February 16, 2026: Latest news on Canadian Defense cybersecurity certification - CPCSC
Reminder
On March 12, 2025, Canada implemented the Canadian Program for Cyber Security Certification (CPCSC) to strengthen the security of the national defense supply chain. This certification is inspired by the US CMMC and is based on the NIST 800-171 Rev3 and NIST 800-172 standards.
Mandatory for the Canadian Defense Supply Chain
All companies wishing to collaborate with the Department of National Defence (DND), whether Canadian or foreign, will be required to obtain CPCSC certification.
The requirement applies to the prime contractor and its subcontractors, following a requirements flow-down model similar to that of the CMMC.
Three levels of CPCSC certification
Like its American counterpart, CPCSC has three levels:
CPCSC Level 1 similar to CMMC Level 1
CPCSC Level 2 similar to CMMC Level 2
CPCSC Level 3 similar to CMMC Level 3
In Canada, the term is CI
Unlike CMMC, which uses the terms CUI (Controlled Unclassified Information) and FCI (Federal Contract Information), CPCSC adopts the concept of Controlled Information (CI). This includes:
Protected A
Protected B
Information from the Controlled Goods Program
Still no equivalence with the CMMC
There will be no equivalence between CMMC and CPCSC.
If you are a DoD (DoW) and DND supplier, plan on needing both CMMC and CPCSC certification.
Good news: Canada continues to offer hope for CMMC recognition
Canada is still considering recognizing CMMC certification unilaterally, but under certain conditions:
The flow of CUI/CI is the same.
The data resides in Canada.
Our opinion: if you are a DoD/DoW and DND supplier, you should pay close attention to this possibility, as it could allow you to reduce your compliance and certification costs.
Recommendation: if you are a DoD/DoW and DND supplier, forget about cloud solutions and create a CMMC/CPCSC enclave within your internal network. This is the only option for having the same CUI flow while complying with the requirement for data residency in Canada.
Why doesn't the cloud work?
If a cloud is used for CMMC, DoD/DoW requires that the cloud be FedRAMP (the cloud must be in the US).
For CPCSC, Canada requires that the cloud be in Canada.
CPCSC implementation timeline
Phase 1 of CPCSC began in March 2025 and ends in late March 2026.
Here are the highlights of Phase 1:
October 2025: Canada published its equivalent to NIST 800-171 Rev3, called ITSP.10.171
March 31, 2026, at the latest: Canada plans to publish documents to enable compliance with CPCSC Level 1 (compliance kit).
Phase 2 (April 2026 to March 2027): CPCSC Level 1 becomes mandatory
CPCSC Level 1 becomes mandatory in DND contracts starting in April 2026
Companies will be required to self-assess and provide a self-certification in their BuyingCanada profile
Self-assessment certification will be required for contract awards
Selection of cybersecurity companies to act as Assessors for CPCSC
Phase 3: April 2027 to March 2028
April 2027 marks the start of the requirement to hold CPCSC Level 2 certification
Canada is gradually preparing for the implementation of CPCSC Level 3 certification.
Your priority for 2026: obtain CPCSC Level 1 certification
For 2026, focus on obtaining your CPCSC Level 1 certification. Once you are compliant with CPCSC Level 1 requirements, conduct a self-assessment to confirm your compliance.
How can StreamScan help you?
StreamScan, an expert in defense cybersecurity, supports companies in their compliance with NIST 800-171, CMMC and CPCSC standards. As a CMMC Registered Provider Organization (RPO), we are authorized to guide organizations in their process.
We currently have a 100% success rate for CMMC certification.
