CMMC Compliance Consulting for Canadian Defence Contractors

Reviewed by Ali Aleali, CISSP, CCSP · Last reviewed April 18, 2026

Canadian companies selling into the U.S. defence supply chain face a compliance requirement that is no longer theoretical. The Cybersecurity Maturity Model Certification (CMMC) is now appearing in DoD contract solicitations, and Phase 2, which extends CMMC Level 2 requirements to all contracts involving Controlled Unclassified Information (CUI), takes effect in late 2026.

For Canadian contractors, this creates a dual-framework problem. Canada has its own cybersecurity certification program for defence suppliers, the Canadian Program for Cyber Security Certification (CPCSC), built on ITSP.10.171. The U.S. has CMMC, built on NIST SP 800-171. Both programs share a common ancestor but diverge in implementation, assessment methodology, and enforcement. No mutual recognition agreement exists. A CPCSC certification does not satisfy CMMC. A CMMC certificate does not satisfy CPCSC.

The practical question for Canadian defence contractors: how do you satisfy both programs without building two separate security programs?

 

The Dual-Framework Reality

Canadian contractors operating exclusively in the domestic defence supply chain need only CPCSC. Companies selling exclusively into the U.S. DoD supply chain need only CMMC. But the companies caught in the middle, those with contracts on both sides of the border, need both.

This is not a niche scenario. Canada's defence industrial base has deep ties to the U.S. DoD supply chain. ITAR-controlled components, joint programs, and cross-border subcontracting relationships all create situations where Canadian companies must demonstrate compliance to both countries' requirements.

The Overlap Advantage

Both CPCSC and CMMC trace their technical requirements back to NIST SP 800-171. A security program built to satisfy one framework covers the majority of the other. The work is not building two programs. It is building one program and mapping it to both certifications.

 

CMMC Level 1 vs Level 2: What Applies

CMMC Level 1 applies to contracts involving Federal Contract Information (FCI) only. It maps to 17 practices derived from FAR 52.204-21. Compliance is demonstrated through annual self-assessment, with an affirmation signed by a senior company official and submitted to the Supplier Performance Risk System (SPRS).

Level 1 is straightforward but binary. There are no Plans of Action and Milestones (POA&Ms). All 17 practices must be fully implemented at the time of affirmation. Either the company passes or it does not.

CMMC Level 2 applies to contracts involving CUI. It maps to all 110 security requirements in NIST SP 800-171 Rev 2 (transitioning to Rev 3). Level 2 can require either self-assessment or third-party certification assessment by a CMMC Third Party Assessment Organization (C3PAO), depending on the contract.

Critical Distinction

Companies handling only FCI can often satisfy requirements with Level 1. Companies handling CUI, which includes most contracts involving technical data, engineering drawings, or controlled technical information, need Level 2. The contract language determines which level applies, not the contractor's preference.

 

Where CPCSC and CMMC Overlap

Both programs organize their requirements around the same NIST 800-171 control families. A company that implements these families to satisfy CMMC Level 2 will have covered the vast majority of CPCSC requirements.

Control Family                        | CMMC Level 2     | CPCSC
--------------------------------------|------------------|-------------------------
Access Control                        | 22 requirements  | Aligned via ITSP.10.171
Audit and Accountability              | 9 requirements   | Aligned via ITSP.10.171
Configuration Management              | 9 requirements   | Aligned via ITSP.10.171
Identification and Authentication     | 11 requirements  | Aligned via ITSP.10.171
Incident Response                     | 3 requirements   | Aligned via ITSP.10.171
Risk Assessment                       | 3 requirements   | Aligned via ITSP.10.171
System and Communications Protection  | 16 requirements  | Aligned via ITSP.10.171
System and Information Integrity      | 7 requirements   | Aligned via ITSP.10.171

The shared lineage creates significant control overlap. A consultant who understands both frameworks can design one security program with one set of controls, one set of policies, and one set of evidence collection processes that maps to both certification requirements.

 

Where the Frameworks Diverge

Despite the common lineage, the frameworks differ in several operationally significant ways.

KEY DIVERGENCE AREAS

Assessment Methodology

CMMC uses C3PAOs accredited by the Cyber AB. CPCSC uses Certification Bodies accredited by the Standards Council of Canada (SCC). The assessment procedures, scoring methodology, and evidence presentation differ between the two.

Technical Standard Version

CMMC 2.0 currently references NIST 800-171 Rev 2 but is transitioning to Rev 3. CPCSC's ITSP.10.171 already aligns with Rev 3. Companies building to ITSP.10.171 are ahead of the CMMC curve on this transition.

Scoping and Boundary Definition

CMMC scoping follows DoD CUI scoping guidance with defined asset categories. CPCSC follows CCCS guidance on Specified Information with different terminology and boundary definitions. A dual-jurisdiction program needs one system boundary that satisfies both.

Enforcement Timeline

CMMC Phase 1 (Level 1 self-assessment) is active. Phase 2 (Level 2 third-party assessment) takes effect around November 2026. CPCSC follows its own timeline set by PSPC.

POA&M Treatment

CMMC Level 2 allows limited POA&Ms with conditions. Level 1 does not allow them at all. CPCSC's approach to remediation plans differs from the CMMC model. Understanding the differences is essential for realistic certification timelines.

