Compliance Framework

CPCSC Compliance

CPCSC is Canada defence supply-chain cyber certification program, built on ITSP.10.171 — Canada profile of NIST SP 800-171 — for vendors bidding on federal defence contracts.

Talk to us about CPCSC CPCSC Readiness

CPCSC for Canadian startups · CPCSC cost in CAD

Who needs CPCSC

Vendors and suppliers who want to bid on or stay eligible for Government of Canada defence contracts that require cyber certification.

Key CPCSC requirements

The core of what CPCSC asks you to put in place.

  • Scope the systems that handle protected or contract information
  • Implement the ITSP.10.171 security requirements (the Canadian NIST SP 800-171 profile)
  • A System Security Plan (SSP) documenting your controls
  • A Level 1 self-assessment; higher levels are third-party assessed
  • A Plan of Action and Milestones (POA&M) for remaining gaps
  • Evidence and attestation appropriate to your certification level

Typical timeline

A Level 1 self-assessment is achievable in a few months once gaps are remediated. Third-party-assessed higher levels take longer and depend on assessor scheduling.

How we help with CPCSC

We scope your environment, determine the required certification level, run the ITSP.10.171 gap assessment, author your SSP and POA&M, and get you to a Level 1 self-assessment you can attest to — with groundwork laid for higher, third-party-assessed levels.

See CPCSC Readiness, or compare estimated CPCSC cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.

Start the CPCSC Level 1 readiness →

CPCSC questions

What is CPCSC?

The Canadian Program for Cyber Security Certification, Canada defence supply-chain cyber certification, built on ITSP.10.171, which is Canada profile of NIST SP 800-171.

Who needs CPCSC?

Vendors that want to bid on or remain eligible for Government of Canada defence contracts requiring cyber certification.

How does CPCSC relate to CMMC?

Both build on NIST SP 800-171. CPCSC is Canada program and CMMC is the US DoD program, so work done for one substantially maps to the other.

What is involved in a Level 1 assessment?

Scoping, implementing the ITSP.10.171 requirements, writing a System Security Plan, and attesting to a self-assessment. Higher levels add third-party assessment.

What is ITSP.10.171?

The Canadian Centre for Cyber Security profile of NIST SP 800-171, the control set underpinning CPCSC.

Move on CPCSC with a team that has done it

Book a free discovery call. We will tell you whether CPCSC fits, what it would take, and roughly what it would cost.

Book a call Contact us