Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers

Client Alert | 2 min read | 03.31.25

On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.

CPCSC’s structure appears closely aligned with the U.S. Department of Defense (DoD) Cyber Maturity Model Certification (CMMC) program. Like CMMC, CPCSC is broken out into 3 compliance levels, will verify compliance via self, third-party, and government-conducted assessments, and will be included in Canadian government defense solicitations and other procurement opportunities.

However, CPCSC and CMMC have one key difference: as currently structured, they will evaluate contractors against fundamentally different security standards. CMMC assessments are primarily based on security controls from the U.S. National Institute of Standards and Technology Special Publication (NIST SP) 800-171, Revision 2. CPCSC, in contrast, will evaluate Canadian defense contractors against the Canadian industrial security standard (ITSP 10.171), a Canadian government standard that mirrors NIST SP 800-171, Revision 3.

While this distinction may appear minor, there are significant differences between the security controls found in Revision 2 and Revision 3 of NIST SP 800-171. DoD has stated that CMMC will eventually adopt Revision 3, but to date all CMMC rulemaking and guidance materials have been tailored to Revision 2. Accordingly, reciprocity or mutual recognition for CMMC and CPCSC assessments and certifications does not appear feasible, at least for now. Simultaneously, however, DoD has begun socializing the possibility of contractors’ voluntary adoption of Revision 3, an approach that now merits more consideration for contractors supporting both countries’ defense supply chains.

Given the historically close ties between the U.S. and Canadian defense sectors, contractors on both sides of the border should watch closely for further updates from Canada on its phased rollout of CPCSC, updates from DoD regarding CMMC’s adoption of NIST SP 800-171, Revision 3, and any discussions of mutual recognition between the respective programs.
