Comparison

CPCSC vs CMMC: Differences for Cross-Border Defence Suppliers

Both frameworks protect defence supply chains, but they are different. Understand the key differences between Canadian CPCSC and US CMMC compliance.

TL;DR — CPCSC vs CMMC in one paragraph

CPCSC (Canadian Program for Cyber Security Certification) and CMMC (Cybersecurity Maturity Model Certification) are two separate defence supply-chain compliance frameworks that share a common ancestor (NIST SP 800-171) but differ in administering body, timeline, control catalogue, and enforcement. CPCSC is run by the Department of National Defence and PSPC and becomes mandatory in April 2026; its standard is ITSP.10.171, a Canadian adaptation of NIST SP 800-171 Rev 3. CMMC is run by the US DoD under DFARS and is already phasing in; its current version (CMMC 2.0) maps to NIST SP 800-171 Rev 2. Cross-border suppliers generally need both. Solymus runs one evidence pipeline that produces audit-ready cryptographic receipts for CPCSC today and CMMC on the roadmap, so the same control evidence satisfies both regulators.

CPCSC and CMMC: Two Different Frameworks

If you are a defence supplier working in both Canada and the US, you might wonder: "Are CPCSC and CMMC the same thing?" The answer is no. They are separate compliance frameworks with different requirements, different timelines, and different enforcement bodies.

The simple version:

Both protect defence data, both are mandatory, and both are structured in three certification levels. But they have different implementations, different timelines, and different terminology.

Comparison Table: CPCSC vs CMMC

| Aspect | CPCSC | CMMC |
|---|---|---|
| Country | Canada | United States |
| Enforcer | Department of National Defence (DND) | US Department of Defense (DoD) |
| Based On | ITSP.10.171 (Canadian Centre for Cyber Security) | NIST SP 800-171 Rev 2 |
| Controlled Data Term | Controlled Information (CI) | Controlled Unclassified Information (CUI) |
| Level 1 Timeline | Mandatory April 2026 | Mandatory April 2024 (already in effect) |
| Level 2 Timeline | Mandatory April 2027 | Mandatory May 2025 (phased) |
| Level 1 Controls | 13 core controls | 17 core practices |
| Full Framework | 97 controls (17 families) | 110 practices (17 domains + 5 processes) |
| Certification Model | Level 1 = self-assessment, Level 2/3 = third-party | All levels = third-party certified assessor |
| Assessor Authority | Standards Council of Canada (SCC) accredited assessors | CMMC-AB (CMMC Accreditation Body) certified assessors |
| Target Suppliers | All DND defence suppliers (600 primes + thousands of subs) | All DoD defence contractors (10,000+ companies) |
| Applies To | Companies handling Canadian Controlled Information | Companies handling US Controlled Unclassified Information |
| Cost (Level 2) | C$5K–10K/year | $3K–5K per assessment |

Similarities: Both Frameworks Protect Defence Supply Chains

Based on NIST 800-171

  • Both use NIST SP 800-171 as a foundation
  • Core controls map to each other
  • Similar security families (access, audit, cryptography, etc.)

Three Certification Levels

  • Level 1 = baseline / foundational
  • Level 2 = intermediate / third-party
  • Level 3 = advanced / specialist

Mandatory Compliance

  • Both are mandatory to work with defence
  • Both have hard deadlines
  • Both create supply chain cascades

Evidence-Based Assessment

  • Both require cryptographic evidence
  • Both allow third-party audit trails
  • Both prioritize tamper-evident records

Tiered Maturity

  • Start small (basic) and scale up
  • Continuous monitoring at higher levels
  • Assessments at regular intervals

Supply Chain Cascade

  • Defence primes require supplier compliance
  • Compliance cascades down the supply chain
  • No contracts without certification

Key Differences

1. Timeline Difference

CMMC enforcement started in 2024 (Level 1 mandatory by April 2024). CPCSC starts in 2026 (Level 1 mandatory by April 2026).

Why the difference? The US defence department moved faster due to a series of high-profile breaches (SolarWinds, etc.). Canada took more time to adapt NIST 800-171 into ITSP.10.171 and plan the rollout. Both countries saw the urgency, but enforced different timelines.

2. Terminology Difference

CMMC uses "CUI" (Controlled Unclassified Information). This is US terminology. CUI includes defence technical data, procurement information, security assessments, and other unclassified but sensitive DoD data.

CPCSC uses "CI" (Controlled Information). This is Canadian terminology, adapted from ITSP.10.171. CI is conceptually similar to CUI but includes information protected under Canadian law (Access to Information Act, Privacy Act, trade secrets, etc.).

In practice: Both terms mean defence-sensitive data. If you handle either, you need compliance certification in that country.

3. Level 1 Certification Model Difference

CPCSC Level 1 is self-assessment. You assess your own controls. No external auditor is required. You upload evidence to Solymus, generate a readiness report, and share it with defence primes. This is fast and low-cost but relies on your honesty.

CMMC Level 1 is third-party assessment. You cannot self-assess. You must hire a CMMC-certified assessor to audit your controls. This is slower and more expensive but adds external credibility.

For cross-border suppliers: If you have CPCSC Level 1 self-assessment, you still need a CMMC Level 1 third-party assessment. The two do not overlap.

4. Control Count Difference

CPCSC Level 1: 13 controls across 6 families (AC, IA, MP, PE, SC, SI).

CMMC Level 1: 17 core practices across multiple domains.

CPCSC Full: 97 controls across 17 families.

CMMC Full: 110 practices across 17 domains + 5 processes.

The differences in control count reflect how each country adapted NIST 800-171. CPCSC is slightly more streamlined for the Canadian market. CMMC added practices to address US-specific threats and requirements.

5. Assessor Authority Difference

CPCSC: Assessors are accredited by the Standards Council of Canada (SCC). This is Canada's national standards body.

CMMC: Assessors are certified by the CMMC Accreditation Body (CMMC-AB), a non-profit created by the DoD to manage assessor training and certification.

Implication: The assessor pools are completely separate. A CMMC-certified assessor cannot audit CPCSC compliance, and vice versa. If you need both, you hire two different assessors.

Cross-Border Suppliers: You Need Both

If You Do Business in Both Canada and the US

You need both CPCSC and CMMC certification. They do not substitute for each other. Here is why:

Scenario: Your company is a Canadian defence technology vendor. You supply software to both Canadian DND and US DoD.

  • DND requires CPCSC Level 1 certification (starting April 2026)
  • DoD requires CMMC Level 1 certification (already mandatory since April 2024)
  • You cannot use CPCSC certification to satisfy DoD requirements
  • You cannot use CMMC certification to satisfy DND requirements

You must maintain both certifications simultaneously.

Good news: The core controls overlap significantly (both are based on NIST 800-171). If you implement controls for CMMC, many will also satisfy CPCSC. But you still need separate assessments and certifications for each.

Solymus can help: We support CPCSC now (Level 1 free, Level 2/3 paid). CMMC support is on our Level 3 roadmap. Using a single platform for both frameworks reduces duplicate evidence collection.

Which Should You Prioritize?

If you only work in Canada: Focus on CPCSC. Level 1 is mandatory by April 2026 (12 months from now). Start your gap assessment immediately.

If you only work in the US: CMMC Level 1 is already mandatory (since April 2024). If you haven't certified yet, you are late. Hire a CMMC-AB assessor immediately.

If you work in both countries: Prioritize whichever has the nearest deadline. If you are a Canadian company working with US DoD, you may already have CMMC Level 1 requirements. If you are also starting Canadian defence contracts, add CPCSC to your roadmap for 2026. Focus on implementing shared controls that satisfy both frameworks.

Next Steps

Regardless of which framework applies to you, start now:

  1. Identify which frameworks apply to your company — Do you have Canadian DND contracts? US DoD contracts? Both?
  2. Determine the mandatory timeline — When is Level 1 required for your jurisdiction?
  3. Assess your current state — Which controls do you already meet? Which need work?
  4. Create an implementation plan — Prioritize controls, assign owners, set timelines.
  5. Use Solymus to manage evidence — Collect evidence, generate compliance packages, prepare for assessments.

Ready to Prepare for CPCSC?

Start free with Solymus Level 1 today. Build your evidence chain and get audit-ready for Canadian defence contracts.

Expected questions

What's the main difference between CPCSC and CMMC?

Jurisdiction and lineage. CPCSC is the Canadian program run by DND/PSPC, based on ITSP.10.171 (Canada's adaptation of NIST SP 800-171 Rev 3). CMMC is the US DoD program under DFARS, based on NIST SP 800-171 Rev 2. Different regulators, different assessor bodies, slightly different control sets.

Can CMMC certification satisfy CPCSC requirements?

Not automatically. The programs share common ancestry, so much of the underlying evidence overlaps, but CPCSC assessment must be conducted by a CPCSC-accredited assessor against ITSP.10.171. Cross-border suppliers generally maintain both certifications.

Can I use one platform for both CPCSC and CMMC?

Yes. Solymus runs a single evidence pipeline that produces a KMS-signed receipt per artifact and cross-walks the control IDs to both ITSP.10.171 (CPCSC) and NIST SP 800-171 (CMMC), so the same upload satisfies both regulators.

Which program rolls out first?

CMMC 2.0 is already in phased US rollout. CPCSC Phase 2 (mandatory Level 1 at contract award) begins April 2026, with Level 2 third-party certification cascading to sub-tier suppliers from April 2027.

Are CPCSC and CMMC assessors interchangeable?

No. CPCSC assessors are accredited by the Canadian Centre for Cyber Security. CMMC assessors (C3PAOs) are accredited by the Cyber AB. A supplier pursuing both certifications must engage assessors from each body.