Compliance is Cash - Where to Begin with CPCSC
CPCSC can be overwhelming, so let us start with the basics
Feature your business in Canadian Cyber in Context through sponsorship.
The Canadian Program for Cyber Security Certification (CPCSC) is still in development and is subject to change. The information in this article will be updated as the CPCSC Secretariat releases more details.
I’m Andrew Laliberte. For years, I worked inside the Canadian Armed Forces and Department of National Defence networks, deploying and sustaining technical capabilities under strict governance, risk, and compliance constraints. It was not glamorous work. It was long hours, rapid learning curves, and constant pressure to keep complex systems stable in environments where resources were scarce and the rules were rigid… except when they weren’t.
That experience gave me something invaluable. A practical understanding of how compliance frameworks shape architecture, operations, procurement, and organizational survival.
Today, I work with organizations across the defence industrial base (DIB), from primes to specialized subcontractors, who are entering a new era. An era where compliance is not optional, not theoretical, and not negotiable.
Here is what many still miss.
Compliance is no longer a checkbox buried in the back of a contract.
In the defence industrial base, it is becoming the price of entry.
The defence industrial base is becoming one of the most compliance-driven sectors in North America. While it may not entail the liquidity and capital controls of banking, its cybersecurity requirements are increasingly mandatory, enforceable, and directly tied to revenue.
Over the next few years, mandatory frameworks like CMMC in the United States and Canada’s evolving CPCSC requirements will determine who can bid, who can handle controlled information, and ultimately who gets paid.
Compliance is not just a cost center.
Done properly, it is a market filter.
Market filters create competitive advantage.
This series breaks down what the coming compliance landscape means for your business and how to turn governance requirements into strategic leverage.
Because in the DIB, compliance is not paperwork.
It is cash.
The 101 on CPCSC Level 1
Who
Program governance is distributed across federal authorities:
• Program Manager: Public Services and Procurement Canada (PSPC)
• Defence Authority: Department of National Defence (DND)
• Standards Development: Canadian Centre for Cyber Security (CCCS)
• Accreditation Authority: Standards Council of Canada (SCC)
What
The Canadian Program for Cyber Security Certification (CPCSC) is the Government of Canada’s official cybersecurity certification program for defence suppliers.
It safeguards unclassified Specified/Sensitive Information that flows from federal departments to industry under defence contracts.
Specified/Sensitive Information is categorized as:
• SI Low
• SI Medium
• SI High
These categories align with specified/sensitive information data types such as Protected A, Protected B, and certain Controlled Goods contexts, as well as several others. Organizations must understand how their data maps to these operational impact levels.
When
Beginning in Spring 2026, PSPC will introduce contractual language requiring self-attested CPCSC Level 1 compliance for award on most DND contracts.
Where
If non-commercial off-the-shelf (COTS) activity or Specified/Sensitive Information (SI) is involved, CPCSC applicability and level will be determined through the Industry Contract Cyber Security Risk Assessment (CCSRA).
SI Low, aligned to CPCSC Level 1, includes:
• Protected A information
• Low sensitivity Dual Use Goods technical data
• Non-critical sensitive supplier financial information
• Low sensitivity procurement documentation such as RFQs, purchase orders, and schedules
Why
CPCSC is Canada’s response to systemic cybersecurity risk across the Defence Industrial Base. It marks a shift from compliance on paper to structured, enforceable cybersecurity maturity requirements.
Three realities drive this shift.
The threat environment has evolved. Smaller subcontractors are often the easiest path into larger defence programs.
Self-attestation alone proved insufficient. Documentation did not always reflect operational reality.
Verification is now built into the model, but in a graduated form. Level 1 remains self-attested. Levels 2 and 3 introduce formal assessments to validate implementation and operational effectiveness.
The direction is clear. Canada is moving toward higher assurance requirements for higher sensitivity work.
Cybersecurity in Canadian defence contracting is no longer an honour system. It is becoming a tiered eligibility framework.
For DIB firms, CPCSC is not a policy update. It is a structural shift in how eligibility, competitiveness, and trust are determined.
Those who treat compliance strategically will find it does more than protect contracts.
It positions them to win.
How
The best way to keep your costs and timelines down is accurate scoping. You must first identify the systems, services, people, and workflows that touch defence contracts or Specified/Sensitive Information.
Once scoped, apply the 13 CPCSC Level 1 controls to that environment and build a controlled operating model that integrates people, process, policy, facilities, and technology.
Level 1 is not advanced security engineering.
It is just the minimum acceptable standard in 2026.
In 2026, we are 38 years removed from the first major internet worm (Morris Worm). Thirty-eight years of warnings. Thirty-eight years of incidents. Thirty-eight years to get the basics right.
There is no strategic justification left for ignoring technical debt, postponing governance, or hoping regulators will look the other way.
CPCSC Level 1 is not an innovation burden. It is the baseline cost of doing business in the modern defence ecosystem. Align with it or step aside for organizations that will.
It forces clarity on who has access, what systems matter, and whether they are maintained. For some organizations, this will feel like overhead. For disciplined organizations, it becomes structure.
And structure scales.
Where to Start with CPCSC
In CPCSC level 1, there are 13 security requirements from 6 of the 17 security requirements families found in ITSP.10.171.
All of that translates into 71 assessment objectives (AOs), which are really the only things you should focus on applying to your organization’s scope.
The AOs are the questions on the open-book test. If you can confirm you’ve applied them to every applicable part of your scope, then you pass the test.
To make life interesting, of course, you also need to track and insert various “organization-defined parameters”, or ODPs.
Direct from ITSP.10.171 Sec. 2.2:
“ODPs are an important part of specifying a security requirement. ODPs provide both the flexibility and the specificity needed by organizations to clearly define their specified information security requirements according to their particular missions, business functions, operational environments and risk tolerance. In addition, ODPs support consistent security assessments to determine if specified security requirements have been satisfied. If a GC department or agency, or a group of departments or agencies, does not specify a particular value or range of values for an ODP, non-GC organizations must assign the value or values to complete the security requirement.”
And
“The term ‘organization’ is used in many security requirements, and its meaning depends on context. For example, in a security requirement with an ODP, an organization can refer to either the GC department or agency or to the non-GC organization establishing the parameter values for the requirement.”
Which means that so far, unlike CMMC, for which the DoD released an official list of ODP values you can just plug in and plan for, the ODPs in CPCSC will be left up to whichever government entity wants to take a stab at defining them before ultimately leaving the rest up to you.
How will that shake out? Will it be regulatory chaos? Time will tell, but the most practical thing you can do is take those DoD-defined values as your starting point when planning, as they are unlikely to require much modification once you get your official values on a contract.
Now, let’s run through a couple of the most impactful security requirements to get a sense of what your new day-to-day reality looks like.
Family: 3.1 Access control
Security Requirement: 03.01.01 Account management
AO:
A.03.01.01.d.01: access to the system is authorized based on a valid access authorization
A.03.01.01.d.02: access to the system is authorized based on intended system usage
Impact: For the average defence contractor, these CPCSC Level 1 objectives represent a shift from a “convenience-first” to a “compliance-first” operational mindset. Meeting A.03.01.01.d.01 requires a formal administrative process where identity is verified before a single login is generated; gone are the days of informal account creation or shared credentials.
Meanwhile, A.03.01.01.d.02 introduces the concept of Least Privilege, mandating that access isn’t granted simply because a person is “on the team,” but only because their specific role requires it. For a small-to-mid-sized firm, this means an increased administrative burden for which you’ll need documented evidence of who has access and why.
In practice, this forces contractors to tighten their internal HR and IT workflows, ensuring that when an employee’s role changes or they leave the company, their access is adjusted or revoked immediately to prevent unauthorized data exposure.
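The two account-management objectives above come down to a reconciliation you can actually run: every enabled account must trace back to an active person, a valid (unexpired) access authorization, and an entitlement that matches the intended usage of that person's role. The script below is an added illustration, not code from the article or from the CPCSC program. The roster, authorization register, role catalogue, system names and dates are all constructed sample data; the "no-active-person" check is the joiner/mover/leaver point the paragraph makes about revoking access when someone leaves.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the article): an HR roster, the access
# authorization register, and the accounts actually present on two systems.

@dataclass(frozen=True)
class Person:
    user: str
    role: str
    status: str            # "active" or "terminated"

@dataclass(frozen=True)
class Authorization:
    user: str
    system: str
    approved_by: str
    expires: date

@dataclass(frozen=True)
class Account:
    user: str
    system: str
    entitlement: str       # e.g. "read", "engineer", "admin"
    enabled: bool

# Hypothetical role catalogue: the "intended system usage" for each role,
# expressed as the entitlements a role legitimately needs on each system.
ROLE_CATALOGUE = {
    "engineer": {"eng-fileshare": {"engineer"}},
    "finance":  {"erp": {"read"}},
    "sysadmin": {"eng-fileshare": {"admin"}, "erp": {"admin"}},
}

def review_accounts(roster, authorizations, accounts, today):
    """Return a list of (user, system, finding) for every enabled account that
    fails A.03.01.01.d.01 (valid authorization) or d.02 (intended usage),
    or that belongs to someone who is no longer an active employee."""
    people = {p.user: p for p in roster}
    auth_index = {(a.user, a.system): a for a in authorizations}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled accounts are out of scope here
        person = people.get(acct.user)
        # Leaver (or unknown identity) still enabled: should have been revoked
        if person is None or person.status != "active":
            findings.append((acct.user, acct.system, "no-active-person"))
            continue
        # d.01: a valid, unexpired authorization must exist for this system
        auth = auth_index.get((acct.user, acct.system))
        if auth is None or auth.expires < today:
            findings.append((acct.user, acct.system, "no-valid-authorization"))
        # d.02: the entitlement must be one the person's role actually needs
        allowed = ROLE_CATALOGUE.get(person.role, {}).get(acct.system, set())
        if acct.entitlement not in allowed:
            findings.append((acct.user, acct.system, "entitlement-exceeds-role"))
    return findings

# Constructed inputs: carol has left, eve is not on the roster at all, bob's
# authorization has expired, and alice holds an admin account on a system
# her role has no business on.
ROSTER = [
    Person("alice", "engineer", "active"),
    Person("bob", "finance", "active"),
    Person("carol", "engineer", "terminated"),
    Person("dave", "sysadmin", "active"),
]
AUTHORIZATIONS = [
    Authorization("alice", "eng-fileshare", "eng-lead", date(2026, 12, 31)),
    Authorization("bob", "erp", "cfo", date(2025, 6, 30)),
    Authorization("dave", "eng-fileshare", "it-manager", date(2026, 12, 31)),
    Authorization("dave", "erp", "it-manager", date(2026, 12, 31)),
]
ACCOUNTS = [
    Account("alice", "eng-fileshare", "engineer", True),
    Account("bob", "erp", "read", True),
    Account("carol", "eng-fileshare", "engineer", True),
    Account("dave", "eng-fileshare", "admin", True),
    Account("alice", "erp", "admin", True),
    Account("eve", "erp", "read", True),
]

def sample_findings():
    return review_accounts(ROSTER, AUTHORIZATIONS, ACCOUNTS, date(2026, 3, 1))

if __name__ == "__main__":
    for user, system, finding in sample_findings():
        print(f"{user:6} {system:14} {finding}")
```

The output of this review is itself the evidence the paragraph talks about: a dated record of who had access, why, and which accounts fell outside policy. Running it on a schedule (or on every HR status change) turns "access is adjusted or revoked immediately" from an intention into something you can show.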
Family: 3.14 System and information integrity
Security Requirement: 03.14.01 Flaw remediation
AO:
A.03.14.01.a[03]: system flaws are corrected
Impact: For the average defence contractor, objective A.03.14.01.a[03] transforms patch management from a “best effort” IT task into a high-stakes compliance requirement. The primary impact is the loss of operational flexibility; contractors can no longer afford to delay updates for months out of fear of software instability. Instead, they must implement a disciplined vulnerability remediation lifecycle that includes identifying, testing, and applying security patches within specific timeframes.
For many firms, this necessitates a move away from manual updates toward automated patch management tools to ensure nothing slips through the cracks. Beyond the technical shift, there is a significant documentation burden. Assessors won’t just want to see that the system is currently updated; they will want to see historical logs proving that flaws were corrected consistently and promptly. This effectively raises the “floor” for cybersecurity maturity, forcing smaller contractors to invest in more robust IT support or managed service providers to keep pace with the constant stream of newly discovered software vulnerabilities.
Even if you’re assessing your own organization, this is the level of consistent organizational effort required to meet that attestation.
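The "specific timeframes" and "historical logs" the flaw-remediation objective demands are easy to describe and easy to lose track of. The script below is an added example, not code from the article or from any official CPCSC material: it takes a flaw log of the kind a scanner or ticketing system exports and, for each flaw, reports whether it was corrected inside the remediation window for its severity. The per-severity windows are placeholder values standing in for whatever ODP ends up on your contract, and the flaw log entries are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed flaw-remediation log (not from the article). In practice this is
# exported from the vulnerability scanner or the ticketing system.
@dataclass(frozen=True)
class Flaw:
    flaw_id: str
    severity: str              # "critical", "high", "moderate" or "low"
    identified: date
    corrected: Optional[date]  # None while the flaw is still open

# Placeholder ODP values: days allowed to correct a flaw, by severity. The real
# numbers come from the contract (or your own documented policy until then).
REMEDIATION_WINDOW_DAYS = {"critical": 7, "high": 14, "moderate": 30, "low": 90}

def classify(flaw, today, windows=REMEDIATION_WINDOW_DAYS):
    """Status of one flaw relative to its remediation deadline."""
    deadline = flaw.identified + timedelta(days=windows[flaw.severity])
    if flaw.corrected is None:
        return "open-overdue" if today > deadline else "open-within-window"
    return "corrected-on-time" if flaw.corrected <= deadline else "corrected-late"

def remediation_report(flaws, today, windows=REMEDIATION_WINDOW_DAYS):
    """Return (per-flaw status, summary counts). The per-flaw records are the
    historical evidence an assessor asks for; the summary is the metric you
    would track month over month."""
    statuses = {f.flaw_id: classify(f, today, windows) for f in flaws}
    summary = {}
    for status in statuses.values():
        summary[status] = summary.get(status, 0) + 1
    return statuses, summary

# Constructed log: one critical fixed promptly, one high fixed late, one
# moderate still inside its window, one critical badly overdue, one low fixed.
FLAW_LOG = [
    Flaw("FLAW-001", "critical", date(2026, 1, 5), date(2026, 1, 9)),
    Flaw("FLAW-002", "high", date(2026, 1, 10), date(2026, 2, 15)),
    Flaw("FLAW-003", "moderate", date(2026, 2, 1), None),
    Flaw("FLAW-004", "critical", date(2026, 2, 10), None),
    Flaw("FLAW-005", "low", date(2025, 12, 1), date(2026, 2, 20)),
]

def sample_report():
    return remediation_report(FLAW_LOG, date(2026, 3, 1))

if __name__ == "__main__":
    statuses, summary = sample_report()
    for flaw_id, status in statuses.items():
        print(f"{flaw_id}: {status}")
    print(summary)
```

Keeping the closed entries in the log rather than deleting them is the point: "system flaws are corrected" is assessed over time, so the record of FLAW-002 being late is as much a part of the evidence as the record of FLAW-001 being on time.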
Family: 3.13 System and communications protection
Security Requirement: 03.13.01 Boundary protection
AO:
A.03.13.01.a[02]: communications at external managed interfaces to the system are controlled
Impact: For the average defence contractor, objective A.03.13.01.a[02] marks the end of “open-door” networking and necessitates strengthening the digital perimeter. The impact is felt most acutely in how the company interacts with the outside world—specifically at the Managed Interface, which serves as the single, guarded gateway between the internal network and external entities such as the public internet or subcontractor portals.
Contractors must move away from ad hoc connectivity and instead implement strict Boundary Protection technologies, such as enterprise-grade firewalls or specialized gateways that perform deep packet inspection. This requirement often forces a structural redesign of the network to ensure that all data “traffic” is funnelled through controlled checkpoints where it can be monitored, filtered, and restricted based on pre-defined security policies.
For smaller firms, this typically means moving away from consumer-grade routing hardware toward more sophisticated managed security services, as the burden of constantly updating and auditing these interface controls requires specialized expertise to prevent unauthorized data exfiltration.
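"Controlled" at a managed interface is something an assessor can check rule by rule: each allow rule should have an owner, a written justification and a recent review date, there should be no unrestricted any-to-any allow, and the rule set should end in a default deny. The review script below is an added example, not code from the article or from any firewall vendor; the rule export format, the field names and the rule set itself are constructed, and the review-age threshold is a placeholder for whatever interval your policy sets.

```python
from datetime import date

# Constructed rule set for one managed interface (not from the article). Each
# entry is what a firewall would export, plus the owner/justification/review
# fields that make the rule defensible rather than a matter of "vibes".
RULES = [
    {"id": 10, "action": "allow", "src": "10.20.0.0/16", "dst": "203.0.113.10", "dport": "443",
     "owner": "it-ops", "justification": "HTTPS to ERP SaaS provider", "reviewed": "2026-01-15"},
    {"id": 20, "action": "allow", "src": "any", "dst": "any", "dport": "any",
     "owner": "", "justification": "", "reviewed": ""},
    {"id": 30, "action": "allow", "src": "198.51.100.0/24", "dst": "10.20.5.7", "dport": "22",
     "owner": "eng-lead", "justification": "", "reviewed": "2025-02-01"},
    {"id": 40, "action": "allow", "src": "10.20.0.0/16", "dst": "any", "dport": "53",
     "owner": "it-ops", "justification": "DNS to upstream resolvers", "reviewed": "2026-01-15"},
    {"id": 65535, "action": "deny", "src": "any", "dst": "any", "dport": "any",
     "owner": "it-ops", "justification": "default deny", "reviewed": "2026-01-15"},
]

def review_rules(rules, today, max_review_age_days=365):
    """Return a list of (rule id, finding). Placeholder policy: every allow rule
    needs an owner, a justification and a review within max_review_age_days,
    no allow rule may be any/any/any, and the last rule must be a deny-all."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if not rule["justification"]:
            findings.append((rule["id"], "missing-justification"))
        if not rule["owner"]:
            findings.append((rule["id"], "missing-owner"))
        if rule["src"] == "any" and rule["dst"] == "any" and rule["dport"] == "any":
            findings.append((rule["id"], "unrestricted-allow"))
        reviewed = rule["reviewed"]
        if not reviewed or (today - date.fromisoformat(reviewed)).days > max_review_age_days:
            findings.append((rule["id"], "review-stale"))
    last = rules[-1]
    # The boundary is only "controlled" if everything not explicitly allowed is denied
    if not (last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append((None, "no-default-deny"))
    return findings

def sample_review():
    return review_rules(RULES, date(2026, 3, 1))

if __name__ == "__main__":
    for rule_id, finding in sample_review():
        print(f"rule {rule_id}: {finding}")
```

Rule 20 in the constructed set is the "open door" the paragraph describes and fails on every count; rule 30 is the more common real-world case, a narrow rule that someone once needed but nobody documented or re-reviewed. A check like this run against every managed interface export gives you the justification trail before an assessor asks for it.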
From Vibes to Verifiable
Seventy-one assessment objectives. ODPs that may or may not be pre-defined for you. Evidence trails. Role catalogs. Patch clocks. Firewall rules that now require justification instead of “vibes”. All of this, at Level 1, is your new reality. It is the set of methods and actions your organization will have to live by.
But here’s the uncomfortable truth: none of this is exotic. None of it is bleeding-edge cyber wizardry. It’s basic governance. It’s discipline. It’s documentation. It’s doing the boring fundamentals consistently enough that you can prove it.
CPCSC Level 1 doesn’t demand a security operations center or classified infrastructure. It demands that you stop running your defence business like a startup lab and start running it like a regulated supplier in a national security supply chain. Access must be justified. Vulnerabilities must be fixed. Network boundaries must be controlled, and you must be able to demonstrate that this isn’t aspirational, it’s operational.
Ultimately, the shift toward CPCSC Level 1 isn’t just about checking boxes or surviving an assessment. It’s about a fundamental change in how the defence supply chain operates. For the average contractor, these objectives move cybersecurity out of the IT basement and into the boardroom. Whether it’s formalizing who can log in, automating your patch cycles, or hardening your network boundaries, the common thread is verifiable control.
The tedious technical stuff is the baseline for doing business today. If you cannot prove you’re doing it, you technically aren’t doing it in the eyes of the Government of Canada. By aligning your ODPs with established benchmarks such as the DoD’s published values and treating the assessment objectives as your operational roadmap, you transform a regulatory obligation into a capability signal.
The transition is not light work. It requires structure, investment, and consistency. But what it builds is something far more valuable than compliance: a resilient, professional, and contract-ready organization positioned to compete in a regulated defence marketplace.
If you want to win defence-related contracts, accountability isn’t optional anymore. CPCSC will be the price of admission.