What Canadian Defence Suppliers Need to Do Next
Nitin Bedi, ISA Cybersecurity’s VP, Services, revisits the Canadian Program for Cyber Security Certification (CPCSC) as Phase 2 of the rollout takes effect, and outlines the practical steps organizations should be taking right now.
Amid all the attention on Mythos Preview and Project Glasswing in early April, another important security development was pushed off the front page. On April 14, the Canadian Program for Cyber Security Certification (CPCSC) Level 1 formally entered the federal procurement process. “Over the past year, the program has been in a ‘soft launch’ phase – establishing the framework, enabling voluntary self-assessments, and helping suppliers prepare for future requirements,” says ISA Cybersecurity’s Nitin Bedi, who has over 30 years of experience spanning cybersecurity, IT audit, risk management, and compliance across a wide range of industry sectors. “As of April 2026, new National Defence contracts are being assessed to determine the applicable certification level, with mandatory Level 1 requirements expected to begin this summer. Organizations that handle sensitive (but unclassified) government information that haven’t started preparing need to get moving.”

What the Program Covers
Managed by Public Services and Procurement Canada, CPCSC establishes mandatory cybersecurity certification requirements for defence suppliers across three levels:
- Level 1 – Annual self-assessment of 13 controls against ITSP.10.171, required at contract award
- Level 2 – 98 controls, with triannual external assessments by an accredited certification body
- Level 3 – 200 controls, with triannual assessments conducted directly by the Government of Canada, plus annual affirmations
Levels 2 and 3 are being phased in through 2028.
A Familiar Framework – With Important Distinctions
“The standard will be familiar to anyone who has worked through CMMC compliance in the U.S.,” notes Bedi. “Both programs are built on the NIST SP 800-171. But it’s crucial to remember that the CPCSC is built on Revision 3 of the standard, while CMMC 2.0 is explicitly locked to Revision 2. It’s important to understand the distinctions in documentation and reporting that result.” As an example, Revision 3 introduces ‘Organization-Defined Parameters’ that require companies to make and document specific configuration choices, and to demonstrate operating effectiveness, at a level of detail for identity and access management (IAM), continuous monitoring and supplier management that the previous version didn’t require. “If you built your compliance program around CMMC, you can’t simply repurpose that documentation for CPCSC. The work overlaps significantly, but it isn’t just transferable as is due to the requirements around demonstrating operating effectiveness and continuous monitoring,” Bedi cautions.
“Organizations with existing CMMC certifications may have that status considered under CPCSC on a case-by-case basis. Our compliance team at ISA Cybersecurity can help you navigate this process.”
What’s Required Right Now
As of spring 2026, new requests for proposals (RFPs) in support of national defence are being screened through a Contract Cyber Security Risk Assessment, which determines what level of certification a supplier must hold. Level 1 self-attestation is completed through a supplier’s CanadaBuys profile and is required at contract award, not during the bidding process.
“The timing matters,” says Bedi. “If you’re bidding on National Defence work and you haven’t assessed where you stand against the Level 1 controls, you need to do that now. No matter what your RFP response includes, without passing the risk assessment, you won’t be able to proceed at contract award.”
Avoiding Supply Chain Pitfalls
“One thing that often catches organizations off guard is the supply chain dimension,” says Bedi. “CPCSC requirements don’t stop at the prime contractor – they flow down to subcontractors at every tier, and responsibility for ensuring suppliers meet the required certification level sits with the prime. We’ve seen organizations invest significant effort in their own compliance posture, only to discover that a key subcontractor isn’t ready – and that becomes their problem, not just the subcontractor’s. Your compliance program needs to account for your entire supply chain, not just your own environment.”
Organizations using cloud infrastructure should also verify their data residency configurations. Bedi observes: “This isn’t a CPCSC requirement specifically, but Canadian government policy requires Protected B information handled under defence contracts to be stored in Canada. That’s a requirement that trips up some organizations who assume that U.S.-based cloud platforms cover them by default.”

Getting Started
As Bedi explained when the CPCSC was first announced, compliance carries a strategic benefit alongside the obligation. “We said in 2024 that this could open doors for organizations not currently providing services to the defence sector. That’s still true. A certified cybersecurity posture makes a company a more credible partner – not just for federal procurement, but for any relationship where the security of sensitive information matters.”
His advice on where to begin is straightforward: a readiness or gap assessment is the logical first step. “The most common mistake is tackling controls in isolation, before understanding the full picture and the intent behind each requirement,” says Bedi. “A structured assessment gives you visibility into what’s in scope, what needs work, and what order to do things in. It makes the whole effort more manageable and helps you avoid investing resources in the wrong places.”
ISA Cybersecurity’s compliance management and governance services are designed to support organizations at any stage of their CPCSC compliance journey, whether starting from scratch or building on an existing security program ahead of a contract requirement. For more information on the CPCSC program, visit the “Cyber security certification for defence suppliers in Canada” landing page or contact our experts directly for assistance.