What Happened
On April 14, 2026, Public Services and Procurement Canada (PSPC) announced the formal introduction of Level 1 of the Canadian Program for Cyber Security Certification (CPCSC). The program is modeled in part on the US Cybersecurity Maturity Model Certification (CMMC) and is designed to raise the security baseline of suppliers participating in federal defence contracts.
Level 1 is now accessible through the Canada Buys supplier portal. Suppliers must identify the implementation status of 13 security requirements and controls drawn from existing government frameworks, complete an annual self-assessment, and submit an attestation. Beginning in Summer 2026, Level 1 compliance will be a mandatory condition in select Department of National Defence and defence-related procurement contracts. PSPC administers the program, which is structured across three levels:
- Level 1 — Annual self-assessment, 13 security controls, supplier-attested
- Level 2 — Third-party assessment every three years, conducted by an accredited certification body
- Level 3 — Government-conducted assessment every three years by National Defence
Levels 2 and 3 will be phased in over subsequent years as the accreditation ecosystem matures.
Why This Matters for Canadian Organizations
The CPCSC represents a concrete regulatory shift in how the federal government evaluates supplier cybersecurity. Unlike voluntary frameworks or aspirational guidelines, CPCSC Level 1 creates a contractual prerequisite — suppliers who do not complete the self-assessment risk disqualification from relevant defence procurement opportunities. For Canadian small and medium-sized enterprises (SMEs) in the defence supply chain, this requires active action before Summer 2026, not passive awareness.
The 13 controls required at Level 1 are considered baseline security hygiene — but completing and submitting a formal attestation introduces accountability. Misrepresentation of compliance status in a federal contract context carries legal exposure. Organizations supplying to DND or related departments should treat the April 14 announcement as the start of a short compliance window, not a distant regulatory development.
Beyond the immediate procurement context, CPCSC signals where Canadian cyber policy is heading. The CMMC experience in the United States showed that certification requirements tend to expand — more contracts, more suppliers, higher levels over time. Canadian organizations across defence-adjacent industries, including aerospace, telecommunications, and logistics, should monitor how CPCSC evolves and whether it broadens beyond its initial DND scope.
What to Do
If your organization supplies to the Government of Canada on defence contracts, log in to the Canada Buys portal and review the CPCSC Level 1 self-assessment requirements now. Map your current security controls against the 13 required items and identify gaps. Assign ownership for remediation before Summer 2026 contract cycles begin. If you work with a prime contractor rather than directly with DND, contact that prime to confirm whether CPCSC requirements flow down through your subcontract. Canadian cybersecurity consultants and managed security providers familiar with CMMC-equivalent frameworks are well-positioned to assist with gap assessments. Do not wait for contract notices to begin — the attestation process and any necessary control implementation take time.
Source: Government of Canada / PSPC
