CPCSC Certification Support (Canadian Program for Cyber Security Certification)

To bid on Defence contracts, you must prove your cybersecurity posture. We get you ready.

Level 1 (self-assessment) or Level 2 (third-party certification) — we help you choose, then take you to ITSP.10.171 compliance.

CPCSC certification support (Canadian Program for Cyber Security Certification, in French PCCC) is a structured engagement preparing your organization for the cyber requirements imposed by Public Services and Procurement Canada (PSPC) on Defence contracts. The program was announced on March 12, 2025 by PSPC, and its technical reference document ITSP.10.171 (Protection of Designated Information in Organizations and Systems Outside the Government of Canada) was published by the Canadian Centre for Cyber Security with an effective date of April 2, 2025. The program provides for three certification levels: Level 1 (self-assessment, 13 foundational security requirements), Level 2 (third-party assessment, 97 complete controls), and Level 3 (conducted by the Canadian government, reserved for very high-risk scenarios). Factero leads the process: level selection, gap analysis against the ITSP.10.171 standard, implementation of missing controls, documentation, self-assessment (Level 1) or third-party certification preparation (Level 2) by a body accredited by the Standards Council of Canada (SCC). We prepare — we don't certify. Level 2 certification is issued by an independent assessment body accredited under ISO/IEC 17020. Engagement led by a CISA-certified principal associate, with ITSP.10.171 as the target and NIST SP 800-171 Rev. 3 as direct reference (to be distinguished from US CMMC which is based on Rev. 2 — see dedicated FAQ). Factero is itself certified PCCC Level 1 based on ITSP.10.171 (attestation valid from 2026-05-19 to 2027-05-19) — we apply to our own organization the same federal cybersecurity framework we guide our clients toward, with the same consistency as for our own corporate CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1: 2024) certification. Proof available on request via our Trust Center.

Who is it for?

Canadian suppliers bidding or planning to bid on National Defence contracts where CPCSC has become — or will become — an eligibility condition.

Tier-one subcontractors handling or hosting Controlled Unclassified Information (CUI/RNC) on federal contracts and required to demonstrate protection of that data in their own systems.

Canadian companies already engaged in the US Defence supply chain (CMMC, NIST SP 800-171) wanting to leverage that work for CPCSC — both frameworks are aligned.

Technology, engineering, professional services, and manufacturing suppliers discovering their next contract with DND, PSPC, or a major defence integrator will require CPCSC certification.

Organizations that received a Level 1 self-assessment request under the PSPC pilot program and want to complete it correctly rather than under pressure.

Canadian SMEs aiming to expand into Canadian or allied defence contracts and wanting to start by building the cyber foundation.

When does it help?

If you recognize yourself in any of these situations, this service is designed for you.
  • A recent Defence or PSPC bid mentions CPCSC as an eligibility condition — and you're not certified.
  • You're a subcontractor to a major defence integrator who passed down their own ITSP.10.171 requirements, and you don't know where to start.
  • You're hesitating between Level 1 (self-assessment, faster, sufficient for some contracts) and Level 2 (third-party certification, required for sensitive contracts) — and you want an outside perspective to decide before investing.
  • You already operate under NIST SP 800-171 for US contracts and want to know what CPCSC adds (answer: structure is very close, but the Canadian accreditation ecosystem is distinct).
  • You're already certified CMMC Level 2 on the US side and want to leverage that work for CPCSC Level 2 — technically possible and significantly faster.
  • You read ITSP.10.171 (97 controls across 17 families) and realize the gap between your current posture and the standard requires a structured approach, not a checklist.
  • You confuse CPCSC with CAN/DGSI 104 (CyberSecure Canada) — two distinct Canadian programs with different audiences and requirements.
  • Your board or commercial leadership wants to know what defence market access costs in money and time.

What will you receive?

A clear Level 1 or Level 2 recommendation, justified by the contracts you actually target, the type of information handled, and contractual requirements imposed by your defence clients — not by commercial preference.

A complete gap analysis between your current posture and the 97 controls of ITSP.10.171 across 17 families (access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, planning, risk assessment, security assessment, system and communications protection, system and information integrity, system and services acquisition, supply chain risk management).

A realistic estimate of timeline, total cost (Factero fees + assessment body fees for Level 2 + technical investments) and burden on your internal teams.

The policies, procedures, and records required by the standard, drafted and adapted to your reality — not a batch of generic NIST templates hastily translated.

