What evidence should I keep for CPCSC Level 1?

Keep a scope statement, account lists, device lists, access review notes, copies of security policies, security, IT, and information management training records, update, patching, and sanitization logs, visitor logs, firewall settings or screenshots, MFA configuration screens, SSP-style notes, and CanadaBuys attestation proof.

How long should I keep CPCSC Level 1 evidence?

Keep Level 1 evidence for the duration of the attestation cycle, or at least one year. Keep it longer when your contract, legal, tax, privacy, or internal retention rules require it.

Do I need an SSP for CPCSC Level 1?

Government Level 1 guidance does not require the same formal SSP used in many CMMC Level 2 programs, but an SSP-style system description is useful because it shows the scope, inherited controls, and evidence locations.

Can CMMC evidence be reused for CPCSC?

It can support CPCSC when the assessed scope matches. Canada may accept valid CMMC status case by case and may verify specific controls, so keep a CPCSC mapping pack rather than assuming automatic reuse.

Is a CPCSC evidence checklist enough for certification?

No. A checklist helps you collect and organize proof, but your attestation still depends on the real scope, the controls you operate, the evidence you keep, and any contract or program instructions that apply to your organization.

CPCSC Level 1 evidence checklist

CPCSC Level 1 checklist for evidence and self-assessment scope.

Canadian Program for Cyber Security Certification (CPCSC) evidence should show what is in scope, which controls are implemented, which records prove it, and who owns renewal before the CanadaBuys expiry date.

Use this page as the working CPCSC evidence checklist. Keep it open while you collect records, then use the CPCSC self-assessment checklist when you are ready to confirm the attestation steps before signing.

Baseline

The minimum evidence package.

For Level 1, suppliers assess 13 controls annually. Government guidance says the self-assessment results must be retained and proof of self-attestation with the expiry date must be provided in CanadaBuys when required by a defence contract.

For Level 1, keep evidence for the duration of the attestation cycle, or at least one year. Contract, legal, privacy, or internal retention rules may require a longer period.

Suppliers can attest that they meet the 13 controls without using the online self-assessment tool. If they do, the evidence package should still preserve the same scope, control-status, evidence, and approval records.

The categories below match PSPC published Level 1 evidence guidance, translated into a practical checklist you can use before or after CanadaBuys attestation.

If you only need the attestation sequence, use the shorter CPCSC Level 1 self-assessment checklist. This page is for the supporting records behind that decision.

Malware response notes and control-exception logs are supporting records. They help explain how anti-malware alerts, threat handling, and approved exceptions were tracked, but they do not add a separate control to the Level 1 checklist.

Evidence categories

Four buckets for the Level 1 evidence pack.

01
Scope evidence
- Contract clause
- Specified Information flow map
- System boundary diagram
- Cloud and SaaS inventory
- Paper file and printed SI locations
- USB and removable media paths
- Subcontractor and MSP access list
02
Identity and access
- account lists
- access review notes
- Privileged-account list
- MFA configuration screens
- Joiner-mover-leaver sample tickets
03
Device and platform
- device lists
- Approved systems list
- Endpoint protection coverage
- logs of updates, patching, and sanitization
- Vulnerability remediation tickets
04
Policies, training, and operations
- copies of security policies
- security, IT, and information management training records
- firewall settings or screenshots
- visitor logs
- Malware response notes and control-exception log

13 Level 1 items

What to collect for each CPCSC Level 1 control.

The official criteria define what is assessed. This checklist turns those controls into records a small supplier can collect, assign, and review before relying on an attestation.

