Canada is moving to harden its defence supply chains against rising cyber threats with the launch of Level 1 of the Canadian Program for Cyber Security Certification (CPCSC), the first phase of a new national framework that will soon become a requirement in select defence contracts.
Announced April 14 in Gatineau, Quebec, the program marks a significant step in Ottawa’s effort to strengthen economic stability, protect sensitive information and reinforce national security as malicious cyber activity increasingly targets domestic supply chains and defence contractors.
Beginning in Summer 2026, suppliers bidding on select defence contracts will need to complete and attest to meeting all Level 1 criteria. It is the first of three certification levels to be introduced in the coming years, with implementation designed as a phased rollout to give businesses and the cyber security sector time to adapt. In the initial stage, certification will only be required upon contract award rather than throughout the bidding process.
“The Government of Canada is committed to strong cyber security measures to protect Canada’s economic stability and national security, including defence supply chains,” said The Honourable Joël Lightbound, Minister of Government Transformation, Public Works and Procurement and Quebec Lieutenant. “The Canadian Program for Cyber Security Certification is designed to align with the standards of international partners, ensuring Canadian companies remain competitive in international defence markets. The phased approach, domestic accreditation system and harmonization with the United States requirements all work to efficiently help suppliers to strengthen their cyber security in a cost-effective, predictable way.”
The program is also intended to support Canada’s Defence Industrial Strategy by establishing standardized cyber security requirements across the supplier base. Officials say the framework will help contractors better identify, assess and manage cyber risks while protecting specified sensitive but unclassified information under a new industrial cyber security standard.
“Cyber security is no longer optional for companies operating in Canada’s defence ecosystem: it is a prerequisite for resilience, trust and growth,” said The Honourable Stephen Fuhr, Secretary of State (Defence Procurement). “The introduction of Level 1 of the Canadian Program for Cyber Security Certification gives suppliers, particularly small and medium-sized enterprises, a clear and accessible pathway to strengthen their cyber practices while remaining competitive at home and with our allies.”
For Canada’s broader defence network, the move is being positioned as both a security measure and an economic opportunity. By raising baseline standards, the government expects Canadian businesses to be better equipped to compete for procurement opportunities domestically and internationally.
“A secure supply chain is foundational to the Canadian defence ecosystem’s operational readiness,” said Doug Guzman, Chief Executive Officer, Defence Investment Agency. “Level 1 certification establishes a common, standardized baseline that improves resilience across the defence industrial base and reinforces the reliability of the suppliers our armed forces depend on.”
The Canadian Centre for Cyber Security’s technical standards form the backbone of the program, helping create common expectations for organizations working with the Canadian Armed Forces.
“The foundational standards developed by the Canadian Centre for Cyber Security are at the heart of the Canadian Program for Cyber Security Certification,” said The Honourable David J. McGuinty, Minister of National Defence. “This strengthens the CAF’s confidence in its partners and contributes to a more resilient defence supply chain.”
As cyber threats continue to evolve, Ottawa is betting that stronger supplier standards today will translate into greater defence readiness tomorrow.