An Update on the Canadian Program for Cyber Security Certification
We provide updates on the CPCSC in the absence of official updates
All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.
On March 12, the Government of Canada launched Phase 1 of the Canadian Program for Cyber Security Certification (CPCSC). Since then, very little information has been released about CPCSC's progress. According to the CPCSC Secretariat’s official website, Phase 2 is scheduled to begin in Fall 2025, which means that some defence contracts will start to include level 1 certification, that level 2 certification will be tested in certain contracts, and that companies will be able to obtain level 3 certification. However, this timeline has not been met: a significant amount of material and information has yet to be released, which limits the defence industry’s ability to prepare its controlled environments adequately.
Despite potential delays in these phases, the CPCSC Secretariat continues to work hard to operationalize the program. As part of this work, the CPCSC Secretariat held workshops with stakeholders in early October to discuss the Contract Cyber Security and Risk Assessment (CCSRA). As the CPCSC Secretariat explains, the CCSRA “will be used by the Government of Canada to determine the selection of the required CPCSC level for a contract, as well as by industry, who will be required to effectively flow down CPCSC level requirements throughout its supply chain.” The CCSRA is the framework used to scope which information or data is included in the CPCSC controlled environment and essentially dictates everything you need to be concerned about for CPCSC.
I attended one of these workshops to get a better understanding of the current status of the CPCSC program and of any changes or updates. The workshop focused on the CCSRA, the mechanism that governs the scoping of the controlled environment within an organization that would receive CPCSC certification.
For this article, I am joined by Andrew Laliberte, one of Canada’s top experts on CMMC and the owner of Andyman Tech Solutions Ltd. Andrew is quickly becoming one of the top CPCSC experts and will help us break down the good, the bad, and the ugly about the CPCSC information thus far and what we have learned from the workshop.
The purpose of this workshop was to “provide industry with an overview of the Criteria as well as provide guidance on how to effectively identify the requisite level for their subcontractors.” In other words, this is not final, and DND/PSPC recognize that there may be issues with the current form. As a result, the information contained here is subject to change as DND and PSPC use the workshop findings and ongoing consultations to improve the program.
While we can understand the frustration and concern many have about CPCSC, that anger should not be directed at the CPCSC Secretariat. These workshops and engagement opportunities run by the CPCSC Secretariat are part of a consultation process to receive feedback and input from industry. This is a program in development, and the Secretariat is trying to work with industry and stakeholders to ensure the program works as intended. Being adversarial towards the Secretariat diminishes its ability to improve the program and acts as a disincentive for it to seek feedback or continue such activities in the future.
CPCSC 101
It has been two years since Canadian Cyber in Context’s first CPCSC 101 article, so let us do a refresher.
The CPCSC is a cyber security supply chain certification program that the Government of Canada will soon be requiring for certain defence contracts. The idea behind CPCSC is to develop a structured cyber security framework that all defence firms can adopt to ensure a baseline level of cyber security protections amongst Canada’s defence industrial base.
CPCSC uses the cyber security standard ITSP.10.171, Protecting specified information in non-Government of Canada systems and organizations, which is based on the National Institute of Standards and Technology’s (NIST) Special Publication 800-171, the same standard underlying the United States’ Cybersecurity Maturity Model Certification (CMMC). As a result, CPCSC is built on the model of the United States’ CMMC. The Government of Canada/PSPC originally hoped to achieve some level of recognition for CPCSC under CMMC by adopting parallel systems, but unfortunately CPCSC will not have any recognition under CMMC or United States law anytime soon. In the end, the purpose of CPCSC is not to provide a vehicle for American procurement, but to ensure that Canada’s most sensitive national defence supply chain
CPCSC will have three levels, each imposing stronger security requirements and requiring auditing to verify that a firm is adhering to them.
Level 1 requires only a self-assessment.
Level 2 requires a verification audit by a third-party assessor certified by the Standards Council of Canada. Level 2 certifications are valid for three years.
Level 3 will require a verification audit by DND’s Digital Services Group. Level 3 certifications are valid for three years.
