Assess Your Readiness for CPCSC Level 1

CPCSC Level 1 self-attestation becomes mandatory for National Defence contract awards in April 2026. Is your organization ready?

If your contracts touch the Department of National Defence and involve Specified Information, CPCSC applies to you.

Carbide’s CPCSC Level 1 Readiness Assessment takes less than 10 minutes to complete. Answer 14 questions and receive a personalized report showing exactly where you stand.

Your report includes:

  1. A readiness score for each control family.
  2. A list of every gap identified, with the specific control area it falls under.
  3. A prioritized set of remediation actions you can act on immediately.

Access Control (AC)

1. Does your organization have a documented process for managing user accounts throughout their lifecycle, including creating, modifying, disabling, and removing accounts, with defined timelines for handling terminated or transferred employees?
2. Are access controls technically enforced in your systems so that users can only access the specific data, applications, and functions they are authorized for (for example, through role-based permissions, group policies, or access control lists)?
3. Does your organization have documented policies controlling when and how external systems (personal devices, contractor laptops, cloud services not managed by your organization) can be used to access your systems or handle sensitive information?
4. Does your organization review its publicly accessible content (websites, public portals, downloadable documents) to ensure that sensitive or controlled information is not accidentally exposed, and train staff who publish content on what should not be made public?

Identification and Authentication (IA)

5. Does every person who accesses your systems have their own unique user account (no shared or generic logins), and are they required to prove their identity (authenticate) before gaining access?
6. Does your network verify the identity of devices (laptops, phones, servers) before allowing them to connect, so that unknown or unapproved devices are automatically blocked from joining the network?
7. Is multi-factor authentication (MFA), requiring two or more verification methods such as a password plus a phone notification or security key, enforced for all user accounts, including both administrator and standard user accounts?

Media Protection (MP)

8. Does your organization have a documented process to securely wipe or physically destroy storage media (hard drives, USB drives, old laptops, mobile devices) that contained sensitive information before disposing of them, recycling them, or transferring them outside your organization?

Physical Protection (PE)

9. Does your organization maintain a current, approved list of who is authorized to physically access the locations where your IT systems are housed (server rooms, offices with workstations, data closets), and is this list reviewed and updated on a regular schedule?
10. Are the locations where your IT systems are housed physically secured (through locks, badge/key card systems, or other controls), with access logs maintained and visitors escorted? Note: this applies to any location where systems processing sensitive information reside, whether that is a dedicated server room, a locked office, or a secured area in a home office.

System and Communications Protection (SC)

11. Does your organization monitor and control network traffic at its network boundaries using firewalls or similar security tools? For cloud or hybrid environments, this includes virtual firewalls, security groups, or cloud-native boundary controls that govern what traffic enters and leaves your environment.
12. If your organization has any systems that are publicly accessible (for example, a website, customer portal, or public API), are those systems on a separate network segment from your internal systems, so that a compromise of the public-facing system does not give direct access to your internal network?

System and Information Integrity (SI)

13. Does your organization have a defined process to identify security vulnerabilities in your systems and install software and firmware security updates (patches) within established timeframes, for example, critical patches within 14 days?
14. Does your organization have antivirus or endpoint detection and response (EDR) software installed on all systems, with automatic updates enabled, regular scheduled scans configured, and the software set to automatically block or quarantine detected threats?
