The Canadian government has introduced the Canadian Program for Cyber Security Certification (CPCSC) to strengthen its cybersecurity posture. This initiative addresses the frequent cyberattacks targeting the country’s defense industry, which threaten the security of unclassified federal information held by contractors and subcontractors. Starting this month, a new industrial standard will be implemented to protect sensitive government data in defense contracts. 

The Canadian defense sector frequently encounters cyberattacks targeting contractors and subcontractors, jeopardizing unclassified federal information. Protecting these critical supply chains is crucial. With cyberattacks on defense suppliers and subcontractors increasing, this program seeks to fortify supply chain resilience by setting clear, progressive security standards, similar to the U.S. CMMC.

The implementation of the CPCSC will be phased in gradually, allowing companies to adapt their operations to meet new requirements. The first phase will involve releasing a new Canadian industrial cybersecurity standard, opening the accreditation process, and introducing a self-assessment tool for level 1 certification. This will help businesses understand the program before a wider rollout later in the year.

During the initial phases, certification will not be required during the bidding process, but only when the contract is awarded. The phased approach is designed to strengthen the resilience and security of Canada’s defence supply chains, giving the government and businesses the necessary time and resources to adapt to evolving cybersecurity standards.

“Cyber security is national security and threats are evermore intricate and in a state of constant change,” Jean-Yves Duclos, Canada’s minister of public services and procurement and Quebec lieutenant, said in a Wednesday statement. “In defence procurement, cyber incidents can jeopardize the safety of unclassified federal information. To address this, we are thrilled to launch the first phase of the Canadian Program for Cyber Security Certification. We are committed to safeguarding the integrity of the defence sector, and we look forward to working with businesses to ensure robust cybersecurity practices.”

Once the CPCSC is fully implemented, it will protect federal contractual information held below the classified level on contractors’ systems, networks, and applications and maintain the Canadian industry’s access to international procurement opportunities with similar cybersecurity certification requirements. It will also boost the basic level of cybersecurity for Canada’s defence industry, ensure that the supplier system stays strong and reliable for the Canadian Armed Forces’ capabilities and readiness, and increase Canadian industrial participation in the cybersecurity certification program.

The CPCSC ecosystem is a structured framework ensuring that cybersecurity certification in Canada is handled by accredited bodies, certified assessors, and government oversight. It aligns with international standards while also supporting national security initiatives. The CPCSC will include cybersecurity controls, risk assessments, contractual clauses, and accredited third-party assessors.

The program’s mandatory cybersecurity certification requirements will be made up of three levels: level 1 requires an annual cybersecurity self-assessment; level 2 requires external cybersecurity assessments, led by an accredited certification body; and level 3 requires cybersecurity assessments conducted by National Defence.

The Canadian government has outlined key milestones in the rollout of the Canadian Program for Cyber Security Certification. Phase 1 (March 2025) will introduce a new cybersecurity standard for levels 1 and 2. Businesses will have access to a level 1 self-assessment tool, which will be launched by the full program implementation. The Standards Council of Canada will begin accepting applications from organizations that wish to become certification bodies to support the evaluation and certification of standard compliance. Additionally, support systems will be established to assist businesses in obtaining level 2 certification through third-party assessments.

Phase 2 (fall 2025) will see some defense contracts requiring level 1 certification, which can be achieved through a self-assessment. Level 2 certification, obtained through a third-party assessment, will be tested in certain defence contracts. Phase 3 (spring 2026) will require some defense contracts to have level 2 certification. Level 3 certification will officially commence following the publication of additional level 3 controls.

Phase 4 (2027) will gradually incorporate level 3 certification requirements into select defense requests for proposals for a small number of contracts. Level 3 certification will be conducted by National Defence.

The government outlined that the comprehensive process will identify defence contracts with mandatory requirements and will determine the level of certification needed. These mandatory sections or provisions included within defence procurement documents, such as requests for proposals (RFPs), will implement the CPCSC requirements.

Third-party assessors will be accredited by the Standards Council of Canada, the sole accreditation body for the CPCSC, and will assess and certify level 2 (moderate) cybersecurity certification requirements for suppliers.

Last month, the Communications Security Establishment Canada (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) urged Canadian organizations to stay alert and enhance their defenses against malicious cyber threats as the third anniversary of Russia’s full-scale invasion of Ukraine nears. Over the last three years, the Cyber Centre has observed pro-Russia cyber hackers targeting organizations in countries, including Canada, that have provided support to Ukraine. This activity has included cyber campaigns targeting critical infrastructure and distributed denial-of-service (DDoS) attacks on government and business websites.
