CPCSC Certification
CPCSC certified for Canadian defence contracts.
The Canadian Program for Cyber Security Certification (CPCSC) is Canada’s official cyber security certification for defence suppliers, run by Public Services and Procurement Canada and National Defence. Level 1 became available April 1, 2026 and begins appearing in select defence contracts in summer 2026. RESTIV gets you assessment-ready against the ITSP.10.171 standard — and because CPCSC aligns with U.S. CMMC, we certify you once for both.
- Built on ITSP.10.171 (Canadian NIST SP 800-171A Rev. 3)
- Level 1 self-attestation required at contract award from summer 2026
- Aligns with U.S. CMMC — certify once for both
- Level 2 independent certification begins spring 2027
What CPCSC readiness takes.
Canada-specific certification, run as an operational programme — so you protect Specified Information and keep your access to federal defence procurement.
Level 1 self-assessment
Complete the annual self-assessment against the 13 ITSP.10.171 controls, with the documented evidence the Government of Canada expects suppliers to keep — required at contract award.
Level 2 & 3 readiness
Prepare for external assessment by an accredited certification body (Level 2) and National Defence assessment (Level 3), scaling the programme to 98 and 200 controls as your contracts require.
CMMC + CPCSC harmonization
Both programs share NIST-based controls. We map a single control programme to satisfy CMMC and CPCSC together, so cross-border suppliers certify once instead of twice.
Specified Information protection
Identify and safeguard federal Specified Information on your networks, systems, and applications — the sensitive, non-classified data CPCSC is designed to protect.
The three CPCSC certification levels.
A phased, risk-based program. We get you certified at the level your contracts demand — and ready for the next one before it is required.
Level 1
Annual self-assessment — 13 controls
A basic level of cyber hygiene confirmed by an annual self-assessment against the 13 ITSP.10.171 controls. Required at contract award, not during bidding. Available since April 1, 2026.
Level 2
External assessment — ~98 controls
An external cyber security assessment led by an accredited certification body every three years, plus an annual affirmation. Required for contracts handling more sensitive Specified Information.
Level 3
National Defence assessment — ~200 controls
A cyber security assessment conducted by National Defence every three years, plus an annual affirmation — the highest assurance level for the most sensitive defence work.
Who needs CPCSC.
Beginning in summer 2026, suppliers bidding on Canadian defence contracts — and other sensitive federal contracts — will need CPCSC certification based on risk level.
Defence Primes
Secure your Canadian supply chain
Primes on Government of Canada defence contracts need their suppliers certified. We bring your supplier base up to the required level on a predictable, risk-based timeline.
SME Suppliers
Certify cost-effectively
Most Canadian SMEs have no in-house compliance team. We run the self-assessment and the path to Level 2/3 so you keep access to federal procurement without the overhead.
Cross-Border Suppliers
One programme for Canada and the U.S.
Suppliers serving both Canadian and U.S. defence contracts can satisfy CPCSC and CMMC from a single NIST-based control programme — no duplicate certification effort.
The Canadian standard, by the numbers
13 / 98 / 200
Controls across CPCSC Levels 1–3
April 2026
Level 1 certification available
CAD 25M
Budget 2023 program investment over 3 years
Certify once for Canada and the U.S.
A CPCSC readiness call is a private working session with the RESTIV team — your Specified Information scope, the certification level your contracts require, and a single path that satisfies CPCSC and CMMC together.