What is the difference between CMMC and CP-CSC?

CMMC Level 2 is based on NIST SP 800-171 Revision 2 (110 controls, 320 assessment objectives) and applies to U.S. Department of Defense contractors. CP-CSC Level 2 is based on ITSP.10.171, Canada's adaptation of NIST SP 800-171 Revision 3 (97 controls, ~422 assessment objectives), and applies to Canadian Department of National Defence contractors. Both share the same NIST lineage and have 79 overlapping controls.

How much does CP-CSC overlap with CMMC?

CP-CSC and CMMC overlap significantly. CP-CSC-compliant organizations have 97.3% coverage of CMMC requirements — needing only 3 additional controls. CMMC-compliant organizations have 80.6% coverage of CP-CSC requirements — needing 19 additional controls from 3 new control families (Planning, System & Services Acquisition, and Supply Chain Risk Management).

Can CMMC certification give you CP-CSC certification?

CMMC compliance provides a strong foundation for CP-CSC but does not automatically confer CP-CSC certification. Canada's February 2024 filing supports reciprocity goals, but as of 2026 the frameworks assess against different NIST revisions (Rev 2 vs Rev 3). CMMC-compliant organizations need to address 19 additional CP-CSC controls and may need to reframe evidence narratives to meet Rev 3's 422 assessment objectives.

What is the Dedicated Administration Workstation (DAW) requirement?

The Dedicated Administration Workstation (DAW) requirement is CP-CSC control 03.14.09, which maps to Canadian-specific NIST controls in the SI-400 series with no CMMC equivalent. It requires a physically isolated, internet-disconnected workstation for all administrative or superuser actions. This is always a net-new requirement for CMMC-compliant organizations moving to CP-CSC.

What are Organization-Defined Parameters (ODPs) in CP-CSC?

Organization-Defined Parameters (ODPs) are 88 variables in CP-CSC control text (based on NIST 800-171 Rev 3) that organizations must specify with concrete values — such as exact frequencies, time periods, and roles. For example, where CMMC says "periodically update system security plans," CP-CSC requires an ODP specifying the exact frequency (e.g., "annually"). CMMC organizations transitioning to CP-CSC must define ODP values for all 88 parameters.

What is the evidence cross-mapping tier system?

Kopit Compliance uses a 3-tier evidence transfer system when cross-mapping between CMMC and CP-CSC. Tier 1 (23% of controls, ~18 controls): Direct reuse — evidence copies over with only a control ID remap. Tier 2 (60% of controls, ~61 controls): Narrative reframing — the evidence artifact is valid but needs re-annotation to address the target framework's specific determination statements. Tier 3 (17% of controls, ~22 controls): Net-new evidence — no equivalent control exists, requiring fresh evidence collection.

Framework Intelligence

CMMC vs CP-CSC:
Two Frameworks, One Compliance Journey

Both frameworks are required for cross-border defence contracts. Our platform cross-maps controls, reframes evidence, and packages your compliance work for both — so you don’t start from scratch.

Start Your Assessment Talk to an Expert

110

CMMC Level 2 controls

CP-CSC Level 2 controls

97.3%

CP-CSC → CMMC coverage

80.6%

CMMC → CP-CSC coverage

Coverage Overview

How Much Does Each Framework Cover?

Starting with one certification gives you a significant head-start on the other. CP-CSC companies need just 3 more controls for CMMC. CMMC companies need 19 more for CP-CSC — but 80.6% is already done.

CP-CSC → CMMC Coverage

97.3%

107 of 110 CMMC controls are covered by CP-CSC compliance. Only 3 additional controls needed.

CMMC → CP-CSC Coverage

80.6%

79 of 98 CP-CSC controls are covered by CMMC compliance. 19 additional controls required.

Framework Overlap

Shared Controls — One Set of Evidence

Both frameworks share 79 controls that can be satisfied with a single set of evidence. Kopit automatically maps this shared evidence, so you never duplicate work.

