CPCSC Level 1
CPCSC Level 1 evidence packet and scoping checklist.
CPCSC evidence should show what is in scope, which controls are implemented, which records prove it, and who owns renewal before the CanadaBuys expiry date.
Baseline
The minimum evidence package.
For Level 1, suppliers assess 13 controls annually. Government guidance says the self-assessment results must be retained and proof of self-attestation with the expiry date must be provided in CanadaBuys when required by a defence contract.
For Level 1, keep evidence for the duration of the attestation cycle, or at least one year. Contract, legal, privacy, or internal retention rules may require a longer period.
Suppliers can attest that they meet the 13 controls without using the online self-assessment tool. If they do, the evidence package should still preserve the same scope, control-status, evidence, and approval records.
The categories below match PSPC's published Level 1 evidence guidance, translated into a practical checklist you can use before or after CanadaBuys attestation.
Evidence categories
Four buckets for the Level 1 evidence pack.
- Scope evidence
  - Contract clause
  - Specified Information flow map
  - System boundary diagram
  - Cloud and SaaS inventory
  - Subcontractor and MSP access list
- Identity and access
  - Account lists
  - Access review notes
  - Privileged-account list
  - MFA configuration screens
  - Joiner-mover-leaver sample tickets
- Device and platform
  - Device lists
  - Approved systems list
  - Endpoint protection coverage
  - Logs of updates, patching, and sanitization
  - Vulnerability remediation tickets
- Policies, training, and operations
  - Copies of security policies
  - Security, IT, and information management training records
  - Firewall settings or screenshots
  - Visitor logs
  - Incident and exception register
Documentation
SSP-style notes for CPCSC.
Even when Level 1 does not require a formal CMMC-style SSP, an SSP-style packet is useful. Keep a short system description, data-flow diagram, responsibility matrix for cloud and SaaS providers, inherited-control notes, and evidence links for each Level 1 control.
- System overview
  Name the systems, devices, cloud services, users, and support providers that handle Specified Information.
- Scope boundary
  State what is in scope, what is out of scope, and why the boundary is broad enough to test each Level 1 requirement.
- Evidence index
  Map each control to the policy, export, screenshot, ticket, log, or review record that proves the current state.
This also helps if your organisation later needs CMMC Level 2, CPCSC Level 2, or a customer security questionnaire that asks for the same records in different words.
Readiness support
Pilotcore readiness support.
We help suppliers define scope, map controls, build an evidence index, and prepare for CanadaBuys attestation. We do not issue official certifications or replace an accredited assessor.
Official sources