Canada's CPCSC and Bill C-8 are coming. Here's what you need to do.

Chris Carty, Enterprise Solutions Engineer

The Canadian Program for Cyber Security Certification (CPCSC) is no longer a future consideration as Level 1 became available to suppliers on April 1, 2026, and mandatory requirements are being phased into select defence contracts starting this summer. The legislation underpinning it, Bill C-8, has passed second reading and committee review and is moving toward royal assent. The program is running whether or not the bill has cleared its final parliamentary step.

If your organization does business with the Government of Canada's Department of National Defence or operates in the defence industrial base, this is the moment to act. And if you've already navigated frameworks like the Federal Risk and Authorization Management Program (FedRAMP) or the Cybersecurity Maturity Model Certification (CMMC), the path is familiar.

This post breaks down CPCSC, what each level requires, what Level 1 actually demands of your team, and where Chainguard fits.

What Bill C-8 establishes, and where it stands

Bill C-8 creates Canada's first mandatory cybersecurity certification regime for organizations in the defence industrial base and critical infrastructure sectors. It provides the federal legislative foundation for the CPCSC, moving it from a voluntary framework to a legally grounded requirement for organizations seeking contracts with DND and designated federal entities.

As of May 2026, Bill C-8 has completed second reading and committee review. The Government of Canada publicly launched the CPCSC on March 12, 2025, with Budget 2023 allocating $25 million over three years to establish it. The program is running on schedule regardless of where the bill sits in its parliamentary process.

The practical implication: cybersecurity posture is already a procurement criterion in select contracts, and that scope is expanding. Organizations that can't demonstrate certification will be ineligible for a growing set of government contracts.

The three CPCSC levels: What each requires

The CPCSC is modeled closely on the CMMC framework and uses the same technical backbone: NIST Special Publications 800-171 and 800-172. The controls are technically parallel to those frameworks, and Canada may accept valid CMMC certification status on a case-by-case basis. This is a meaningful detail for organizations that have already invested in CMMC.

Level 1 covers 13 security requirements focused on basic cyber hygiene. Certification at this level is a self-assessment, completed annually using the Government of Canada's online assessment tool — no third-party auditor required. Mandatory requirements are being introduced in select defence contracts beginning summer 2026, with a phased rollout designed to give suppliers time to prepare. Requirements apply contract by contract, not against a single universal deadline.

Level 2 applies to contracts involving controlled defence information or complex cyber-sensitive work. It requires an external assessment every three years, conducted by a certification body accredited by the Standards Council of Canada. Mandatory Level 2 requirements begin appearing in select defence contracts from spring 2027.

Level 3 is reserved for the highest-risk scenarios: weapons systems, critical infrastructure access, and sensitive Five Eyes information. Assessments at this level are conducted every three years directly by the Department of National Defence, not a third party.

For most suppliers entering the program today, Level 1 is the immediate target.

What Level 1 actually requires

Level 1's 13 controls focus on basic safeguarding practices. This maps closely to the 17 practices in FAR Clause 52.204-21 that anchor CMMC Level 1, with Canadian context-specific details drawn from ITSP.10.171. The control families that matter most are access control, identification and authentication, configuration management, risk assessment, system and information integrity, and system and communications protection.

Access control requires you to limit system access to authorized users and processes, enforce least privilege, control which users and services can reach which systems, and revoke access when no longer needed. Identification and authentication require all users and systems to be uniquely identified and authenticated before access is granted, with multi-factor authentication as the baseline for remote access.

Configuration management is where container image hygiene becomes directly relevant. You need to establish and maintain baseline configurations for systems and components, and to track and control changes to those baselines. Running containers with known-good, minimal configurations is direct evidence of this control in practice. Risk assessment requires a documented, repeatable vulnerability management process; it isn't enough to scan once and move on.

System and information integrity requires you to protect systems from malicious code and perform periodic scans, and to demonstrate you're actively managing Common Vulnerabilities and Exposures (CVEs), not just scanning after the fact, but remediating at pace. System and communications protection requires monitoring, controlling, and protecting communications at system boundaries.

The practical work of Level 1 is less about new tooling and more about demonstrating consistent, documented practices across these domains. These are practices that hold up across your software supply chain, not just your network perimeter.

Where supply chain risk fits in

Even at Level 1, the software you run is in scope. Containers carrying CVEs weaken your configuration management and system integrity controls. If you can't produce provenance for your software components, you can't demonstrate supply chain integrity to an assessor.

The source of your open source artifacts matters directly to your compliance posture, not as a theoretical future risk, but as a control you need to demonstrate now.

How Chainguard helps

Chainguard's approach is to harden artifacts before they reach your environment. Rather than scanning containers for CVEs after the fact, Chainguard Containers are built from source in the Chainguard Factory, with minimal packages by construction. Chainguard delivers zero CVEs by design, not zero CVEs by patching.

For CPCSC Level 1, this maps cleanly to the configuration management and system and information integrity control families.

On configuration management: every Chainguard container image is minimal by construction. Only the packages required to run the application are included. Unnecessary packages are the most common source of CVE exposure in container environments, and a smaller package footprint means a tighter, better-documented configuration baseline with far less drift to manage.

On system and information integrity: Chainguard Containers are rebuilt daily from source as upstream open source projects change, with CVEs remediated within hours rather than days. For organizations that need to demonstrate active, continuous vulnerability management (exactly what assessors look for), this is the operational foundation. Every image includes a Software Bill of Materials (SBOM) and Sigstore signature, giving you verifiable provenance for every artifact in your environment.

On Federal Information Processing Standards (FIPS) validation: for organizations operating in classified or sensitive contexts, where Level 2 and above requirements come into play, or where encryption standards must be certified, Chainguard's FIPS container images use FIPS-validated cryptographic modules. With 600+ FIPS container images in our catalog, Chainguard provides validated cryptographic foundations that no other vendor comes close to matching. The FIPS Cryptographic Module Validation Program is a joint effort between U.S. and Canadian government agencies, and it’s important that Canadian organizations adhere to FIPS in their environments.

The provenance story matters specifically for Canadian compliance. ITSP.10.171 and the CPCSC framework share the same underlying concern as NIST SP 800-171: can you demonstrate the integrity of your software supply chain? Chainguard's Supply-chain Levels for Software Artifacts (SLSA) Level 3 provenance, Sigstore signatures, and SBOMs provide exactly that: documented, machine-verifiable evidence of where your software came from and that it hasn't been tampered with.

Chainguard has provided us with exactly what we need to move fast and achieve important compliance goals.
Louis Gisarov, DevOps Team, Rogers

What to do now

The work of CPCSC Level 1 isn't complicated, but it does require an honest inventory.

Map your container inventory first. Which images are you running in production? Where do they come from? Can you produce provenance for each one? Then assess your CVE posture: how many CVEs do your current base images carry, how quickly can your team remediate them, and what's your mean time to remediation?

From there, document your configuration baselines — do you have documented, enforced baseline configurations for your container hosts and images, and are deviations tracked? Finally, review access controls for your registry and image pull: who can pull images into your environment, and are those controls documented?

Organizations that have already gone through FedRAMP or CMMC will find the control mapping close enough that much of their existing documentation applies directly. The Canadian-specific elements, ITSP.10.171 framing and the CPCSC assessment process, sit on top of the same NIST foundation. And if your organization holds a valid CMMC certification, it may count toward CPCSC compliance on a case-by-case basis. You can confirm this with your contracting authority.
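One concrete way to "document your configuration baselines and track deviations" for container images is to treat the SBOM each image ships with as the baseline and diff it against the SBOM of whatever is running today. The example below is added here and is not Chainguard's code; the two SPDX documents are constructed inline to stand in for a baseline SBOM captured at approval time and a current one pulled from the running image.

```python
import json

# Constructed minimal SPDX 2.3 documents (not real Chainguard SBOMs). The first is the
# approved baseline for an image, the second is what the running image reports now.
BASELINE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-app-baseline",
    "packages": [
        {"name": "example-app", "versionInfo": "1.0.0"},
        {"name": "openssl", "versionInfo": "3.3.1-r1"},
        {"name": "ca-certificates", "versionInfo": "20240705-r0"},
        {"name": "busybox", "versionInfo": "1.36.1-r30"},
    ],
})
CURRENT_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-app-current",
    "packages": [
        {"name": "example-app", "versionInfo": "1.0.0"},
        {"name": "openssl", "versionInfo": "3.3.2-r0"},
        {"name": "ca-certificates", "versionInfo": "20240705-r0"},
        {"name": "curl", "versionInfo": "8.9.1-r0"},
    ],
})


def packages_from_spdx(sbom_json: str) -> dict[str, str]:
    """Map package name -> version from the 'packages' array of an SPDX JSON document."""
    doc = json.loads(sbom_json)
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


def sbom_drift(baseline_json: str, current_json: str) -> dict:
    """Compare a running image's SBOM against the approved baseline SBOM.

    'changed' captures version bumps (expected when images are rebuilt to fix CVEs);
    'added' and 'removed' are packages that entered or left the baseline and need review.
    """
    base = packages_from_spdx(baseline_json)
    cur = packages_from_spdx(current_json)
    added = sorted(n for n in cur if n not in base)
    removed = sorted(n for n in base if n not in cur)
    changed = {n: (base[n], cur[n]) for n in sorted(base) if n in cur and base[n] != cur[n]}
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    print(json.dumps(sbom_drift(BASELINE_SBOM, CURRENT_SBOM), indent=2))
```

Running this on the constructed documents reports the openssl version bump as a change and flags curl (added) and busybox (removed) as deviations from the approved baseline; recording each run's output gives you the tracked-deviation evidence the configuration management family asks for.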

The bottom line

The CPCSC is active, Level 1 is available, and mandatory requirements in defence contracts start this summer. Bill C-8 is on its way to becoming law. The program is already rolling out, and legislation is imminent. There's no practical reason to wait.

The CPCSC assessor won't ask whether you intended to manage your CVEs. They'll ask whether you did.

Want to understand how Chainguard can help your organization meet CPCSC requirements? Get in touch with our team.
