CPCSC LEVEL 1
Start Your CPCSC Level 1 Readiness Assessment

Canadian Defence Contractors Are Facing a Major Cybersecurity Shift

If your organization works with the Government of Canada, defence contractors, mining operations, infrastructure providers, Indigenous governments, engineering firms, or critical supply chains, there’s a new acronym you need to understand:

CPCSC

The Canadian Program for Cyber Security Certification (CPCSC) is Canada’s new cybersecurity certification framework for defence suppliers and organizations handling sensitive government information.

And here’s the reality:

This is not optional.

The Government of Canada is embedding cybersecurity certification requirements directly into procurement contracts. Organizations that fail to meet these standards risk losing eligibility for future government and defence-related opportunities.

At CasCom, we’re helping organizations across Northern Canada and beyond prepare for this transition with our new:

CPCSC Level 1 Readiness Assessment

👉 Start your assessment here:
CPCSC Level 1 Readiness Assessment

What Is CPCSC?

The Canadian Program for Cyber Security Certification (CPCSC) is a federal cybersecurity compliance program designed to protect Controlled Information (CI) handled by Canadian defence suppliers and contractors.

The framework is heavily aligned with:

  • NIST 800-171
  • NIST 800-172
  • International cybersecurity best practices
  • Secure supply chain standards

The program is administered through Public Services and Procurement Canada (PSPC).

Its purpose is simple:

Ensure Canadian suppliers can adequately protect sensitive government and defence information from cyber threats.

What Is Controlled Information (CI)?

Controlled Information (CI) is sensitive information that is not publicly available and must be protected from unauthorized access.

Examples include:

  • Technical drawings
  • Contract information
  • Operational procedures
  • Infrastructure diagrams
  • Procurement documentation
  • Defence-related project data
  • Sensitive business communications

Think of CI as:

“Sensitive but unclassified information that still requires protection.”

This is similar to what the United States refers to as Controlled Unclassified Information (CUI).

The rule of thumb – If you’re not sure if it’s Controlled Information, treat it as if it is!

Why CPCSC Matters

Cybersecurity threats targeting supply chains are increasing rapidly.

Attackers no longer focus only on governments or large defence organizations. They target:

  • MSPs
  • Engineering firms
  • Manufacturers
  • Remote infrastructure operators
  • Small and medium-sized suppliers

The Government of Canada recognizes this risk.

CPCSC is designed to ensure every organization in the supply chain maintains an appropriate level of cybersecurity maturity.

Who Needs CPCSC Certification?

Organizations likely impacted include:

  • Defence suppliers
  • Mining companies
  • Engineering firms
  • Construction contractors
  • Telecommunications providers
  • Managed Service Providers (MSPs)
  • Aviation and transportation companies
  • Infrastructure operators
  • Indigenous organizations supporting government projects
  • Technology providers supporting federal initiatives

If your business touches federal procurement, secure infrastructure, or defence-adjacent operations, CPCSC is likely relevant to you.

CPCSC Certification Levels Explained

Level 1: Basic Cyber Hygiene

Level 1 focuses on foundational cybersecurity controls and self-assessment requirements.

Typical requirements include:

  • Multi-factor authentication (MFA)
  • Endpoint protection
  • Patch management
  • Access control
  • Security awareness training
  • Basic incident response processes

This is the starting point for many organizations entering the CPCSC ecosystem.

Level 2: Advanced Protection of Controlled Information

Level 2 introduces:

  • Third-party assessments
  • Expanded technical controls
  • Documentation and evidence requirements
  • Formalized cybersecurity governance

This level aligns closely with NIST 800-171 controls.

Level 3: High Assurance Security

Level 3 is designed for organizations handling highly sensitive defence information.

Requirements may include:

  • Government-led assessments
  • Advanced monitoring
  • Enhanced detection and response
  • Mature cybersecurity operations

Very few organizations will initially operate at this level.

When Does CPCSC Take Effect?

The Government of Canada is rolling out CPCSC requirements in phases beginning in 2025 and expanding significantly through 2026 and beyond.

Organizations waiting until contract requirements appear are already behind.

Cybersecurity compliance takes time:

  • Policies must be developed
  • Technical controls implemented
  • Staff trained
  • Evidence documented
  • Security gaps remediated

Early preparation provides a major competitive advantage.

Why CasCom Is Taking CPCSC Seriously

At CasCom, cybersecurity has always been central to our service strategy.

Our existing capabilities already align strongly with CPCSC requirements, including:

  • Zero Trust Architecture (ZTA)
  • Secure Access Service Edge (SASE)
  • Endpoint Detection and Response (EDR)
  • SIEM and security monitoring
  • Managed firewall and secure remote access solutions
  • Microsoft 365 security hardening
  • Secure infrastructure for remote and northern operations

We believe CPCSC will rapidly become a baseline expectation across:

  • Federal procurement
  • Critical infrastructure
  • Mining and natural resources
  • Northern and remote operations

Organizations that prepare now will be significantly better positioned for future opportunities.

Introducing the CasCom CPCSC Level 1 Readiness Assessment

CasCom’s CPCSC Level 1 Readiness Assessment is designed to help organizations:

  • Understand their current cybersecurity posture
  • Identify compliance gaps
  • Prepare for upcoming procurement requirements
  • Build a roadmap toward certification readiness

Our assessment provides:

  • Security posture evaluation
  • Gap identification
  • Actionable recommendations
  • Risk insights
  • Compliance readiness guidance

Why Start With a Readiness Assessment?

Many organizations assume they are prepared until they begin reviewing actual controls and evidence requirements.

Common gaps include:

  • Weak identity management
  • Incomplete asset inventories
  • Poor documentation
  • Inconsistent patching
  • Lack of incident response planning
  • Limited logging and monitoring visibility

A readiness assessment helps identify these issues before they become contract risks.

The Competitive Advantage of Early Compliance

Organizations that move early gain:

  • Stronger cybersecurity maturity
  • Improved client trust
  • Reduced operational risk
  • Better procurement positioning
  • Increased competitiveness in federal opportunities

The reality is simple:

Cybersecurity compliance is becoming a business requirement, not just an IT initiative.

Start Your CPCSC Level 1 Assessment Today

CasCom is helping organizations across Canada prepare for the future of cybersecurity compliance.

Take the first step today.

Begin Your CPCSC Level 1 Readiness Assessment:

https://www.cascom.ca/CPCSC/CPCSCAssessment.html

Or contact CasCom directly to discuss your organization’s cybersecurity and compliance strategy.

About CasCom

CasCom is a leading Managed Technology Service Provider based in Yellowknife, Northwest Territories, delivering secure technology solutions for organizations operating in remote, northern, and critical infrastructure environments.

Our expertise includes:

  • Cybersecurity
  • Managed IT Services
  • Secure communications
  • Satellite and remote connectivity
  • Zero Trust security architectures
  • Compliance readiness solutions

Learn more at:
https://www.cascom.ca