The U.S. Cybersecurity Maturity Model Certification and the Canadian Program for Cyber Security Certification share a parent standard, a phased rollout, and a goal. They diverge on revision, terminology, authority, and assessor. Here is the practitioner’s read on both, with a working plan for organizations that have to certify under both.
Both programs at a glance
If you only have two minutes, this table covers the structural shape. The rest of the article fills in the consequences.
| Attribute | CMMC 2.0 U.S. | CPCSC CAN |
|---|---|---|
| Owner | U.S. Department of Defense | Public Services and Procurement Canada, with National Defence |
| Underlying standard | NIST SP 800-171 Rev 2 | ITSP.10.171 (adapted from NIST SP 800-171 Rev 3) |
| Information protected | FCI, CUI | Federal Contract Info, Specified Information (SI) |
| Levels | 3 (Foundational, Advanced, Expert) | 3 (Level 1, Level 2, Level 3) |
| Level 1 controls | 15 requirements (FAR 52.204-21) | 13 controls |
| Level 2 controls | 110 | ~97 |
| Level 3 controls | 110 + 24 enhanced | ~200 (incl. DND additions) |
| L1 assessment | Annual self-assessment | Annual self-assessment |
| L2 assessment | Third-party (C3PAO), every 3 years | Third-party (SCC-accredited CB), every 3 years |
| L3 assessment | DIBCAC (government), every 3 years | National Defence (government), every 3 years |
| Accreditation body | Cyber AB | Standards Council of Canada |
| Effective in contracts | Phase 1 began Nov 10, 2025 | Level 1 began April 1, 2026 |
| Annual affirmation | Required by senior official | Required (Levels 2 and 3) |
| POA&M tolerance | L2 allows limited POA&M, 180-day close | To be finalized for L2 with rollout |
One family tree, two branches
Both programs trace back to a single document: NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It is the technical baseline for protecting sensitive but unclassified federal data outside government systems.
The U.S. and Canada have integrated defence supply chains. When the Canadian government built CPCSC, deliberate alignment with NIST 800-171 was the point. That alignment is explicit policy, not a coincidence.
The branch point matters more than the shared root. CMMC anchors to NIST 800-171 Revision 2. CPCSC’s underlying standard, ITSP.10.171, anchors to Revision 3. Same family, different generation. We will come back to this.
CMMC 2.0
The Cybersecurity Maturity Model Certification is the U.S. Department of Defense’s mechanism for verifying that contractors and subcontractors actually implement the cybersecurity practices they have been contractually obligated to implement since 2017 under DFARS clause 252.204-7012.
The earlier model relied on self-attestation. Adversaries exploited the gap between what contractors said and what they did. CMMC closes that gap with third-party verification at most levels.
The three levels
| Level | Controls | Standard | Assessment | Cadence |
|---|---|---|---|---|
| Level 1 (Foundational) FCI only | 15 | FAR 52.204-21 basic safeguarding | Self-assessment | Annual |
| Level 2 (Advanced) CUI | 110 | NIST 800-171 Rev 2 | C3PAO third-party (some self for non-critical CUI) | Every 3 years, annual affirmation |
| Level 3 (Expert) Critical CUI / HVA | 110 + 24 | NIST 800-171 Rev 2 + selected NIST 800-172 | DIBCAC (government-led) | Every 3 years, annual affirmation |
The phased rollout
The 48 CFR final rule took effect on November 10, 2025. From that date, CMMC requirements began appearing in select DoD contracts. The rollout runs in four phases over three years.
Most contractors handling CUI need Level 2. DoD estimates 93 percent of CUI-handling organizations fall into Level 2 with C3PAO certification, roughly 5 percent qualify for Level 2 with self-assessment, and 2 percent face Level 3 with DIBCAC.
What CMMC requires beyond NIST 800-171
NIST 800-171 is a security requirements catalog. CMMC is a certification program. The catalog and the program are not the same thing. CMMC adds the verification layer, plus a few mechanics the catalog does not specify:
- Third-party assessment by C3PAOs accredited through Cyber AB at Level 2
- Government-led assessment by DIBCAC at Level 3
- Annual senior leadership attestation of continued compliance
- Mandatory flow-down to subcontractors who process, store, or transmit covered data
- Submission of assessment results in the Supplier Performance Risk System (SPRS)
- Limited POA&M tolerance at Level 2 with a 180-day close window
CPCSC
The Canadian Program for Cyber Security Certification is the Canadian equivalent, jointly run by Public Services and Procurement Canada and National Defence. It exists because Canada’s defence supply chain faces the same attack surface as the U.S. supply chain, often with the same adversaries targeting the same primes across a different border.
Budget 2023 allocated $25 million over three years to stand the program up. The Canadian Centre for Cyber Security publishes the underlying standard, ITSP.10.171, titled “Protecting Specified Information in Non-Government of Canada Systems and Organizations.” Note the terminology shift. Canada calls it “Specified Information” (SI). The U.S. calls it CUI. The categories are similar in spirit but not identical in scope.
The three levels
| Level | Controls | Assessment | Cadence |
|---|---|---|---|
| Level 1 Baseline cyber hygiene | 13 | Annual self-assessment, filed in CanadaBuys at contract award | Annual |
| Level 2 Controlled defence info | ~97 | SCC-accredited third-party certification body | Every 3 years, annual affirmation |
| Level 3 High-risk / weapons / 5-Eyes | ~200 | National Defence (Government of Canada) | Every 3 years, annual affirmation |
The phased rollout
Level 1 went live April 1, 2026, and becomes a contract-award condition in select defence procurements beginning Summer 2026. Level 2 enters select contracts in Spring 2027. Level 3 follows after the additional Level 3 controls are formally published.
The cascade effect
Around 600 prime contractors are registered with the Department of National Defence. They are the first to feel the requirement, but the obligation flows down. Primes have to verify their supply chain. That means thousands of tier-2 and tier-3 suppliers who never directly held a DND contract will be asked to prove CPCSC posture, or be replaced.
The families, side by side
The control family structures differ because the two programs pin to different revisions. CMMC’s Rev 2 baseline has 14 families. ITSP.10.171’s Rev 3 baseline has 17 families. The new families in Rev 3 are Planning, System and Services Acquisition, and Supply Chain Risk Management. These existed informally in Rev 2 as “non-federal organization” expectations. Rev 3 makes them explicit and assessable.
| Family | CMMC L2 (Rev 2) | CPCSC L2 (Rev 3 / ITSP.10.171) |
|---|---|---|
| Access Control (AC) | 22 | ~17 |
| Awareness and Training (AT) | 3 | ~3 |
| Audit and Accountability (AU) | 9 | ~9 |
| Configuration Management (CM) | 9 | ~8 |
| Identification and Authentication (IA) | 11 | ~9 |
| Incident Response (IR) | 3 | ~6 |
| Maintenance (MA) | 6 | ~6 |
| Media Protection (MP) | 9 | ~7 |
| Personnel Security (PS) | 2 | ~2 |
| Physical Protection (PE) | 6 | ~5 |
| Risk Assessment (RA) | 3 | ~7 |
| Security Assessment (CA) | 4 | ~3 |
| System and Communications Protection (SC) | 16 | ~10 |
| System and Information Integrity (SI) | 7 | ~7 |
| Planning (PL) Rev 3 new | n/a | ~2 |
| System and Services Acquisition (SA) Rev 3 new | n/a | ~2 |
| Supply Chain Risk Management (SR) Rev 3 new | n/a | ~2 |
| Total | 110 | ~97 |
Family-level counts for ITSP.10.171 are approximate because Rev 3 consolidated and reworded several Rev 2 requirements. The structural delta is what matters. CPCSC L2 explicitly assesses Planning, System and Services Acquisition, and Supply Chain Risk Management. CMMC L2 assesses outcomes that touch those areas without making them their own families.
The Level 1 subset
CPCSC Level 1 picks 13 specific controls from 6 families of ITSP.10.171. These are the foundational hygiene items every organization handling defence information should already have in place.
| CPCSC L1 Family | Controls | Focus |
|---|---|---|
| Access Control (AC) | 4 | Account management, least privilege, external system limits |
| Identification and Authentication (IA) | 3 | User identification, authenticator strength, password reuse |
| Media Protection (MP) | 1 | Sanitization of media before disposal or reuse |
| Physical Protection (PE) | 2 | Limit physical access, escort visitors, log entry |
| System and Communications Protection (SC) | 1 | Boundary protection between trusted and untrusted networks |
| System and Information Integrity (SI) | 2 | Flaw remediation, malicious code protection |
| Total | 13 | 6 families, ~71 assessment objectives |
CMMC Level 1 is the 15 basic safeguarding requirements in FAR 52.204-21 under the final rule (the older 17-practice figure comes from CMMC 1.0, which split the same FAR requirements more finely). The overlap with CPCSC Level 1 is heavy. If you can meet CMMC L1, you can meet CPCSC L1 with minor tuning, and the reverse holds.
Rev 2 vs Rev 3, and why it matters
This is the single most important detail in the comparison, and the one most organizations get wrong.
Locked to Rev 2
The CMMC final rule explicitly states that NIST SP 800-171 Revision 3 is not currently applicable. DoD issued a class deviation requiring contractors to continue using Rev 2 for DFARS 252.204-7012 compliance.
C3PAO assessors are not authorized to evaluate organizations against Rev 3. SPRS scoring runs on Rev 2. Building documentation against Rev 3 risks gaps relative to what assessors actually use.
Built on Rev 3
ITSP.10.171 is the Canadian Centre for Cyber Security’s adaptation of NIST SP 800-171 Revision 3. It uses Rev 3’s structural changes: 17 families, 97 controls, and Organization-Defined Parameters.
That means assessors evaluating CPCSC Level 2 will look for Rev 3 conventions, including ODPs that specify exact values for tunable controls. Rev 2 documentation will not map cleanly.
What changed in Rev 3
- Control count dropped from 110 to 97. Some Rev 2 requirements were merged. Others were reworded. None of the underlying security intent was removed.
- Three new families were added. Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). These existed informally in Rev 2 as “non-federal organization” expectations. Rev 3 made them explicit.
- Organization-Defined Parameters were introduced. ODPs specify exact values for tunable controls, like minimum password length, account lockout thresholds, or audit log retention. DoD has published its own ODP values. Canada will publish its own. They may not match.
- NFO controls were removed. Anything required is now stated in the controls. If it is not in the controls, it is not required. This makes the standard cleaner and easier to scope.
- Control identifiers changed. Rev 2 used “3.1.1” style identifiers. Rev 3 uses “03.01.01” with two-digit numbers. Mapping work is required.
Where they diverge
The differences are not just paperwork. Each one has operational consequences.
| Dimension | CMMC 2.0 | CPCSC |
|---|---|---|
| Underlying standard | NIST SP 800-171 Rev 2 (110 controls) | ITSP.10.171 / NIST SP 800-171 Rev 3 lineage (97 controls) |
| Data category | Federal Contract Information, Controlled Unclassified Information | Federal Contract Information, Specified Information |
| Regulatory authority | DFARS, 32 CFR Part 170, 48 CFR Parts 204/212/217/252 | PSPC procurement policy, Treasury Board frameworks |
| Accreditation body | Cyber AB | Standards Council of Canada |
| L2 assessor | C3PAO (third-party, Cyber AB accredited) | Accredited certification body (SCC accredited) |
| L3 assessor | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) | Department of National Defence |
| Submission system | SPRS (Supplier Performance Risk System) | CanadaBuys supplier profile |
| Privacy framework | U.S. privacy regs, no overarching federal statute | PIPEDA, provincial privacy law, Treasury Board policy |
| Cryptography validation | FIPS 140-2 / 140-3 (NIST CMVP) | FIPS-validated, with CCCS-approved cryptographic algorithms |
| Data residency | FedRAMP for cloud handling CUI | Canadian deployment options often preferred; sovereignty pressure on SI |
| Reciprocity | None with CPCSC. Certificates are not interchangeable. | None with CMMC. Certificates are not interchangeable. |
| Affirmation | Annual senior leadership attestation, False Claims Act exposure | Annual affirmation for Levels 2 and 3 |
| POA&M | Limited at L2, 180-day close, SPRS score ≥80% | To be finalized for L2 rollout |
Where they intersect
The overlap is large enough that a serious organization can build one cybersecurity program and harvest two certificates from it. The work is not doubled. It is roughly 1.3x to 1.4x what a single program would cost, assuming the underlying SSP is structured for both lenses.
Practical overlap
- Underlying control intent. Access control, audit logging, identification, incident response, media protection, and configuration management have nearly identical objectives in both frameworks.
- Three-tier model. Self-assessment at the base, third-party at the middle, government-led at the top. The pattern is the same.
- Phased rollout. Both governments learned from the earlier CMMC 1.0 stumble and built phased enforcement curves that give suppliers time to adapt.
- Flow-down obligations. Primes must verify supply chain compliance in both programs.
- Annual leadership affirmation. Both require a senior official to attest to continued compliance, with legal exposure for false statements.
- Cryptographic baselines. Both reference FIPS-validated cryptographic modules. Different validation programs, but the underlying intent matches.
- POA&M concept. Both programs accept that small gaps can be closed under a structured remediation plan rather than blocking certification entirely. Tolerances differ.
How to implement both
The goal is one cybersecurity program, two compliance lenses. Do not run two parallel programs. That doubles cost without doubling value. The work below assumes an organization that needs Level 2 in both jurisdictions, which is the most common cross-border scenario.
Phase 1: Scope
Inventory what you actually handle. FCI, CUI, and SI live in different places. Mark the systems that touch covered data. Mark the systems that do not. The assessment boundary is everything that touches, plus the security infrastructure that protects it. Out-of-scope systems stay out of scope only if you can prove the data does not flow into them.
Map data flows. Where does CUI enter your environment? Where does SI enter your environment? Where does it leave? The flow diagrams become evidence. They also become the foundation for the next phase.
Phase 2: Gap analysis
Run two gap assessments in parallel. One against NIST SP 800-171 Rev 2 with DoD’s ODP values. One against ITSP.10.171 (Rev 3) with CCCS-published parameters when they are released. Build a single gap register with columns for both. Most gaps will be identical. A few will not.
The new Rev 3 families that have no Rev 2 equivalent are where most organizations have the biggest gaps. Planning, System and Services Acquisition, and Supply Chain Risk Management require formal documentation that most contractors do not yet have.
Phase 3: SSP and policy
Build the System Security Plan to Rev 2 as the primary structure, because that is what your C3PAO will assess against. Maintain a Rev 3 overlay as an addendum that maps each Rev 2 control to its Rev 3 equivalent and notes any new Rev 3 requirements.
Policy documents should be modular. One identification and authentication policy covers both lenses. The differences are usually in ODP values, not in the underlying control. Document the ODP values you have chosen and why. When CMMC eventually transitions to Rev 3, your work converts cleanly.
Phase 4: Control implementation
Implement to the superset. If Rev 2 requires X and Rev 3 requires X plus Y, you implement X plus Y. You will not be penalized for exceeding Rev 2 on a CMMC assessment as long as you can also demonstrate the Rev 2 requirement. Evidence everything. Screenshots, configuration exports, log samples, signed policies, training rosters, ticket records.
Common implementations that satisfy both programs cleanly:
- Identity. Entra ID or Active Directory with conditional access, MFA on all privileged accounts, joiner-mover-leaver workflows, quarterly access reviews.
- Endpoint. EDR with active detection, full-disk encryption, USB control, automated patching with measurable SLA.
- Network. Segmented architecture with documented trust zones. Egress filtering. Logging to SIEM. No flat networks.
- Cloud. FedRAMP Moderate or High for CUI workloads. Canadian-residency options for SI when sovereignty matters.
- Logging. Centralized SIEM with retention long enough to satisfy both DoD’s Rev 3 ODP for audit log retention and CCCS guidance. Default to the longer of the two.
- Incident response. Documented plan, tested annually, with separate reporting paths for U.S. DC3 and Canadian CCCS depending on incident scope.
- Supply chain. Vendor assessment program with documented risk tiering. This is where Rev 3’s SR family lives.
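Phases 2 through 4 above reduce to a small amount of tooling: normalize the two identifier styles, merge the two gap assessments into one register keyed on the Rev 3 identifier, flag the Rev 3-only families that have no Rev 2 parent, and reconcile the two sets of ODP values to the stricter superset. The script below is an added example written for this article, not code from either program or from any assessor. The crosswalk entries, the finding statuses and the ODP values in it are constructed placeholders: they are not the official Rev 2 to Rev 3 mapping and not DoD's or CCCS's published parameters, and the real crosswalk is many-to-one because Rev 3 consolidated requirements.

```python
"""Added example: one gap register, two compliance lenses (constructed data)."""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Illustrative Rev 2 -> Rev 3 crosswalk (assumption, not the official mapping).
# Rev 3 merged requirements, so it is many-to-one; PL/SA/SR have no Rev 2 parent.
CROSSWALK = {
    "3.1.1": "03.01.01", "3.1.2": "03.01.02", "3.3.1": "03.03.01",
    "3.5.7": "03.05.07", "3.5.8": "03.05.07",   # password controls consolidated
}
REV3_ONLY_FAMILIES = {"03.15.01": "PL", "03.16.01": "SA", "03.17.01": "SR"}
REV2_ID = re.compile(r"^3\.(\d{1,2})\.(\d{1,2})$")
REV3_ID = re.compile(r"^03\.\d{2}\.\d{2}$")


def normalize_id(ident: str) -> str:
    """'3.1.1' -> crosswalk target if known, else reformatted to '03.01.01';
    Rev 3-style ids pass through unchanged."""
    if ident in CROSSWALK:
        return CROSSWALK[ident]
    m = REV2_ID.match(ident)
    if m:
        return f"03.{int(m.group(1)):02d}.{int(m.group(2)):02d}"
    if REV3_ID.match(ident):
        return ident
    raise ValueError(f"unrecognized control identifier: {ident!r}")


@dataclass
class Row:
    control: str
    title: str
    cmmc: str = "n/a"    # "met" | "gap" | "n/a"  (CMMC L2, Rev 2 lens)
    cpcsc: str = "n/a"   # "met" | "gap" | "n/a"  (CPCSC L2, Rev 3 lens)
    sources: list = field(default_factory=list)


def build_register(rev2_findings, rev3_findings):
    """Findings are (id, title, status) tuples; returns {rev3_id: Row}."""
    register = {}
    for ident, title, status in rev2_findings:
        key = normalize_id(ident)
        row = register.setdefault(key, Row(key, title))
        # If any Rev 2 requirement folded into this Rev 3 control is unmet, the
        # CMMC column shows a gap; several "met" items cannot mask one "gap".
        row.cmmc = "gap" if "gap" in (row.cmmc, status) else "met"
        row.sources.append(f"Rev2 {ident}")
    for ident, title, status in rev3_findings:
        key = normalize_id(ident)
        row = register.setdefault(key, Row(key, title))
        row.title = title                       # register is keyed on Rev 3, use its wording
        row.cpcsc = status
        row.sources.append(f"Rev3 {ident}")
        if key in REV3_ONLY_FAMILIES and row.cmmc == "n/a":
            row.sources.append(f"{REV3_ONLY_FAMILIES[key]} family, no Rev 2 parent")
    return register


def gap_summary(register):
    """Which controls need work under which lens, plus the Rev 3-only items."""
    return {
        "cmmc_gaps": sorted(k for k, r in register.items() if r.cmmc == "gap"),
        "cpcsc_gaps": sorted(k for k, r in register.items() if r.cpcsc == "gap"),
        "rev3_only": sorted(k for k, r in register.items() if r.cmmc == "n/a"),
    }


# Which direction is stricter per tunable ODP: larger for retention and password
# length, smaller for lockout threshold and inactivity timeout.
ODP_STRICTER = {
    "audit_log_retention_days": max,
    "min_password_length": max,
    "failed_logon_lockout_attempts": min,
    "session_inactivity_timeout_min": min,
}


def reconcile_odps(dod_odps, cccs_odps):
    """Implement to the superset: keep the stricter published value; an ODP that
    only one program defines is taken as-is."""
    merged = {}
    for name, stricter in ODP_STRICTER.items():
        values = [v for v in (dod_odps.get(name), cccs_odps.get(name)) if v is not None]
        if values:
            merged[name] = stricter(values)
    return merged


def poam_close_date(assessment_iso: str, window_days: int = 180) -> str:
    """Last day to close POA&M items; 180 days is the CMMC L2 window."""
    return (date.fromisoformat(assessment_iso) + timedelta(days=window_days)).isoformat()


# Constructed sample inputs (not real assessment output, not published ODPs).
REV2_FINDINGS = [
    ("3.1.1", "Limit system access to authorized users", "met"),
    ("3.3.1", "Create and retain system audit logs", "gap"),
    ("3.5.7", "Enforce minimum password complexity", "met"),
    ("3.5.8", "Prohibit password reuse", "gap"),
]
REV3_FINDINGS = [
    ("03.01.01", "Account Management", "met"),
    ("03.03.01", "Event Logging", "gap"),
    ("03.05.07", "Password Management", "met"),
    ("03.17.01", "Supply Chain Risk Management Plan", "gap"),
]
DOD_ODPS = {"audit_log_retention_days": 90, "min_password_length": 12,
            "failed_logon_lockout_attempts": 5}                       # placeholders
CCCS_ODPS = {"audit_log_retention_days": 365, "min_password_length": 8,
             "failed_logon_lockout_attempts": 3, "session_inactivity_timeout_min": 15}

if __name__ == "__main__":
    reg = build_register(REV2_FINDINGS, REV3_FINDINGS)
    for row in reg.values():
        print(f"{row.control}  CMMC={row.cmmc:4}  CPCSC={row.cpcsc:4}  {row.title}")
    print(gap_summary(reg))
    print(reconcile_odps(DOD_ODPS, CCCS_ODPS))
    print("POA&M close:", poam_close_date("2026-09-01"))
```

The register deliberately lets a single unmet Rev 2 requirement mark the consolidated Rev 3 control as a CMMC gap, which is the situation the sample shows for password management: the Rev 3 assessment is clean, but one of the Rev 2 requirements that fold into it is not, and a C3PAO will assess the Rev 2 requirement. Swap the placeholder crosswalk and ODP tables for the published ones when you build this for real.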
Phase 5: Assess and certify
The two assessments will happen separately. A C3PAO cannot certify CPCSC, and an SCC-accredited certification body cannot certify CMMC. Plan for two assessment events, two reports, two attestations. The evidence packages are mostly the same. The framing is different.
Submit results to the right systems. CMMC scores go to SPRS. CPCSC self-assessment results go to CanadaBuys. Track expiry dates in your compliance calendar. Annual affirmations are not optional.
The combined calendar
Both rollouts overlap through 2028. If you bid into both markets, your compliance calendar looks like this.
Questions that come up
Does a CMMC Level 2 certificate satisfy CPCSC Level 2?
No. There is no reciprocity between the programs. They are administered by different governments, accredited by different bodies, and assessed by different organizations. The underlying technical work overlaps significantly, but the certificates are not interchangeable. Plan for two assessments if you bid in both markets.
If CPCSC uses Rev 3 and CMMC uses Rev 2, should I build to Rev 3 to be forward-looking?
Build to Rev 2 as your primary documentation if you have a near-term C3PAO assessment. Layer Rev 3 mappings on top as an overlay. C3PAO assessors are not authorized to evaluate against Rev 3, and building only to Rev 3 risks creating gaps in what assessors actually look for. When CMMC eventually transitions to Rev 3, the overlay becomes your primary documentation.
I am a Canadian sub-contractor to a Canadian prime. Do I need CPCSC?
If you handle Specified Information on behalf of the prime, then yes. The prime cannot maintain compliance if their suppliers cannot. Expect a CPCSC posture question to appear in supplier onboarding, RFPs, and master service agreements over the next 18 months. The cascade is faster than most suppliers expect.
What is the difference between CUI and Specified Information?
Both refer to sensitive, unclassified government information that requires protection in non-government systems. The categories are similar in intent but not identical in scope or governing policy. CUI is defined in 32 CFR 2002.4(h) under U.S. law. Specified Information is defined in CPCSC and underpinned by Treasury Board policy. The information that one government classifies as Specified might or might not match what the other classifies as CUI.
Can a single cloud platform support both certifications?
In principle, yes. The cloud platform needs FIPS-validated cryptography, FedRAMP authorization for CUI workloads, and Canadian-residency options when SI sovereignty matters. The platform supports the work. The certifications still happen at the organization level, against the organization’s policies, procedures, and operational practices, not against the cloud platform itself.
What happens if I fail a C3PAO or SCC-accredited assessment?
At Level 2 in both programs, limited POA&M tolerance allows certain gaps to be closed within a defined window. CMMC’s window is 180 days. CPCSC’s is being finalized. Outside that tolerance, failure means you do not get the certificate, which means you do not get the contract. There is no shortcut. Remediate, re-engage the assessor, and try again.
Does my ISO 27001 certification count for either program?
No. Neither CMMC nor CPCSC accepts ISO 27001 as a substitute. The control sets overlap meaningfully, and an ISO 27001 program is a strong starting point. The certificate itself does not transfer.
Is the cost difference between CMMC and CPCSC significant?
Assessment costs are roughly comparable. Implementation costs depend on starting maturity. An organization that starts with mature NIST 800-171 controls will spend roughly 1.3x to 1.4x the cost of a single certification to achieve both, primarily in documentation, ODP reconciliation, and the second assessment event. An organization starting from zero will spend more, but the same SSP and evidence package serves both lenses.
What is the single biggest mistake organizations make?
Treating compliance as a documentation exercise rather than an operational discipline. Assessors in both programs are not checking whether you wrote a policy. They are checking whether the policy is implemented, evidenced, and operational. A well-written SSP with no operational evidence behind it fails. A modestly written SSP backed by daily evidence of practice passes.
The practitioner’s read
CMMC and CPCSC are not the same program. They share parentage, structure, and intent, but they are administered by different governments under different authorities with different assessors using different revisions of the same source standard. Treating them as interchangeable creates assessment risk. Treating them as completely separate doubles the cost.
The right read is this. They are two compliance lenses on one cybersecurity program. Build the program properly, anchor your documentation correctly for each lens, and the certificates fall out of the work. The organizations that struggle are the ones treating compliance as paperwork rather than as evidence of an operating practice. The organizations that succeed are the ones that already do the security work and now have to prove it in two languages.
If you are in the Canadian defence supply chain and you sell into the U.S. defence supply chain, the next 18 months will sort the suppliers who built early from the suppliers who waited. Build early.
Related guidance
- Defence and CMMC consulting, the service page covering CMMC and CPCSC readiness, SSP development, and assessor preparation engagements.
- Hardening Windows Server: Getting Started, the baseline that maps into the Rev 2 and Rev 3 control sets these programs assess against.
- Hardening Windows Server: Group Policy Baseline, GPO-driven STIG/CIS settings that satisfy the configuration management family.
- Hardening Windows Server: Audit Logging, the auditpol and Windows Event Forwarding setup that satisfies the audit and accountability family.
- Security controls for CCTV and access control networks, the parallel controls reference for physical security networks.
- Workstation Hardening Config Generator, the tool that produces a SHA-256 fingerprinted PowerShell script aligned to DISA STIG, CIS Benchmark L1, NSA/CISA, and CCCS guidance.