
What Is CPCSC Level 2? Canadian Cyber Security Certification Explained

A practical guide to CPCSC Level 2 for Canadian defence suppliers: third-party assessment, ITSP.10.171 scope, the 98-control baseline, evidence, cloud responsibility, and readiness planning.

By Nelson Ford - CMMC CCP / CISSP. Reviewed May 20, 2026. 13 min read.



What Is CPCSC Level 2? Canadian Program for Cyber Security Certification Explained

CPCSC Level 2 is the next major step in Canada’s cyber security certification program for defence suppliers. It is intended for suppliers that handle Specified Information in non-Government of Canada systems and need to demonstrate more than basic cyber hygiene.

Quick answer: CPCSC Level 2 is Canada’s moderate-assurance certification level for defence suppliers that handle Specified Information in non-Government of Canada systems. Current federal guidance describes it as 98 controls, external assessment by an accredited certification body, and annual affirmation.

Unlike CPCSC Level 1, which is based on annual self-assessment, Level 2 is currently described by the Government of Canada as requiring external cyber security assessments led by an accredited certification body, plus an annual affirmation. Current federal guidance describes Level 2 as consisting of 98 controls. See the Government of Canada’s CPCSC program overview and supplier support guidance.

That distinction matters. Level 1 is about basic security safeguards. Level 2 is about showing that a broader security program is documented, implemented, evidenced, and operating across the systems that handle or protect Specified Information.

CPCSC Level 2 is not yet broadly available as a completed certification pathway. The program is being introduced in phases. Current Government of Canada guidance says Level 2 and Level 3 certifications will be introduced gradually after Level 1 tooling and support materials, with Level 2 and Level 3 requirements expected to appear in selected defence contracts during the later rollout period.

What CPCSC Level 2 Means in Plain English

CPCSC Level 2 is the moderate-assurance level of Canada’s cyber security certification program for defence suppliers.

A supplier at Level 2 should expect to show that security controls are not just described in a policy document. They need to be implemented in the real environment, tied to named owners, supported by evidence, and maintained over time.

The technical foundation is ITSP.10.171, Protecting Specified Information in Non-Government of Canada Systems and Organizations, published by the Canadian Centre for Cyber Security. ITSP.10.171 applies to non-GC system components that handle, process, store, or transmit Specified Information, and to components that protect those systems.

In practical terms, Level 2 readiness usually means answering questions like these:

  • Who handles Specified Information?
  • Where does it enter the organization?
  • Where is it stored?
  • Which systems process it?
  • Which cloud services, managed service providers, or subcontractors can access it?
  • How is access approved, reviewed, logged, and removed?
  • How are incidents detected and escalated?
  • How is evidence retained for assessment?

Those questions are not just technical. They touch contracts, operations, HR, procurement, cloud architecture, endpoint management, supplier governance, incident response, and executive accountability.

How Level 2 Differs from Level 1 and Level 3

CPCSC has three certification levels.

Level 1 requires an annual cyber security self-assessment against 13 controls.

Level 2 is currently described as requiring external cyber security assessments led by an accredited certification body, plus annual affirmation, against 98 controls.

Level 3 is currently described as requiring Government of Canada cyber security assessments, plus annual affirmation, against a larger control set, currently 200 controls.

The practical difference is assurance.

Level 1 asks whether the supplier can truthfully attest that basic safeguards are in place.

Level 2 asks whether the supplier can demonstrate to an external assessor that a broader control set is implemented and evidenced.

Level 3 is expected to apply where the contract risk is higher and the Government of Canada requires a stronger assurance model.

For many small and mid-sized defence suppliers, Level 2 is likely to be the most difficult transition. Level 1 can often be handled through a focused readiness effort. Level 2 usually requires a more sustained security program.

CPCSC Applies Through Contracts

CPCSC should not be treated as a blanket requirement for every Canadian business or every Government of Canada supplier.

The requirement matters when it is invoked through a defence contract, included in solicitation terms, or flowed down from a prime contractor. Suppliers should read the actual contract language carefully. The contract determines whether CPCSC applies, which level applies, and what information or systems are in scope.

This also means a supplier may face CPCSC expectations before it directly holds a government contract. A prime contractor may flow requirements down to subcontractors if those subcontractors handle Specified Information or support systems that protect it.

What Are the 98 Level 2 Controls?

The Government of Canada currently describes CPCSC Level 2 as consisting of 98 controls. Those controls are tied to ITSP.10.171, which was developed to protect the confidentiality of Specified Information in non-Government of Canada systems and organizations.

ITSP.10.171 organizes requirements across 17 security families. The families are:

  • access control
  • awareness and training
  • audit and accountability
  • configuration management
  • identification and authentication
  • incident response
  • maintenance
  • media protection
  • personnel security
  • physical protection
  • risk assessment
  • security assessment and monitoring
  • system and communications protection
  • system and information integrity
  • planning
  • system and services acquisition
  • supply chain risk management

The number matters, but the operating model matters more.

Level 2 is not just “Level 1 with more controls.” It introduces a broader expectation that the organization can describe its environment, show how controls are implemented, produce evidence, and sustain those controls over time.

A supplier preparing for Level 2 will likely need artifacts such as:

  • System Security Plan or equivalent system description
  • asset inventory
  • user inventory
  • network and data-flow diagrams
  • access-control procedures
  • access review records
  • MFA and identity configuration evidence
  • endpoint management records
  • vulnerability and patch management records
  • logging and monitoring evidence
  • incident response plan and test records
  • security awareness training records
  • supplier and cloud-service documentation
  • configuration baselines
  • risk register
  • Plan of Action and Milestones for tracked gaps

The exact evidence package will depend on the environment and final assessment expectations. But the basic principle is straightforward: each control needs an implementation story and evidence trail.

The Assessment Model Changes the Risk

Self-assessment and external assessment create very different risk profiles.

In a self-assessment, the supplier decides whether its own answer is good enough. In an external assessment, another party reviews the implementation and evidence.

Current Government of Canada guidance says Level 2 assessments will be led by an accredited certification body. The same guidance says third-party assessors will be accredited by the Standards Council of Canada.

That means suppliers should avoid relying on undocumented practices or verbal explanations. “We do that informally” is weak evidence. “The owner has access to that system” is not the same as an access-control process. “Our MSP handles that” is not the same as a documented responsibility split with retained evidence.

Level 2 preparation should produce evidence before the assessment, not during it.

The Level 2 Scoping Problem

Scope is likely to be one of the hardest Level 2 decisions for Canadian defence suppliers.

ITSP.10.171 applies to components that handle, process, store, or transmit Specified Information, and to components that protect those systems. It also recognizes that organizations can limit scope by isolating the relevant system components through physical or logical separation.

That creates two common approaches.

The first is enterprise-wide compliance. This may be appropriate for some organizations, but it can be expensive and operationally disruptive. If the whole enterprise is in scope, then ordinary email, endpoints, file storage, identity systems, cloud environments, networks, and administrative tools may all need to meet the relevant requirements.

The second is a controlled enclave. This is often more realistic for smaller suppliers. The supplier creates a defined environment for Specified Information, with controlled users, managed devices, approved storage, logging, access reviews, and clear boundaries.

The enclave approach only works if the boundary is real. If Specified Information leaks into ordinary email, unmanaged laptops, personal cloud storage, informal chat tools, or subcontractor systems outside the enclave, then the true scope is larger than the diagram.

Specified Information, Controlled Goods, and Protected Information

CPCSC is formally tied to Specified Information.

That term should not be blurred too casually with every other category of sensitive federal information. Controlled Goods, protected information, export-controlled technical data, and other sensitive contract information may overlap in real projects, but they are not all the same thing.

The safest way to think about it is this:

CPCSC scope starts with the contract and the Specified Information the supplier is required to protect.

Other regimes or data categories may also apply, depending on the work.

A supplier should not assume that Controlled Goods Program obligations, Protected A or Protected B handling expectations, or CPCSC requirements are interchangeable.

In practice, the same project may involve more than one obligation. That is why contract review, data-flow mapping, and scope definition matter before technical remediation begins.

Cloud Environments and Shared Responsibility

Cloud does not remove Level 2 responsibility. It changes how responsibility is divided.

For cloud environments, suppliers need to identify which controls are inherited from the cloud provider, which controls are implemented by the supplier, and which controls are shared. That mapping should be documented.

For example, a hyperscale cloud provider may operate physical data centre security, some infrastructure logging, and underlying platform resilience. The supplier may still be responsible for identity configuration, access reviews, encryption choices, workload hardening, network segmentation, endpoint access, incident response, backup configuration, and evidence retention.

The Cyber Centre has separate cloud guidance that treats security categorization as a key step in selecting cloud controls and cloud deployment models. See the Cyber Centre’s Guidance on the Security Categorization of Cloud-Based Services.

For CPCSC Level 2, the practical question is not “are we in the cloud?” It is “can we show which controls are inherited, which controls we operate, and how the in-scope cloud environment protects Specified Information?”

Readiness and Certification Are Not the Same Thing

The CPCSC market will likely separate into two types of work.

The first is readiness and remediation. This includes scoping, gap assessment, architecture design, documentation, evidence preparation, control implementation, and internal assessment.

The second is certification assessment. For Level 2, this is expected to be performed by accredited certification bodies once the Level 2 pathway is available.

Suppliers should understand the difference. A readiness consultant can help prepare the organization. A certification body assesses whether the organization meets the applicable requirements. Those roles should not be treated as interchangeable.

This distinction matters because suppliers may need help well before a formal Level 2 assessment is available. Waiting until the certification market is fully mature may leave too little time to fix architecture, evidence, and process gaps.

Where CMMC Helps, and Where It Does Not

CMMC experience can help Canadian suppliers prepare for CPCSC Level 2, but it should not be treated as automatic equivalency.

Government of Canada guidance says defence suppliers should contact CPCSC if they are certified under the U.S. Cybersecurity Maturity Model Certification program. It also says Canada may review CMMC certification on a case-by-case basis to confirm whether scope and control coverage are sufficient.

That means a valid CMMC certification may be useful evidence. It may reduce duplication. It may help demonstrate that a supplier already has a mature control environment.

But suppliers should not assume that CMMC certification automatically satisfies CPCSC Level 2.

The scope may differ. The contract may differ. The information category may differ. Canadian requirements and assessment expectations may differ. The right wording is not “CMMC equals CPCSC.” It is closer to: “Canada may consider recognizing relevant CMMC certification evidence on a case-by-case basis, subject to scope and control validation.”

What Suppliers Should Prepare Before Level 2 Arrives

The best time to prepare for Level 2 is before a Level 2 clause appears in a contract you want to win.

A practical readiness sequence looks like this.

First, identify likely Level 2 exposure. Review current and target defence work, prime contractor relationships, technical data, Controlled Goods exposure, protected information handling, and any non-public federal information your organization receives.

Second, define the Specified Information environment. Map where information enters, where it is stored, who uses it, which systems process it, which cloud services host it, and where it exits.

Third, decide whether to build an enclave or uplift the broader enterprise. For many smaller suppliers, a controlled enclave may be more realistic than trying to bring every system into scope.

Fourth, map the Level 2 control set to the real environment. Avoid generic spreadsheet compliance. Each control should map to a system, process, owner, and evidence source.

Fifth, build the core evidence set. This usually includes policies, procedures, inventories, system diagrams, access reviews, vulnerability reports, patch records, training records, incident records, logging samples, configuration baselines, supplier records, and cloud responsibility mappings.

Sixth, create and maintain a Plan of Action and Milestones. Some gaps will take time to remediate. A POA&M gives the organization a disciplined way to track control gaps, owners, dates, dependencies, and closure evidence.

Seventh, run an internal or mock assessment. The purpose is to find evidence gaps, scope errors, and weak implementation before an external assessor finds them.

Eighth, establish continuous monitoring. Level 2 is not a one-time documentation exercise. Current federal guidance describes Level 2 as requiring external assessment and annual affirmation, which means suppliers need a way to maintain security posture between formal assessments.
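As an added example (not Pilotcore's tooling or any official CPCSC artifact), the control-mapping, cloud responsibility and POA&M steps above carried through as a small Python check: every control must map to a system, owner, responsibility and evidence source, inherited or shared cloud controls need a documented provider reference, stale evidence is flagged, and each gap becomes a POA&M line with an owner and target date. The control IDs, dates and artifact names are constructed placeholders, not ITSP.10.171 identifiers.

```python
"""Control-to-environment mapping check with a derived POA&M (added example; not
Pilotcore's or the Government of Canada's tooling). Control IDs and sample records
are constructed placeholders, not ITSP.10.171 identifiers."""
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSIBILITIES = {"supplier", "inherited", "shared"}   # cloud responsibility split

@dataclass
class ControlRecord:
    control_id: str
    family: str                # one of the 17 ITSP.10.171 security families
    responsibility: str        # supplier | inherited | shared
    system: str = ""           # in-scope system or enclave component
    owner: str = ""            # named accountable person or role
    implemented: bool = False
    inherited_from: str = ""   # provider attestation reference for inherited/shared
    evidence: list = field(default_factory=list)  # (artifact, collected_on) pairs

def mapping_gaps(rec, as_of, max_evidence_age_days=365):
    """Return the reasons this control is not assessment-ready (empty if ready)."""
    gaps = []
    if rec.responsibility not in RESPONSIBILITIES:
        gaps.append(f"unknown responsibility '{rec.responsibility}'")
    if not rec.system:
        gaps.append("no system mapped")
    if not rec.owner:
        gaps.append("no owner")
    # Inherited and shared controls still need a documented provider reference.
    if rec.responsibility in ("inherited", "shared") and not rec.inherited_from:
        gaps.append("no provider responsibility reference")
    # Anything the supplier operates, alone or shared, must actually be in place.
    if rec.responsibility in ("supplier", "shared") and not rec.implemented:
        gaps.append("not implemented")
    if not rec.evidence:
        gaps.append("no evidence")
    else:
        stale = [a for a, d in rec.evidence if (as_of - d).days > max_evidence_age_days]
        if stale:
            gaps.append("stale evidence: " + ", ".join(stale))
    return gaps

@dataclass
class PoamItem:
    control_id: str
    weakness: str
    owner: str
    target_date: date
    closure_evidence: str = ""   # filled in when the gap is closed

def build_poam(records, as_of, remediation_days=90):
    """One POA&M line per gap, each with an owner and a target date."""
    return [PoamItem(rec.control_id, gap, rec.owner or "UNASSIGNED",
                     as_of + timedelta(days=remediation_days))
            for rec in records for gap in mapping_gaps(rec, as_of)]

# Constructed sample mapping: one ready control and three with gaps.
AS_OF = date(2026, 5, 20)
SAMPLE = [
    ControlRecord("CTRL-AC-1", "access control", "supplier", "enclave-idp", "IT lead",
                  True, evidence=[("access-review-2026Q1.pdf", date(2026, 3, 31))]),
    ControlRecord("CTRL-PE-1", "physical protection", "inherited", "cloud-region", "Ops lead"),
    ControlRecord("CTRL-IR-1", "incident response", "supplier", "enclave", "",
                  True, evidence=[("ir-plan.docx", date(2024, 1, 10))]),
    ControlRecord("CTRL-AU-1", "audit and accountability", "shared", "cloud-logging",
                  "SecOps", False, "provider-report-ref-placeholder"),
]

if __name__ == "__main__":
    for item in build_poam(SAMPLE, AS_OF):
        print(item.control_id, "|", item.weakness, "|", item.owner, "|", item.target_date)
```

Running it lists six POA&M lines: the inherited control lacks a provider reference and evidence, the incident response control has no owner and year-old evidence, and the shared logging control is documented but not yet implemented.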

What Happens If You Fail a Level 2 Assessment?

The final operational details for CPCSC Level 2 assessment outcomes are still developing. Suppliers should be cautious about assuming how findings, remediation windows, or reassessment mechanics will work until the Government of Canada and the accreditation ecosystem provide more detail.

Still, from a readiness perspective, the risk is clear.

A failed or delayed assessment could affect bid eligibility, subcontractor eligibility, delivery timelines, or a prime contractor’s willingness to include the supplier in a defence opportunity. Even before formal certification failure, a weak readiness posture can create business risk if the supplier cannot answer basic scope, control, and evidence questions during procurement.

The practical goal is to avoid treating the external assessment as the first serious review. By that point, the supplier should already have completed scoping, remediation, evidence collection, and internal validation.

The Main Mistake to Avoid

The biggest mistake is waiting for the Level 2 certification process to be fully mature before doing any preparation.

Some details will continue to evolve. That is normal for a phased program. But the direction is already clear: Level 2 will be contract-driven, based on ITSP.10.171, assessed externally, and supported by evidence.

The suppliers that will be best positioned are the ones that already know their Specified Information flows, have a defensible scope boundary, operate core controls, and retain evidence as part of normal business.

FAQ

Is CPCSC Level 2 Available Now?

Not broadly. Canada is rolling CPCSC out in phases. Current Government of Canada guidance says Level 1 tooling and support materials are being introduced first, with Level 2 and Level 3 requirements being incorporated gradually into selected defence contracts later in the rollout.

How Many Controls Are in CPCSC Level 2?

The Government of Canada currently describes CPCSC Level 2 as consisting of 98 controls. Because CPCSC is still being phased in, suppliers should monitor official guidance for updates before making final certification plans.

Who Performs the Level 2 Assessment?

Current Government of Canada guidance says Level 2 assessments will be led by accredited certification bodies, with third-party assessors accredited by the Standards Council of Canada.

Is CPCSC Level 2 the Same as CMMC Level 2?

No. The programs are related, and CMMC evidence may be relevant, but suppliers should not assume automatic equivalency. Canada’s current guidance says suppliers with CMMC certification should contact CPCSC, and that recognition depends on scope and control coverage.

Does CPCSC Level 2 Apply to All Suppliers?

No. CPCSC applies when invoked by contract requirements or flowed down through a prime contractor. Suppliers should review the solicitation, contract clauses, and information-handling requirements to determine whether CPCSC applies.

Can a Small Supplier Use a Secure Enclave for CPCSC Level 2?

Potentially, yes. ITSP.10.171 recognizes that organizations can scope requirements by isolating components that handle, process, store, or transmit Specified Information. The boundary must be real, documented, and enforced.

What Should a Supplier Do First?

Start with scope. Before buying tools or writing policies, identify the Specified Information, map where it flows, identify the systems and users involved, and decide whether the organization will use a controlled enclave or a broader enterprise scope.

Should Suppliers Prepare Now?

Yes, if they expect to bid on defence contracts or support primes where Specified Information may be involved. Even though Level 2 details continue to mature, scoping, architecture, documentation, remediation, and evidence collection take time.

How Pilotcore Can Help

If your organization expects CPCSC Level 2 requirements in future defence contracts, the right first step is a scope and evidence review.

Pilotcore helps Canadian defence suppliers map Specified Information flows, define a defensible assessment boundary, identify gaps against ITSP.10.171, and prepare the documentation and evidence needed for Level 2 readiness.

About the author

Nelson Ford - CMMC CCP / CISSP


  • CISSP
  • CMMC Certified Professional

Nelson Ford is the principal at Pilotcore, based in Ottawa. He is a CISSP and CMMC Certified Professional, and works with Canadian defence suppliers on CPCSC readiness and US contractors on CMMC. He writes Pilotcore's compliance and zero-trust commentary.

Frequently asked questions

What is CPCSC Level 2?

CPCSC Level 2 is the moderate-assurance level of Canada's cyber security certification program for defence suppliers. It is intended for suppliers that handle Specified Information in non-Government of Canada systems and are required by contract to demonstrate a broader, externally assessed security program.

How many controls are in CPCSC Level 2?

The Government of Canada currently describes CPCSC Level 2 as consisting of 98 controls. Because the program is still being phased in, suppliers should monitor official guidance for updates before making final certification plans.

Who performs CPCSC Level 2 assessments?

Current Government of Canada guidance says Level 2 assessments will be led by accredited certification bodies. Third-party assessors are expected to be accredited by the Standards Council of Canada.

Is CPCSC Level 2 the same as CMMC Level 2?

No. CPCSC and CMMC are related, and Canada may consider recognizing relevant CMMC certification evidence on a case-by-case basis, but suppliers should not assume automatic equivalency. Scope, control coverage, contract requirements, and Canadian assessment expectations still need to be validated.

Does CPCSC Level 2 apply to all Canadian suppliers?

No. CPCSC applies when it is invoked through a defence contract, solicitation requirement, or prime contractor flowdown. Suppliers should review the specific contract language to determine whether CPCSC applies, which level applies, and what systems or information are in scope.

How should suppliers scope CPCSC Level 2?

Suppliers should start by identifying the Specified Information they handle, then mapping where it enters, where it is stored, who uses it, which systems process it, which cloud services host it, and where it exits. The scope should include systems that handle, process, store, transmit, or protect Specified Information.

Can a supplier use a secure enclave for CPCSC Level 2?

Potentially, yes. ITSP.10.171 allows organizations to limit scope by isolating relevant system components through physical or logical separation. The enclave boundary must be real, documented, enforced, and supported by evidence.

What evidence is needed for CPCSC Level 2 readiness?

A Level 2 evidence package will likely include a system security plan or equivalent system description, asset and user inventories, network and data-flow diagrams, access review records, MFA evidence, endpoint management records, vulnerability and patch records, incident response documentation, training records, supplier documentation, cloud responsibility mappings, and a Plan of Action and Milestones for tracked gaps.

How do cloud services affect CPCSC Level 2?

Cloud services do not remove the supplier's responsibility. Suppliers need to document which controls are inherited from the provider, which controls they operate themselves, and which controls are shared. Identity, access reviews, encryption choices, workload configuration, endpoint access, logging, backup settings, and evidence retention often remain supplier responsibilities.

Should suppliers prepare for CPCSC Level 2 now?

Yes, if they expect to bid on defence contracts or support primes where Specified Information may be involved. Even while Level 2 details continue to mature, scoping, architecture, documentation, remediation, and evidence collection take time.
