CPCSC Levels Explained: Do You Need Level 1, 2, or 3?

One of the most common questions Canadian defence suppliers ask about the CPCSC is which level they need. The honest answer is that you do not choose. The contract chooses for you. But you can absolutely figure out, ahead of any bid, which level your pipeline will require, and that foresight is the difference between winning work and watching it close without you.

The level follows the information

CPCSC has three certification levels, and the level required on any given solicitation is set by the sensitivity of the information involved in that work. A contract that touches only low-sensitivity information sits at Level 1. As the information becomes more sensitive, or the work more critical, the required level rises. You will see the requirement stated in the solicitation itself.

Level 1: self-assessed baseline

Level 1 requires an annual self-assessment against 13 security requirements, drawn from 6 ITSP.10.171 control families and broken into 71 assessment objectives. You complete it yourself and attest through the Canada Buys platform. No external assessor is involved. This is the level most suppliers will encounter first, and it is the entry point to the federal defence supply chain.

Level 2: third-party certified

Level 2 applies when a contract involves controlled or more sensitive defence information. It requires an external assessment led by a certification body accredited by the Standards Council of Canada, plus an annual affirmation, against roughly 98 requirements. This is a real audit: an accredited assessor reviews your evidence and your system security plan. You cannot self-attest your way to Level 2, and you should be wary of any consultant who claims they can certify you. Readiness partners prepare you; accredited bodies certify you.

Level 3: government-assessed

Level 3 is reserved for the highest-risk work, the kind that can involve weapon systems, critical infrastructure, or information shared with Five Eyes partners. It requires an assessment conducted by National Defence itself, plus an annual affirmation, against roughly 200 requirements. Far fewer suppliers will need Level 3, but those who do should expect a demanding, government-led process and continuous evidence rather than a point-in-time snapshot.

How to figure out your level before you bid

Do not wait for a solicitation to tell you. Take the contracts and opportunities you are pursuing over the next 12 to 18 months and ask, for each: what information would we handle, and how sensitive is it? Low-sensitivity work points to Level 1. Controlled defence information points to Level 2. The most sensitive national-security work points to Level 3. If your pipeline mixes levels, plan for the highest one you realistically intend to chase, because certifying up is slower than certifying down.

Remember that requirements flow down. If you subcontract to a prime on a Level 2 contract and you touch the protected information, you can be required to hold Level 2 too, even though you never contract directly with the government. Map your subcontracting relationships, not just your direct bids.

The cost of guessing wrong

Guess too low and you are disqualified when the requirement appears, with no time to close the gap before the bid closes. Guess too high and you spend on an external assessment you did not yet need. The fix is the same in both directions: scope your pipeline early, certify to the level your real opportunities require, and build the evidence once so moving up a level later is an extension, not a restart.

If you are not sure where your contracts land, we scope the right CPCSC level with you and run the readiness work to get you there.


From Jacob Masse, founder of traztech.