Nelson Ford, founder and principal consultant of Pilotcore

Built by Nelson Ford, CMMC CCP and CISSP

Pilotcore

Your Free CPCSC Level 1 Compliance Guide

Relevant requirements for suppliers working on designated current or future defence contracts that include CPCSC Level 1 language. The Canadian Program for Cyber Security Certification (CPCSC) applies when contract language requires it and federal Specified Information is handled on supplier systems.

  • The 13 published CPCSC Level 1 controls in plain English
  • Planning ranges: 1-2 weeks for initial scoping, 2-6 weeks for smaller Level 1 improvements, and 6-12+ weeks for larger remediation
  • Common readiness gaps, scoping questions, and evidence habits
  • Action plan with early planning ranges

IMPORTANT: CPCSC requirements are being phased into designated Department of National Defence contracts. Confirm timing and applicability in current solicitation documents.

Get the CPCSC guide by email

Understand contract and attestation implications before submitting self-assessments.

Who Should Download?

Any company, Canadian or foreign, expecting to handle federal Specified Information for a designated Canadian defence contract or prime flow-down. Prime contractors, suppliers, and partners can use it before contract-award timing creates pressure.

Audience

Who should download this guide?

This guide is for organisations that:

  • Bid on or support DND or PSPC defence contracts.
  • Handle contract-designated Specified Information.
  • Act as subcontractors to Canadian defence primes.
  • Provide IT, MSP, cloud, software, engineering, or manufacturing support to defence suppliers.
  • Need to understand CPCSC Level 1 before completing a self-assessment or supplier questionnaire.
  • Want to compare CPCSC expectations against CMMC, NIST 800-171, or current security controls.

If you are unsure whether CPCSC applies to your organisation, the guide can help you ask the right scoping questions.

Why now

Prepare for DND contract cyber requirements.

CPCSC requirements are being phased into designated Department of National Defence contracts based on current rollout guidance. Whether you are based in Canada or abroad, validate current contract language to confirm applicability and timing.

  • Phased rollout.

    Level 1 requirements may appear in select contracts beginning Summer 2026.

  • Attestation risk managed.

    Attestation ownership, evidence records, and renewal timing explained.

  • Contract ready.

    Relevant when CPCSC language appears in a DND or PSPC solicitation, prime flow-down, or contract.

The guide provides clear steps for both Canadian and international contractors.

What you'll get

Inside the email delivery.

  • Requirements overview.

    The 13 published Level 1 CPCSC controls explained across the 6 security domains: Access Control, Identity and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. Includes scope definition (enterprise vs. boundary), implementation notes, and evidence examples.

  • Timeline and cost planning.

    1-2 weeks for initial scope review and gap analysis for a focused environment. 2-6 weeks for smaller Level 1 readiness improvements when Microsoft 365, cloud, and endpoint controls are already mature. 6-12+ weeks for larger environments, missing policies, weak identity controls, or deeper technical remediation. Plus cost estimates, resource requirements, and annual maintenance.

  • Common implementation challenges.

    Common readiness gaps and how to avoid them, supplier and subcontractor scoping questions, self-attestation ownership, evidence records, and renewal checkpoints.

  • Implementation roadmap.

    Action plan with practical milestones, operating habits for maintaining evidence, the business case for early preparation, and the value of knowing your scope before a solicitation deadline.

Applicability

CPCSC applies to designated DND contractors, not just Canadian companies.

Any organisation awarded a designated DND contract that handles federal Specified Information on supplier systems may need CPCSC Level 1 when the clause is present. That includes foreign companies, subcontractors, and partners. The guide covers the scoping questions to ask before attestation.

Readiness consulting

Want help applying the guide to your environment?

If CPCSC is tied to an active opportunity, renewal, or supplier questionnaire, Pilotcore can help translate the guide into a practical readiness plan for your systems, team, and timeline.

  • scope and applicability review
  • ITSP.10.171 gap analysis
  • remediation roadmap
  • evidence checklist
  • technical control recommendations
  • control and evidence review before self-attestation or assessment

Comparing programs? Read CPCSC vs CMMC.

Frequently asked

CPCSC Level 1 questions.

  1. What is CPCSC Level 1?

    CPCSC Level 1 is the entry-level readiness tier for organisations in scope of designated Canadian defence procurement requirements. It focuses on baseline cybersecurity practices and self-assessment expectations based on current program guidance.

  2. Who needs CPCSC Level 1?

    Organisations that bid on or support certain DND/PSPC defence contracts may need CPCSC Level 1 readiness, including subcontractors and suppliers that handle federal Specified Information. That can include non-public contract details with DND, controlled goods information, and protected information. Always confirm against the specific solicitation language.

  3. Is this guide official government guidance?

    No. The guide is practical readiness guidance from Pilotcore. Use it alongside current Government of Canada, PSPC, Canadian Centre for Cyber Security, and solicitation-specific guidance.

  4. Can Pilotcore certify my company for CPCSC?

    No. Pilotcore provides readiness, implementation, and evidence-preparation support. We are not an accredited certification body, we do not issue official CPCSC certifications, and we do not guarantee assessment outcomes.

  5. Can CMMC, SOC 2, ISO 27001, or NIST 800-171 work help with CPCSC?

    Often, yes. Existing controls and documentation can reduce the effort, but they still need to be mapped to CPCSC and ITSP.10.171 expectations and the actual contract scope.