distinct phases: 


  • Phase 1 (March 2025): The cornerstone of this phase is the release of the new cybersecurity standard and the launch of the Level 1 self-assessment tool. The Standards Council of Canada will also begin accepting applications from organizations seeking to become accredited certification bodies. 

  • Phase 2 (Fall 2025): This phase marks the introduction of Level 1 certification requirements for select defence contracts. Level 2 certification will also be piloted in specific contracts, allowing for a gradual transition. 

  • Phase 3 (Spring 2026): As the program matures, Level 2 certification will become a mandatory requirement for certain contracts. The controls for Level 3 certification will also be published, paving the way for its eventual implementation. 

  • Phase 4 (2027): In this final phase, Level 3 certification requirements will be progressively integrated into a limited number of defence requests for proposals. National Defence will conduct these assessments, ensuring the highest level of security for the most critical contracts. 


Beyond Compliance: Building Resilience 

The CPCSC is not merely about achieving compliance; it's about building resilience. By empowering businesses to identify and address potential vulnerabilities, the program aims to create a more secure and robust defence ecosystem. 


A Strategic Investment in Cybersecurity 

The CPCSC represents a strategic investment in Canada's cybersecurity infrastructure. By strengthening the security of its defence supply chains, the government is not only protecting sensitive information but also bolstering the country's overall economic and national security. 


Looking Ahead: A Continuous Journey 

The CPCSC is not a static program; it's a living, evolving framework that will adapt to the changing threat landscape. The government is committed to continuous improvement, ensuring that the program remains effective and relevant for years to come. 