CMMC Level 2110 controls total · 3 unique

Shared Controls79 overlapping requirements

CP-CSC Level 298 controls total · 19 unique

By Control Family

Coverage Breakdown by Family

Full Overlap6 families

AC
Access Control16 shared controls
AT
Awareness & Training2 shared controls
MP
Media Protection7 shared controls
PS
Personnel Security2 shared controls
PE
Physical Protection5 shared controls
CA
Security Assessment4 shared controls

Partial Overlap8 families

AU
Audit & Accountability1 CP-CSC-only control
CM
Configuration Mgmt2 CMMC-only, 4 CP-CSC-only
IA
Identification & Auth1 CP-CSC-only control
IR
Incident Response1 CP-CSC-only control
MA
Maintenance1 CMMC-only control
RA
Risk Assessment1 CP-CSC-only control
SC
Sys & Comm Protection1 CP-CSC-only control
SI
System & Info Integrity1 CP-CSC-only control

CP-CSC Only3 families

PL
Planning3 controls — governance & policy
SA
System & Services Acq3 controls — engineering & vendors
SR
Supply Chain Risk Mgmt3 controls — supply chain

These 3 families have no CMMC equivalent and represent the largest evidence gap for CMMC-compliant organizations moving to CP-CSC.

See How Your Controls Map Across Both Frameworks

Our free assessment identifies your exact overlap and gaps in minutes.

Start Free Assessment Talk to an Expert

Structural Differences

Where CMMC and CP-CSC Diverge

Despite sharing a common NIST lineage, the two frameworks differ in standard version, assessment granularity, terminology, and certification bodies.

CMMC Level 2

CP-CSC Level 2

StandardNIST SP 800-171 Revision 2 — 110 controls, 320 assessment objectives

StandardITSP.10.171 / NIST SP 800-171 Revision 3 — 97 controls, ~422 assessment objectives

Assessment Granularity320 determination statements — each scored MET or NOT MET by C3PAO

Assessment Granularity~422 determination statements — 32% more granular despite fewer controls

Assessment BodyCyber-AB accredited C3PAO (Third Party Assessment Organization)

Assessment BodyStandards Council of Canada accredited assessors (methodology still being finalized)

Information TypeControlled Unclassified Information (CUI)

Information TypeControlled Information (CI) — Protected A/B/C & Specified Information

Org-Defined ParametersUses vague language ("periodically") — no ODPs required

Org-Defined Parameters88 Organization-Defined Parameters (ODPs) — specific values required

Certification TimelinePhased rollout — Level 2 mandatory assessments underway in 2025

Certification TimelinePhased rollout — Level 2 third-party audits begin Spring 2026

MarketU.S. Department of Defense (DoD) contractors

MarketCanadian Department of National Defence (DND) contractors

Gap Analysis

Exactly What You Still Need

Based on your existing certification, here are the precise controls you need to add for the other framework. Expand each category for control-level detail.

If you are CMMC Level 2 compliant, you have 80.6% coverage of CP-CSC. The following 19 controls have no direct CMMC equivalent and require new evidence.

PLGovernance & Planning (PL)

3 controls

03.15.01

Policy and ProceduresDevelop, document, and disseminate policies and procedures needed to satisfy all control families.NIST 800-53: AC-01, AU-01, CA-01, CM-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PS-01, RA-01, SA-01, SC-01, SI-01, SR-01

03.15.02

System Security PlanDevelop a system security and privacy plan that defines system components, identifies scope boundaries, and documents security controls.NIST 800-53: PL-02

03.15.03

Rules of BehaviourEstablish rules describing responsibilities and expected behaviour for system usage and protecting Controlled Information (CI).NIST 800-53: PL-04

SRSupply Chain Risk Management (SR)

3 controls

03.17.01

Supply Chain Risk Management PlanDevelop a plan for managing supply chain risks associated with the development, design, manufacturing, acquisition, and delivery of systems and services.NIST 800-53: SR-02

03.17.02

Acquisition Strategies, Tools, and MethodsDevelop and implement acquisition strategies, contract tools, and procurement methods to protect against supply chain risks.NIST 800-53: SR-05

