Government Modernization · Canada
CPCSC Summer 2026.
CMMC’s Canadian twin.
Canada’s Programme for Cyber Security Certification (CPCSC) Level 1 becomes mandatory in defence procurement summer 2026. The control structure is the Canadian analog of CMMC L2 / NIST 800-171. Five Eyes intelligence + cybersecurity reciprocity makes US-side delivery via PSPC standing offers and CanadaBuys directly sellable for a US WOSB. Our CMMC playbook translates with light framework wrapper changes, not rebuild.
CAD 175-220K (~$130-160K) for CPCSC L1 readiness · at parity with local boutique pricing · Five Eyes reciprocity, no in-country residency required for federal supplier listing
What we run for Canadian government partners
Six components. All ITSG-33 mapped.
CPCSC Level 1 Readiness
Canadian Programme for Cyber Security Certification — Level 1 mandatory in defence contracts summer 2026. CMMC L2 analog with NIST 800-171 control alignment. Our existing CMMC playbook converts with light translation.
ITSG-33 Implementation
Information Technology Security Guidance 33 — IT security risk management framework for Government of Canada. Security categorization, control selection, assessment, authorization.
Protected B Environment Setup
Protected B classification handling. Cloud architecture (Microsoft Cloud for Sovereignty Canada, AWS GovCloud Canada paths), endpoint hardening, network segregation, personnel security baseline.
PSPC Standing Offers + Supply Arrangements
Public Services and Procurement Canada standing offers. SBIPS, SBIPS-2, Cyber Protection Supply Arrangement bidding. CanadaBuys posting, CISD pre-qualifications.
Cyber Security Establishment (CSE) Coordination
Coordinated assessment and authorization for federal sponsorship. Top Secret Cyber Threat Sharing partnership readiness for primes.
PIPEDA + Provincial Privacy
PIPEDA (Personal Information Protection and Electronic Documents Act), Quebec Law 25, Alberta PIPA, BC PIPA cybersecurity-specific obligations.
Specifics
Read the detail.
Who you’ll work with
Quinnlan Varcoe
CEO and Founder · OSCP · GIAC × 10 · 17 credentials across the practice
CMMC + NIST 800-171 + ITAR-credentialed. CPCSC + ITSG-33 readiness work converts from existing US federal playbook. Five Eyes delivery, US-side billed in CAD or USD.
Every partnership begins with me. Not a sales rep, not an account executive, not a junior. The first call, the diagnostic, the strategy work — that’s mine.
Canadian defence supplier?
Schedule a callTrusted by partners across the practice
Reviews
From the senior people
who’ve worked alongside Quinn.
The named companies beside each reviewer are their employers — not Varcoe partnerships. Each quote is a professional reference from someone who’s shipped work alongside Quinn directly.
“The partnership model isn't marketing language with Quinn — it's how she actually works. Senior judgment, single accountable contact, and the rigor to integrate across IT, security, and AI under one roof.”
Aaron Birnbaum
Managing Partner
“Quinnlan brings more than expertise — she brings strategic alignment. The ability to scale operations without sacrificing depth is exactly what serious organizations need from a modernization partner.”
Caroline Lombard
Threat Specialist
“I've worked with Quinnlan on incidents most teams couldn't navigate — Log4j among them. The technical depth and the calm under fire are real, and they're rare.”
Justin Cox
Senior AWS Security Analyst
“One of the most seamless collaborations I've had in this industry. Composure under pressure, technical precision, and the kind of credibility that compounds — exactly the senior bench a modernization partnership needs.”
Soufiane Jihadi
Senior Incident Response Consultant
Original references collected on the legacy Varcoe site · LinkedIn endorsements available on request