Securing Canada’s defence supply chain

Canadian Program for Cyber Security Certification (CPCSC) Services

The Government of Canada has introduced the Canadian Program for Cyber Security Certification (CPCSC) to protect the unclassified information that industry partners handle. If you supply the Department of National Defence (DND), self-attestation is no longer sufficient.

As of March 2026, the program requires contractors to meet defined security standards, specifically ITSP.10.171 (aligned with NIST SP 800-171), to remain eligible for federal contracts. We help organizations navigate these mandatory requirements, from Level 1 self-assessments to Level 2 third-party certifications, helping your business stay compliant and competitive in the defence sector.

A phased path to certification

We view compliance as a strategic advantage—not just a regulatory hurdle. Our approach mirrors the Government of Canada's phased rollout. 

We start by identifying your specific compliance boundary, determining which of your networks handle controlled information to prevent costly over-scoping. We then support you through the full life cycle: from the initial gap assessment against the controls of the new standard to the final rigorous evidence collection required by accredited certification bodies.

The cross-border advantage

PwC has guided US defence suppliers through Cybersecurity Maturity Model Certification (CMMC), working across the same NIST 800-171 controls that form the foundation of CPCSC. This isn’t theoretical experience. Our teams understand how assessors think, where suppliers commonly fail, and what evidence holds under review.

For Canadian suppliers focused on CPCSC, we deliver a certification path grounded in proven cross-border experience. And because many US primes partner with Canadian organizations, we offer an integrated approach that aligns CPCSC and CMMC into one cybersecurity program, opening eligibility for contracts on both sides of the border.

How we can help

Define your certification requirements

We analyze your current and future DND contracts to determine if you need Level 1 (Self-Assessment) or Level 2 (Third-Party Certification). We then map your data flows to define a precise secure enclave, helping you apply the rigorous controls where necessary.

Measuring compliance against government standards

We conduct a formal assessment of your environment against the ITSP.10.171 standard (Canada's adaptation of NIST SP 800-171). You receive a detailed scorecard and a plan of action and milestones to close any gaps before the official audit.

Advisory support for your compliance journey

We provide the expert guidance your team needs to navigate the remediation process. We advise your internal IT or managed service provider teams on the necessary configurations to meet ITSP.10.171. We support the creation of your system security plan by providing structured templates, interpreting complex requirements, and reviewing your documentation to align it with auditor expectations.

Control design and implementation (ITSP.10.171 / NIST-aligned)  
Design and implement security controls aligned to CPCSC requirements, including access control, configuration management, incident response, system integrity, and audit logging. We translate regulatory requirements into practical, implementable control frameworks. 

Controlled information life cycle protection  
Secure contract and specified information across its life cycle—at rest, in use, and in transit—through data classification, encryption, secure configurations, and monitoring aligned to defence expectations. 

Supply chain and third-party assurance  
Assess and monitor third-party security posture across the defence industrial base. We implement scalable third-party risk management frameworks to address shared responsibility for controlled information. 

Identity, access, and zero-trust architecture  
Implement identity-centric security models, including least privilege access, multi-factor authentication, and zero-trust principles, to protect sensitive systems and enable secure collaboration with defence partners. 

Incident response and recovery  
Develop and test incident response plans aligned to CPCSC expectations. Conduct tabletop exercises and provide breach response support to reduce operational, regulatory, and contractual risk. 

Continuous monitoring and managed security services  
Enable ongoing compliance through security operations, threat detection, and continuous control monitoring. We help maintain certification readiness in a dynamic threat environment.

Validate readiness for a third-party assessor

Before you engage an accredited certification body, we perform a mock assessment to validate your readiness. We review your evidence and documentation as an auditor would, reducing the risk of non-conformity during your official certification.

Contact us

Asif Qayyum

Partner, Cybersecurity Risk & Controls, PwC Canada

Tel: +1 647 781 4751

John Proctor

Partner, Cybersecurity, Privacy & Financial Crimes, PwC Canada

Tel: +1 613.297.6706