For more information, visit the Government of Canada website.
The Canadian Program for Cyber Security Certification (CPCSC) is a new federal initiative designed to help protect sensitive government information, especially in defence contracts. If your business works with the Government of Canada and handles confidential data (like project files, communications, or technical specs), CPCSC sets the cybersecurity standards you’ll need to follow.
It’s a multi-level certification program, administered by the Canadian Centre for Cyber Security, and assessed by independent Third-Party Assessment Organizations (3PAOs). Certification is not just a checklist. It’s a rigorous, evidence-based process that ensures organizations can protect Controlled Information (CI) across the defence supply chain.
Think of it as Canada’s version of the U.S. Department of Defense’s CMMC program. CPCSC requires companies to meet specific cybersecurity controls based on the NIST SP 800-171 standard. These controls cover everything from access management and incident response to system integrity and risk assessment.
Starting in Winter 2025, CPCSC will become mandatory for select federal contractors, especially those working with the Department of National Defence (DND).
CPCSC applies to any Canadian business that processes, stores, or transmits Controlled Information (CI) on behalf of the federal government. This includes:
If your company touches sensitive government data (even indirectly) you’ll need to demonstrate compliance with CPCSC to continue doing business with federal agencies.
For the Canadian Armed Forces, CPCSC is about mission assurance and interoperability with allies. For suppliers, it’s the gateway to defence contracts and a mark of trust in the supply chain.
It helps in avoiding common pitfalls. Under-scoping, over-scoping, and static scoping can derail compliance. Regular reviews and structured gap assessments are key to success.
At Valencia, we understand that navigating CPCSC can feel overwhelming, especially if cybersecurity isn’t your core business. That’s why we’ve built a tailored approach to help organizations not only meet CPCSC requirements but do so efficiently and confidently.
Our goal is to make CPCSC compliance achievable, whether you’re a small business just starting out or a larger organization scaling up your cyber capabilities.