Cyber security certification for defence suppliers in Canada (CPCSC)

Beginning in winter 2025, suppliers seeking to bid or work on select Government of Canada defence contracts must become certified under the Canadian Program for Cyber Security Certification (CPCSC). The CPCSC will complement our efforts to strengthen cyber security. It will do this by better securing the federal contracting process.

Canadian Program for Cyber Security Certification Request for Information

Public Services and Procurement Canada (PSPC) would like to thank industry experts for their insights and comments through their participation in PSPC’s Request for Information (RFI). Your valued feedback will significantly influence the development and implementation of the program, bolstering our national industrial cyber security.

The RFI has now closed.

Overview of program

Once in place, the CPCSC will:

• protect federal contractual information held below the classified level on contractors’ systems, networks and applications

• maintain Canadian industry’s access to international procurement opportunities with similar cyber security certification requirements

• boost the basic level of cyber security for Canada’s defence industry

• ensure that the supplier system stays strong and reliable for Canadian Armed Forces capabilities and readiness

• increase Canadian industrial participation in the cyber security certification program

Key features of the CPCSC will include the following:

Cyber security controls

These will outline requirements for federal contracting based on a new Canadian cyber security standard. The standard will be adapted closely from the United States Department of Commerce’s National Institute of Standards and Technology Special Publications 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information

Risk assessments

The comprehensive process will identify defence contracts with mandatory requirements and will determine the level of certification needed

Contractual clauses

These are mandatory sections or provisions included within defence procurement documents, including request for proposals (RFPs), will implement the CPCSC requirements

Accredited third-party assessors

Third-party assessors will:

• be accredited by the Standards Council of Canada, as the sole accreditation body for the CPCSC

• assess and certify level 2 (moderate) cyber security certification requirements for suppliers

Certification levels

The program’s mandatory cyber security certification requirements will be made up of 3 levels:

• level 1: requiring an annual cyber security self-assessment

• level 2: requiring external cyber security assessments, led by an accredited certification body

• level 3: requiring cyber security assessments conducted by the Department of National Defence

Benefits to Canada

The CPCSC will help safeguard the Government of Canada’s unclassified contractual information. It will also increase the cyber security capabilities of Canada’s defence supply chain. The change in requirements will ensure alignment with the National Cyber Security Action Plan and the National Cyber Security Strategy.

Benefits for suppliers

A single successful malicious cyber incident has the potential to cause widespread impacts.

The CPCSC will help strengthen the cyber security resilience of the industry. This will help suppliers better identify, assess and manage potential risks to Canada’s supply chain.

Timing of upcoming requirements

Starting in winter 2025, mandatory cyber security requirements from the CPCSC will be part of certain defence-related RFPs.

Changes to the certification requirements will be introduced in phases. This will give suppliers and the broader cyber security community time to adapt to the changes. In the interim, we encourage defence suppliers to proactively assess and evaluate their current cyber security readiness.