03.17.03

Supply Chain Requirements and ProcessesEstablish a process for identifying and addressing weaknesses or deficiencies in supply chain elements and processes.NIST 800-53: SR-03

SASystem & Services Acquisition (SA)

3 controls

03.16.01

Security Engineering PrinciplesApply systems security engineering principles to the development or modification of the system and system components.NIST 800-53: SA-08

03.16.02

Unsupported System ComponentsReplace system components when support is no longer available from the developer, vendor, or manufacturer.NIST 800-53: SA-22

03.16.03

External System ServicesRequire providers of external system services used for processing, storing, or transmitting CI to comply with security requirements.NIST 800-53: SA-09

CMConfiguration Management (CM)

4 controls

03.04.03

Configuration Change ControlDefine configuration-controlled changes, review proposed changes before implementation, and document approved changes with security impact analysis.NIST 800-53: CM-03

03.04.04

Impact AnalysesAnalyze security and privacy impacts of changes prior to implementation. Verify security functions after changes.NIST 800-53: CM-04, CM-04(02)

03.04.05

Access Restrictions for ChangeDefine, document, approve, and enforce physical and logical access restrictions associated with changes to the system.NIST 800-53: CM-05

03.04.11

Information LocationIdentify and document the location of CI and the system components on which the information is processed and stored.NIST 800-53: CM-12

OtherOther Families

6 controls

03.03.04

Response to Audit Logging Process FailuresAlert organizational personnel within organization-defined time period in the event of an audit logging process failure.NIST 800-53: AU-05

03.05.02

Device Identification and AuthenticationUniquely identify and authenticate organization-defined devices or types of devices before establishing connections to the system.NIST 800-53: IA-03

03.06.05

Incident Response PlanDevelop an incident response plan that provides a roadmap for implementing its incident response capability.NIST 800-53: IR-08

03.11.04

Risk ResponseRespond to findings from security assessments, monitoring, and audits.NIST 800-53: RA-07

03.13.10

Cryptographic Key Establishment and ManagementEstablish and manage cryptographic keys in accordance with organization-defined key management requirements.NIST 800-53: SC-12

03.14.09

Dedicated Administration WorkstationUniquely CanadianRequire any administrative or superuser actions to be performed from a physical workstation dedicated solely to that purpose.NIST 800-53: SI-400, SI-400(02), SI-400(05)

Know Your Gaps — Now Close Them

Kopit auto-generates a personalized remediation plan based on your current compliance posture.

Get Your Gap Report Book a Walkthrough

Evidence Intelligence

How Your Evidence Transfers

Evidence doesn’t transfer 1:1 between frameworks. Kopit classifies every control pair into one of three tiers and handles each automatically.

Tier 1: Direct Reuse23% · 18 controls

Tier 2: Narrative Reframing60% · 61 controls

Tier 3: Net-New Evidence17% · 22 controls

Tier 1

23%

Direct Reuse

Same NIST 800-53 source, no structural change. Assessment objectives map 1:1.

Copy artifact · Remap ID only

Tier 2

60%

Narrative Reframing

Same underlying requirement, Rev 3 adds specificity or splits objectives. Artifact valid, needs re-annotation.

Keep artifact · Generate new narrative · Handle ODPs

Tier 3

17%

Net-New Evidence

No equivalent control in the other framework. Existing evidence does not apply.

Flag gap · Guided collection workflow

Why Evidence Needs Work

The Types of Complexity Involved

For the 60% of controls that can’t be directly reused, several structural differences between the frameworks mean evidence needs to be reviewed and adapted rather than simply copied.

Scope Change

Controls Merge or Split

Rev 3 consolidated some Rev 2 controls while expanding others. Evidence that addressed one CMMC control may now need to cover a broader CP-CSC control — or be divided across several narrower ones.

Granularity Gap

More Assessment Objectives

CP-CSC has ~422 assessment objectives vs. CMMC's 320. Even where controls overlap, the Rev 3 versions often break a single requirement into multiple specific, testable sub-objectives that each need supporting evidence.

