The Canadian Program for Cyber Security Certification (CPCSC) is no longer a future problem. Level 1 became available to suppliers on April 1, 2026, and the requirement begins appearing in select Government of Canada defence contracts this summer. If you sell to the federal defence supply chain, or want to, Level 1 is the entry ticket.
The good news: Level 1 is a self-assessment. You do not need a third-party auditor or a government assessor to complete it. The harder news: it is annual, the controls are specific, and the attestation is tied to your ability to bid. This is the practical guide to getting it done.
What CPCSC Level 1 actually is
CPCSC is run by Public Services and Procurement Canada (PSPC). It is Canada's answer to the U.S. Cybersecurity Maturity Model Certification (CMMC), built on ITSP.10.171, the Canadian Centre for Cyber Security's profile of NIST SP 800-171. The program has three levels, scaled to the sensitivity of the information in a contract. Level 1 is the baseline.
At Level 1 you confirm the implementation status of 13 security requirements. Those 13 requirements are drawn from 6 of the 17 ITSP.10.171 control families and break down into 71 individual assessment objectives. You self-assess against each objective, then attest to the result annually through the Canada Buys procurement platform.
The 6 control families in scope
The 13 Level 1 requirements come from these six families:
- Access Control — limit system access to authorized users, restrict what they can do, and control external connections.
- Identification and Authentication — uniquely identify users and devices and authenticate them before granting access.
- Media Protection — sanitize or destroy media containing protected information before disposal or reuse.
- Physical Protection — limit physical access to systems and equipment, and escort and monitor visitors.
- System and Communications Protection — monitor and control communications at system boundaries and separate public-facing components.
- System and Information Integrity — identify and fix flaws, run malicious-code protection, and act on alerts.
None of this is exotic. If you already run modern identity, patching, and endpoint protection, much of Level 1 is documentation, not new spend.
How the self-assessment works
For each of the 71 assessment objectives you decide whether the practice is met, not met, or not applicable, and you record the evidence that supports your answer. The Government of Canada provides an online tool to walk through the requirements. The point is honesty: a self-assessment that overstates your posture is a liability, because the attestation is a representation to the Crown.
The deliverable is twofold. First, the completed assessment itself. Second, the supporting evidence: policies, configuration screenshots, access review records, and a short system security plan that describes the boundary you assessed. Keep that evidence. If a contract later escalates to Level 2, the certification body will want to see it.
Attesting on Canada Buys
Level 1 is self-attested through the Canada Buys procurement platform. When you respond to a solicitation that carries the requirement, you complete the CPCSC Level 1 self-assessment attestation section. The attestation is annual, so this is not a one-time exercise. Plan to re-assess and re-attest every year, and treat any material change to your environment as a trigger to revisit it sooner.
A realistic timeline
For a small supplier with reasonable IT hygiene, Level 1 readiness is typically a 2 to 5 week effort. Most of that is evidence collection and closing two or three real gaps, not the assessment itself. The common gaps we see are missing multi-factor authentication on remote access, no documented media sanitization process, and no record of periodic access reviews. All three are inexpensive to fix once you know to look.
Where to start this week
Pull the list of contracts and opportunities you are chasing and check which carry a CPCSC requirement and at what level. Map your current controls against the 13 Level 1 requirements. Fix the obvious gaps. Collect the evidence as you go so the attestation is a formality, not a scramble. Then build the annual reminder so renewal never sneaks up on you.
If you want a second set of eyes, we run CPCSC readiness engagements, complete the Level 1 self-assessment with Canadian suppliers, and prepare them for Levels 2 and 3 when a contract demands it.
Need CPCSC Level 1 done right?
We map your contracts to the level you need, close the control gaps, build the evidence, and complete the self-assessment with you. Toronto-based, led by a published CVE researcher.