How much does CPCSC cost?
There is no single CPCSC price. The right budget depends on the CPCSC level in the contract, the systems and people in scope, and how much security work is already done.
Quick Answer
How much does CPCSC cost?
There is no single CPCSC price. As of June 2026, Pilotcore planning ranges for a small Canadian defence supplier put Level 1 mostly in internal time and gap-closing work because it is an annual self-assessment. Level 1 planning often starts in the low five figures when outside support or remediation is needed. Level 2 readiness can move into six figures before assessor fees. These are scope-based planning ranges, not official government fees. They are not quotes.
Who this applies to
Canadian defence suppliers sizing CPCSC readiness before bidding on, accepting, or renewing work that may require CPCSC
Timeline
Start with the required CPCSC level and the scope that handles Specified Information
Investment
Scope, current controls, evidence quality, and third-party assessment path drive the number
Level
Start with the level your contract requires.
Level 1
Government of Canada guidance describes level 1: requiring an annual cyber security self-assessment
against 13 controls. There is no external assessor to pay at Level 1. Your cost is mainly the time to define scope, close gaps, collect evidence, and prepare the attestation record.
Level 2
The same program overview describes level 2: requiring external cyber security assessments led by an accredited certification body
, plus annual affirmation. PSPC's support page says Level 2 will require triannual external cyber security assessments when it becomes available. That changes the budget shape: assessment fees, readiness preparation, remediation, and annual upkeep all need room.
Planning Bands
Use broad bands until scope is known.
As of June 2026, these are Pilotcore planning ranges for a small Canadian defence supplier scoping systems, users, devices, vendors, and facilities that handle Specified Information. Practical budgets vary, but Level 1 planning often starts in the low five figures when outside support, evidence preparation, or remediation is needed. It can climb when tooling gaps, unmanaged devices, informal file sharing, or weak access controls need cleanup.
Level 2 should be treated as a larger readiness program. Level 2 can move into six-figure first-year readiness before the external assessment fee, especially when the environment was not already managed with security and compliance in mind. These are not official government fees. They are not quotes. They exclude assessor fees, legal advice, major platform replacement, and work outside the confirmed CPCSC scope.
Drivers
What moves the number?
Required level
Level 1 is an annual self-assessment against 13 controls. Level 2 is planned as 98 controls with triannual external assessment and annual affirmation.
Current maturity
Teams already running MFA, managed devices, access reviews, patching, and logging usually have fewer gaps to close.
Scope
Cost follows the systems, people, vendors, and facilities that store, process, or transmit Specified Information.
Evidence state
Clean diagrams, policies, exports, and approval records reduce the time spent proving controls.
The fastest way to keep CPCSC cost under control is honest scoping. A supplier already running MFA, managed devices, logging, patching, and access reviews is usually closing fewer gaps. A supplier starting from shared passwords, unmanaged laptops, informal file sharing, and unclear vendor access is probably looking at a project.
Do not price the whole company by default. Start with the systems, users, devices, vendors, facilities, and processes that store, process, or transmit Specified Information. If the scope expands beyond that path without a clear reason, the budget usually gets worse without making the attestation more accurate.
Estimate
Get a scoped budget view.
If you need a number for your own environment, start with a short scoping call. Bring the contract driver, the systems that touch Specified Information, your current MFA and device posture, and any existing policies or evidence. That is enough to separate a narrow Level 1 readiness effort from a broader remediation program before you bid on, accept, or renew work that may require CPCSC.
Cost FAQ
Common CPCSC cost questions
Short answers for suppliers comparing Level 1 self-assessment work with Level 2 external assessment planning.
How much does CPCSC cost?
There is no single CPCSC price. As of June 2026, Pilotcore planning ranges for a small Canadian defence supplier put Level 1 mainly in internal time, scope work, evidence preparation, and gap closure. Level 1 planning often starts in the low five figures when outside support or remediation is needed. Level 2 adds external assessment every three years by an accredited certification body plus annual affirmation, so first-year readiness can move into six figures before assessor fees. These are not official government fees. They are not quotes.
What drives CPCSC Level 1 cost?
The main drivers are scope, current control maturity, evidence quality, and the number of systems, users, facilities, and service providers that handle Specified Information.
Why does CPCSC Level 2 cost more?
Government of Canada guidance describes Level 2 as 98 controls, triannual external cyber security assessments led by an accredited certification body, plus an annual affirmation. That adds third-party assessment cost and ongoing preparation work.
Next
Where to go next.
References
Official sources.
- Government of Canada CPCSC program overview
- Government of Canada additional information for suppliers
- Government of Canada Level 1 requirements
Source note: PSPC's additional supplier guidance says Level 2 will require triannual external cyber security assessments by an accredited third party when Level 2 becomes available, and that required certification levels will be set contract by contract and communicated in RFPs and contract clauses.