Canadian Public Services and Procurement Minister and Quebec Lieutenant Jean-Yves Duclos has announced the start of the initial phase of the Canadian Program for Cyber Security Certification, a move to secure the nation’s defense supply chain.
“Cybersecurity is national security and threats are ever more intricate and in a state of constant change. In defense procurement, cyber incidents can jeopardize the safety of unclassified federal information,” Duclos said.
The Standards Council of Canada will lead the first phase, accepting applications for certification bodies to assess and evaluate standards compliance.
CPCSC brings about a significant change in government contracting in Canada, ensuring vendors’ capability to secure sensitive, unclassified government information. It introduces three levels of certification for contractors:
- Level 1 requires an annual cybersecurity self-assessment,
- Level 2 mandates assessments led by an accredited organization and
- Level 3 is awarded after the National Defence conducts a cybersecurity review.
Once fully implemented, the initiative is expected to protect federal contractual information deemed non-classified data, improve the Canadian defense sector’s cyber posture, and ensure the supply chain remains resilient and ready to support the nation’s armed forces.
The CPCSC’s second phase is expected to start in the fall of 2025 as contractors seek Level 1 or Level 2 certification. Its third and final phases are slated for spring 2026 and 2027, respectively.