 

The Dual-Framework Approach

Canadian contractors who need both certifications have an advantage if they approach the problem correctly. Building one program that maps to both frameworks costs significantly less than building two separate programs.

The Three-Step Approach

  1. Assess against both simultaneously. A gap assessment evaluating the company against both CMMC and CPCSC identifies the total scope from the start.
  2. Build to the more demanding standard. Where the frameworks overlap, implement controls once at the higher bar. Where they diverge, address the additional requirements for each.
  3. Operate with dual mapping. Ongoing cadences serve both certifications when designed with dual mapping from the start.

This is the Assess/Build/Operate model applied to dual-framework compliance. The Assess phase identifies the combined gap. The Build phase implements a unified program. The Operate phase maintains the program and prepares for both certification assessments.

 

Timeline Pressure: November 2026

The CMMC Phase 2 deadline creates urgency for Canadian contractors who have not started preparing.

Phase    | Timeline      | Activities
---------|---------------|---------------------------------------------------------------------------------------------
Assess   | Months 1-2    | Gap assessment against CMMC Level 2 and CPCSC. Scope definition, asset categorization, boundary mapping.
Build    | Months 3-6    | Control implementation, policy development, technical configuration, GRC platform deployment.
Operate  | Months 7-9    | Run the program through at least one full quarterly cycle. Access reviews, vulnerability scans, training.
Certify  | Months 10-12  | Engage a C3PAO for CMMC and/or an SCC-accredited Certification Body for CPCSC.

This timeline assumes the company starts with baseline security practices in place. Companies starting from a minimal baseline need more time for the Build phase, and that time is not available if they wait until mid-2026 to begin.

 

What to Look for in a CMMC Consultant

Finding a consultant who can manage dual-framework compliance requires specific expertise:

  1. Do they work with both CMMC and CPCSC? Many U.S.-based CMMC consultants have no familiarity with CPCSC. Many Canadian cybersecurity consultants have not worked with CMMC's specific assessment requirements.
  2. Have they worked with cross-border defence supply chain companies? The dual-jurisdiction scenario has specific complications around data flows, scoping boundaries, and ITAR considerations.
  3. What GRC platforms do they support? The platform needs control mapping for both frameworks. Not all platforms have CMMC and CPCSC libraries built in.
  4. Can they coordinate with both C3PAOs and SCC-accredited Certification Bodies? The assessment relationships for each framework are different.
  5. What is their approach to dual mapping? The answer should describe a single-program approach with framework-specific evidence mapping, not two separate implementations.
 

The Revenue Gate

For Canadian defence contractors, CMMC compliance is not a cost center. It is a market access requirement. Companies without the appropriate certification will be ineligible for contract awards. The contracts do not wait.

The companies that move early have a competitive advantage: they are certified when the solicitations require it, while competitors are still working through gap assessments. In a market where contract cycles are long and switching costs are high, being ready six months before the competition translates directly to revenue.

CPCSC represents the same dynamic for Canadian domestic defence contracts. Companies that earn both certifications through a unified program are positioned for the full range of Canadian and U.S. defence supply chain opportunities. Companies that address only one framework limit their addressable market. A Canadian security consultant who understands both frameworks builds one program that covers both.

Dual-Framework Readiness Check

Assess where your security program stands against CPCSC and CMMC with an effective security program designed for both.

 

Frequently Asked Questions

Does a CPCSC certification satisfy CMMC requirements?

No. There is no mutual recognition agreement between the Canadian and U.S. programs. A CPCSC certification does not satisfy CMMC, and a CMMC certificate does not satisfy CPCSC. Companies operating in both defence supply chains must achieve both certifications separately, though they can build one security program that maps to both.

What is the CMMC Level 2 deadline for Canadian contractors?

CMMC Phase 2, which extends Level 2 third-party assessment requirements to contracts involving CUI, takes effect around November 2026. Canadian contractors selling into the U.S. DoD supply chain with CUI obligations need to be prepared by that date to maintain contract eligibility.

How much overlap exists between CMMC and CPCSC?

Significant overlap. Both programs derive from NIST SP 800-171. The control families, technical requirements, and security objectives align closely. A program built to satisfy CMMC Level 2's 110 requirements covers the majority of CPCSC requirements. The divergence is in assessment methodology, scoping guidance, and enforcement mechanisms.

Can one consultant handle both CMMC and CPCSC?

Yes, if the consultant has experience with both frameworks and their respective assessment ecosystems. The key is finding a consultant who can design a single security program with dual mapping, not one who would build two separate programs. Ask specifically about experience with cross-border defence supply chain companies.

What does CMMC Level 1 require?

CMMC Level 1 maps to 17 security practices derived from FAR 52.204-21. It applies to contracts involving Federal Contract Information (FCI) and requires annual self-assessment with an affirmation submitted to SPRS. There are no POA&Ms at Level 1, so all 17 practices must be fully implemented at the time of affirmation.

How long does it take to achieve both CMMC and CPCSC certification?

For a company with baseline security practices, approximately 10 to 12 months: two months for gap assessment, four months for implementation, three months for operational maturity, and two to three months for the certification assessments. Companies starting from a minimal security baseline should plan for 12 to 18 months.

Ready to Start Your Compliance Journey?

Get a clear, actionable roadmap with our readiness assessment.

About the Author

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
