CPCSC

CPCSC Compliance for Canadian Defence Contractors

Effective security programs for defence supply chain companies facing mandatory certification. Compliance with ITSP 10.171 is the byproduct.

Defence Contracts Now Require CPCSC Certification

CPCSC Phase 3 arrives Spring 2026 with mandatory Level 2 third-party certification for applicable defence RFPs. If your company bids on Canadian defence contracts, compliance is no longer optional.

Whether your environment runs in the cloud, on-premise, or across hybrid infrastructure, CPCSC readiness requires controls mapped to ITSP 10.171 and evidence that covers your entire environment.

That's exactly where we operate.

  • The Defence Compliance Gap

  • CPCSC requires controls mapped to ITSP 10.171 across your entire environment: cloud, on-premise, hybrid, and secure enclaves. Generic compliance checklists don't cover the specifics.

icon-8

Dual-Jurisdiction Requirements

Canadian contractors bidding on both DND and US DoD contracts face simultaneous CPCSC (ITSP 10.171) and CMMC (NIST SP 800-171) obligations. Two frameworks, overlapping controls, different certification bodies. Most advisors handle one or the other.

icon-7

Any Infrastructure, Full Coverage

Defence supply chain companies run workloads across cloud, on-premise, hybrid, and secure enclaves. CPCSC compliance requires evidence collection that covers all of it. We design programs that work across your entire environment, not just the parts that cloud tools can automate.

icon-9

Mandatory Deadlines Are Fixed

CPCSC Phase 2 (Level 1 self-assessment) is already in effect. Phase 3 (Level 2 third-party certification) arrives Spring 2026. Missing the deadline means losing eligibility for applicable defence RFPs.

Our Three-Phase Methodology for CPCSC Readiness

Effective security first. CPCSC certification follows. Designed for any infrastructure type.

01

Assess

Gap analysis against ITSP 10.171 controls across your full environment: cloud workloads, on-premise systems, and secure enclaves. Evidence source inventory, scoping recommendation, and certification level determination.

02

Build

Control implementation for identified gaps. Two key deliverables: a Security Program Manual with CPCSC-specific policies covering sensitive information handling, access controls, and incident response, and a Security Posture Report giving leadership clear visibility into certification readiness.

03

Operate (Ongoing)

Continuous compliance monitoring and evidence collection. Pre-audit readiness reviews. Auditor coordination for Level 2 third-party certification. Security Posture Report updated quarterly.

01 Assess

Goal: Establish the scope and find the gaps in your current security posture.

  • SOC 2 Gap Assessment

  • System & Data Scoping

  • System Description Development

  • Prioritized Remediation Roadmap

  • Technical Remediation Playbooks

MILESTONES

  • Gap Assessment Report

  • SOC 2 System Description

02 Build

Goal: Implement controls and automate processes for audit readiness.

  • GRC Platform Setup & Integration

  • Policy Customization 20+

  • Tailoring of Controls 100+

  • Customized Mapping of Tests to Controls

  • Fix Automated Evidence Collection Issues

  • Manual Evidence Collection

  • Company Risk Assessments

  • Vendor Risk Assessments

  • Security Awareness Training

  • Access Reviews

  • Penetration Testing

  • Internal Audit

  • Full External Audit Management

MILESTONES

  • Customized Policies 20+

  • Internal Audit Report

  • Penetration Test Report

  • SOC 2 Type I Attestation

03 Operate

Goal: Maintain and improve your compliance posture year-round.

  • Weekly Cadence Calls 

  • Active Compliance Program Management

  • Access to Security & Compliance SME

  • Security Architecture Advisory

  • Continuous Control Monitoring

  • Continuous Evidence Collection

  • Ongoing Company Risk Assessments

  • Ongoing Vendor Risk Assessments

  • Security Awareness & Training

  • Quarterly Access Reviews

  • Annual Policy Updates & Acknowledgement

  • Annual Internal Audit

  • Annual Penetration Testing

  • Annual External Audit Management

MILESTONES

  • Updated Policies 20+

  • Penetration Test Report

  • Internal Audit Report

  • SOC 2 Type II Attestation

Warning: Most Compliance Advisors Don't Understand Defence Requirements.

Generic advisors apply standard compliance templates without accounting for CPCSC-specific controls, CUI handling requirements, or the infrastructure diversity typical in defence supply chains.

The Checkbox Consultant

  • Applies SOC 2 or ISO 27001 templates to defence requirements without CPCSC-specific adaptation.

  • No experience with CUI handling, secure enclaves, or classified information controls.

  • Cannot address dual-jurisdiction CPCSC + CMMC requirements from a single engagement.

  • Generic policies that don't account for the full range of infrastructure in defence environments.

The Truvo Partnership

  • Led by CISSP and GIAC-credentialed engineers with direct experience securing Canada's critical infrastructure, including payment systems under OSFI oversight.

