Framework readiness

CPCSC Level 1 Readiness

The Canadian Program for Cyber Security Certification (CPCSC) is Canada’s emerging requirement for suppliers to the Department of National Defence. Level 1 is a self-assessment against 13 requirements drawn from ITSP.10.171, Canada’s profile of the NIST SP 800-171 controls. We run the self-assessment for you so you can meet contract eligibility without guessing at the intent of each requirement.

Book a discovery call See pricing & SKUs

Built for teams that...

  • Canadian businesses bidding on Government of Canada defence contracts
  • DND suppliers and subcontractors told they need CPCSC Level 1
  • Small firms that handle non-classified information and need a clean self-assessment
  • Teams that want the 13 requirements interpreted correctly the first time

What we do

  • Scoping of the systems and information in scope for CPCSC Level 1
  • Assessment against all 13 Level 1 requirements based on ITSP.10.171
  • Gap identification with plain-language explanations of each requirement’s intent
  • Remediation guidance to close gaps before you attest
  • Evidence and documentation to support your self-assessment
  • Preparation of the self-assessment so it is defensible if reviewed

What you walk away with

You complete a defensible CPCSC Level 1 self-assessment against the 13 requirements, with the evidence to back it and the gaps closed, so a defence procurement requirement stops standing between you and the contract. Because CPCSC builds on ITSP.10.171, the work also strengthens your baseline for the US CMMC program if you supply both governments.

Explore related work

Frequently asked questions

What is CPCSC?

The Canadian Program for Cyber Security Certification is a Government of Canada program that sets cybersecurity requirements for defence suppliers. It is built on ITSP.10.171, Canada’s profile of the NIST SP 800-171 controls, and is broadly analogous to the US CMMC program.

What does CPCSC Level 1 involve?

Level 1 is a self-assessment against 13 requirements aimed at protecting non-classified information. It is the entry tier of CPCSC and does not require a third-party assessor, but the self-assessment still needs to be accurate and evidence-backed.

How does CPCSC relate to CMMC?

Both programs are built on the NIST SP 800-171 control set, so the underlying safeguards overlap heavily. If you supply both the Canadian and US defence markets, doing one gives you a strong head start on the other, and we scope accordingly.

Do we need a third-party assessor for Level 1?

No. Level 1 is a self-assessment, so you attest to meeting the 13 requirements yourself. We do the assessment work with you and make sure it is defensible, but you remain the one attesting.

CPCSC Level 1 Readiness, on your timeline

Book a free 30-minute call. We’ll tell you whether it fits, what it costs, and when we can start.

Book a call