An Introduction to the Canadian Program for Cyber Security Certification (CPCSC)

An Introduction to the Canadian Program for Cyber Security Certification (CPCSC)

An Introduction to the Canadian Program for Cyber Security Certification (CPCSC) 1600 1068 Darryl MacLeod
At the end of 2024, a significant policy shift is set to transform the cybersecurity landscape within Canada’s defence industry. Vying for select Government of Canada defence contracts will require suppliers to be certified under the Canadian Program for Cyber Security Certification (CPCSC). This initiative enhances cybersecurity within Canada’s federal contracting processes, ultimately bolstering the nation’s defence capabilities. Primarily, the CPCSC is designed to protect federal contractual information that is held on contractors’ systems, networks, and applications but falls below the classified level. This initiative will ensure that Canada's defence industry maintains a high level of cybersecurity, safeguarding both vital information and operational capabilities. The program will also ensure that Canadian industry retains access to international procurement opportunities that necessitate similar cybersecurity certification requirements. By aligning with international standards, the CPCSC ensures that the Canadian defence industry remains competitive on the global stage. The CPCSC aims to raise the bar for cybersecurity within Canada’s defence industry. The program promises to deliver a robust and reliable supplier system that underpins the capabilities and readiness of the Canadian Armed Forces. As the digital landscape continues to evolve, maintaining a high level of cybersecurity is crucial to national defence. The CPCSC also seeks to increase Canadian industrial participation in cybersecurity certification programs. By fostering a culture of cybersecurity, the program ensures that the defence industry is well-equipped to tackle emerging threats, bolstering Canada’s overall cybersecurity resilience.

Key Features of the CPCSC

At its core, the CPCSC will introduce several key features designed to bolster cybersecurity. The program will outline specific cybersecurity controls for federal contracting. These controls will be based on a new Canadian cybersecurity standard, closely adapted from the United States Department of Commerce’s National Institute of Standards and Technology Special Publications 800-171 and 800-172. These publications provide guidelines for protecting Controlled Unclassified Information in non-federal systems and organizations, and Enhanced Security Requirements for the same. A comprehensive risk assessment process will be integral to the CPCSC. This process will identify defence contracts with mandatory requirements and determine the level of certification needed. Through these risk assessments, the program will ensure that cybersecurity measures are appropriately tailored to specific contracts, maximizing protection while maintaining efficiency. The CPCSC will also introduce mandatory contractual clauses within defence procurement documents, including Requests for Proposals (RFPs). These clauses will ensure the full implementation of CPCSC requirements, reinforcing the commitment to cybersecurity within the contracting process. The Standards Council of Canada will accredit third-party assessors who will conduct and certify level 2 (moderate) cybersecurity assessments for suppliers. These assessors will play a crucial role in verifying that suppliers meet the CPCSC requirements, further ensuring the integrity of defence contracts.

The CPCSC Certification Levels

The CPCSC will incorporate three certification levels:

Level 1 will require an annual cybersecurity self-assessment, enabling suppliers to evaluate their own cybersecurity practices.

Level 2 will necessitate external cybersecurity assessments led by an accredited certification body. This external perspective will provide an added layer of scrutiny, ensuring robust cybersecurity practices are in place.

Level 3 will consist of cybersecurity assessments conducted by the Department of National Defence, providing the highest level of assurance.

Benefits to Canada and Suppliers

The introduction of the CPCSC offers substantial benefits for both Canada and its suppliers. The program will help safeguard the Government of Canada’s unclassified contractual information and enhance the cybersecurity capabilities of Canada’s defence supply chain. This will ensure alignment with the National Cyber Security Action Plan and the National Cyber Security Strategy. The CPCSC offers suppliers an opportunity to strengthen their cybersecurity resilience. A single successful cyber-attack can have widespread impacts. Therefore, the CPCSC will assist suppliers in better identifying, assessing, and managing potential risks, ensuring the integrity of Canada’s supply chain.

Implementation Timeline

Starting at the end of 2024, CPCSC requirements will become mandatory for certain defence-related RFPs. However, these changes will be introduced in phases to allow suppliers and the cybersecurity community ample time to adapt. During this interim period, defence suppliers are encouraged to assess and evaluate their current cybersecurity readiness proactively. By preparing for these changes, suppliers can ensure a smooth transition to the new requirements.


The introduction of the Canadian Program for Cyber Security Certification (CPCSC) marks a pivotal moment for suppliers within Canada's defence industry. If your organization is involved in supplying the Government of Canada's defence sector, now is the time to assess and enhance your cybersecurity measures. Don't wait until the last minute—start preparing today to navigate this transition smoothly and maintain your competitive edge in the global defence market.

Want to Learn More?

How can Lares help you align your business to support the new CPCSC requirements? Please reach out to our experts today and we'll walk you through our iterative process to assess your gaps and provide a detailed roadmap on how to get your organization ready by year end.

Empowering Organizations to Maximize Their Security Potential.

Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing, and coaching since 2008.

16+ Years

In business


Customers worldwide



Where There is Unity, There is Victory

[Ubi concordia, ibi victoria]

– Publius Syrus

Contact Lares Consulting logo (image)

Continuous defensive improvement through adversarial simulation and collaboration.

Email Us

©2024 Lares, a Damovo Company | All rights reserved.

Error: Contact form not found.

Error: Contact form not found.

Privacy Preferences

When you visit our website, it may store information through your browser from specific services, usually in the form of cookies. Some types of cookies may impact your experience on our website and the services we are able to offer. It may disable certain pages or features entirely. If you do not agree to the storage or tracking of your data and activities, you should leave the site now.

Our website uses cookies, many to support third-party services, such as Google Analytics. Click now to agree to our use of cookies or you may leave the site now.