CPCSC Level 1 Readiness: What Canadian Defence Suppliers Need to Do Before Attesting
A practical readiness guide for CPCSC Level 1: define scope, map Specified Information flows, walk the 13 controls, set organization-defined parameters, and retain proof.
Before you attest, make sure your scope and evidence match what you are claiming. That sentence is the entire job of CPCSC Level 1 readiness, and it is where most small Canadian defence suppliers are about to slip.
For related context, see CPCSC Compliance.
This is the operational companion to the CPCSC overview. The overview tells you what CPCSC is and why Level 1 matters now. This page tells you how to actually get ready: define your scope, trace your Specified Information flows, walk the 13 ITSP.10.171 controls, set organization-defined parameters, retain the right evidence, and prepare the proof PSPC asks suppliers to keep.
What Level 1 is and when it applies
CPCSC Level 1 is an annual self-assessment against 13 security requirements drawn from ITSP.10.171, the Canadian Centre for Cyber Security publication aligned to NIST SP 800-171.
CPCSC Level 1 became available to suppliers on April 1, 2026. PSPC says Level 1 to 3 requirements may be identified in select defence contracts as early as summer 2026, but it will “require compliance at a later date”; when a defence contract does require Level 1, PSPC’s Level 1 guidance says the self-assessment is required at “contract award, and not during the bidding process.”
Two properties shape readiness:
- Contract timing is transitional. Treat the contract clause as the trigger, and do not assume every summer 2026 opportunity enforces the same date.
- The self-assessment is annual. The online results page includes an expiry date, so the renewal date needs an owner and a calendar reminder.
That means the right time to be ready is before the contract you actually want to win names the clause. The urgency comes from gap closure time, not from guessing the enforcement date.
How to define scope
Scope is the single most important decision in a Level 1 program, because everything else (controls, evidence, attestation) is true only inside scope. The scope question is straightforward in principle: which systems store, process, or transmit Specified Information (SI)? PSPC’s Level 1 cyber certification scoping guide is the official reference for deciding which assets, systems, people, facilities, and external service providers belong in the assessment boundary.
A defensible Level 1 scope statement names, at minimum:
- The categories of SI you handle (non-public contract details, controlled goods information, protected information).
- The user populations who touch SI (employees, contractors, named third parties).
- The endpoints those users use to touch SI.
- The internal systems (file servers, ERP, CAD, project management) where SI is stored or processed.
- The cloud tenancies and SaaS services in the SI path.
- The network boundaries that separate SI-handling systems from the rest of your environment.
Suppliers who undersize scope (“only this one folder is in scope”) usually fail a verification later, because SI tends to flow into email, shared drives, and personal devices. Suppliers who oversize scope (“everything is in scope”) usually fail to maintain evidence, because the control burden is too high. The right scope is the smallest one that honestly contains the SI flow.
How to map SI flows
A flow map answers a different question than the scope statement. Scope says where SI lives. Flow says how SI moves. You need both.
A minimum-viable SI flow map captures, for each SI category:
- The entry point (how SI enters your environment: emailed PDF, CanadaBuys download, prime contractor portal, EDI feed)
- The internal handoffs (who opens it, where they save it, who else opens it)
- The transformation steps (extracted into a CAD model, summarised into a quote, attached to an internal project file)
- The egress points (sent to a sub, archived to backup, deleted)
- The retention boundary (when SI must be sanitised or destroyed)
Two things almost always surface in the flow map that were not in the original scope draft: personal email forwards and chat-tool drops. Both are common and both are in scope. Address them before you attest, not after.
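One way to make the flow map actually test the scope statement, as an added example (this is not PSPC or Pilotcore code, and every asset name, flow and classification in it is constructed): record each hop as a flow, classify every asset by who controls it, then reconcile the two. Internal assets that carry SI but are missing from the draft scope are the undersized-scope case; scoped assets that no flow touches are the oversized-scope case (or a flow nobody wrote down); a destination outside your administration, such as a personal mailbox, cannot be scoped in and has to be stopped.

```python
# Added example (not PSPC or Pilotcore code): checking a draft scope statement
# against the SI flow map. All asset names and flows below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    category: str   # SI category, e.g. "non-public contract details"
    src: str        # asset the SI leaves
    dst: str        # asset the SI arrives at
    step: str       # entry, handoff, transformation, egress or retention


# Asset registry (constructed): who controls each asset that appears in a flow.
#   internal      - yours to administer, so it can be brought into scope
#   external      - a counterparty system (an entry/egress point that belongs in
#                   the external-connection register, not in your scope)
#   uncontrolled  - outside your administration and not a counterparty, so
#                   the flow itself has to stop before you attest
ASSETS = {
    "prime-portal": "external",
    "corp-mailbox": "internal",
    "file-server": "internal",
    "cad-workstation": "internal",
    "m365-tenant": "internal",
    "team-chat": "internal",
    "backup-vault": "internal",
    "personal-gmail": "uncontrolled",
}

# Draft scope statement (constructed): what the first scope draft claimed.
DRAFT_SCOPE = {"corp-mailbox", "file-server", "cad-workstation", "m365-tenant"}

# Flow map for one SI category (constructed), including the two items that
# usually surface only at this stage: a personal-mail forward and a chat drop.
FLOWS = [
    Flow("contract details", "prime-portal", "corp-mailbox", "entry"),
    Flow("contract details", "corp-mailbox", "file-server", "handoff"),
    Flow("contract details", "file-server", "cad-workstation", "transformation"),
    Flow("contract details", "corp-mailbox", "personal-gmail", "handoff"),
    Flow("contract details", "file-server", "team-chat", "handoff"),
    Flow("contract details", "file-server", "backup-vault", "egress"),
]


def reconcile_scope(flows, scope, assets):
    """Compare the flow map with the scope statement and return four lists:
    internal assets that carry SI but are missing from scope (undersized scope),
    scoped assets that no flow touches (oversized scope, or a missing flow),
    uncontrolled destinations whose flows must be stopped, and external
    counterparties that belong in the external-connection register."""
    add_to_scope, stop_flow, external, touched = set(), set(), set(), set()
    for f in flows:
        for asset in (f.src, f.dst):
            touched.add(asset)
            kind = assets.get(asset)
            if kind is None:
                raise ValueError(f"{asset} appears in a flow but not in the asset registry")
            if kind == "internal" and asset not in scope:
                add_to_scope.add(asset)
            elif kind == "uncontrolled":
                stop_flow.add(asset)
            elif kind == "external":
                external.add(asset)
    return {
        "add_to_scope": sorted(add_to_scope),
        "unused_in_scope": sorted(scope - touched),
        "stop_flow": sorted(stop_flow),
        "external": sorted(external),
    }


if __name__ == "__main__":
    for key, names in reconcile_scope(FLOWS, DRAFT_SCOPE, ASSETS).items():
        print(f"{key:16} {', '.join(names) or '-'}")
```

Run against the constructed data, the reconciliation adds the chat tool and the backup vault to scope, flags the Microsoft 365 tenancy as scoped but untouched by any documented flow (either the scope is too wide or a flow is missing), and marks the personal-mail forward as a flow to stop rather than an asset to scope in. Re-running it after each scope revision is cheaper than discovering the same gaps in verification.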
How cloud and SaaS services affect scope
Cloud and SaaS are not out-of-scope by virtue of being managed services. If SI lands in a tenancy, the tenancy is in scope. What changes is how the controls are implemented and evidenced.
For each cloud or SaaS service in the SI path, document:
- Provider name, service name, and tenancy identifier.
- Where the data is stored (region matters for Controlled Goods).
- Which controls the provider implements on your behalf (data-at-rest encryption, infrastructure hardening, malicious-code scanning at the platform layer).
- Which controls remain your responsibility (account lifecycle, MFA, sharing settings, sanitisation when access ends).
- How you obtain evidence the provider’s controls are operating (SOC 2 Type II, ISO 27001 certificate, provider-issued compliance attestation).
The split between “what the provider does” and “what you must still do” is where most small suppliers under-document. Microsoft 365 does not, on its own, attest your CPCSC Level 1 posture.
The 13 controls, with implementation notes and evidence to retain
The 13 Level 1 controls come from ITSP.10.171, the Canadian counterpart to NIST SP 800-171. Below, each control is listed by its official ITSP.10.171 identifier, with implementation guidance and the evidence you should retain.
The names and identifiers are the official Level 1 criteria. The short implementation notes are a practical reading of those criteria for a small supplier environment and should be read beside PSPC’s How to meet Level 1 cyber security certification requirements. If there is any conflict, follow the canada.ca criteria and ITSP.10.171 wording.
| # | Control | ITSP.10.171 ID |
|---|---|---|
| 1 | Account management | 03.01.01 |
| 2 | Access enforcement | 03.01.02 |
| 3 | Use of external systems | 03.01.20 |
| 4 | Publicly accessible content | 03.01.22 |
| 5 | User identification, authentication, and re-authentication | 03.05.01 |
| 6 | Device identification and authentication | 03.05.02 |
| 7 | Multi-factor authentication | 03.05.03 |
| 8 | Media sanitization | 03.08.03 |
| 9 | Physical access authorizations | 03.10.01 |
| 10 | Physical access control | 03.10.07 |
| 11 | Boundary protection | 03.13.01 |
| 12 | Flaw remediation | 03.14.01 |
| 13 | Malicious code protection | 03.14.02 |
Access control
1. Account management (03.01.01).
Run one account inventory tied to identity, with no shared logins, offboarding inside a defined window, and a documented joiner-mover-leaver process. Retain the inventory export, the last 12 months of joiner-mover-leaver records, and a sample termination ticket showing the access-revocation timestamp.
2. Access enforcement (03.01.02).
Role-based access in each SI-touching system, with a quarterly access review you can defend on paper. Retain the role-to-permission mapping per system, the signed access-review records, and an exception log for any standing privilege.
3. Use of external systems (03.01.20).
Keep a register of every external connection (VPNs to subs, prime portals, EDI feeds, file-share invitations) and an approval gate for new ones. Retain the register, a sample approval record, and traffic logs showing the connection in use is the one you documented.
4. Publicly accessible content (03.01.22).
SI never goes on the public website, marketing channels, or public buckets. Name a reviewer for anything that does go out. Retain the publishing approval log, periodic public-bucket scan output, and a sample reviewer signoff.
Identification and authentication
5. User identification, authentication, and re-authentication (03.05.01).
Every user account maps to a real person, with re-authentication enforced after a defined idle window or on a privilege change. Retain the user-to-account mapping, the re-authentication policy, and a sample session-timeout configuration screenshot.
6. Device identification and authentication (03.05.02).
Keep a device inventory and keep it current. SI-touching systems authenticate the devices that connect to them, not only the users who sign in. Retain the device inventory, the device-registration or enrolment policy, and a sample MDM (or equivalent platform) compliance report.
7. Multi-factor authentication (03.05.03).
For the Level 1 minimum, apply MFA where the Level 1 criteria require it: privileged accounts and systems that store Specified Information. Broader MFA across every SI-touching system is still a strong hardening practice, especially for cloud portals, prime contractor sites, and administrative tools. Retain the MFA enforcement screenshot per system, the MFA factor inventory, and any exception register.
Media protection
8. Media sanitization (03.08.03).
Write the sanitisation procedure for laptops, drives, and removable media. Get a certificate of destruction from any third-party disposal vendor. Retain the procedure, the signed certificates, and an asset-disposal log tying serial numbers to sanitisation events.
Physical protection
9. Physical access authorizations (03.10.01).
Keep an authorised-personnel list for any facility, room, or rack that houses SI-handling systems. Issue and revoke physical access tokens against that list. Retain the authorisation list, sample new-grant approvals, and the revocation log for access that ends.
10. Physical access control (03.10.07).
Locked office or facility, an access-card or key register, visitor sign-in, and an escort rule for visitors near SI-handling systems. Retain the cardholder list, the facility access policy, sample visitor log entries, and the key/card issuance and recovery log.
System and communications protection
11. Boundary protection (03.13.01).
Managed firewall, cloud or on-premise, with default-deny outbound on sensitive segments and a documented rule set. Public-facing infrastructure (web servers, jump hosts) sits in a separate segment from SI-handling systems; the cloud equivalent is a separated VPC or subscription with controlled peering. Retain the firewall rule export, change-control records for rule edits, a sample log review that evidences the rules are in force, and a network diagram showing the public-vs-internal separation.
System and information integrity
12. Flaw remediation (03.14.01).
Patch management policy with named SLAs, vulnerability scanning on a defined cadence, ticketing for remediation. Retain the patch policy, the last 12 months of patch reports for SI-handling systems, and vulnerability scan reports with the remediation evidence attached.
13. Malicious code protection (03.14.02).
Managed endpoint protection on every SI-touching endpoint. Auto-update enabled. Scan schedule documented. Alerts triaged. Retain the deployment report (coverage %), an update-status report, and a sample alert-handling ticket.
The thirteen controls, identifiers, and family groupings above are the current Government of Canada CPCSC Level 1 criteria, as published on the CPCSC Level 1 criteria page on canada.ca and drawn from ITSP.10.171 (Canadian Centre for Cyber Security). For the companion CCCS guidance on how Level 1 self-assessment evidence is structured, see ITSP.10.171-01, Assessing Security Requirements for Specified Information. ITSP.10.171-01 is the Canadian version of NIST SP 800-171A Rev. 3, Assessing Security Requirements for Controlled Unclassified Information. When you attest, you are asserting that your functional posture under each control meets that authoritative text.
Organization-defined parameters to record
Several Level 1 criteria contain organization-defined parameters, or ODPs. An ODP is not filler text. It is a value your organization must set, document, and then operate against.
Create a small ODP register with the control ID, the chosen value, the owner, the reason, and the evidence location. At minimum, record decisions for:
- Account inactivity and logout timing under 03.01.01.
- Notification timing when users leave, transfer, or no longer need access under 03.01.01.
- Review frequency for physical access lists under 03.10.01.
- Software and firmware update deadlines under 03.14.01.
- Malicious-code scan frequency under 03.14.02.
For MFA, keep the decision record just as clearly even when the Level 1 criterion does not express it as an ODP. Note which account classes use MFA, which systems enforce it, and what re-authentication events you require for privileged and non-privileged access.
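A register is only useful if it is complete, so here is an added example of the ODP register described above with a completeness check (this is not PSPC or Pilotcore code; the entries, values, owners and evidence paths are constructed, and the parameter names are this page's wording rather than ITSP.10.171 text). It lists the five decisions named in this section, keeps the value, owner, reason and evidence location per entry, and reports both a required decision that was never recorded and a recorded decision with an empty field.

```python
# Added example (not PSPC or Pilotcore code): a minimal ODP register with a
# completeness check. Register entries and values below are constructed.

# The Level 1 ODP decisions named on this page, keyed by ITSP.10.171 control ID.
REQUIRED_ODPS = {
    "03.01.01": ["account inactivity and logout timing",
                 "notification timing when users leave, transfer, or no longer need access"],
    "03.10.01": ["physical access list review frequency"],
    "03.14.01": ["software and firmware update deadline"],
    "03.14.02": ["malicious-code scan frequency"],
}

# Every recorded decision needs all four of these, not just the value.
FIELDS = ("value", "owner", "reason", "evidence")

# Constructed register: one entry is incomplete and one required ODP is absent.
ODP_REGISTER = [
    {"control": "03.01.01",
     "parameter": "account inactivity and logout timing",
     "value": "disable after 45 days inactive; log out after 15 minutes idle",
     "owner": "IT lead",
     "reason": "matches the conditional-access setting already enforced",
     "evidence": "evidence/03.01.01/inactivity-policy.pdf"},
    {"control": "03.01.01",
     "parameter": "notification timing when users leave, transfer, or no longer need access",
     "value": "HR notifies IT within 1 business day",
     "owner": "HR manager",
     "reason": "",   # the reason was never written down
     "evidence": "evidence/03.01.01/leaver-procedure.pdf"},
    {"control": "03.14.01",
     "parameter": "software and firmware update deadline",
     "value": "critical within 14 days; all other within 30 days",
     "owner": "IT lead",
     "reason": "vendor severity rating drives the deadline",
     "evidence": "evidence/03.14.01/patch-policy.pdf"},
    {"control": "03.14.02",
     "parameter": "malicious-code scan frequency",
     "value": "real-time protection plus a full scan weekly",
     "owner": "IT lead",
     "reason": "endpoint platform default, confirmed in the console",
     "evidence": "evidence/03.14.02/scan-schedule.png"},
]


def odp_gaps(register, required=REQUIRED_ODPS, fields=FIELDS):
    """Return (control, parameter, problem) for every required ODP with no
    decision recorded and for every recorded decision with an empty field."""
    problems = []
    recorded = {(e["control"], e["parameter"]) for e in register}
    for control, params in required.items():
        for p in params:
            if (control, p) not in recorded:
                problems.append((control, p, "no decision recorded"))
    for e in register:
        for f in fields:
            if not e.get(f):
                problems.append((e["control"], e["parameter"], f"missing {f}"))
    return sorted(problems)


if __name__ == "__main__":
    for control, parameter, problem in odp_gaps(ODP_REGISTER):
        print(f"{control}  {parameter}: {problem}")
```

On the constructed register the check reports the physical-access review frequency under 03.10.01 as never decided and the leaver-notification entry under 03.01.01 as missing its reason. Keeping the register as data rather than a paragraph in a policy document is what lets the same check run before every annual renewal.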
How to prepare for verification
The Level 1 criteria and ITSP.10.171-01 use three assessment methods: Examine, Interview, and Test. Build your evidence package around those methods.
PSPC’s Level 1 supplier guidance says to keep evidence for the duration of your attestation cycle, or at least one year. Treat that as a minimum retention period, not a cleanup deadline, especially when a bid, renewal, or contract closeout may need the same proof later.
- Examine: policies, procedures, inventories, diagrams, configuration exports, tickets, signoffs, scan reports, and logs.
- Interview: named owners who can explain how account management, MFA, boundary protection, patching, physical access, and sanitisation work in practice.
- Test: a small set of repeatable checks, such as disabling a departed user’s account, proving MFA blocks password-only access, confirming a firewall rule is active, or showing endpoint protection updates.
Do not build the package as a screenshot folder. A good Level 1 package ties each control to the policy, the configuration, the operational record, and the person who can answer for it.
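An added example of an evidence index built around the three methods (this is not PSPC or Pilotcore code; the artefacts, owners, dates and file locations are constructed, and the 13 control IDs are the ones listed on this page): each artefact is tagged with its control, its assessment method, the person who can answer for it and the date it was collected, and a report function lists, per control, the methods with no artefact, artefacts with no named owner, and artefacts that predate the current attestation cycle and may need refreshing.

```python
# Added example (not PSPC or Pilotcore code): an evidence index that ties each
# Level 1 control to Examine, Interview and Test artefacts and reports gaps.
# Artefacts, owners, dates and locations below are constructed.
from dataclasses import dataclass
from datetime import date

METHODS = ("Examine", "Interview", "Test")

# The 13 Level 1 controls by ITSP.10.171 ID, as listed on this page.
LEVEL1_CONTROLS = (
    "03.01.01", "03.01.02", "03.01.20", "03.01.22",
    "03.05.01", "03.05.02", "03.05.03",
    "03.08.03",
    "03.10.01", "03.10.07",
    "03.13.01",
    "03.14.01", "03.14.02",
)


@dataclass(frozen=True)
class Artefact:
    control: str
    method: str        # Examine, Interview or Test
    description: str
    owner: str         # the person who can answer for it in an interview
    collected: date
    location: str      # path inside the evidence package


# Constructed package: one control fully covered, one with Examine only, one
# with a stale policy document and a scan report nobody has signed up to own.
EVIDENCE = [
    Artefact("03.01.01", "Examine", "account inventory export", "IT lead",
             date(2026, 5, 2), "03.01.01/inventory.csv"),
    Artefact("03.01.01", "Interview", "joiner-mover-leaver walkthrough notes", "IT lead",
             date(2026, 5, 2), "03.01.01/jml-notes.md"),
    Artefact("03.01.01", "Test", "termination ticket with revocation timestamp", "IT lead",
             date(2026, 5, 9), "03.01.01/ticket-4821.pdf"),
    Artefact("03.05.03", "Examine", "MFA enforcement screenshot", "IT lead",
             date(2026, 4, 20), "03.05.03/mfa-enforced.png"),
    Artefact("03.14.01", "Examine", "patch management policy", "IT lead",
             date(2025, 1, 15), "03.14.01/patch-policy.pdf"),
    Artefact("03.14.01", "Test", "vulnerability scan with remediation tickets", "",
             date(2026, 5, 1), "03.14.01/scan-2026-05.pdf"),
]


def coverage_report(evidence, cycle_start, controls=LEVEL1_CONTROLS):
    """Return, for each control with a problem, the methods that have no
    artefact, artefacts with no named owner, and artefacts collected before
    the current attestation cycle (candidates for refresh, not for deletion)."""
    index = {c: {m: [] for m in METHODS} for c in controls}
    for a in evidence:
        if a.control not in index or a.method not in METHODS:
            raise ValueError(f"unknown control or method on {a.location}")
        index[a.control][a.method].append(a)
    report = {}
    for c, by_method in index.items():
        arts = [a for lst in by_method.values() for a in lst]
        problems = {
            "missing_methods": [m for m in METHODS if not by_method[m]],
            "no_owner": [a.location for a in arts if not a.owner],
            "predates_cycle": [a.location for a in arts if a.collected < cycle_start],
        }
        if any(problems.values()):
            report[c] = problems
    return report


def controls_ready(evidence, cycle_start, controls=LEVEL1_CONTROLS):
    """Controls with all three methods covered, every owner named and no
    artefact older than the current cycle."""
    problems = coverage_report(evidence, cycle_start, controls)
    return [c for c in controls if c not in problems]


if __name__ == "__main__":
    for control, problems in coverage_report(EVIDENCE, date(2026, 4, 1)).items():
        print(control, problems)
    print("ready:", controls_ready(EVIDENCE, date(2026, 4, 1)))
```

With the constructed package and a cycle starting 1 April 2026, only account management (03.01.01) comes out ready; MFA has Examine evidence but nobody to interview and no test record, and flaw remediation has a policy from the previous cycle and a scan report with no owner. The point of indexing by method is that a screenshot folder can never surface the second and third of those gaps.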
CanadaBuys and the self-attestation process
PSPC’s Level 1 supplier guidance says suppliers should complete an annual self-assessment, save or print the online results page with the expiry date, provide proof of self-attestation to their CanadaBuys profile, and provide proof when submitting a bid if they are bidding on or working under a defence contract that requires CPCSC Level 1.
PSPC also says suppliers can attest that they meet the 13 controls without using the online self-assessment tool, although the tool is encouraged because it provides guidance and information. If you complete the assessment outside the tool, keep the same level of scope, control-status, evidence, and approval records.
Those CanadaBuys steps are the published proof requirements. The following is Pilotcore’s internal preparation checklist, not a PSPC procedure:
- Complete the self-assessment internally. Record scope, the 13 control statements, evidence pointers, and an explicit “implemented / partially implemented / not implemented” status per control.
- Record every ODP decision and the owner responsible for keeping it current.
- Have a designated accountable individual review and sign the internal assessment package.
- Save the PSPC results page and expiry date with the internal evidence package.
- Provide the proof to CanadaBuys and with bids when PSPC’s Level 1 conditions apply.
The CanadaBuys profile and bid submission carry the proof PSPC asks for. The internal assessment package is what supports that proof under verification.
Common gaps in small supplier environments
Patterns we keep seeing in small Canadian defence suppliers preparing for Level 1:
Shadow SI shows up in personal email almost every time. A sales contact receives an SI-carrying PDF, forwards it to a personal Gmail to read on a phone, and now both endpoints are in scope, one of them outside your control.
Account inventories are usually missing. “Whoever has a Microsoft 365 license” is a billing list, not an inventory. A real inventory ties each account to a person and to an access decision.
MFA is often half-deployed. Microsoft 365 is covered, but the CAD vendor portal, the prime contractor sharing site, and the bookkeeper’s accounting tool (the one with invoices that carry contract numbers) are not.
Public buckets drift. A staging bucket created for one project becomes the default upload location and ends up holding files it should not.
Sanitisation happens, evidence does not. Old laptops get wiped or destroyed, no certificate of destruction is kept, and a control that is actually implemented becomes one you cannot prove.
Annual renewals get forgotten. The first assessment gets celebrated, the renewal calendar never gets set, and the next bid cycle starts with stale proof.
Cloud provider attestations are never collected. The team relies on Microsoft, AWS, or Google for several controls, then cannot produce the provider’s compliance documentation when asked.
Each of these is fixable, and each is the kind of thing that will be found in verification before it is found by a procurement officer.
Sources checked
This guide was checked against the Government of Canada CPCSC Level 1 criteria, PSPC’s How to meet Level 1 cyber security certification requirements, PSPC’s additional information and support page, CCCS ITSP.10.171, CCCS ITSP.10.171-01, and NIST SP 800-171A Rev. 3.
How Pilotcore helps
Pilotcore runs a focused CPCSC Level 1 readiness assessment built around the operational outline on this page. The engagement produces:
- A defensible scope statement and SI flow map.
- A control-by-control walk of all 13 ITSP.10.171 Level 1 controls with implementation status and gap notes.
- An ODP register for account, physical access, patching, and malicious-code scan decisions.
- An evidence pack indexed to each control and organized by Examine, Interview, and Test.
- A signed internal assessment package and the CanadaBuys proof steps when they apply.
- A renewal calendar so the annual cycle does not lapse.
Nelson Ford, principal at Pilotcore and based in Ottawa, is a CISSP and CMMC Certified Professional, and works with Canadian defence suppliers on both CPCSC and the CMMC side requirements when the supply chain spans both countries.
Before you attest, make sure your scope and evidence match what you are claiming. If you have a defence contract in front of you that may carry Level 1, a scoped readiness assessment now is cheaper and faster than rushed remediation after the clause appears. Book a CPCSC readiness conversation.
About the author
Nelson Ford - CMMC CCP / CISSP
Nelson Ford is the principal at Pilotcore, based in Ottawa. He is a CISSP and CMMC Certified Professional, and works with Canadian defence suppliers on CPCSC readiness and US contractors on CMMC. He writes Pilotcore's compliance and zero-trust commentary.
Frequently asked questions
What are the 13 CPCSC Level 1 controls?
The 13 Level 1 controls are drawn from ITSP.10.171 and cover account management, access enforcement, use of external systems, publicly accessible content, user identification and authentication, device identification, multi-factor authentication, media sanitization, physical access authorizations, physical access control, boundary protection, flaw remediation, and malicious code protection.
How do I scope my CPCSC Level 1 environment?
A defensible scope statement names the categories of SI you handle, the user populations who touch it, the endpoints and internal systems where SI lives, the cloud tenancies and SaaS services in the SI path, and the network boundaries that separate SI-handling systems from the rest. The right scope is the smallest one that honestly contains the SI flow.
Does Microsoft 365 cover my CPCSC Level 1 obligations?
Microsoft 365 implements some controls on your behalf (data-at-rest encryption, platform hardening, malicious-code scanning at the platform layer) but does not attest your CPCSC Level 1 posture. You remain responsible for account lifecycle, MFA, sharing settings, and sanitisation, and you must document which controls the provider implements and which controls remain your responsibility.
What evidence do I retain for CPCSC Level 1?
For each control, retain artefacts that prove implementation for the duration of your attestation cycle, or at least one year. That means account inventories with joiner-mover-leaver records, access-review signoffs, MFA enforcement screenshots, the network diagram, firewall change-control records, patch and vulnerability scan reports, endpoint protection coverage reports, certificates of destruction for sanitised media, and a signed self-attestation package.
How often does CPCSC Level 1 self-attestation renew?
The self-assessment is annual. PSPC's Level 1 supplier guidance says the online self-assessment results page includes an expiry date, and suppliers should save or print it as proof. Set a renewal calendar before the first assessment expires.
Where do I lodge the CPCSC self-attestation?
PSPC's Level 1 supplier guidance says proof of self-attestation, including the expiry date, must be provided to the supplier's CanadaBuys profile and when submitting a bid for a defence contract that requires CPCSC Level 1. Keep the internal package with scope, control statements, evidence pointers, and ODP decisions.