CPCSC Level 1 requirements


CPCSC Level 1 applies to suppliers working on designated Canadian defence contracts that handle federal Specified Information on supplier systems. The supplier completes an annual self-assessment against 13 cyber security controls, keeps supporting evidence, and provides proof of self-attestation and expiry when the contract or CanadaBuys process requires it.

Assessment: annual self-assessment

Controls: 13 Level 1 controls

Proof: CanadaBuys attestation details

Key takeaways

  • What it is: An annual self-assessment against 13 cyber security controls for suppliers that handle federal Specified Information on their own systems.
  • Who needs it: Suppliers on designated Canadian defence contracts that call for CPCSC, including subcontractors when a prime flows the requirement down.
  • When it applies: Available since April 1, 2026. It may start appearing in select contracts in summer 2026, with proof due at contract award.
  • Effort and cost: The online form can take under an hour. The real work is closing gaps and keeping evidence, and the cost depends on your current setup.

Applicability

Who needs CPCSC Level 1?

CPCSC Level 1 is not a company-wide licence. It is tied to Canadian defence work. Canada says required certification levels are determined contract by contract and stated in RFPs and contract clauses. Prime contractors may also flow requirements down to subcontractors.

Use this page before bidding on, accepting, or renewing work that may require CPCSC. The contract language decides what level is required, when proof is due, and which supplier systems are in scope.

Scope

What information does CPCSC protect?

CPCSC protects federal Specified Information that a supplier stores, processes, or transmits on its own systems. Canada gives examples such as non-public DND contract details, controlled goods information, and protected information.

Start by tracing the path of that information: the systems, users, devices, vendors, facilities, and processes that store, process, or transmit Specified Information. Do not price or remediate the whole company by default. If the scope expands beyond that path without a clear reason, the budget usually gets worse without making the attestation more accurate.

Timing

When does CPCSC Level 1 apply?

CPCSC Level 1 became available to suppliers on April 1, 2026. Canada says Level 1 requirements may begin appearing in select defence contracts beginning in summer 2026.

Canada also says the Level 1 self-assessment is required at contract award, not during the bidding process. There is still a bid-time proof step for contracts that require it: suppliers must provide proof of self-attestation and expiry date in their CanadaBuys supplier profile and when submitting a bid.

Requirements

CPCSC Level 1 controls and evidence.

Canada publishes 13 Level 1 controls across six families. The table below keeps that spine in order and adds practical evidence examples for a supplier readiness file.

| # | Family | Level 1 requirement | Proof to keep |
| --- | --- | --- | --- |
| 01 | Access control | Manage user accounts | Current user inventory, owner list, account request and removal records, and privileged-account list. |
| 02 | Access control | Give people only the access they need | Access review notes, role or group assignments, approval records, and samples showing least-privilege changes. |
| 03 | Access control | Use only approved systems and devices | Approved system list, endpoint inventory, mobile-device inventory, SaaS inventory, and exception records. |
| 04 | Access control | Prevent sensitive information from being shared publicly | File-sharing settings, external sharing review, data-handling policy, and samples from collaboration tools. |
| 05 | Identification and authentication | Use individual accounts and strong passwords | Password policy, identity-provider settings, disabled shared accounts list, and account configuration screenshots. |
| 06 | Identification and authentication | Approve devices before they connect | Device approval process, managed-device list, network access rules, enrollment records, and remote-access settings. |
| 07 | Identification and authentication | Enable multi-factor authentication | MFA policy, identity-provider screenshots, privileged-account coverage, and exception or break-glass records. |
| 08 | Media protection | Wipe or destroy old devices | Sanitization procedure, device retirement tickets, wipe logs, destruction certificates, and disposal vendor records. |
| 09 | Physical protection | Keep a list of who can access secure areas | Access list for offices, server rooms, labs, storage areas, or other locations where in-scope systems are kept. |
| 10 | Physical protection | Control physical entry | Visitor logs, badge or key records, access reviews, and hosting or facility control descriptions. |
| 11 | System and communications protection | Use basic network protections | Network diagram, firewall or security-group settings, remote-access rules, VPN configuration, and exposed-service review. |
| 12 | System and information integrity | Apply security updates | Patch policy, update reports, vulnerability remediation records, and owner notes for overdue updates. |
| 13 | System and information integrity | Use antivirus and anti-malware software | Endpoint protection coverage report, alert handling records, configuration screenshots, and excluded-device review. |

Process

CPCSC Level 1 self-assessment process.

  1. Confirm the clause and level

    Read the RFP, contract, or prime flow-down language. Required CPCSC certification levels are contract-specific.

