On March 12, 2025, the Government of Canada launched the first phase of its Canadian Program for Cyber Security Certification (CPCSC) for defense contractors. As anticipated in our previous coverage, the program is closely aligned with the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program.

CPCSC Overview

Like CMMC, the primary objective of the CPCSC is to safeguard sensitive unclassified information handled by defense contractors. The program will be rolled out in four phases, with the first phase underway as of March 2025. Also like CMMC, the CPCSC defines three certification levels and verifies compliance through a combination of self-assessments, third-party assessments, and government-conducted assessments, with the level required determined by the sensitivity of the information a contract involves.

Select federal defense contracts will begin to include mandatory certification requirements in spring 2025, with implementation phased in as follows:

Phase 1 (March 2025): Introduction of the new cyber security standard, opening of the accreditation ecosystem, and a pilot program in which select defense contracts require Level 1 self-assessment

Phase 2 (Fall 2025): Some defense contracts will require Level 1 certification through self-assessment, and Level 2 certification will be tested in certain contracts

Phase 3 (Spring 2026): Some defense contracts will require Level 2 certification, and Level 3 certification will officially begin once the additional Level 3 controls are published

Phase 4 (2027): Level 3 certification requirements will gradually be incorporated into select defense RFPs

Key Difference Between CPCSC and CMMC

While CPCSC and CMMC share many structural similarities, there is one notable difference: they currently evaluate contractors against different versions of the underlying security standard. CMMC assessments are based on the security requirements in NIST SP 800-171, Revision 2, while CPCSC will evaluate Canadian defense contractors against Canada's ITSP.10.171, a Canadian adaptation of NIST SP 800-171, Revision 3.

This distinction matters because Revision 3 of NIST SP 800-171 reorganized, consolidated, and in places reworded the requirements of Revision 2, so the two control sets do not map one-to-one. While the DoD has stated that CMMC will eventually adopt Revision 3, all current CMMC rulemaking and guidance materials are tailored to Revision 2. Until the two programs assess against the same baseline, reciprocity or mutual recognition between CMMC and CPCSC certifications is unlikely to be feasible in the short term.

What Does This Mean for US Defense Contractors?

International Competition & Reciprocity

Canada's implementation of a cybersecurity certification program that aligns with CMMC will mean more competition for DoD contracts from foreign defense suppliers. The Canadian Commercial Corporation (CCC), a government-owned enterprise established to help Canadian businesses contract with foreign governments, recognizes that Canadian defense contractors will need to meet US cybersecurity standards to remain part of the US Defense Industrial Base (DIB) supply chain.

Canada, and potentially the other members of the Five Eyes intelligence alliance (Australia, New Zealand, and the United Kingdom, along with the United States), expect to negotiate reciprocity agreements under which their cybersecurity certification programs are recognized as equivalent to the DoD's CMMC program. As Stacy Bostjanick, DoD's CMMC director, previously indicated, additional rulemaking to establish reciprocity with international partners will follow once the federal rulemaking for CMMC itself is finalized.

Confirmation of CMMC Implementation

Perhaps most important, this development confirms that DoD will implement CMMC. Katie Arrington, who is performing the duties of the DoD Chief Information Officer, has said:

“CMMC is not pausing… CMMC is going to stay in place; there’s no question about that.”

And as America's allies, particularly those with which it has close intelligence-sharing and cybersecurity relationships, continue aligning their own programs with CMMC, the program's future is further solidified.

CMMC Basics

CMMC is designed to increase defense contractors' accountability for, and verifiable compliance with, cybersecurity requirements that already exist in DoD regulations. CMMC has three levels, each reflecting a more demanding set of practices for protecting sensitive unclassified information.

Organizations that handle Controlled Unclassified Information (CUI) will need to achieve at least CMMC Level 2. Level 2 requires implementation of the 110 security requirements specified in NIST SP 800-171, and for most contracts involving CUI, independent verification of that implementation by a CMMC Third-Party Assessment Organization (C3PAO).

NIST SP 800-171 has been a contractual requirement for DoD contractors handling CUI since the end of 2017; any defense contractor that has not yet implemented its 110 requirements needs to start now. Experts estimate that, depending on their current security posture, organizations will need 6 to 18 months to be ready for a CMMC Level 2 assessment.

To learn more:

If you need help or have questions about CPCSC, CMMC, NIST SP 800-171, or any other compliance topic, please don't hesitate to reach out and schedule a free 15-minute consultation with our compliance team.

Or you may wish to learn more by reading PreVeil's white papers and blogs: