Government of Canada announces first phase of Canadian Program for Cyber Security Certification

Protecting Canada's defence supply chains

GATINEAU, QC, March 12, 2025 /CNW/ - The Government of Canada is committed to implementing robust cyber security measures, which are fundamental to Canada's economic stability and national security. The Canadian defence industry faces regular cyberattacks aimed at contractors and subcontractors, putting unclassified federal information at risk. It's essential for Canada to take action to protect these critical supply chains.

Today, the Honourable Jean-Yves Duclos, Minister of Public Services and Procurement and Quebec Lieutenant, announced the first phase in the implementation of the Canadian Program for Cyber Security Certification (CPCSC). In March 2025, the CPCSC will establish a cyber security standard for companies that handle sensitive unclassified government information in defence contracting.

The implementation of the CPCSC will be phased-in gradually, allowing companies to adapt their operations to meet new requirements. The first phase will involve releasing a new Canadian industrial cyber security standard, opening the accreditation process, and introducing a self assessment tool for level 1 certification. This will help businesses understand the program before a wider rollout later in 2025.

During the initial phases, certification will not be required during the bidding process, rather, only when the contract is awarded. The phased approach is designed to strengthen the resilience and security of Canada's defence supply chains, giving both the government and businesses the necessary time and resources to adapt to evolving cyber security standards.

Quotes

"Cyber security is national security and threats are evermore intricate and in a state of constant change. In defence procurement, cyber incidents can jeopardize the safety of unclassified federal information. To address this, we are thrilled to launch the first phase of the Canadian Program for Cyber Security Certification. We are committed to safeguarding the integrity of the defence sector and we look forward to working with businesses to ensure robust cybersecurity practices."

The Honourable Jean-Yves Duclos
Minister of Public Services and Procurement and Quebec Lieutenant

Quick facts

• The Canadian Program for Cyber Security Certification ecosystem is a structured framework comprising 3 levels. The program ensures that cyber security certification in Canada is handled by accredited bodies, certified assessors and government oversight. It aligns with international standards while also supporting national security initiatives.
• The program's mandatory cyber security certification requirements will be made up of 3 levels:
  • level 1: requiring an annual cyber security self-assessment
  • level 2: requiring external cyber security assessments, led by an accredited certification body
  • level 3: requiring cyber security assessments conducted by National Defence
• Key milestones in the Canadian Program for Cyber Security Certification rollout will include:
  • Phase 1 (March 2025): A new cyber security standard for levels 1 and 2 will be available for businesses with a level 1 self-assessment tool to be launched by full program implementation. The Standards Council of Canada will start accepting applications from organizations that want to become certification bodies to support the evaluation and certification of standard compliance. Support systems will be set up to help businesses get level 2 certification through third-party assessments.
  • Phase 2 (fall 2025): Some defence contracts will require level 1 certification, achieved through a self-assessment. Level 2 certification, which is achieved through a third-party assessment, will be tested in certain defence contracts.
  • Phase 3 (spring 2026): While some defence contracts will start requiring level 2 certification, level 3 certification will officially begin following publication of the additional level 3 controls.
  • Phase 4 (2027): For a small number of contracts, level 3 certification requirements will gradually be incorporated into select defence requests for proposals. Level 3 certification will be conducted by National Defence.
• Engagement sessions with the defence industry and other key stakeholders will continue to take place.
• The Government of Canada is committed to supporting the country's growing cyber security sector, particularly within the realm of defence procurement.

Associated links

Canadian Program for Cyber Security Certification

Follow us on X (Twitter)
Follow us on Facebook

SOURCE Public Services and Procurement Canada

Contacts: Mathis Denis, Press Secretary and Senior Communications Advisor, Office of the Honourable Jean-Yves Duclos, 343-573-1846, [email protected]; Media Relations, Public Services and Procurement Canada, 819-420-5501, [email protected]