Implementation of missing technical controls with your IT teams or MSP: standard-compliant MFA, FIPS-validated encryption where applicable, logging, privileged access management, configuration management, etc.

The System Security Plan (SSP) — central document of ITSP.10.171 compliance, equivalent to the CMMC SSP — describing scope, controls in place, responsibilities.

The Plan of Action and Milestones (POA&M) documenting acceptable residual gaps and their remediation timeline.

For Level 1: a self-assessment file ready to submit to PSPC, with the necessary evidence.

For Level 2: complete support during certification by the SCC-accredited assessment body: team preparation, question translation, management of any non-conformities.

A maintenance plan over the certification validity period: tracking program changes, recertification preparation, adjustments if your scope evolves.

Not a good fit?

  • CPCSC is a demanding engagement — the ITSP.10.171 standard counts 97 technical controls several of which require significant investment (FIPS encryption, configuration management, monitoring, privileged access management). It requires an internal owner (typically the CTO, security lead, or dedicated compliance lead) with a mandate to mobilize IT and operational teams. Without that anchor, even the best external support can't carry through.
  • If you have no active or planned defence contract, CPCSC is likely premature. CAN/DGSI 104 (CyberSecure Canada) is a general cybersecurity certification for Canadian SMEs, with proportional effort and significantly lower cost — often a better starting point.
  • If you operate only in the US for US defence contracts, CMMC applies, not CPCSC. The two frameworks are technically very close, but accreditation ecosystems and authorities differ.
  • If your actual exposure to controlled information (CUI/RNC) is very limited — for example a non-technical service provider with no access to contract data — CPCSC may be disproportionate. We clarify at the discovery call whether certification is actually required for your situation.
  • If your current cyber maturity is very low (no MFA deployed, no configuration management, no centralized logging), aiming for CPCSC Level 2 certification in the next 12 months will create more stress than value. We'll propose a phased plan: foundations first, certification later.

How does the process work?

A rigorous and transparent approach, step by step.
Scoping and level selection
We start by determining which level is right for your situation. Level 1 is a self-assessment you complete yourselves (with our support) and submit to PSPC — usable for Level 1 contracts, which are less sensitive. Level 2 requires certification by an independent SCC-accredited assessment body — required for contracts handling controlled information (CUI/RNC). The choice depends on your current and target contracts, the type of information handled, and specific requirements from your defence clients. Sometimes the right answer is Level 1 now to bid quickly, then Level 2 in 12-18 months.
Gap analysis against ITSP.10.171
We map your current posture against the 97 ITSP.10.171 controls across 17 families. The structure aligns with NIST SP 800-171 Rev. 3 — if you already have work on NIST 800-171 (typical of CMMC chain suppliers), much is reusable. Otherwise, we identify what's in place and documentable, what needs adjustment, and what requires real work. Deliverable: gap report prioritized by criticality and effort, with realistic timeline estimate.
Controls and documentation
We implement missing controls with your teams: compliant MFA, FIPS encryption where applicable (essential for ITSP.10.171), logging and monitoring, configuration management, privileged access management, awareness and training. In parallel, we draft the System Security Plan (SSP) — central document of your compliance — and the Plan of Action and Milestones (POA&M) documenting residual gaps with remediation timeline.
Self-assessment or internal audit
For Level 1, we prepare the self-assessment for PSPC submission: justified answers, attached evidence, expected format. For Level 2, we conduct a formal internal audit before certification by the assessment body — an independent external perspective identifying potential non-conformities while there's still time to fix them. This step distinguishes first-pass successes from restarts.
Assessment support (Level 2)
We support you through the assessment conducted by the SCC-accredited body you've chosen. Our role: translate assessor requests into concrete actions for your teams, prepare interviews and technical demonstrations, manage any non-conformities and correction plans within required timelines. The choice of assessment body remains yours — we can present SCC-accredited options, with no commercial tie to any of them.
Maintenance and recertification
CPCSC is a young program (first phase launched March 2025, full rollout ongoing) and requirements may evolve. We remain available to track program changes, adjust your setup if your scope changes (new contracts, new data types handled), and prepare recertification — without an imposed recurring contract.

