If you have followed U.S. defence procurement, the Canadian Program for Cyber Security Certification (CPCSC) will feel familiar. It is deliberately modelled on the U.S. Cybersecurity Maturity Model Certification (CMMC). But familiar is not identical, and assuming the two are interchangeable is how Canadian suppliers waste money. Here is what carries over and what does not.
What they share
Both programs exist for the same reason: governments want their defence supply chains to protect sensitive but unclassified information, and self-policing did not work. Both are tied to the right to bid. No certification, no contract. Both use a tiered model where the level required scales with the sensitivity of the information. And both trace their controls back to the same root: NIST SP 800-171.
Because of that shared root, the underlying security practices overlap heavily. Access control, multi-factor authentication, media sanitization, boundary protection, and flaw remediation appear in both. If you have done CMMC work, most of the actual engineering transfers.
Where they differ
The standard. CMMC points at NIST SP 800-171 directly. CPCSC points at ITSP.10.171, the Canadian Centre for Cyber Security's own profile of 800-171. The control intent is nearly the same, but the document you cite in your evidence and the language your assessor uses are Canadian.
The governance. CMMC is administered through the U.S. Department of Defense and its accreditation body. CPCSC is run by Public Services and Procurement Canada, with certification bodies accredited by the Standards Council of Canada and the highest level assessed by National Defence. Different regulators, different accreditation chains.
The levels. CMMC has three levels. So does CPCSC, but the breakdown is its own: Level 1 is a 13-requirement self-assessment, Level 2 is an external assessment by an accredited certification body at roughly 98 requirements, and Level 3 is a National Defence-led assessment at roughly 200 requirements.
The attestation platform. CMMC reporting flows through U.S. systems like SPRS. CPCSC Level 1 is attested through the Canada Buys procurement platform. Practically, this matters: your team needs to be set up in the Canadian system, not the American one.
Can one certification cover both?
Not automatically. A CMMC certification does not grant you CPCSC certification or vice versa. They are separate programs with separate attestations. However, because the control sets overlap so much, the evidence you build for one dramatically shortens the work for the other. A supplier that has done CMMC Level 2 is in a strong position to reach CPCSC Level 2, and most of the gap is mapping and re-documentation rather than new controls.
What this means if you sell to both governments
Build your control program once, to the stricter of the two standards that apply to you, and maintain a single evidence library. Then map that library to each program's requirements and complete each attestation in its own platform. Suppliers who treat CPCSC and CMMC as two entirely separate projects pay twice. Suppliers who treat them as one control program with two attestations pay once and a bit.
The Canadian side is the newer of the two and is rolling out in phases through 2026, so the window to get ahead of it is open now. We help Canadian suppliers get CPCSC-ready, and we reuse existing CMMC or SOC 2 evidence wherever it maps.