
CPCSC Just Showed Up in Your Contract. Here's the Order of Operations

A practical sequence for Canadian defence suppliers who find CPCSC requirements in a bid or contract: confirm the level, define scope, assess gaps, remediate, collect evidence, and attest or prepare for assessment.

By Nelson Ford - CMMC CCP / CISSP. 8 min read


There is a specific email I get more often now. A Canadian defence supplier has found CPCSC language in an RFP, contract clause, or customer request, and the message has the tone of someone who just found a deadline they did not know existed.

The instinct makes sense: buy tools, write policies, call the MSP, and try to close every visible gap at once.

Do not do that yet.

CPCSC work has a natural order. Doing it in sequence saves money, reduces stress, and prevents one of the most expensive mistakes in compliance work: fixing the wrong environment.

Here is the path I walk suppliers through.

Quick answer

If CPCSC appears in an RFP, clause, or customer request, start by reading the contract language. Confirm the required level and due date, then scope the systems that handle Specified Information before assessing controls. PSPC says Level 1 self-assessment is required at contract award, not during bidding, and select contracts may name CPCSC before compliance is due at a later date.

Six-step order

  1. Read the clause and confirm the required CPCSC level and due date.
  2. Define the Specified Information boundary before assessing controls.
  3. Assess the scoped environment against the required level.
  4. Fix the highest-impact gaps first.
  5. Capture evidence while the work happens.
  6. Attest for Level 1, or prepare for external assessment when the contract requires it, then maintain the control set.

First, breathe, then read the clause carefully

The phased rollout gives suppliers more runway than the panic usually suggests.

Current PSPC guidance says Level 1 self-assessment is required at contract award, not during the bidding process. That does not mean bids are irrelevant. Once Level 1 applies, suppliers should expect proof of self-attestation and expiry date to be part of the CanadaBuys and bid-submission proof trail for applicable procurements.

PSPC also says Level 1 to 3 requirements may be identified in select defence contracts as early as summer 2026, with compliance required at a later date. Read the actual opportunity. Do not assume one rollout statement answers every contract.

The first task is not technical. It is to find two facts:

  1. The required CPCSC level.
  2. The date compliance is actually due.

The required level is set contract by contract. For National Defence contracts, PSPC says a Cyber Security Risk Assessment will help determine the required CPCSC level and serve as an addendum to the Security Requirements Checklist. The resulting requirement should be communicated in the RFP and contract clauses.

Everything downstream depends on those two facts. Pin them down before you spend money.

Confirm the level, because Level 1 and Level 2 are different projects

If your contract calls for Level 1, you are looking at an annual self-assessment against 13 controls. You complete the assessment yourself and attest to the result. Canada’s CPCSC program overview lists Level 1 as an annual self-assessment, and Canada provides an online self-assessment tool, although suppliers can also attest without using the tool if they can support the attestation properly.

That is a defined, bounded piece of work.

If your contract calls for Level 2, you are planning for a much larger requirement: 98 controls, external assessment by an accredited certification body once that system is available, and annual affirmation. PSPC’s additional supplier guidance says Level 2 will require triannual external cyber security assessments when it becomes available.

Levels 2 and 3 are still being introduced in phases, so the practical move is to start readiness work early instead of waiting until assessment dates and market capacity become the bottleneck. For more context, compare this with the CPCSC overview for Canadian defence suppliers and the CPCSC Level 1 readiness guide.

Getting the level wrong in either direction is costly. Over-scope to Level 2 when the contract only requires Level 1 and you may spend money you did not need to spend yet. Under-scope and you may miss the actual contractual requirement.

Confirm the level from the clause.

Define your scope before you assess the requirements

This is the step that most changes your cost and timeline, and it is the one suppliers most often skip.

CPCSC is about protecting Specified Information in non-Government of Canada systems and organizations. In practical terms, that means you need to understand which information the contract is protecting, where it lives, where it moves, which systems handle it, which people access it, and which facilities or service providers are involved.

The controls do not automatically apply to every device, account, server, and SaaS tool in your company. They apply to the systems, people, places, and activities that store, process, transmit, or otherwise handle the protected information.

So before you assess anything, draw the boundary.

Map where the information comes in, where it is created, where it is stored, where it is emailed, where it is backed up, where it is printed, where it is destroyed, and who touches it. Identify the in-scope assets. Identify the out-of-scope assets. Identify external service providers, remote access paths, administrative access, and any employee-owned devices that may touch the information.

The expensive mistake is not usually failing a control. It is fixing the wrong environment.

A tight, well-defined scope, ideally a separated enclave where that makes sense, can be the difference between a focused project and an open-ended one. I have seen suppliers nearly triple their effort by treating the whole company as in scope when a defined boundary would have covered the actual requirement.

Spend real time here.
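One way to make the boundary exercise above mechanical rather than a whiteboard argument is to write the data flows down and let reachability decide. The script below is an added illustration, not Pilotcore's tooling and not a CPCSC-prescribed method: it declares where Specified Information enters, follows every recorded flow (received, saved, backed up, printed, read), and reports what it reaches as in scope, what it never reaches as out of scope, and which in-scope assets are service providers or employee-owned devices that need their own agreements and remote-access rules. All asset names and flows are constructed sample data for a hypothetical supplier.

```python
"""Derive a scope boundary from a data-flow map (added illustration).

Not Pilotcore's tooling and not a CPCSC-prescribed method. The assets,
flows and people below are constructed sample data. Anything reachable
from an entry point along a declared flow is in scope; anything never
reached is out of scope. Service providers and BYOD devices that land in
scope are listed separately because they need agreements and access rules.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str                 # "system", "service_provider", "byod", "facility", "person"
    handles_si: bool = False  # set to True by the walk when information reaches it


# Constructed inventory for a hypothetical supplier.
ASSETS = {
    "m365-mailbox":   Asset("m365-mailbox", "service_provider"),
    "eng-fileserver": Asset("eng-fileserver", "system"),
    "backup-nas":     Asset("backup-nas", "system"),
    "print-room":     Asset("print-room", "facility"),
    "hr-payroll":     Asset("hr-payroll", "system"),
    "alice-laptop":   Asset("alice-laptop", "system"),
    "bob-phone":      Asset("bob-phone", "byod"),
    "alice":          Asset("alice", "person"),
    "bob":            Asset("bob", "person"),
}

# Directed flows (source -> destination). Each edge is one place the
# information is received, stored, emailed, backed up, printed or read.
FLOWS = [
    ("m365-mailbox", "alice-laptop"),    # customer emails the drawing package
    ("alice-laptop", "eng-fileserver"),  # saved to the project share
    ("eng-fileserver", "backup-nas"),    # nightly backup
    ("eng-fileserver", "print-room"),    # printed for the shop floor
    ("m365-mailbox", "bob-phone"),       # Bob reads mail on a personal phone
    ("alice-laptop", "alice"),
    ("bob-phone", "bob"),
    ("hr-payroll", "alice"),             # unrelated flow: payroll slips, never carries SI
]

ENTRY_POINTS = ["m365-mailbox"]  # where Specified Information first arrives


def derive_scope(assets, flows, entry_points):
    """Return (in_scope, out_of_scope, attention) as sorted name lists.

    in_scope  = every asset reachable from an entry point along a flow
    attention = in-scope assets that are service providers or BYOD
    """
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, []).append(dst)

    seen, queue = set(entry_points), deque(entry_points)
    while queue:                       # breadth-first walk over the flow graph
        node = queue.popleft()
        assets[node].handles_si = True
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)

    in_scope = sorted(seen)
    out_of_scope = sorted(n for n in assets if n not in seen)
    attention = sorted(n for n in in_scope
                       if assets[n].kind in ("service_provider", "byod"))
    return in_scope, out_of_scope, attention


if __name__ == "__main__":
    ins, outs, flag = derive_scope(ASSETS, FLOWS, ENTRY_POINTS)
    print("In scope:      ", ins)
    print("Out of scope:  ", outs)
    print("Agreements / BYOD handling needed:", flag)
```

Note what the walk pulls in: the backup NAS and the print room are in scope even though nobody "works" on them, and the payroll system stays out of scope even though Alice uses it, because flows are directional and payroll never receives Specified Information. That is the distinction a scoping rationale has to be able to explain.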

Run a gap assessment against the actual controls

Once scope is set, measure the in-scope environment against the controls for the required level.

The output should be plain and usable:

  • Which controls you meet.
  • Which controls you partly meet.
  • Which controls you do not meet.
  • What evidence supports each answer.
  • What work is needed to close each gap.

This is also where you find the controls you think you meet but cannot prove. That distinction matters more than people expect.

A supplier may have MFA enabled, but only for some users. It may have written access rules, but no record of approvals or reviews. It may have endpoint protection, but no evidence that the relevant devices are covered. It may have backups, but no proof that restoration has been tested.

Attesting to a control you cannot demonstrate is the failure mode that creates problems later.

Remediate in risk order, not checklist order

You do not fix controls from top to bottom. You fix them in the order that buys the most risk reduction and unlocks the most evidence.

In practice, identity and access usually come early. Multi-factor authentication, account management, administrator access, and user review practices touch many other controls and close real risk.

Logging and monitoring often come next, because you cannot demonstrate much without records. Encryption, configuration baselines, backup handling, media handling, and endpoint controls may follow depending on the environment.

The documentation layer should not wait until the end, but it also should not become theatre. Policies, procedures, and internal rules should describe how the organization actually operates, not how someone wishes it operated. They can usually run in parallel with technical remediation.

Sequencing this way matters. If the timeline gets tight, the things you have finished are the things that reduce risk and support the most evidence.
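The gap-assessment output and the risk-ordered remediation described in the two sections above can live in one small register. The script below is an added illustration, not Pilotcore's tooling and not the CPCSC control catalogue: the control labels, statuses, risk scores and evidence references are constructed, and the real Level 1 set of 13 controls is not reproduced. It encodes two rules from the text: a control only counts as demonstrable when evidence is attached, so "met, no evidence" is reported as a gap rather than a pass; and the remediation queue is sorted by a score that rewards risk reduction and the number of other controls a fix unblocks, rather than by checklist position.

```python
"""Gap register with evidence-aware status and risk-ordered remediation.

Added illustration, not Pilotcore's tooling and not the CPCSC control
catalogue. Control ids, names, risk scores and evidence references are
constructed sample data. The scoring formula is an assumption chosen to
reflect the article's ordering advice, not a published CPCSC method.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    cid: str                                        # constructed label, not a CPCSC id
    name: str
    status: str                                     # "met", "partial", "not_met"
    evidence: List[str] = field(default_factory=list)   # tickets, exports, screenshots
    risk: int = 1                                   # 1 (low) .. 5 (high) while open
    unblocks: List[str] = field(default_factory=list)   # controls that cannot be evidenced until this is done


def demonstrable(c: Control) -> bool:
    """Only a met control with at least one evidence item can be attested."""
    return c.status == "met" and bool(c.evidence)


def classify(c: Control) -> str:
    """Plain, usable status: the 'met but cannot prove it' case gets its own bucket."""
    if demonstrable(c):
        return "met_with_evidence"
    if c.status == "met":
        return "met_no_evidence"
    return c.status


def priority(c: Control) -> int:
    """Risk reduction first, then how much evidence the fix unlocks (assumed formula)."""
    openness = {"partial": 1, "not_met": 2}.get(c.status, 0)
    return c.risk * (1 + openness) + 2 * len(c.unblocks)


def remediation_queue(controls: List[Control]) -> List[str]:
    """Ids of controls that cannot be attested yet, highest priority first."""
    todo = [c for c in controls if not demonstrable(c)]
    todo.sort(key=lambda c: (-priority(c), c.cid))
    return [c.cid for c in todo]


def summary(controls: List[Control]) -> Dict[str, List[str]]:
    """Group control ids by classified status."""
    out: Dict[str, List[str]] = {}
    for c in controls:
        out.setdefault(classify(c), []).append(c.cid)
    return out


# Constructed sample register mirroring the article's examples.
REGISTER = [
    Control("C-MFA", "MFA on all user accounts", "partial", ["ticket-101"], risk=5,
            unblocks=["C-ADMIN", "C-REMOTE", "C-REVIEW"]),
    Control("C-ADMIN", "Separate administrator accounts", "not_met", [], risk=4),
    Control("C-LOG", "Audit logs retained and reviewed", "not_met", [], risk=3,
            unblocks=["C-EDR", "C-BACKUP", "C-REVIEW"]),
    Control("C-EDR", "Endpoint protection on in-scope devices", "met", [], risk=3),
    Control("C-BACKUP", "Backups tested for restoration", "met", [], risk=3),
    Control("C-REVIEW", "Quarterly access review", "met", ["review-2024Q4.pdf"], risk=2),
    Control("C-REMOTE", "Remote access only via VPN with MFA", "partial", [], risk=3),
]


if __name__ == "__main__":
    for bucket, ids in summary(REGISTER).items():
        print(f"{bucket:18s} {ids}")
    print("Remediation order:", remediation_queue(REGISTER))
```

With the sample data, identity (MFA) and logging rise to the top because they unblock the most other evidence, and the two controls the supplier believes it meets but cannot show (endpoint protection, tested backups) sit in the queue instead of being attested. Swap in your own scoped control set and evidence references; the point is that the register, not memory, decides what can be attested.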

Build the evidence as you go

Evidence is not a step you do at the end.

Every control you close should leave a trail at the moment you close it: the configuration, screenshot, policy, log sample, ticket, approval record, asset list, diagram, or meeting note that shows what was done and when.

For Level 1, your evidence will usually start with the basics:

  • A scoping rationale explaining why assets are in or out of scope.
  • A simple network diagram showing where systems are and how they connect.
  • A list of in-scope assets, including devices and systems.
  • A list of out-of-scope and specialized assets, where applicable.
  • Identified facilities, physical storage locations, and handling points.
  • Proof of security tasks, such as configurations, agreements, contracts, and key settings.
  • A list of employees who access Specified Information and their roles.
  • Notes on external systems, remote access, and personal computers or phones used for work.

For Level 2, the evidence burden becomes heavier. An assessor will want proof, not assertions. That means evidence needs to be organized, current, and tied back to the specific control requirement.

For Level 1, you are attesting on your own credibility. That is its own reason to be able to back it up.

Suppliers who treat evidence as a final scramble often end up redoing work because they cannot reconstruct what they did three months earlier.

Attest, or prepare for assessment, then maintain it

For Level 1, you complete the self-assessment, retain the result, track the expiry date, and provide the required proof through the appropriate procurement channels when the requirement applies.

For Level 2, readiness work should lead toward an external assessment once the certification system and accredited assessment capacity are available for the applicable requirement.

Either way, the work does not end at attestation or certification. Controls drift. Staff change. Cloud environments evolve. SaaS tools get added quietly. Remote work patterns change. Contractors come and go.

Build a light maintenance rhythm now:

  • Review scope when contract work changes.
  • Review access regularly.
  • Keep asset lists current.
  • Retain evidence as controls change.
  • Update diagrams when the environment changes.
  • Revisit policies when the actual process changes.
  • Track expiry and affirmation dates before they become urgent.

The suppliers who treat CPCSC as an operating practice, not a one-time documentation project, are the ones who will not dread the next renewal.

The order of operations

  1. Read the clause and find the level and date.
  2. Define a tight scope.
  3. Assess the scoped environment against the actual controls.
  4. Fix the highest-impact gaps first.
  5. Capture evidence as you go.
  6. Then attest, or prepare for assessment, and keep the control set current.

Do it in that order and CPCSC becomes a manageable project instead of an emergency.

If you would rather not navigate that sequence cold, Pilotcore scopes this as a focused CPCSC compliance readiness review: level, boundary, gap map, evidence list, and next-step plan before you commit to a larger remediation effort. If you need a smaller starting point, the Pilot Projects page explains the fixed-scope way Pilotcore handles early discovery work.

About the author

Nelson Ford - CMMC CCP / CISSP

  • CISSP
  • CMMC Certified Professional

Nelson Ford is the principal at Pilotcore, based in Ottawa. He is a CISSP and CMMC Certified Professional, and works with Canadian defence suppliers on CPCSC readiness and US contractors on CMMC. He writes Pilotcore's compliance and zero-trust commentary.

Frequently asked questions

What should I do first when CPCSC appears in a contract?

Read the clause and confirm the required CPCSC level and the date compliance is actually due. Do that before buying tools or starting remediation work.

Is CPCSC Level 1 required during bidding?

PSPC's Level 1 guidance says Level 1 self-assessment will be required at contract award, not during the bidding process. The same guidance says proof of self-attestation and expiry date must be provided to CanadaBuys and with the bid when Level 1 applies.

Why does CPCSC scope come before the gap assessment?

The gap assessment only means something inside a defined boundary. Start with the systems, people, applications, facilities, vendors, and processes that store, process, transmit, or otherwise handle Specified Information.

What is the right CPCSC order of operations?

Read the clause, confirm the level and due date, define scope, assess the scoped environment, remediate high-impact gaps first, collect evidence as work happens, then attest or prepare for assessment and maintain the control set.