  • Builds and implement an effective security program mapped to ITSP 10.171 controls, designed for your specific infrastructure and operational context.

  • Evidence collection designed for your full environment: cloud, on-premise, hybrid, and secure enclaves.

  • Security Program Manual and Security Posture Report tailored to CPCSC certification requirements and auditor expectations.

Why Our Effective Security Approach Works for Defence

A certification that doesn't reflect your actual security posture fails the first time a prime contractor or DND auditor looks closely.

Preserve Contract Eligibility

CPCSC Level 2 certification will be required for applicable defence RFPs starting Spring 2026. Getting certified before the deadline means you're bidding while competitors are still scrambling.

Cover Both Jurisdictions

Bidding on both Canadian DND and US DoD contracts? CPCSC and CMMC share significant control overlap (both draw from NIST frameworks). We design your security program to satisfy both from a single effort.

Cover Every Environment

Cloud workloads, on-premise systems, secure enclaves, hybrid deployments. We design evidence collection across your entire infrastructure so nothing falls through the gaps during certification.

The All-in-One Solution for CPCSC Readiness

Fixed-price package: Assess + Build + Operate. Security Program Manual, Security Posture Report, and continuous compliance management through Level 2 certification and beyond.

Get a Quote for CPCSC Readiness

  • Everything in Build

  • Everything in Operate

  • GRC Platform License

  • Annual Penetration Test

  • External Audit

  • Internal Audit

Trusted by Canada's Critical Infrastructure

They don’t just provide recommendations; they ensure we meet our stringent ISO 27001 and SWIFT compliance goals. We trust them with projects of national importance, and they deliver.

Matt Charette

CISO at Payments Canada

CPCSC Compliance: Frequently Asked Questions

The Canadian Program for Cyber Security Certification (CPCSC) is Canada's cybersecurity certification standard for defence supply chain companies. It launched in March 2025 based on ITSP 10.171, the Canadian Centre for Cyber Security's cybersecurity standard. Phase 2 (Level 1 self-assessment) is already in effect for applicable contracts. Phase 3, which introduces mandatory Level 2 third-party certification for applicable defence RFPs, arrives Spring 2026.

CPCSC is Canada's defence cybersecurity certification program, based on ITSP 10.171. CMMC is the US equivalent, based on NIST SP 800-171. Both protect sensitive information in the defence supply chain, and both use a tiered certification model. The control frameworks overlap significantly since ITSP 10.171 draws from NIST standards. Canadian companies bidding on US DoD contracts need CMMC in addition to CPCSC, which is why a dual-jurisdiction approach that addresses both frameworks simultaneously is more efficient than handling them separately.

Yes. CPCSC and CMMC are separate certification programs administered by different countries. CMMC certification does not satisfy CPCSC requirements, and vice versa. However, since both frameworks draw from NIST standards, much of the underlying security work transfers. A company with CMMC Level 2 will find that many CPCSC Level 2 controls are already satisfied. The additional effort is in mapping to ITSP 10.171 specifically and working with CPCSC-accredited assessors.

CPCSC has three levels. Level 1 requires an annual self-assessment and applies to contracts involving basic federal contracting information. Level 2 requires third-party certification by an accredited assessor and applies to contracts involving more sensitive information. Level 3 involves a Department of National Defence audit for the most sensitive contracts. Most defence supply chain companies will need Level 2 certification when Phase 3 takes effect in Spring 2026. The specific level required will be stated in individual RFPs.

Typically 4-6 months from assessment to certification readiness, depending on your current security posture and the gaps identified. The Assess phase takes 2-4 weeks, the Build phase 6-12 weeks depending on gap size and infrastructure complexity, and audit preparation 2-4 weeks. Companies that already have mature security programs or existing CMMC compliance will move faster. Given the Spring 2026 Phase 3 deadline, starting now provides comfortable margin for Level 2 certification.

Ready to Build and implement an Effective Security Program?

Talk to our team about CPCSC readiness for your defence supply chain organization.

Group 39868
Book a Strategy Call

From the Blog: CPCSC and Defence Compliance

Readiness guides for Canadian defence contractors navigating CPCSC and CMMC requirements.

CPCSC Compliance Consulting: What a Consultant Actually Does for Defence Contractors

CPCSC Level 1 attestation becomes a procurement requirement for Department of National Defence contracts in April 2026. Companies that can't attest ...

Learn More
A professional illustration of a cybersecurity dashboard featuring a laptop, risk register, and compliance audit charts. People in an office manage data labeled

Risk Assessment and Security Planning for ITSP.10.171

The majority of ITSP.10.171 control families deal with operational security: how you configure systems, manage access, protect data. The Risk ...

Learn More
An infographic titled

From SOC 2 to CPCSC: Extending Your Security Program for Defence Contracts

The question comes up consistently when companies with established security programs look at entering the Canadian defence supply chain: Do we need ...

Learn More