What we learned from the Workshop
When first published, ITSP 10.171 was concerned with the protection of Controlled Information (CI), including data rated as Protected A and Protected B, and controlled goods information that is not classified. However, the documents released by the CPCSC Secretariat now focus on Specified Information (SI). The CPCSC Secretariat has not made clear why this change occurred, but it is important to note that this is a work in progress and information is subject to change based on new information and on ensuring compliance with broader federal government law and regulation. This change is broadly neutral in nature because it is only a change in terminology. However, we have reviewed all the information from the documents and the workshop to give an overall summary of the good, the bad, and the ugly of CPCSC based on the October workshop:
The Good
Partial recognition of CMMC
The CPCSC Secretariat stated they are looking to include partial recognition of CMMC towards CPCSC. The current idea is that firms with CMMC would only need to meet the CPCSC requirements that CMMC does not address. This partial recognition would be a significant advantage and would help avoid some of the challenges of holding both CMMC and CPCSC.
The CPCSC secretariat is compiling scoping and assessment guides for SI. This will help to identify the information that a contractor must account for and scope into their CPCSC controlled environment.
The Bad
CPCSC will have no “teeth”
If an organization lies about being CPCSC compliant, remedies or actions will be determined by contract law. It is unclear whether PSPC or DND can (or will) refer organizations to the RCMP for fraud. Initial statements suggest that this will not be the case.
This should be a concern given the level of fraud that has already occurred under CMMC in the United States. Fraud related to CMMC can lead to significant fines under the False Claims Act. The United States takes such fraud so seriously that whistleblowers are potentially eligible to receive up to 25% of the fine. Examples of CMMC fraud that have led to a fine include:
The CPCSC Secretariat has stated it wants to assume organizations have the best of intentions, but unfortunately we must also recognize that there will be bad actors and free riders. The entire point of requiring third-party assessors for level 2 and DND verification for level 3 is to confirm that the level 1 self-assessments are correct and that organizations have taken the required actions to protect the more sensitive data handled at levels 2 and 3. These CPCSC levels will be applied to some of the most sensitive and important defence contracts, meaning that failures or fraud could compromise Canada’s national security.
Update: As has been clarified to me, CPCSC views enforcement as “collaborative” rather than “punitive,” relying on contract remedies, incident handling and working with assessors and relevant departments. They do not want CPCSC to be merely a system for referring organizations to the RCMP. This is a commendable approach to building a certification system. However, it potentially overlooks the degree to which some organizations are not seeking collaboration, but instead seek the easy route to save money and deliberately avoid compliance. It is harmful to build a program on the assumption that organizations will be malicious, but it is dangerous to assume there will be no bad actors, which risks degrading trust in the system.
A severe lack of program definitions and details, with timeline milestones being missed under radio silence. The implementation timeline for CPCSC was already very ambitious, and it is currently unclear if they will be able to maintain this pace or schedule.
It is unclear what could help with this, aside from more personnel support to work and support the CPCSC program overall.
CPCSC level 1 includes more data types than CMMC. A contract with CPCSC provisions means you will have to control and protect a broad range of internal business information in a compliant environment which may very well result in the need to duplicate most of your core business functions or scope in more of your corporate systems for assessment, likely depending on which method is least costly.
At a minimum, you will need to transition to a compliant email service or block all emails from DND, because you cannot predict what DND/CAF will send you nor guarantee they will not include Protected A data in the email, which could be as simple as a personal email address, personal contact info, a date of birth, worksite rosters, attendance lists or other unclassified staff information. This is a significant change to information-handling rules that Canada’s defence industrial base is likely not ready to adopt in a quick or inexpensive manner.
It is not explicitly stated how existing cloud security profiles will be required or recognized under CPCSC
The Canadian Centre for Cyber Security Cloud Profile (low, medium, high) is required for any workload that operates in a cloud environment. CPCSC defines a lot of low, medium, and high data types in its categories. As a result, it is likely that ITSP 50.103 and the cloud profiles are to be applied for any SI of the appropriate level processed, stored or transmitted in the cloud. However, this is based on inferences of existing information and not based on CPCSC provided information.
