Get CPCSC-ready with FortaRisks
The Canadian Program for Cyber Security Certification is becoming mandatory for defence suppliers. Assess your gaps, reach the required level and keep your attestation valid, without burning out your teams.
13 requirements in the Level 1 self-assessment
2026: mandatory for defence contracts
ITSP.10.171: the underlying standard (≈ NIST SP 800-171 r3)
What is the CPCSC?
The Canadian Program for Cyber Security Certification (CPCSC, in French PCCC) is the federal framework that requires defence suppliers to demonstrate a level of cyber security to protect unclassified contractual information. It is based on the Canadian Centre for Cyber Security's ITSP.10.171 standard, Canada's equivalent of NIST SP 800-171 revision 3: 97 controls across 17 families.
In practice, the required level now appears in defence solicitations. Without the matching attestation, an organization loses its eligibility. Because the program is brand new, suppliers that prepare now gain a clear head start on their competitors.
Three levels, one starting point
The required level depends on the sensitivity of the information you handle. Most suppliers start at Level 1.
- Level 1: Annual self-assessment. 13 requirements drawn from 6 ITSP.10.171 families, self-attested, with no third-party assessor. The baseline expected of most suppliers, launched in April 2026.
- Level 2: External assessment. The full set of ITSP.10.171 controls, verified every three years by an accredited certification body, with an annual affirmation.
- Level 3: Government assessment. The highest requirements, with an assessment led by the Government of Canada, for the most sensitive information.
The 2026 timeline
April 2026
Level 1 launch
The Government of Canada publishes the Level 1 criteria and opens self-attestation.
Summer 2026
First contract requirements
Level 1 becomes an eligibility condition for applicable defence solicitations.
2026 to 2027
Ramp-up
The program extends to more contracts and prepares the rollout of Levels 2 and 3.
Every year
Re-attestation
Attestation renews annually: controls must stay in place and documented.
How FortaRisks takes you to attestation
The FortaRisks platform structures your preparation, and our experts support you through attestation and keeping it valid over time.
Guided gap analysis
We map your posture to the 13 Level 1 requirements, and to the full ITSP.10.171 set for Level 2, then prioritize gaps by effort and impact.
Continuous evidence and monitoring
The platform centralizes evidence for each control and watches for drift, so your attestation stays accurate all year, not just on signing day.
Scope and documentation
We help you build the scoping rationale, network diagram and asset inventory expected at self-attestation.
Expert support
Our specialists guide you from remediation to attestation, and prepare the path to Level 2 when your contracts require it.
Where do you really stand?
Answer 13 questions and get your Level 1 readiness score, with your priorities. Free, no sign-up, everything stays in your browser.
CPCSC or CMMC: what is the difference?
The CPCSC is Canada's equivalent of the U.S. CMMC program. Both protect defence information, but they fall under distinct jurisdictions and standards.
| | CPCSC (Canada) | CMMC (United States) |
|---|---|---|
| Jurisdiction | Canadian federal defence contracts | U.S. Department of Defense (DoD) contracts |
| Technical standard | ITSP.10.171 (≈ NIST SP 800-171 r3) | NIST SP 800-171 and 800-172 |
| Levels | 3 levels, from self-assessment to government assessment | 3 levels, from self-assessment to a third-party assessor (C3PAO) |
| Entry level | Annual self-attestation on 13 requirements | Annual self-assessment on 15 requirements |
Take action
CPCSC Level 1 readiness check
Answer the 13 Level 1 questions and get your readiness score, with priorities by family. No sign-up.
Take the check
Guide: CPCSC Level 1 certification for defence suppliers
The Level 1 guide for defence suppliers: the 13 requirements, what to prepare, and where to start.
Read the article
See your real risk in a 30-minute demo.
A member of our team walks you through FortaRisks on threats relevant to your sector. No chatbot.
Frequently asked questions
Does the CPCSC apply to me?
If your organization sells, directly or as a subcontractor, to Canadian defence and handles federal contractual information, yes. The required level is stated in the solicitation; Level 1 is the baseline for most suppliers.
How long does Level 1 readiness take?
For an SMB with sound security hygiene, a few weeks to a few months depending on gaps. The free check gives you a first estimate, and our gap analysis firms up the plan.
Do I need a third-party assessor?
Not at Level 1: it is a self-assessment attested annually. Level 2 requires an accredited certification body, and Level 3, the Government of Canada.
Are we in scope if we are only subcontractors?
Often yes. The requirement flows down the supply chain: a certified prime will ask subcontractors that handle in-scope information to meet the required level.
How does FortaRisks actually help?
We assess your gaps against ITSP.10.171, centralize evidence, watch for drift and support you to attestation, then to its annual upkeep and the move to Level 2.