Ottawa launches Level 1 cyber scheme for defence suppliers

The Federal Government has introduced Level 1 of the Canadian Program for Cyber Security Certification for defence suppliers, with the requirement set to apply to select defence contracts from summer 2026.

The move launches a three-tier certification system intended to strengthen cybersecurity across the country's defence supply chain. In the first phase, suppliers will not need certification during the bidding process and will only need to demonstrate compliance when a contract is awarded.

Level 1 is based on an annual self-assessment. Suppliers must complete and attest to meeting 13 security requirements and controls using an online tool provided by the federal government.

The program is led by Public Services and Procurement Canada and National Defence. A CAD $25 million budget over three years was allocated to establish the scheme, which is designed to protect sensitive but unclassified information used in defence contracting and to keep Canadian suppliers aligned with requirements in allied markets.

Officials have presented the scheme as a response to growing threats to domestic supply chains. Canada's cyber security authorities have warned that attacks on digital supply chains are likely to continue over the next two years, including efforts targeting defence contractors to obtain government information.

Phased Rollout

The federal government plans to introduce stricter requirements in stages. Level 2 is due to apply to select defence contracts from spring 2027 and will require an external assessment every three years by an accredited certification body. Level 3, intended for the highest-risk work, will involve assessments conducted by the government rather than by third parties.

Under the program design, Level 2 is expected to apply where contracts involve controlled defence information or more complex cyber-sensitive work. Level 3 is reserved for areas such as weapon systems, access to critical infrastructure, or sensitive information shared with Five Eyes partners.

Low-risk work that may fall under self-assessment includes administrative support contracts, unclassified non-technical communications, and basic IT services with no sensitive data. Higher-risk work will move to third-party or government-led reviews as those levels take effect.

The staged approach is intended to give suppliers and the wider cybersecurity market time to adapt. Public officials and industry bodies, including the Canadian Association of Defence and Security Industries, were consulted during the program's development, with feedback gathered through a formal request for information and engagement sessions on the draft standard.

US Alignment

A central feature of the Canadian model is its alignment with the United States Cybersecurity Maturity Model Certification regime. While Canada is establishing its own domestic accreditation and oversight system, the underlying technical controls align with U.S. National Institute of Standards and Technology publications that also underpin the American program.

That link matters for Canadian contractors seeking work in cross-border defence markets. Ottawa has said the framework is intended to reduce duplication, preserve Canadian sovereignty, and give domestic suppliers a local route to meet standards already relevant in the US defence sector.

Canada may also accept a contractor's valid U.S. certification status on a case-by-case basis, provided the assessment covers the required scope. Contracting authorities will retain the right to verify compliance with specific controls where needed.