The Ugly
Although not new, it is important to remind readers that CPCSC will not receive any recognition from the United States government under CMMC for the foreseeable future. As Canadian Cyber in Context previously reported, the final rulemaking of CMMC does not include international recognition of programs that achieve the same or stronger requirements.
This makes the entire process even more complicated because CMMC uses the outdated version of the NIST standard, and the CPCSC will inherently be viewed as disruptive for not adopting the same outdated standard.
A lot of the CPCSC’s ambitious timeline hinges on the Standards Council of Canada being ready to oversee the standup of an entire certification and assessment ecosystem.
The CPCSC is already struggling to keep up with the timeline while producing supporting assessment and guidance documents to help organizations properly scope their controlled environments. Without certified assessors, it can be challenging for organizations, especially small and medium businesses, to understand the full scope of the data they manage and ensure it is in a controlled environment under CPCSC.
In parallel, the Standards Council of Canada must be able to identify what an assessor must know, test and certify potential assessors, and do so at a pace that keeps up with the current high demand. Currently, the Standards Council has been unable to keep up with this demand, and there are concerns that it may delay certification of Canada’s defence industrial base and thereby delay the implementation of the CPCSC.
Importantly, these assessors are not just there to audit and certify organizations for meeting level 2; they often help organizations scope their controlled environments and consult with them on how to obtain certification. This can be a time-consuming and complicated process. As a result, even if the CPCSC Secretariat meets its ambitious timeline, many elements beyond its control will likely slow implementation.
CPCSC appears to introduce the CCCS Low cloud profile for level 1, whereas CMMC has no extra cloud requirements for federal contract information (FCI). By designating data types as low-impact SI, CPCSC appears to require the CCCS Low profile for cloud services which process, store or transmit that level 1 SI. This makes the burden of effort for CPCSC level 1 self-attestation much higher than for CMMC. It also creates a greater risk of fraud, because organizations will not need to provide evidence of their compliance at level 1.
Update: This is wrapped up in confusion about which other standards CPCSC overlaps with and which must be adhered to in which contexts. Specifically, it is unclear whether cloud service providers need to comply only with the 13 controls of CPCSC level 1, or whether adopting cloud under CPCSC requires adopting the CCCS cloud profiles. Apparently, the CCCS and CPCSC are aware of the need for additional clarification here, and the CCCS has been told it needs to do more.
CPCSC level 3 introduces two new categories of services: “Support for Cybersecurity” and “Managed Security Service Providers.” According to PSPC, this means that if you are working on a level 3 contract, such as NORAD Modernization collaboration, your organization will need level 3 enterprise security compliance in place.
Anyone providing cyber security or managed security services to you will also need to be Level 3 certified. The number of service providers in Canada able to meet these criteria will be incredibly small, and few will be able to attempt it, as the cost of compliance is a steep barrier to entry.
The Canadian ecosystem will struggle to provide services at this level, or will be entirely composed of large, likely foreign-owned defence contractors already positioned to monopolize these contracts. This level of compliance in level 3 could cost in the millions to achieve.
Why is such granularity needed for the CPCSC?
As Andrew describes it: A controlled environment in the Governance, Risk, and Compliance (GRC) domain parallels a commercial kitchen in both structure and purpose.
Each depends on a supply chain where inputs must be carefully selected, processed, and verified. In a commercial kitchen, sourcing safe meats and produce minimizes the probability of foodborne illness. In a cyber security context, sensitive information and data are the inputs to be carefully managed. Rigorous vetting of technology vendors and software components reduces the likelihood of supply chain compromise, protecting sensitive information and preserving operational integrity.
Effective kitchens adhere to strict sanitation protocols to prevent contamination. Even with these controls, Canada still experiences millions of foodborne illnesses annually, leading to thousands of hospitalizations and hundreds of deaths. Over the past century, systematic regulation and inspection have become the backbone of modern public health and consumer trust. By comparison, Canada’s cybersecurity hygiene remains in an early developmental phase—akin to the fragmented food safety landscape of the 1920s. Current practices are inconsistent and largely self-regulated.
