Certification · Defence · Canada

Get CPCSC-ready with FortaRisks

The Canadian Program for Cyber Security Certification is becoming mandatory for defence suppliers. Assess your gaps, reach the required level and keep your attestation valid, without burning out your teams.

  • 13 requirements in the Level 1 self-assessment

  • 2026: mandatory for defence contracts

  • ITSP.10.171: the underlying standard (≈ NIST SP 800-171 r3)

The program

What is the CPCSC?

The Canadian Program for Cyber Security Certification (CPCSC, in French PCCC) is the federal framework that requires defence suppliers to demonstrate a level of cyber security to protect unclassified contractual information. It is based on the Canadian Centre for Cyber Security's ITSP.10.171 standard, Canada's equivalent of NIST SP 800-171 revision 3: 97 controls across 17 families.

In practice, the required level now appears in defence solicitations. Without the matching attestation, an organization loses its eligibility. Because the program is brand new, suppliers that prepare now gain a clear head start on their competitors.

Three levels, one starting point

The required level depends on the sensitivity of the information you handle. Most suppliers start at Level 1.

  • Level 1

    Annual self-assessment

    13 requirements drawn from 6 ITSP.10.171 families, self-attested, with no third-party assessor. The baseline expected of most suppliers, launched in April 2026.

  • Level 2

    External assessment

    The full set of ITSP.10.171 controls, verified every three years by an accredited certification body, with an annual affirmation.

  • Level 3

    Government assessment

    The highest requirements, with an assessment led by the Government of Canada, for the most sensitive information.

The 2026 timeline

  1. April 2026

    Level 1 launch

    The Government of Canada publishes the Level 1 criteria and opens self-attestation.

  2. Summer 2026

    First contract requirements

    Level 1 becomes an eligibility condition for applicable defence solicitations.

  3. 2026 to 2027

    Ramp-up

    The program extends to more contracts and prepares the rollout of Levels 2 and 3.

  4. Every year

    Re-attestation

    Attestation renews annually: controls must stay in place and documented.

Our support

How FortaRisks takes you to attestation

The FortaRisks platform structures your preparation, and our experts support you through attestation and keeping it valid over time.

  • Guided gap analysis

    We map your posture to the 13 Level 1 requirements, and to the full ITSP.10.171 set for Level 2, then prioritize gaps by effort and impact.

  • Continuous evidence and monitoring

    The platform centralizes evidence for each control and watches for drift, so your attestation stays accurate all year, not just on signing day.

  • Scope and documentation

    We help you build the scoping rationale, network diagram and asset inventory expected at self-attestation.

  • Expert support

    Our specialists guide you from remediation to attestation, and prepare the path to Level 2 when your contracts require it.

Where do you really stand?

Answer 13 questions and get your Level 1 readiness score, with your priorities. Free, no sign-up, everything stays in your browser.

CPCSC or CMMC: what is the difference?

The CPCSC is Canada's equivalent of the U.S. CMMC program. Both protect defence information, but they fall under distinct jurisdictions and standards.

| | CPCSC (Canada) | CMMC (United States) |
| --- | --- | --- |
| Jurisdiction | Canadian federal defence contracts | U.S. Department of Defense (DoD) contracts |
| Technical standard | ITSP.10.171 (≈ NIST SP 800-171 r3) | NIST SP 800-171 and 800-172 |
| Levels | 3 levels, from self-assessment to government assessment | 3 levels, from self-assessment to a third-party assessor (C3PAO) |
| Entry level | Annual self-attestation on 13 requirements | Annual self-assessment on 15 requirements |

See your real risk in a 30-minute demo.

A member of our team walks you through FortaRisks on threats relevant to your sector. No chatbot.

Frequently asked questions

Does the CPCSC apply to me?

If your organization sells, directly or as a subcontractor, to Canadian defence and handles federal contractual information, yes. The required level is stated in the solicitation; Level 1 is the baseline for most suppliers.

How long does Level 1 readiness take?

For an SMB with sound security hygiene, a few weeks to a few months depending on gaps. The free check gives you a first estimate, and our gap analysis firms up the plan.

Do I need a third-party assessor?

Not at Level 1: it is a self-assessment attested annually. Level 2 requires an accredited certification body, and Level 3, the Government of Canada.

Are we in scope if we are only subcontractors?

Often yes. The requirement flows down the supply chain: a certified prime will ask subcontractors that handle in-scope information to meet the required level.

How does FortaRisks actually help?

We assess your gaps against ITSP.10.171, centralize evidence, watch for drift and support you to attestation, then to its annual upkeep and the move to Level 2.