Hunter Fox
Associate
This article appeared in our Defence Forecast 2025 guide, which highlights the hot topics impacting Canada's aerospace and defence industries. Read the Forecast here.
As digital threats continue to escalate globally, the Government of Canada has prioritized cyber security as a cornerstone of national security and economic resilience.
Recognizing the increasing sophistication of cyber threats targeting critical infrastructure, Canada has developed a comprehensive cyber security strategy aimed at safeguarding sensitive information, ensuring the resilience of supply chains and maintaining the competitiveness of Canadian industries in international markets.
A key component of this initiative is the Canadian Program for Cyber Security Certification (“CPCSC”), which is expected to take effect in winter 2025. The program ensures alignment with the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”) 2.0 to facilitate cross-border defence contracting, and it imposes mandatory cyber security certification requirements on suppliers bidding for select defence contracts.
The implementation of the CPCSC aligns with Canada's broader National Cyber Security Strategy, which focuses on enhancing cyber resilience through risk-based security measures, stronger public-private collaboration and alignment with international security standards. The strategy acknowledges that state-sponsored cyber threats and sophisticated cybercriminal networks pose significant risks to critical infrastructure and national security, making proactive cyber security policies essential.
Through the CPCSC, Canada aims to ensure that defence suppliers uphold rigorous security standards, mitigating risks to sensitive government data and reinforcing the integrity of federal contracting processes.
The CPCSC was developed to align with the U.S. Department of Defense's CMMC 2.0. This harmonization ensures that Canadian defence suppliers can remain eligible to bid on U.S. government contracts that require compliance with CMMC security standards.
CMMC 2.0 streamlines cyber security requirements into three levels:
By aligning CPCSC with CMMC, Canada ensures that its defence industry remains competitive and interoperable with U.S. partners. This alignment reduces compliance burdens for Canadian firms engaging in cross-border contracts and enhances national security protections against cyber threats.
The CPCSC will establish a structured certification framework with three distinct levels of compliance, each corresponding to the sensitivity of the information handled and the level of cyber security risk involved.
The CPCSC will be adapted closely from the cyber security standards outlined in the U.S. National Institute of Standards and Technology (“NIST”) Special Publications 800-171 and 800-172. This alignment is intended to facilitate cross-border trade and procurement opportunities, particularly within the United States defence market, while ensuring that Canadian suppliers meet internationally recognized cyber security benchmarks.
As the CPCSC adapts the NIST SP 800-171 and 800-172 frameworks, Canadian defence suppliers will be required to implement specific security controls to protect Controlled Unclassified Information (“CUI”) and other sensitive government data. Some of the most critical requirements are expected to include:
The CPCSC Request for Information (“RFI”) Report (2024) underscores the varying degrees of preparedness among Canadian defence contractors. While 82 per cent of industry respondents indicated an awareness of the new certification requirements and an intention to assess their compliance against NIST-based standards, only 51 per cent have proactively undertaken measures to meet these new obligations.
The report further reveals that larger defence contractors, or prime contractors, exhibit relatively high levels of cyber security maturity and preparedness. However, many express concerns regarding the cost implications and challenges associated with enforcing CPCSC compliance among subcontractors. Of prime contractors, 57 per cent support the adoption of CPCSC, provided it is fully reciprocal with the U.S. CMMC, as this would streamline regulatory compliance across jurisdictions.
For smaller subcontractors, the compliance burden is expected to be significant. Many firms remain in the early stages of cyber security readiness, with 46 per cent of subcontractors anticipating an investment of at least $50,000 to meet CPCSC certification requirements. Meanwhile, 29 per cent of prime contractors expect to invest more than $250,000 in achieving compliance.
These financial commitments underscore the need for a phased implementation approach and additional government support to mitigate cost barriers for small and medium-sized enterprises.
The introduction of the CPCSC marks a significant advancement in Canada’s approach to cyber security within the defence sector. The National Cyber Security Strategy underscores the importance of building secure and resilient Canadian systems, fostering cyber innovation and enhancing leadership and collaboration with both domestic and international partners.
By implementing internationally recognized security standards, the CPCSC seeks to enhance the security of sensitive federal contract data, increase the global competitiveness of Canadian suppliers, and fortify the defence supply chain against emerging cyber threats.
As CPCSC requirements phase in from winter 2025, defence suppliers should take proactive steps to align their cyber security strategies with the new standards. Given the increasing frequency of cyber attacks targeting defence contractors, early compliance will be critical for maintaining operational integrity and securing future procurement opportunities. More broadly, this initiative reflects Canada's commitment to strengthening national cyber security resilience in an era of unprecedented digital threats.
Through the implementation of CPCSC and its alignment with CMMC 2.0, NIST 800-171 and 800-172, Canada is taking proactive steps to bolster national security, protect critical defence infrastructure and position itself as a leader in cyber security innovation. These efforts will not only enhance the security of government procurement but also contribute to the broader goal of ensuring a resilient and adaptive national cyber security posture in the years ahead.