What is a CPCSC self-assessment?

For CPCSC Level 1, suppliers complete an annual self-assessment against 13 security requirements and keep evidence for the attestation cycle, or at least one year, for the in-scope systems that handle federal Specified Information.

Where do I record CPCSC Level 1 proof?

Government guidance says suppliers must keep the self-assessment results, add proof of self-attestation and expiry date to their CanadaBuys supplier profile, and provide that proof with a bid when the bid or contract requires CPCSC Level 1.

Can Pilotcore complete the attestation for me?

No. Pilotcore can help you prepare scope, evidence, and gaps. Your organisation remains responsible for the self-assessment and attestation.

CPCSC Level 1 self-assessment

CPCSC Level 1 self-assessment checklist before attestation.

CPCSC Level 1 is an annual self-assessment against 13 controls. The hard part is not the form. The hard part is knowing that your scope and evidence can support the attestation.

Use this CPCSC self-assessment checklist when you are close to attesting and need to confirm the sequence: clause, scope, evidence, CanadaBuys proof, and renewal owner. If you are still collecting records, start with the CPCSC Level 1 evidence checklist.

Timing

Before you attest.

Level 1 became available in April 2026 and begins appearing in select defence contracts in summer 2026. In the initial phase, suppliers need Level 1 certification at contract award, not at bid submission. Use the checklist before an award decision creates time pressure.

Certification timing is not the same as proof timing. After self-assessment, add proof of self-attestation and expiry date to your CanadaBuys supplier profile, and provide it with the bid when the bid or contract requires CPCSC Level 1.

PSPC says suppliers can attest that they meet the 13 controls without using the online self-assessment tool, although the tool is encouraged. If you assess outside the tool, keep the same scope, control-status, evidence, and approval records.

The online self-assessment tool is the under an hour step only after you already know the standards and have reviewed your policies. If you need to implement one or more of the controls, save the assessment and return after scope, remediation, and evidence are ready.

Before attestation, write down the internal configuration decisions behind the controls. Small suppliers often miss values such as how long an inactive account can stay enabled, when MFA should re-authenticate a user, and how often scans or reviews run.

For the full record list behind these checks, use the CPCSC evidence checklist. This page stays focused on the self-assessment decision and attestation path.

Evidence

Evidence beats confidence.

A self-assessment should be backed by records: account exports, access-review signoffs, MFA configuration, approved-system lists, firewall rules, patch reports, endpoint protection coverage, sanitisation records, and a scope statement that names the systems handling Specified Information.

For Level 1, keep evidence for the duration of the attestation cycle, or at least one year. Treat that as the minimum for account lists, access reviews, policies, training records, update logs, sanitisation logs, firewall settings, and MFA screenshots.

A valid CMMC status may help if the same systems were assessed, but Canada reviews CMMC status case by case. Keep a CPCSC-specific evidence index even when controls are shared.

Worksheet

Want the worksheet version?

The printable prep worksheet gives your team eight prompts to complete before signing a Level 1 self-attestation.

Open the worksheet

Page references

References used for this page.

Use Pilotcore's worksheet and readiness call as the practical next step. The links below show the Government of Canada pages used to check this guidance.