What is CPCSC (Canadian Program for Cyber Security Certification)?

Definition

CPCSC stands for the Canadian Program for Cyber Security Certification. It is the Government of Canada's contractor cybersecurity programme, developed by Public Services and Procurement Canada (PSPC) and the Communications Security Establishment (CSE) in alignment with the US CMMC 2.0 framework.

The programme establishes graduated cybersecurity certification levels for Canadian Defence Industrial Base contractors and broader Government-of-Canada suppliers handling sensitive but unclassified information. CPCSC's control set is aligned with NIST SP 800-171 — the same control base CMMC 2.0 uses — so an organisation pursuing both can largely reuse a single evidence base.

CPCSC is being phased into Canadian government procurement gradually, starting with select Department of National Defence (DND) contracts and expanding outward. As with CMMC 2.0 in the US, contractors that fail to meet the required level will be ineligible for affected procurement awards.

Core components

  • Alignment with CMMC 2.0. CPCSC is intentionally aligned with US CMMC 2.0 to enable Canadian-US defence-industrial-base interoperability. Both programmes use NIST SP 800-171 as the foundational control set.
  • Graduated certification levels. Like CMMC 2.0, CPCSC defines multiple levels of certification matched to the sensitivity of information handled by the contractor.
  • NIST SP 800-171 control set. The core technical control set is NIST SP 800-171's 110 controls covering access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
  • Third-party assessment. Higher levels are expected to require independent third-party assessment, comparable to the CMMC 2.0 C3PAO model.
  • Procurement integration. CPCSC requirements will be incorporated into Government of Canada solicitations; failure to meet the specified level disqualifies a contractor from the affected award.

Why it matters

For Canadian defence contractors, CPCSC is becoming a procurement gate equivalent to CMMC 2.0 in the United States. Contractors that previously self-attested to baseline cybersecurity practices will increasingly need formal certification at the level specified by the contract.

For Canadian MSPs serving Government of Canada contractors, CPCSC creates a service-delivery requirement: the MSP's own posture must be compatible with the client's required level, because the MSP is part of the client's system boundary. Many MSPs are also developing CPCSC readiness as a billable service.

For organisations that operate cross-border — Canadian subsidiaries of US defence contractors or US contractors with Canadian Government work — CPCSC alignment with CMMC 2.0 is a major efficiency. A single evidence base built around NIST SP 800-171 controls supports both certifications, reducing duplicate compliance overhead.

How Lavawall® helps with CPCSC (Canadian Program for Cyber Security Certification)

Lavawall® includes CPCSC alongside CMMC 2.0, NIST SP 800-171, and 12+ other frameworks as a first-class compliance target. The same continuous evidence collection that supports CMMC 2.0 — patching, configuration assessment, MFA enforcement, audit logging, incident response, supply-chain risk — flows directly into CPCSC evidence with no duplicate work.

Because Lavawall® is built in Canada (Calgary, Alberta) by ThreeShield Information Security Corporation — a Canadian audit firm with CISSP and CISA staff — the platform reflects Canadian regulatory context including the Canadian Centre for Cyber Security guidelines and the substantially similar provincial frameworks. Native CAD billing and Canadian-resident data hosting (currently AWS Montreal, migrating to dedicated Calgary servers) make Lavawall® a natural fit for CPCSC engagements.

For MSPs serving cross-border clients, Lavawall®'s 15+ framework set lets a single platform deliver CPCSC, CMMC 2.0, NIST CSF, NIST SP 800-171, CIS Controls, SOC 2, ISO 27001, HIPAA, PCI DSS, BC HIA, Alberta HIA, Canadian privacy bundle, NERC CIP, IIROC, CPA Canada, and Australian Essential Eight from one console.

Frequently asked

Is CPCSC the same as CMMC 2.0?

They are aligned but separate. CPCSC is administered by the Canadian government and applies to Government of Canada procurement; CMMC 2.0 is administered by the US Department of Defense. The technical control base for both draws on NIST SP 800-171, which lets contractors and MSPs reuse evidence across both programmes.

Do I need CPCSC if I already have CMMC 2.0?

CPCSC and CMMC 2.0 are programme certifications administered by different governments. If you supply both governments, you may need both certifications. The work to maintain the underlying NIST SP 800-171 control evidence is largely the same; the certification artefacts differ.

When is CPCSC enforceable?

CPCSC is being phased into Canadian government procurement progressively. Contractors should treat CPCSC as enforceable now for any solicitation that names it, and should expect to see CPCSC requirements appear in an increasing share of Department of National Defence and broader Government-of-Canada contracts during the rollout.

How does CPCSC interact with PIPEDA, BC PIPA, Alberta PIPA, and Quebec Law 25?

CPCSC governs cybersecurity controls for protecting government information. The Canadian privacy frameworks (PIPEDA, BC PIPA, Alberta PIPA, Quebec Law 25) govern personal information handling. They overlap in places (access control, breach notification) but are separate compliance regimes. Lavawall® covers all of them; the Canadian privacy frameworks are bundled together as a single privacy framework rather than counted separately.