CPCSC aims to change this for Canada’s defence industry. This mirrors the historical expansion of food inspection programs from limited beginnings to universal adoption. The introduction of mandatory cybersecurity certification represents Canada’s transition from a loosely governed digital environment to one that is systematically controlled and independently validated. In this analogy, cyber assessors function as digital “health inspectors,” ensuring that organizations handling government data maintain environments that are properly secured, maintained, and auditable.
However, for these digital inspectors to do their job, they need to understand which inputs need to be in the controlled environment and how it is to be managed.
Where this will help most is to move Canada from the bad old days of kitchens without food preparation standards to a modern kitchen with effective sanitization and the assurance it brings. For anyone who wants to work on a Department of National Defence contract, and down the road potentially any federal contract, tying a contractor’s compliance to the ability to make money is the only way to ensure that the foundational requirements have been met, and the government’s sensitive information is being kept confidential.
Ultimately, the CPCSC will directly link a contractor’s eligibility for government work to their verified adherence to foundational cyber security standards. This alignment of compliance with economic incentives embeds accountability within Canada’s defence industrial base. The result should be a resilient cybersecurity ecosystem—one where trust, assurance, and risk management are institutionalized in the same way modern food safety regulation protects public well-being.
So What?
The CPCSC is a much needed program to ensure a baseline cyber security protection of Canada’s defence supply chain. However, the CPCSC program has been disadvantaged by a near-impossible task within the timeline they were given. The CPCSC Secretariat and associated personnel working on this program have done tremendous work in developing ITSP 10.171 in a timely fashion, but the CPCSC’s current resources do not appear sufficient to meet the implementation timeline.
The core challenge the CPCSC faces is the level of granularity required to inform Canada’s defence industrial base about which data must exist in a controlled environment and the specific conditions and controls required for that environment. Although the CPCSC may release its scoping and guidance documents on time, that is only the beginning. Defence primes will have to identify what data they manage that needs to comply with CPCSC and ensure their supply chains are compliant as well. This supply chain compliance will be the most time-consuming and onerous of processes. It will also be expensive, not only because of the specific hardware and security compliance needs, but also because the ITSP 10.171 standardization, compliance and assessment system is still being stood up, and the initial small pool of accredited assessors will be expensive to employ purely because of the market demand for their services.
Currently, CPCSC is making significant progress in developing the program, but there is still a lot of guidance and scoping to be done, as well as reciprocal feedback from industry to fine-tune and adjust it. CPCSC will have a major impact on Canada’s defence industrial base by adding greater levels of compliance and cyber security. The CPCSC Secretariat understands this impact and is trying to remove as much needless or overly complicated pain as it can, but it will take some time to work through this. The time needed to work out the kinks or unforeseen complications will also add to the timeline for implementing the CPCSC and certifying the defence industrial base.
Suffice it to say: things will remain painful until they are not. It will take time and collaboration between the CPCSC Secretariat, industry, researchers, and all other stakeholders to achieve the desired end state. If you are a business that contracts with DND/CAF, or one that wants to, now is the time to get engaged, understand the potential impacts of CPCSC on your business, and communicate to the CPCSC Secretariat which controls are overly onerous or complicated and how they could be improved.
ANNEX
CMMC (FCI) vs CPCSC (SI)
100 Examples of CPCSC LEVEL 1 SI
SECTION A — PROTECTED A (30 examples)
(Low injury personal information tied to the contract)
Employee name + work address on a contract staffing form
A contractor’s phone number included on a DND correspondence
Email signature block containing employee personal contact info
A technician’s name + certification number on a service record
Employee shift roster submitted to DND for coordination
Contractor site access list with names and roles
DND contact list with internal emails (unclassified)
Visitor log containing visitor names related to the project
Security sign-in sheet for site personnel working on the contract
List of subcontractor employees authorized to receive materials
Contact list for a subcontractor team working on the deliverable
Employee travel itineraries for contract-related meetings
A technician’s business card attached to a work order
A contractor’s mobile number kept in DND liaison documents
Non-sensitive personnel directory shared internally for contract coordination
Name + company email of project manager in contract communication
Names on training attendance rosters for project-required courses
Basic onboarding form with work contact info (but no PB)
Performance evaluation that references contract work but has PA elements
Scheduling spreadsheet listing employee names and shifts
Team composition list for a contract deliverable
Employee emergency contacts if shared for on-site coordination
Roster of personnel with building access related to the contract
List of forklift-certified employees used on the contract
Names of employees cleared for material handling (PA only)
Site induction forms containing names and work emails
A list of individuals authorized to approve timesheets
Names of personnel attending a DND project kickoff
Contractor internal phone list shared with subcontractors
Contract org chart containing personal identifiers
SECTION B — DUAL USE GOODS TECHNICAL DATA (25 examples)
(Technical data for items with civilian + military applications, ECL Group 1)
CAD file of a dual-use bracket with both commercial and military application
Material specification sheet for an ECL Group 1 component
3D model of a dual-use sensor housing
Tolerance drawing for a UAV component also used commercially
Heat-treatment requirements for a dual-use metal component
Repair instructions for a dual-use generator part
Assembly instructions for a dual-use avionics mount
Exploded diagram of a drone payload cradle
CNC machining file for a dual-use structural brace
Surface finishing requirements for an ECL dual-use part
Manufacturing process description for a dual-use actuator housing
Stress test report for a dual-use aluminum forging
Quality inspection criteria for a dual-use fastener
Commercial-military hybrid part drawings
Dimensional inspection plans for a dual-use steering linkage
Engineering notes describing tolerance stack-ups
Custom fixture drawings for machining a dual-use component
Thermal expansion charts for a dual-use alloy component
Plating instructions for a dual-use component
Step-by-step fabrication instructions for a dual-use piece of hardware
Revised drawing notes for minor modifications to a dual-use part
Photo documentation of a dual-use prototype
Engineering Change Request (ECR) affecting a dual-use part
Supplier datasheet annotated with DND-supplied dual-use tolerances
Work instructions referencing ECL Group 1 design details
SECTION C — LOW-SENSITIVITY SUPPLIER FINANCIAL INFORMATION (20 examples)
(Financial information exchanged with vendors in support of the contract)
Quote for custom-machined aluminum parts for the contract
Vendor invoice for contract-specific machining work
Rate sheet for subcontracted welding used on the deliverable
Cost estimate for outsourced finishing/coating tied to contract parts
Delivery charge breakdown for contract subcomponents
Non-public pricing for material used in a Government part
Supplier discount structure provided for contract work
Supplier billing statement referencing contract purchase order
Raw material cost sheet used to estimate project budgets
Payment terms negotiated specifically for the contract
Labor rates for subcontractors supporting the deliverable
Price escalation clause shared for contract sourcing
Transportation cost breakdown for contract items
Vendor quote package for specialty materials
Internal pro forma invoice for contract-linked procurement
Non-public extended warranty costs for a contract part
Tier-2 supplier quotes submitted to Tier-1 for contract build
Freight-forwarder invoice tied to contract materials
Bulk material price list (non-public) used in the contract BOM
Contract-specific batch pricing from a supplier
SECTION D — LOW-SENSITIVITY PROCUREMENT DOCUMENTATION (25 examples)
(Procurement documents tied to the contract, not general business purchasing)
Purchase order for custom washers made to DND spec
RFQ containing contract-linked specs
Order confirmation for subassemblies used in the deliverable
Packing slip referencing a contract number
Delivery schedule linked to contract timelines
Supplier catalogue excerpt marked up with contract requirements
Material requirement list (MRL) for contract-specific fabrication
Procurement approval form referencing the contract
Supplier capability info used in the bid response
Preferred supplier list for contract items
Procurement communication referencing contract materials
BOM containing contract-specific parts
Incoming inspection record for contract material
Purchase justification memo for contract-required tooling
Vendor comparison table for contract subcomponents
Supplier selection rationale referencing customer requirements
Updated PO reflecting contract design changes
Sub-tier supplier list used for contract fabrication
Material traceability sheet referencing contract code
Workflow ticket for contract-specific material onboarding
Subcontract sourcing request with contract component specs
Excel sheet of procurement quotes for contract tendering
Receiving documentation with contract tag numbers
Supplier questions about contract tolerances
Email requesting quote modifications for contract materials