Specificity

Organization-Defined Parameters

CP-CSC introduces 88 parameters where organizations must define specific values — exact timeframes, roles, frequencies. CMMC used general language ("periodically"). Moving to CP-CSC means pinning down those specifics.

Framing

Different Assessor Audiences

The two frameworks use different language, reference documents, and information type definitions. Evidence written for a C3PAO may need its framing adjusted to speak to what a Standards Council of Canada assessor expects to see.

Key Takeaways

What Defence Contractors Should Know

CP-CSC is broader than CMMC

CP-CSC adds 3 control families absent from CMMC: Planning (PL), System & Services Acquisition (SA), and Supply Chain Risk Management (SR) — totalling 9 additional controls.

The DAW requirement is uniquely Canadian

CP-CSC 03.14.09 requires a physically isolated, internet-disconnected workstation for all admin actions. There is no CMMC equivalent — this is always net-new for CMMC companies.

CMMC companies are most of the way there

With 80.6% coverage, CMMC-compliant organizations have a strong foundation. The 19-control delta is manageable and concentrated in governance, supply chain, and a few technical controls.

CP-CSC companies are almost CMMC-ready

At 97.3% coverage, CP-CSC compliance nearly satisfies CMMC Level 2. Only 3 controls (application execution policy, user-installed software, and system maintenance) need attention.

Reciprocity is a goal, not yet a guarantee

Canada's February 2024 filing supports CP-CSC → CMMC reciprocity, but as of 2026 both frameworks assess against different NIST revisions. Kopit shows exact coverage percentages and gaps.

Cross-certification accelerates market access

Kopit automatically cross-maps overlapping controls, eliminating duplicate evidence for 79+ shared requirements. Focus effort only on the delta — days instead of weeks to cross-certify.

Ready to Start Your Dual Compliance Journey?

Take the free assessment to see exactly where you stand across both CMMC and CP-CSC.

Start Free Assessment Talk to an Expert

Your Compliance Journey

Two Paths to Dual Certification

Whether you’re starting fresh or have existing compliance work, Kopit meets you where you are.

Recommended

Start Both Together

Begin your compliance journey targeting both frameworks simultaneously. The most efficient path — weeks instead of months to cross-certification.

Begin targeting both frameworks from day one
Platform cross-maps controls automatically
Single implementation serves both frameworks
Shared evidence collection for 79+ overlapping controls
Focus only on framework-specific gaps (3–19 controls)
Generate assessment-ready packages for both

Import Existing Compliance

Already CMMC or CP-CSC compliant? Import your existing data and Kopit maps it to the other framework automatically.

Import your existing compliance data into Kopit
Platform auto cross-maps to the target framework
Receive a precise gap report (19 or 3 controls)
Reframe existing evidence narratives automatically
Collect net-new evidence for framework-only controls
Generate complete assessment-ready package

Package Your Compliance Journey
for Both Frameworks

Stop treating CMMC and CP-CSC as separate projects. Kopit cross-maps your evidence, reframes narratives, and identifies gaps automatically — so you achieve dual compliance in a fraction of the time.

Start Free Assessment

CMMC vs CP-CSC:Two Frameworks, One Compliance Journey

How Much Does Each Framework Cover?

Shared Controls — One Set of Evidence

Coverage Breakdown by Family

See How Your Controls Map Across Both Frameworks

Where CMMC and CP-CSC Diverge

Exactly What You Still Need

Know Your Gaps — Now Close Them

How Your Evidence Transfers

The Types of Complexity Involved

What Defence Contractors Should Know

CP-CSC is broader than CMMC

The DAW requirement is uniquely Canadian

CMMC companies are most of the way there

CP-CSC companies are almost CMMC-ready

Reciprocity is a goal, not yet a guarantee

Cross-certification accelerates market access

Ready to Start Your Dual Compliance Journey?

Two Paths to Dual Certification

Package Your Compliance Journeyfor Both Frameworks

CMMC vs CP-CSC:
Two Frameworks, One Compliance Journey

Package Your Compliance Journey
for Both Frameworks