  2. Scope Specified Information

    Map where federal Specified Information is stored, processed, or transmitted. Include systems, users, devices, vendors, facilities, and processes.

  3. Assess the 13 controls

    Record whether each Level 1 control is implemented, partly implemented, or not implemented for the in-scope environment.

  4. Fix the gaps that block attestation

    Close issues such as shared accounts, missing MFA, unmanaged laptops, public file-sharing, weak patch records, or unclear vendor access.

  5. Keep proof and plan renewal

    Retain the assessment result and supporting records, track the expiry date, and assign an owner for annual renewal.

The online self-assessment itself can take less than an hour if you have already reviewed your policies and implementation. The readiness work is what can take days or weeks.

Retention

Evidence retention.

Keep the self-assessment result and the records behind it for the duration of the attestation cycle, or at least one year. Keep records longer when your contract, legal, privacy, tax, or internal retention rules require it.

A practical evidence pack includes scope notes, account and device lists, MFA screenshots, access reviews, patch reports, endpoint-protection reports, firewall or security-group settings, visitor logs, and sanitization records.

Gaps

Common CPCSC Level 1 gaps.

  • Shared administrator or shop-floor accounts instead of individual accounts.
  • MFA enabled for email but not for remote access, cloud consoles, or privileged accounts.
  • Unmanaged laptops or personal devices touching contract information.
  • Old devices retired without wipe logs or destruction records.
  • Firewall rules, remote access, or vendor access that no one has reviewed recently.
  • Patch status known informally but not retained as a report or ticket record.
  • No clear scope statement for which systems handle Specified Information.

Comparison

CPCSC Level 1 vs CMMC Level 1.

CPCSC and CMMC overlap because both are built around defence-supplier cyber security expectations. That does not make them interchangeable. Canada says valid CMMC status may be accepted case by case after confirming scope, and Canada may verify specific controls.

Treat existing CMMC work as useful evidence, not an automatic substitute. Your CPCSC file should still map the Canadian contract scope, Specified Information path, 13 Level 1 controls, proof, and renewal date.

Planning

How long does CPCSC Level 1 take?

The form can be fast. The readiness work depends on your current state. A supplier already using MFA, managed devices, logging, patching, and access reviews may only need scope confirmation and evidence cleanup. A supplier starting from shared passwords, unmanaged laptops, informal file sharing, and unclear vendor access is probably looking at a remediation project.

For more timing detail, read how long CPCSC takes.

Cost

How much does CPCSC Level 1 cost?

There is no government fee for the Level 1 self-assessment, and Level 1 has no external assessor to pay. Your cost is mostly internal time: defining scope, closing gaps, collecting evidence, and recording the attestation.

What moves the number is your starting point. A supplier already running MFA, managed devices, patching, and access reviews is usually confirming scope and tidying evidence. A supplier starting from shared passwords, unmanaged laptops, and informal file sharing is closer to a remediation project measured in weeks.

As of June 2026, Pilotcore planning for a small Canadian defence supplier often starts in the low five figures once outside support or remediation is needed. These are planning ranges, not quotes, and not official government fees. For a fuller breakdown, read how much CPCSC costs.

Next step

Build the Level 1 file before the clause creates pressure.

The ungated guide gives you the Level 1 control list, scope prompts, and evidence planning structure. Pilotcore can help turn it into a readiness plan for your environment.


Frequently asked

CPCSC Level 1 questions.

Is CPCSC Level 1 a third-party audit?

No. CPCSC Level 1 is an annual supplier self-assessment. Level 2 is expected to use an external assessment every three years plus annual affirmation once it becomes available.

When will CPCSC Level 1 appear in contracts?

Canada says Level 1 may begin appearing in select defence contracts in summer 2026. The actual requirement depends on the RFP, contract clause, or prime flow-down language.

Do I need to finish the assessment before bidding?

Canada says the Level 1 self-assessment is required at contract award, not during the bidding process. If the contract requires CPCSC Level 1, suppliers must also provide proof of self-attestation and expiry date in their CanadaBuys supplier profile and when submitting a bid.

How long does the Level 1 self-assessment take?

Canada says the online self-assessment can take less than an hour if you have already reviewed your policies and implementation. The readiness work can still take weeks when scope, evidence, MFA, device management, or patching gaps need to be fixed first.

Can CMMC Level 1 replace CPCSC Level 1?

Not automatically. Canada says valid CMMC status may be accepted case by case, but the supplier must still confirm that the same systems and controls are in scope for CPCSC.