CPCSC & CMMC Services

Canadian expertise for CPCSC and CMMC compliance without shutting down delivery.

I partner with Canadian and U.S. defence suppliers to design compliant cloud architecture, implement NIST 800-171 controls, and prepare teams for CPCSC or CMMC assessments while keeping engineering velocity intact, even when obligations span both countries.

Credentials

CMMC CCP (Certified CMMC Professional)

Government of Canada Level 2 Secret Clearance

Readiness focus

First-wave

Supporting early CPCSC and CMMC adopters as the assessment programs roll out, with an emphasis on architecture and evidence gaps.

Outcome

Cleaner assessments

Preparation work that shortens assessor interviews and reduces rework when you are ready to certify.

Tailored readiness for each framework

CPCSC and CMMC are distinct programs. I help OSCs tackle whichever standard they are facing today and coordinate efforts when they happen to serve both Canada and the United States.

CPCSC track

Guidance rooted in Canadian procurement requirements, from cleared personnel considerations to GC program tier expectations.

CMMC track

NIST 800-171 implementation, SSP development, and assessor prep geared toward U.S. Department of Defense supply chains.

Cross-border OSCs

When you work with both governments, I align workstreams, call out where controls legitimately overlap, and keep evidence sets organised so nothing is double counted.

Engagement playbook

These frameworks are still new, so my work is centred on readiness: closing technical gaps, rehearsing evidence reviews, and ensuring you are confident before formal audits start. Every program is bespoke, but the milestones stay consistent so executives know exactly where they are.

  1. Rapid triage

    10 business days to benchmark current state, review contracts, and identify show-stoppers.

  2. Architecture adjustments

    Update AWS org design, IAM boundaries, logging, and encryption controls to satisfy both frameworks.

  3. Evidence + SSP

    Build shared SSP, POA&M, and evidence catalogue with automation hooks to keep data fresh.

  4. Assessment coaching

    Prep engineering + leadership for assessor interviews, dry-run artifact reviews, and remediations.

What you receive

  • CPCSC + CMMC control matrix with shared evidence references.
  • Terraform or CloudFormation guardrails mapped to each requirement.
  • Executive-ready roadmap with risk scoring and budget estimates.
  • SSP, POA&M, and policies written in clear, auditor-friendly language.
  • Assessment-day coaching and on-call support.

CPCSC vs CMMC — at a glance

Side-by-side expectations so your stakeholders stay aligned.

CPCSC (Canada)

  • Three maturity levels aligned with GC program tiers.
  • Emphasis on Canadian data residency and cleared personnel.
  • Requires attested security policy stack plus cloud architecture diagrams.
  • Pilot assessors expect practical evidence (screenshots, IaC, logging exports).

CMMC (United States)

  • Focused on safeguarding FCI/CUI with NIST 800-171 at its core.
  • Requires formal SSP + POA&M with evidence aligned to each practice.
  • Third-party assessments demand defended technical demonstrations.
  • U.S. data handling constraints and subcontractor oversight are critical.

Visual reference

Program tiers at a glance

The CPCSC pyramid highlights how Canadian program levels align with increasing control rigor. I use this with OSC leadership to prioritise investments before formal assessments and to show where CMMC practices overlap.

[Figure: diagram comparing CPCSC certification levels. Caption: CPCSC levels visualised for executive briefings and assessor prep sessions.]

Need CPCSC or CMMC guidance you can trust?

I help you prioritise the toughest controls first, coordinate internal teams, and walk into CPCSC or CMMC assessments confident.
