Cyber security certification for defence suppliers in Canada
Explore upcoming cyber security requirements for suppliers that bid or work on Government of Canada defence contracts. The requirements help to protect networks, systems and applications from malicious cyber activity.
On this page
- About upcoming changes
- Overview of program
- Certification levels
- Benefits for Canada
- Benefits for suppliers
- Timing of upcoming requirements
- Contact us
- Resources for suppliers
- Related links
About upcoming changes
Beginning in winter 2025, suppliers seeking to bid or work on select Government of Canada defence contracts must become certified under the Canadian Program for Cyber Security Certification (CPCSC). The CPCSC will complement our efforts to strengthen cyber security. It will do this by better securing the federal contracting process.
Canadian Program for Cyber Security Certification Request for Information
Public Services and Procurement Canada (PSPC) would like to thank industry experts for their insights and comments through their participation in PSPC’s Request for Information (RFI). Your valued feedback will significantly influence the development and implementation of the program, bolstering our national industrial cyber security.
The RFI has now closed. A report highlighting the key findings will be available later this summer.
Overview of program
Once in place, the CPCSC will:
- protect federal contractual information held below the classified level on contractors’ systems, networks and applications
- maintain Canadian industry’s access to international procurement opportunities with similar cyber security certification requirements
- boost the basic level of cyber security for Canada’s defence industry
- ensure that the supplier system stays strong and reliable for Canadian Armed Forces capabilities and readiness
- increase Canadian industrial participation in the cyber security certification program
Key features of the CPCSC will include the following:
Cyber security controls
These will outline requirements for federal contracting based on a new Canadian cyber security standard. The standard will be adapted closely from the United States Department of Commerce’s National Institute of Standards and Technology Special Publications 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information
Risk assessments
The comprehensive process will identify defence contracts with mandatory requirements and will determine the level of certification needed
Contractual clauses
These are mandatory sections or provisions included within defence procurement documents, including request for proposals (RFPs), will implement the CPCSC requirements
Accredited third-party assessors
Third-party assessors will:
- be accredited by the Standards Council of Canada, as the sole accreditation body for the CPCSC
- assess and certify level 2 (moderate) cyber security certification requirements for suppliers
Certification levels
The program’s mandatory cyber security certification requirements will be made up of 3 levels:
- level 1: requiring an annual cyber security self-assessment
- level 2: requiring external cyber security assessments, led by an accredited certification body
- level 3: requiring cyber security assessments conducted by the Department of National Defence
Benefits to Canada
The CPCSC will help safeguard the Government of Canada’s unclassified contractual information. It will also increase the cyber security capabilities of Canada’s defence supply chain. The change in requirements will ensure alignment with the National Cyber Security Action Plan and the National Cyber Security Strategy.
Benefits for suppliers
A single successful malicious cyber incident has the potential to cause widespread impacts.
The CPCSC will help strengthen the cyber security resilience of the industry. This will help suppliers better identify, assess and manage potential risks to Canada’s supply chain.
Timing of upcoming requirements
Starting in winter 2025, mandatory cyber security requirements from the CPCSC will be part of certain defence-related RFPs.
Changes to the certification requirements will be introduced in phases. This will give suppliers and the broader cyber security community time to adapt to the changes. In the interim, we encourage defence suppliers to proactively assess and evaluate their current cyber security readiness.
Contact us
Email the Government of Canada’s cyber security program at tpsgc.pacertcybersecur-apcybersecurcert.pwgsc@tpsgc-pwgsc.gc.ca
Resources for suppliers
Explore resources available to small and medium-sized suppliers:
- Canada Digital Adoption Program: offers grants and expertise to transform your business, including the Boost Your Business Technology Grant, which supports eligible suppliers looking to upgrade cyber security tools and systems
- Procurement Assistance Canada: provides procurement support for businesses
- Information for small and medium businesses: Cyber security advice and guidance tailored to small and medium businesses
Related links
- Canadian Centre for Cyber Security: advises and guides small and medium-sized enterprises on cyber security
- Government of Canada helping defence industry protect itself from cyber security threats (May 31, 2023)
- National Cyber Security Action Plan
- National Cyber Security Strategy
- Information for small and medium businesses
- Communications Security Establishment
- Date modified: