
Beyond Compliance: Deriving Value from CPCSC

How organizations can approach CPCSC readiness as part of a broader operational and supply chain security strategy across Canada’s defence industrial base

By Allan McDougall MA BMASc CMAS CISSP CPP
Senior Security Program Manager and Acting Chief Information Security Officer (CISO), ADGA Group

The Canadian Program for Cyber Security Certification (CPCSC) is currently moving into the second phase of its implementation. Focusing on Level 2, this phase establishes much more stringent requirements for those entering or operating within Canada’s Defence Industrial Base. While Level 1 includes thirteen security controls, Level 2 is expected to incorporate approximately 98 controls and require a tri-annual security assessment by an external party. This is the intermediary step, with Level 3 encompassing approximately 200 controls.

The obvious value of certification involves being able to compete within the Defence Industrial Base. While this is important, we should not lose sight of the primary goal of the CPCSC effort: building a more resilient and secure ecosystem surrounding defence procurement. The temptation is to lose sight of that objective in favour of simply “ticking the boxes.”

"The CPCSC is not the gold medal. It is the minimum performance level required to compete."

Understanding the Broader Security Context

For organizations beginning their cyber security journey, it is important to remember that certification does not operate in a vacuum. The first challenge lies in identifying the full suite of requirements that apply to a network environment. Depending on business operations, organizations may find themselves operating within multiple overlapping security regimes.

One of the benefits of CPCSC is that the risk assessment guidance provided by PSPC reveals several overlapping requirements. Level 2 requirements are tied not only to Controlled Goods Information, but also to Protected B information. Historically, these areas often fell under separate security frameworks.

For business owners, reducing the number of different security control regimes marks a significant benefit in terms of simplifying how networks are monitored and managed.

Certification Is Not the End State

This does not mean CPCSC is the final destination for cyber security maturity. It is written for a specific context, and organizations may still need to comply with additional standards or program requirements depending on their operational environment.

For example, organizations involved in the development of dual-use technologies may also need to align with programs such as the National Security Guidelines for Research Partnerships. These frameworks are aligned, managed, and monitored separately, but often converge within the same network environment.

This creates an increasing need to consolidate and manage requirements effectively without overlooking gaps or creating unintended impacts across different security regimes.

Network owners must also recognize that certification represents a baseline, not the ultimate objective. In practical terms, CPCSC establishes the minimum threshold required to compete, not the end state of organizational cyber resilience.

A Rapidly Changing Threat Environment

Organizations are operating in an environment that has changed significantly in recent years. Rapid acceleration in research, development, and innovation has increased the value associated with intellectual property theft and corporate espionage.

At the same time, modern conflict increasingly targets infrastructure, including transportation systems, energy networks, and other critical services. Organizations supporting these sectors must think carefully about how their technologies and services could become targets for disruption.

This also raises additional questions regarding future legislative and regulatory developments, including Bill C-8 and the proposed Critical Cyber Systems Protection Act (CCSPA). As new requirements emerge, organizations may face multiple compliance regimes operating across the same network environments.

Building Long-Term Resilience

CPCSC and other certification regimes should not be viewed as endpoints. They are starting points.

While implementation costs are significant, organizations must also consider the ongoing operational requirements associated with maintaining System Security Plans, managing compliance activities, overseeing supply chain security, and sustaining long-term governance processes.

The CPCSC ecosystem itself is still evolving. Supporting infrastructure, training, assessment frameworks, and methods for recording and managing results continue to mature. Future expectations may also extend further into managed service providers and broader supply chain partners.

For organizations preparing for their CPCSC Level 2 journey, success will require a methodical and rigorous approach to understanding how certification requirements interact with broader operational and security realities.

The goal should not simply be certification itself, but the development of resilient and sustainable security practices capable of supporting increasingly complex threat environments.
