For years, many Canadian job shops have treated digitisation as the finish line. Paper travellers gave way to electronic job packets, whiteboards were replaced by scheduling systems, and quality records became searchable rather than scattered. But for manufacturers supplying Canada’s Department of National Defence, or hoping to, being digital is no longer enough. The new test is whether those systems can be trusted to protect sensitive government information, and whether that trust ...
That is the aim of the Canadian Program for Cyber Security Certification, or CPCSC. According to Public Services and Procurement Canada, the framework is Canada’s official cybersecurity certification programme for defence suppliers, designed to protect sensitive information below the classified level and strengthen the domestic defence industrial base. It is being rolled out in phases, with Level 1 introduced in April 2026 and due to be required in select defence contracts from summer 2026.
The programme is built around a practical reality: cyber risk has become a supply-chain issue. Canada’s defence networks increasingly depend on private-sector suppliers handling controlled information, technical files and contract data. To address that, the CPCSC combines cybersecurity controls, contractual requirements, risk assessments and accredited third-party assessors. It also draws on the same family of controls that underpin the United States’ Cybersecurity Maturity Model Certification, or CMMC, which raises the possibility of future mutual recognition between the two systems.
That international alignment matters. The Canadian government has said the CPCSC is intended not only to improve security, but also to preserve access to overseas procurement opportunities. In the defence sector, where Canadian firms already sell extensively to allied markets, certification is likely to become a commercial as well as a compliance requirement.
The rollout is deliberately gradual, giving suppliers time to adapt. Public Services and Procurement Canada says Level 1 requires suppliers to complete and attest to the relevant criteria, with certification checked at contract award rather than during bidding in the initial phase. The broader programme will continue to expand through higher levels, with more demanding assessments for suppliers handling more sensitive information.
The underlying technical standard, ITSP.10.171, is Canada’s adaptation of the controls used to protect specified information in non-government systems. It is closely related to NIST SP 800-171 Revision 3, but adjusted for Canadian procurement and legal requirements. In practical terms, it gives defence suppliers an auditable set of security expectations rather than a vague policy objective.
For many shops, the hardest lesson is that a modern software stack does not automatically mean compliance. A business can run paperless operations, use tablets on the shop floor and keep digital quality records, yet still fall short if it cannot show how information is controlled, logged and protected.
The most common weaknesses tend to be basic. Access may be granted informally and revoked slowly, if at all. Shared folders may hold drawings and specifications without any proper trail of who opened them. Remote connections, cloud tools and supplier portals may have been added over time without a clear map of what is connected to what. Even the simplest incident response procedure may exist only in someone’s head.
That is why the first step for most firms is a structured self-assessment. The Government of Canada’s Level 1 guidance focuses on scoping: identifying which systems, devices, people and facilities store, transmit or process specified information. From there, suppliers are expected to examine access control, authentication, logging, configuration management, incident response, media protection, risk assessment and communications security.
In other words, the question is not simply whether a shop has moved to digital tools, but whether it can prove those tools are governed properly. Role-based access, unique user accounts, audit logs, encrypted connections and a written incident plan are no longer optional extras if a defence contract brings controlled information into the environment.
The scoping question is especially important because CPCSC is risk-based rather than size-based. The level a supplier needs is determined by the nature of the contract and the information involved. Level 1 is intended for suppliers handling lower-sensitivity protected information. Level 2, which will require an external assessment by an accredited body, is expected to apply to firms dealing directly with more sensitive controlled information such as technical drawings, specifications and design files. Level 3 will be reserved for the most sensitive work and assessed by the Department of National Defence itself.
For precision manufacturers, the implication is clear. Many will probably land at Level 2 once the programme matures, which means preparation should start well before certification becomes mandatory. Industry observers have noted that readiness can take many months, depending on how mature a company’s cybersecurity posture already is.
Regional obligations add another layer. CPCSC is national, but suppliers may also have to align with provincial privacy and incident-reporting rules. Ontario and Quebec have both tightened expectations around data governance, while manufacturers in British Columbia and Alberta are operating in regions where cyber readiness has become increasingly intertwined with industrial policy. For firms serving both federal and provincial customers, the compliance picture is likely to get more complex, not less.
Still, there is an upside to all of this. Companies that work through certification early may discover problems they would otherwise have missed, from loose access controls to undocumented external connections. They may also gain an edge when prime contractors begin pushing requirements through their own supply chains. If Canada and the United States do move closer on mutual recognition, the firms that are ready first could benefit on both sides of the border.
The safest response for job shops is to begin now: map where sensitive information lives, determine who can reach it, review account management, document policies and assign clear internal ownership. The deadline may still appear distant, but the direction of travel is already set. Going digital was the first step. Being protected is the next.
Source: Noah Wire Services



