Canadian CMMC? Canada Proposes Cyber Compliance Regime for Canadian Defense Suppliers

Client Alert | 2 min read | 03.31.25

On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.

CPCSC’s structure appears closely aligned with the U.S. Department of Defense (DoD) Cyber Maturity Model Certification (CMMC) program. Like CMMC, CPCSC is broken out into 3 compliance levels, will verify compliance via self, third-party, and government-conducted assessments, and will be included in Canadian government defense solicitations and other procurement opportunities.

However, CPCSC and CMMC have one key difference: as currently structured, they will evaluate contractors against fundamentally different security standards. CMMC assessments are primarily based on security controls from the U.S. National Institute of Standards and Technology Special Publication (NIST SP) 800-171, Revision 2. CPCSC, in contrast, will evaluate Canadian defense contractors against Canadian industrial security standard (ITSP 10.171), a Canadian government standard that mirrors NIST SP 800-171, Revision 3.

While this distinction may appear minor, there are significant differences between the security controls found in Revision 2 and Revision 3 of NIST SP 800-171. DoD has stated that CMMC will eventually adopt Revision 3, but to date all CMMC rulemaking and guidance materials have been tailored to Revision 2. Accordingly, reciprocity or mutual recognition for CMMC and CPCSC assessment and certifications does not appear feasible, at least for now. Simultaneously, however, DoD has begun socializing the possibility of contractors’ voluntary adoption of Revision 3, an approach that now merits more consideration for contractors supporting both countries’ defense supply chains.

Given the historically close ties between the U.S. and Canadian defense sectors, contractors on both sides of the border should watch closely for further updates from Canada on its phased rollout of CPCSC, updates from DoD regarding CMMC’s adoption of NIST SP 800-171, Revision 3, and any discussions of mutual recognition between the respective programs.

Contacts

Kate M. Growley
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=
Caitlyn Weeks
Crowell Global Advisors Associate Consultant
- Washington, D.C. (CGA)
  - D | +1.202.654.2762
Y3dlZWtzQGNjcm93ZWxsZ2xvYmFsYWR2aXNvcnMuY29t
Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Nkechi Kanu
Partner
- Washington, D.C.
  - D | +1 202.624.2872
bmthbnVAY3Jvd2VsbC5jb20=
Jessica R. Chao
Associate
She/Her/Hers
- Denver
  - D | +1.303.524.8637
amNoYW9AY3Jvd2VsbC5jb20=
Jacob Harrison
Associate
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2533
amhhcnJpc29uQGNyb3dlbGwuY29t

Insights

Client Alert | 5 min read | 12.12.25

Eleventh Circuit Hears Argument on False Claims Act Qui Tam Constitutionality

On the morning of December 12, 2025, the Eleventh Circuit heard argument in United States ex rel. Zafirov v. Florida Medical Associates, LLC, et al., No. 24-13581 (11th Cir. 2025). This case concerns the constitutionality of the False Claims Act (FCA) qui tam provisions and a groundbreaking September 2024 opinion in which the United States District Court for the Middle District of Florida held that the FCA’s qui tam provisions were unconstitutional under Article II. See United States ex rel. Zafirov v. Fla. Med. Assocs., LLC, 751 F. Supp. 3d 1293 (M.D. Fla. 2024). That decision, penned by District Judge Kathryn Kimball Mizelle, was the first success story for a legal theory that has been gaining steam ever since Justices Thomas, Barrett, and Kavanaugh indicated they would be willing to consider arguments about the constitutionality of the qui tam provisions in U.S. ex rel. Polansky v. Exec. Health Res., 599 U.S. 419 (2023). In her opinion, Judge Mizelle held (1) qui tam relators are officers of the U.S. who must be appointed under the Appointments Clause; and (2) historical practice treating qui tam and similar relators as less than “officers” for constitutional purposes was not enough to save the qui tam provisions from the fundamental Article II infirmity the court identified. That ruling was appealed and, after full briefing, including by the government and a bevy of amici, the litigants stepped up to the plate this morning for oral argument....

Client Alert | 8 min read | 12.11.25
Director Squires Revamps the Workings of the U.S. Patent Office
Client Alert | 8 min read | 12.10.25
Creativity You Can Use: CJEU Clarifies Copyright for Applied Art
Client Alert | 4 min read | 12.10.25
Federal Court Strikes Down Interior Order Suspending Wind Energy Development

View All Insights