Frequently Asked Questions

Answers to the questions our clients ask before reaching out.
What's the difference between CPCSC and CAN/DGSI 104 (CyberSecure Canada)?
Two distinct Canadian programs often confused — and the difference matters. CyberSecure Canada (based on CAN/DGSI 104) is a general cybersecurity certification for Canadian SMEs, administered by the Standards Council of Canada, with two levels (Level 1 and Level 2). CPCSC (Canadian Program for Cyber Security Certification) is specific to National Defence suppliers, based on the ITSP.10.171 standard (97 controls, aligned with NIST SP 800-171 Rev. 3), with three levels (Level 1 self-assessment, Level 2 third-party assessment, Level 3 conducted by the government for very high-risk scenarios). Authorities, underlying standards, and audiences differ. If a Defence bid mentions "cyber certification," it almost certainly means CPCSC — not CyberSecure Canada. Factero clarifies this at the discovery call: it would be costly and frustrating to pursue the wrong certification. (Source: Public Services and Procurement Canada, March 2025; Canadian Centre for Cyber Security, April 2025.)
What's the difference between CPCSC and CMMC?
CPCSC is the Canadian equivalent of US CMMC — technically close, administratively distinct. Both programs protect Controlled Unclassified Information (CUI in US, RNC in Canada) in the Defence supply chain. Both rely on the same technical base: NIST SP 800-171 (ITSP.10.171 in Canada is essentially the Canadian version of the same standard). But the accreditation ecosystem differs: in the US, DoD via Cyber AB; in Canada, the SCC accredits assessment bodies under ISO/IEC 17020. A Canadian company already CMMC Level 2 certified can likely reuse much of the work to obtain CPCSC Level 2 — documentation, technical controls, SSP, POA&M are largely transferable. Factero structures the process to maximize reuse between both programs where relevant.
When does CPCSC become mandatory?
CPCSC has been in progressive rollout since March 2025. The first phase, launched March 12, 2025 by the Government of Canada, includes the new Canadian industrial security standard, the launch of the accreditation ecosystem, and a pilot program testing self-assessment for certain defence contracts. Full rollout continues progressively. Suppliers targeting defence contracts must follow PSPC notices to know which specific contracts now require certification. Once fully implemented, CPCSC will be required to bid on defence contracts handling controlled information. Factero actively tracks PSPC and SCC announcements to adjust ongoing engagements as developments occur. (Source: canada.ca, Public Services and Procurement Canada, CPCSC program.)
How long does it take?
For Level 1 (self-assessment), expect 3 to 6 months depending on your starting point. For Level 2 (third-party certification), 9 to 18 months is realistic. Timeline depends mainly on your initial maturity: if you already work on NIST 800-171 or CMMC, most of the work is reusable and timelines shorten significantly. If you start from a weak cyber foundation (little MFA, little logging, little configuration management), even Level 1 can take 6 months. Factero gives a realistic estimate from the gap analysis — not a marketing range from a brochure.
What does it cost — and what's not included?
Factero's engagement covers the full preparation — scoping, gap analysis, control implementation, SSP and POA&M drafting, self-assessment (Level 1) or support through certification (Level 2), maintenance. Costs not included and paid directly by you: for Level 2, the accredited assessment body fees (assessment itself and certificate issuance); the technical investments identified during the engagement (compliant MFA, FIPS encryption, logging tools, privileged access management solutions, etc.) — ITSP.10.171 requirements may demand significant investment depending on your starting point; and your internal team's time — always the biggest investment. We provide a full estimate of all three from the gap analysis onward.
We already have NIST 800-171 or CMMC. Does that accelerate CPCSC?
Yes, significantly — but with an important technical nuance. ITSP.10.171 is the Canadian version of NIST SP 800-171 Rev. 3, whereas US CMMC is based on NIST SP 800-171 Rev. 2. Concretely, Rev. 3 contains 97 controls across 17 families (vs 110 controls across 14 families for Rev. 2) and adds three new families: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). So if you have an SSP, POA&M, implemented technical controls, and documentation for CMMC or for a US contract under DFARS 252.204-7012, most of it is reusable, but you will need to add controls from the three new families, adapt documentation to the Canadian context (PSPC references rather than DoD, "designated information" terminology rather than CUI), go through the Canadian accreditation ecosystem (SCC rather than Cyber AB), and validate that your assessment body is properly accredited in Canada. The gap analysis identifies precisely what transfers as-is, what needs adaptation, and what remains to build.
Our MSP already manages our infrastructure. Can they also drive our CPCSC certification?
