Cyber security certification for defence suppliers in Canada

Explore upcoming cyber security requirements for suppliers that bid or work on Government of Canada defence contracts. The requirements help to protect networks, systems and applications from malicious cyber activity.

On this page

About upcoming changes

Beginning in winter 2025, suppliers seeking to bid or work on select Government of Canada defence contracts must become certified under the Canadian Program for Cyber Security Certification (CPCSC). The CPCSC will complement our efforts to strengthen cyber security. It will do this by better securing the federal contracting process.

Canadian Program for Cyber Security Certification Request for Information

Public Services and Procurement Canada (PSPC) would like to thank industry experts for their insights and comments through their participation in PSPC’s Request for Information (RFI). Your valued feedback will significantly influence the development and implementation of the program, bolstering our national industrial cyber security.

The RFI has now closed. A report highlighting the key findings will be available later this summer.

Overview of program

Once in place, the CPCSC will:

Key features of the CPCSC will include the following:

Cyber security controls

These will outline requirements for federal contracting based on a new Canadian cyber security standard. The standard will be adapted closely from the United States Department of Commerce’s National Institute of Standards and Technology Special Publications 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information

Risk assessments

The comprehensive process will identify defence contracts with mandatory requirements and will determine the level of certification needed

Contractual clauses

These are mandatory sections or provisions included within defence procurement documents, including request for proposals (RFPs), will implement the CPCSC requirements

Accredited third-party assessors

Third-party assessors will:

Certification levels

The program’s mandatory cyber security certification requirements will be made up of 3 levels:

Benefits to Canada

The CPCSC will help safeguard the Government of Canada’s unclassified contractual information. It will also increase the cyber security capabilities of Canada’s defence supply chain. The change in requirements will ensure alignment with the National Cyber Security Action Plan and the National Cyber Security Strategy.

Benefits for suppliers

A single successful malicious cyber incident has the potential to cause widespread impacts.

The CPCSC will help strengthen the cyber security resilience of the industry. This will help suppliers better identify, assess and manage potential risks to Canada’s supply chain.

Timing of upcoming requirements

Starting in winter 2025, mandatory cyber security requirements from the CPCSC will be part of certain defence-related RFPs.

Changes to the certification requirements will be introduced in phases. This will give suppliers and the broader cyber security community time to adapt to the changes. In the interim, we encourage defence suppliers to proactively assess and evaluate their current cyber security readiness.

Contact us

Email the Government of Canada’s cyber security program at tpsgc.pacertcybersecur-apcybersecurcert.pwgsc@tpsgc-pwgsc.gc.ca

Resources for suppliers

Explore resources available to small and medium-sized suppliers:

Related links

Date modified: