CPCSC Framework

Compliance Evidence That Withstands Audit

Map your infrastructure to ITSP.10.171 controls. Generate tamper-evident, cryptographically verified records. Get audit-ready in weeks, not months.

Level 1 Mandatory: April 2026

Credit card required to activate. 365-day evidence retention during 2026.

TL;DR — CPCSC in one paragraph

CPCSC is the Canadian Program for Cyber Security Certification, administered by the Department of National Defence and Public Services and Procurement Canada. It becomes mandatory for new DND contracts in April 2026 (Phase 2, Level 1) with full Level 2 certification required for sub-tier suppliers from April 2027. The standard is ITSP.10.171, Canada's adaptation of NIST SP 800-171 Rev 3, covering 97 controls across 17 families. Level 1 is a 13-control self-assessment. Solymus produces audit-ready cryptographic evidence for every control, and verification is free and requires no account.

CPCSC Rollout Timeline

Three-phase mandatory compliance schedule for Canadian DND suppliers

  • Phase 1 (Mar 2025 – Mar 2026, completed): Standard published. Level 1 guidance available. Planning phase.
  • Phase 2 (Apr 2026 – Mar 2027, current): Level 1 (13 controls) mandatory. Level 2 assessor accreditation begins.
  • Phase 3 (Apr 2027 – Mar 2028, upcoming): Level 2 (97 controls) required. Level 3 in high-sensitivity contracts.

CPCSC Certification Levels

Choose the level that matches your supplier tier and regulatory requirements

Level 2 (Apr 2027)
C$5K–10K (early bird / standard)
  • 97 controls, 17 families
  • Third-party certification
  • Full ITSP.10.171 framework
  • CMMC 2.0 cross-walk
  • 360-day evidence retention
  • 100K events/month
  • 10 team seats, 3 workspaces
  • Supply chain reports

Level 3 (select contracts)
C$5K–30K (early bird / standard)
  • 97 controls + 6 maturity domains
  • All Level 2 frameworks
  • CMMC 2.0, DFARS, FedRAMP
  • Unlimited evidence retention
  • 1M+ events/month
  • Unlimited team seats
  • Board reports, assessor portal
  • Continuous monitoring dashboard

ITSP.10.171 Control Families

17 families covering 97 controls across all security domains

  • AC - Access Control: 22 controls
  • AT - Awareness & Training: 3 controls
  • AU - Audit & Accountability: 9 controls
  • CA - Security Assessment: 4 controls
  • CM - Configuration Management: 9 controls
  • IA - Identification & Authentication: 11 controls
  • IR - Incident Response: 8 controls
  • MA - Maintenance: 6 controls
  • MP - Media Protection: 4 controls
  • PE - Physical Protection: 6 controls
  • PS - Personnel Security: 5 controls
  • PL - Planning: 2 controls
  • RA - Risk Assessment: 3 controls
  • SA - System & Services Acquisition: 5 controls
  • SC - System & Communications Protection: 16 controls
  • SI - System & Information Integrity: 7 controls
  • SR - Supply Chain Risk Management: 3 controls

Level 1: The 13 Mandatory Controls

Self-assessment controls for immediate compliance. Mandatory April 2026 for all DND suppliers.

AC: Access Control (4 Level 1 controls)
  • AC-03.01.01 - Managed access points
  • AC-03.01.02 - Account management
  • AC-03.01.20 - Information flow enforcement
  • AC-03.01.22 - Access restrictions by attribute

IA: Identification & Authentication (3 Level 1 controls)
  • IA-03.05.01 - User identification
  • IA-03.05.02 - Device identification
  • IA-03.05.03 - Authentication enforcement

MP: Media Protection (1 Level 1 control)
  • MP-03.08.03 - Media disposal & destruction

PE: Physical Protection (2 Level 1 controls)
  • PE-03.10.01 - Physical access control
  • PE-03.10.07 - Surveillance & monitoring

SC: System & Communications Protection (1 Level 1 control)
  • SC-03.13.01 - Confidentiality/integrity services

SI: System & Information Integrity (2 Level 1 controls)
  • SI-03.14.01 - Information system monitoring
  • SI-03.14.02 - Flaw remediation

How Solymus Powers CPCSC Compliance

Map your existing infrastructure to ITSP.10.171 controls without rebuilding

1. Upload Evidence

Drag and drop policies, logs, screenshots, and configuration files. Solymus normalizes everything into evidence artifacts.

2. Auto-Map Controls

Machine learning maps artifacts to relevant CPCSC controls with confidence scoring. Assessors see exactly what proves compliance.

3. Cryptographic Seal

Every piece of evidence is SHA-256 hashed, KMS-signed, and Merkle-chained. Tamper-evident and independently verifiable.

4. Continuous Monitoring

Sync with M365, AWS, and endpoints. Evidence accumulates automatically. Assessors see a living, auditable chain of custody.

5. Assessor-Ready Exports

Generate evidence index, readiness report, control mapping, and cryptographic verification URLs in one click.

6. Public Verification

Share verification links with assessors. They validate the cryptographic proof without needing API keys or credentials.

Tamper-Evident Proof Engine

Industrial-grade cryptography ensures your evidence cannot be altered or repudiated

SHA-256 Hashing

Each artifact produces a unique, deterministic 256-bit fingerprint. Change a single byte and the recomputed hash no longer matches the recorded fingerprint.

KMS Signing

AWS KMS (ECDSA_SHA_256) cryptographically signs the hash. Only our infrastructure can produce valid signatures.

Merkle Chaining

Daily attestations link all evidence into an unbreakable chain. Backdating or tampering invalidates the entire chain.

Public Verification

Assessors verify the cryptographic proof independently, without accessing your infrastructure or credentials.

Audit Trail

DynamoDB ledger captures every event: creation, verification, export. Immutable record of evidence history.

AWS GovCloud Ready

All cryptography runs on AWS KMS. Full compliance with Canadian data residency and government security standards.
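
The hashing and daily Merkle chaining described above, as an added sketch that is not Solymus code: each day's artifacts are reduced to a Merkle root, and each daily record commits to the previous record's digest. The record layout, the `0x00`/`0x01` prefixes, the odd-leaf rule, `GENESIS` and the sample evidence are assumptions made for this example; KMS signing is left out so the block runs offline.

```python
import hashlib

GENESIS = "0" * 64  # assumed "previous digest" for the first attestation

# Constructed sample evidence, keyed by attestation day.
SAMPLE = {
    "2026-04-01": [b"access-policy v1", b"firewall config export"],
    "2026-04-02": [b"auth log extract"],
    "2026-04-03": [b"mfa settings screenshot"],
}

def merkle_root(artifacts):
    """SHA-256 Merkle root; 0x00/0x01 prefixes separate leaves from nodes."""
    level = [hashlib.sha256(b"\x00" + hashlib.sha256(a).digest()).digest()
             for a in artifacts] or [hashlib.sha256(b"").digest()]
    while len(level) > 1:
        if len(level) % 2:              # odd count: pair last node with itself
            level.append(level[-1])
        level = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def attest(day, artifacts, prev):
    """One daily record: Merkle root of the day's artifacts, bound to prev."""
    root = merkle_root(artifacts)
    digest = hashlib.sha256(f"{day}|{root}|{prev}".encode()).hexdigest()
    return {"day": day, "root": root, "prev": prev, "digest": digest}

def build_chain(evidence):
    chain, prev = [], GENESIS
    for day in sorted(evidence):
        chain.append(attest(day, evidence[day], prev))
        prev = chain[-1]["digest"]
    return chain

def verify_chain(chain, evidence):
    """Recompute every record from the artifacts; return the days that fail."""
    failed, prev = [], GENESIS
    for rec in chain:
        if attest(rec["day"], evidence.get(rec["day"], []), prev) != rec:
            failed.append(rec["day"])
        prev = rec["digest"]            # continue from the stored digest
    return failed

# In the scheme the page describes, the digest would then be signed (KMS);
# without a signature or external anchor a fully rewritten chain still verifies.
```

Editing an artifact makes that day's record fail, and re-issuing that day's record to match the edited artifact makes the following day fail instead, because its stored `prev` no longer matches.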

Frequently Asked Questions

Everything you need to know about CPCSC and Solymus

CPCSC stands for the Canadian Program for Cyber Security Certification. It is based on ITSP.10.171, which is Canada's adaptation of NIST SP 800-171 Revision 3. CPCSC defines three certification levels with increasing control requirements, and is mandatory for all suppliers to the Canadian Department of National Defence.
Level 1 (13 controls) becomes mandatory for all DND suppliers in April 2026. This is Phase 2 of the CPCSC rollout. Level 2 (97 controls) and third-party certification follow in April 2027 (Phase 3).
Yes. Your entire evidence chain, control mappings, and verification URLs transfer automatically from Level 1 to Level 2. You keep all your accumulated evidence history and assessment progress. There is no restarting required.
Solymus does NOT guarantee CPCSC certification. What it does is provide tamper-evident, cryptographically verified evidence that your infrastructure meets the control requirements. Certification still requires a third-party assessor to evaluate that evidence and make a formal determination. Solymus just makes the assessor's job faster and more reliable.
Every artifact is hashed with SHA-256, signed with AWS KMS (ECDSA_SHA_256), and linked into a daily Merkle attestation. The proof is immutable: change a single byte and the hash invalidates. Assessors can verify the proof independently using public verification URLs without accessing your infrastructure. This is called a "tamper-evident" receipt.
Level 1 is free because it is the compliance trigger. During 2026, every Level 1 company accumulates cryptographic evidence history. When Level 2 assessors arrive in 2027, companies with an unbroken evidence chain switch to Solymus Level 2, creating predictable recurring revenue. The free year is infrastructure installation, not a lead funnel. The revenue model is regulation-driven, not sales-driven.
Yes, but only for 2026. Level 2 early bird is C$5,000/month on an annual contract (standard C$10,000). Level 3 early bird is also C$5,000/month on a 24-month contract (standard C$30,000). Early bird pricing expires December 31, 2026. After that, all new customers pay standard pricing. Existing early bird contracts keep their rate for the contract term.
Level 2 and Level 3 support integrations with M365 and AWS (currently in beta). Evidence collectors automatically pull logs and configuration data. Level 1 does not include integrations but you can manually upload evidence. GovCloud and GCC High integrations are on the roadmap for Level 3.
Level 3 includes a third-party assessor portal. Assessors can review your evidence, control mappings, and readiness scores directly in Solymus. They can also verify cryptographic proofs independently. This dramatically speeds up the certification process.

Ready to Prepare for CPCSC?

Start free with Level 1 today. Build your evidence chain, get audit-ready, and upgrade to Level 2 when you need third-party certification.

Expected questions

What is CPCSC?

CPCSC is the Canadian Program for Cyber Security Certification, a mandatory framework administered by the Department of National Defence and PSPC for protecting Controlled Information in the Canadian defence supply chain. It is built on ITSP.10.171 (Canada's adaptation of NIST SP 800-171 Rev 3) and has three certification levels.

When does CPCSC become mandatory?

Phase 2 of CPCSC begins April 2026, making Level 1 self-assessment a requirement at contract award for new DND contracts. Phase 3 (April 2027 onward) extends Level 2 third-party certification to sub-tier suppliers.

What is the difference between CPCSC and CMMC?

CPCSC is the Canadian program (DND/PSPC, based on ITSP.10.171 / NIST SP 800-171 Rev 3). CMMC is the US program (DoD/DFARS, based on NIST SP 800-171 Rev 2). They are separate regulators with separate assessor bodies and slightly different control sets. Cross-border suppliers generally need both. See our CPCSC vs CMMC comparison.

How many controls are in CPCSC Level 1?

13 controls across 6 ITSP.10.171 families (AC, IA, MP, PE, SC, SI). Level 1 is a self-assessment, not a third-party audit. See the full Level 1 checklist.

Does CPCSC verification cost money?

No. Public verification of Solymus cryptographic receipts is free and requires no account — auditors, primes, and assessors can verify any receipt or re-hash an original file on verify.html without signing up. Evidence creation (for suppliers) is the paid product.