Requirement	What to prove	Evidence to collect	Owner	Review cadence	Common gap
03.01.01 Account management	Every in-scope account has an owner, a reason to exist, an access level, and a removal path.	User and admin account export, role or group membership list, joiner-mover-leaver tickets, disabled-account sample, access review notes.	IT or identity owner	Quarterly review, plus every joiner, mover, or leaver event	Shared accounts, old contractor accounts, and no record of who approved access.
03.01.02 Access enforcement	Permissions match approved need-to-know access for systems that process, store, or transmit Specified Information.	Access policy, group-permission export, privileged-access list, sample folder or cloud permission screenshots, approval tickets.	System owner	Quarterly review, plus every major role or system change	Permissions are granted directly to people instead of controlled through named groups.
03.01.20 Use of external systems	External systems, personal devices, subcontractor tools, and cloud services are approved before they touch Specified Information.	Approved external systems list, BYOD decision record, subcontractor access notes, MSP agreement, cloud-service security settings.	Operations or vendor owner	Before adoption, then at renewal or supplier change	Teams use personal storage, unmanaged phones, or client portals without a recorded approval decision.
03.01.22 Publicly accessible content	Public websites, documents, marketing pages, repositories, and file shares are checked before sensitive contract information is posted.	Publishing review checklist, reviewer assignment, sample content review, takedown record if sensitive information was found.	Communications or contract owner	Before publication, plus periodic public-content review	No one owns public-content review for contract details, diagrams, screenshots, or customer files.
03.05.01 User identification and authentication	Users have unique accounts, sign in with approved credentials, and re-authenticate when your policy requires it.	Identity policy, account export, password or sign-in policy settings, screen-lock settings, session timeout settings.	Identity owner	Quarterly review, plus identity-platform change	Generic logins, unclear screen-lock settings, or no written rule for re-authentication.
03.05.02 Device identification and authentication	Devices that connect to in-scope systems are known, approved, and blocked when they should not connect.	Device inventory, endpoint-management export, device compliance policy, Wi-Fi or VPN access settings, blocked-device sample.	Endpoint owner	Monthly device list review, plus onboarding and disposal events	Personal or old devices can still connect because inventory and access control are separate.
03.05.03 Multi-factor authentication	MFA is enforced where Level 1 requires it and where your scope says Specified Information is stored or accessed.	MFA policy, per-system MFA configuration screens, privileged-account MFA report, exception list, recovery process.	Identity owner	Monthly privileged-account review, plus every new system	MFA is turned on for email but not for admin consoles, VPN, file storage, or prime-contractor portals.
03.08.03 Media sanitization	Media that held Specified Information is wiped, destroyed, or otherwise handled before disposal or reuse.	Disposal log, wipe certificate, destruction receipt, printer or copier storage note, USB and backup-media inventory.	IT asset owner	Every disposal, return, reuse, or decommission event	Laptops are tracked, but printers, USB drives, phones, paper files, and backups are missed.
03.10.01 Physical access authorizations	People with physical access to locations that hold Specified Information are approved and removed when access is no longer needed.	Key, badge, lock, or cabinet access list, access approval record, removal sample, temporary-access expiry list.	Facilities or office owner	Quarterly review, plus staff and contractor changes	Physical access is handled informally and is not tied to employee offboarding.
03.10.07 Physical access control	Rooms, cabinets, visitor paths, and work areas that can expose Specified Information have controlled entry.	Visitor log, locked-storage list, office access procedure, escort rule, photo or screenshot of access-control setting.	Facilities or office owner	Monthly visitor-log review, plus office or storage change	Printed files, home offices, and shared storage rooms are left out of the scope discussion.
03.13.01 Boundary protection	The edge of the in-scope environment is known and basic protections are configured.	Network diagram, firewall or router settings, VPN settings, cloud security group export, allowed and blocked traffic review.	Network or cloud owner	Quarterly review, plus every network or cloud boundary change	The diagram shows the office network but not cloud storage, email, remote access, or admin paths.
03.14.01 Flaw remediation	In-scope systems are updated, known weaknesses are tracked, and fixes are recorded.	Patch policy, update logs, vulnerability tickets, vendor advisory subscription, sample remediation record.	IT operations owner	Monthly patch review, faster for urgent vendor advisories	Updates happen automatically, but no one keeps the logs or records exceptions.
03.14.02 Malicious code protection	Anti-malware protections are installed, active, updated, and monitored across in-scope devices and services.	Endpoint protection console export, malware policy, alert sample, scan schedule, response notes for a resolved alert.	Security or endpoint owner	Monthly coverage review, plus every new endpoint or server	Coverage looks good for laptops, but servers, email, file storage, and unmanaged devices are not checked.

If the table exposes missing owners, stale screenshots, or unclear scope boundaries, treat that as a readiness issue. Pilotcore can review the packet, test the scope against the Level 1 controls, and identify the records to fix first.

Documentation

SSP-style notes for CPCSC.

Even when Level 1 does not require a formal CMMC-style SSP, an SSP-style packet is useful. Keep a short system description, data-flow diagram, responsibility matrix for cloud and SaaS providers, inherited-control notes, and evidence links for each Level 1 control.

System overview

Name the systems, devices, cloud services, users, and support providers that handle Specified Information.
Scope boundary

State what is in scope, what is out of scope, and why the boundary covers digital, cloud, paper, and portable media locations that can hold Specified Information.
Evidence index

Map each control to the policy, export, screenshot, ticket, log, or review record that proves the current state.

This also helps if your organisation later needs CMMC Level 2, CPCSC Level 2, or a customer security questionnaire that asks for the same records in different words.

Readiness support

Pilotcore readiness support.

We help suppliers define scope, map controls, build an evidence index, and prepare for CanadaBuys attestation. We do not issue official certifications or replace an accredited assessor.

Page references

References used for this page.

Use Pilotcore's guide and evidence plan as the practical next step. The links below show the Government of Canada pages used to check this guidance.

CPCSC Level 1 checklist for evidence and self-assessment scope.

The minimum evidence package.

Four buckets for the Level 1 evidence pack.

Scope evidence

Identity and access

Device and platform

Policies, training, and operations

What to collect for each CPCSC Level 1 control.

SSP-style notes for CPCSC.

System overview

Scope boundary

Evidence index

Pilotcore readiness support.

References used for this page.