Your MSP is a key player in technical implementation — but driving the process is a separate role, and the assessment body will pay attention to it. CPCSC Level 2 is assessed by an independent body accredited to ISO/IEC 17020; this accreditation imposes strict independence requirements between actors implementing controls and those validating them. If your MSP manages your infrastructure and drafts your SSP and prepares your POA&M, the assessment body will raise hard questions about separation of responsibilities. Factero has no commercial ties to your MSP: we structure the process, document reality, and let your MSP do what they do well — operations. We work with them, not in their place, exactly as in an independent audit.
What methodology do you use?
Factero uses ITSP.10.171 as the target standard (published by the Canadian Centre for Cyber Security), with NIST SP 800-171 Rev. 3 as direct reference (both standards are aligned). The NIST Cybersecurity Framework (NIST-CSF) structures risk assessment and recommendation prioritization. The principal associate holds the CISA certification (Certified Information Systems Auditor) from ISACA — the international reference in information systems auditing. For organizations targeting both CMMC and CPCSC, we structure the engagement to maximize reuse between both frameworks. The approach is adapted to each organization's size and profile.
The program is still young. Is there a risk it will change?
Yes, and it's a reality to integrate into your strategy. CPCSC is in its first deployment phase (launched March 2025) — precise requirements, affected contracts, and the full rollout timeline continue to take shape. That said, the technical foundation (ITSP.10.171 standard, SCC accreditation, two levels) is set and stable. Coming changes will likely affect scope of application (which contracts), timeline (deadlines by supplier type), and assessment ecosystem (number of available accredited bodies). Factero actively tracks PSPC and SCC announcements — if your engagement is underway when an update is published, we adjust without restarting. Investment in ITSP.10.171 compliance remains worthwhile even if program details evolve.
Is it confidential?
Yes, every support engagement conducted by Factero is governed by a formal confidentiality agreement in favor of the client, signed before any work begins. No information — SSP, POA&M, internal audit results, technical documentation — is shared with any third party, provider, or partner without your explicit written authorization, in accordance with our privacy protection policy and Law 25 requirements. Materials provided to the assessment body are shared under your control and with your approval. Given the sensitivity of the defence environment, we apply an elevated rigor standard on CPCSC engagements.
Does this commit us to ongoing work?
No. The engagement ends naturally with certification (Level 2) or validated submission (Level 1). For maintenance and recertification preparation, some organizations prefer to keep us on a light cadence, particularly given the program's expected evolution. Others internalize after the first cycle. Our Charter of Independence prohibits creating artificial dependency. If your team can take over, that's a good outcome.
Why Factero for this engagement — what sets you apart?
Before signing with a support firm, verify a few fundamental elements. A serious firm demonstrates them without hesitation and in writing.
The firm itself is certified
Factero holds the CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1:2024) certification, publicly verifiable through the IAF CertSearch registry and through our Trust Center. We apply to our own organization the same standards we support for our clients. A firm guiding you toward a recognized certification should, by consistency, hold one itself.
Incorporated and established since 2022
Factero Service Conseil has been duly incorporated with the Quebec Enterprise Registrar (REQ) since 2022, with no insolvency or bankruptcy proceedings on record. The legal status of any candidate firm can be verified free of charge through the REQ; insolvency and bankruptcy proceedings appear in the registry of the Office of the Superintendent of Bankruptcy Canada (osb-bsf.ic.gc.ca).
Complete team and operational continuity
Factero relies on an interdisciplinary team covering information technology, human resources, and accounting — the three dimensions that intersect in most governance engagements. A certification engagement extends over 6 to 18 months; the firm supporting you must have the team depth to go the distance, not just the availability of a single person.
Professional liability and cyber insurance
Factero maintains active professional liability (E&O) and cyber insurance coverage, adapted to its IT governance and cybersecurity consulting activities. A firm that recommends cyber insurance to you should, by consistency, hold one itself. Ask for the certificate before signing.
Written and public independence
Our engagements are governed by a public Charter of Independence that prohibits commissions, rebates, and commercial arrangements with vendors, brokers, or markets.
Public procurement registration
Factero is registered with the SEAO (Quebec) and the Ontario Tenders Portal — a process that involves regulatory verifications and up-to-date tax attestations.
These criteria are not commercial arguments. They are the minimum conditions to require of any candidate firm. The absence of a clear answer to any of these questions is, in itself, an answer.
Our advice remains independent. See our Charter of Independence.

Need to move forward on this?

Let's discuss your specific situation. No commitment, just expert advice.