If you supply goods or services to the Canadian Department of National Defence, you’ve probably heard the acronym CPCSC in procurement conversations. Maybe your prime contractor mentioned it. Maybe it showed up in an RFP. Maybe you searched for it and ended up more confused than when you started.
This post covers what CPCSC requires, when each phase kicks in, what the checklist looks like in practice, and what a realistic path to certification looks like for a Canadian business.
This entire CPCSC readiness checklist, covering all 6 control areas, evidence examples, and a 6-month readiness timeline, is available as a formatted PDF. Print it, share it with your IT team, or drop it in a shared drive.
What Is CPCSC and Why Is Everyone Talking About It Now?
CPCSC stands for the Canadian Program for Cyber Security Certification. It’s Canada’s answer to a question the federal government has been wrestling with for years: how do we make sure the thousands of businesses in our defence supply chain aren’t a cybersecurity weak point?
The short version: CPCSC requires defence suppliers to implement and demonstrate a specific set of cybersecurity controls, 97 of them, drawn from a standard called ITSP.10.171. This is Canada’s adaptation of NIST SP 800-171 Revision 3, and that Rev 3 detail matters. It’s more demanding than Rev 2, and most existing compliance guides still reference the older version.
CPCSC vs. CMMC: If you’ve heard of CMMC, the US equivalent, CPCSC is Canada’s version. They’re not identical. CPCSC is based on NIST 800-171 Revision 3 (97 requirements), while CMMC still uses Rev 2 (110 requirements). Canada also uses different terminology: where the US says “CUI” (Controlled Unclassified Information), Canada says “Specified Information” (SI). If you’ve been working from a CMMC compliance guide for your CPCSC prep, you may be using the wrong playbook.
The Official CPCSC Rollout Schedule
Knowing exactly when each requirement kicks in is the difference between being ahead of the curve and scrambling at contract time.
Phase 1 (March 2025 to March 2026): Standards Published
The cybersecurity standard for Levels 1 and 2 became available during this phase. Level 1 certification requirements and guidance materials were made publicly available. If you haven’t reviewed the ITSP.10.171 standard yet, that material is available now and there’s no reason to wait.
Phase 2 (April 2026 to March 2027): Level 1 Is Now Mandatory
This is the phase you’re in right now, and the one with the most immediate consequences for most suppliers. Starting April 2026, Level 1 requirements apply to National Defence contracts. Businesses must self-assess against the ITSP.10.171 controls and provide a self-attestation in their Canada Buys profile. Critically, self-attestation is required at contract award, not during the bidding process, so you won’t necessarily see it coming during an RFP. You need to be ready before you bid.
National Defence contracts will also begin using a new Contract Cyber Security Risk Assessment during this phase, which determines the level of certification required for each contract. The Standards Council of Canada will start accepting applications from organizations wanting to become accredited Level 2 assessors, and guidance for Levels 2 and 3 will be shared publicly.
Phase 3 (April 2027 to March 2028): Level 3 Enters, Broader Rollout
Level 3 certification requirements will begin appearing in select defence contracts during this phase, with compliance activities conducted by National Defence authorities directly. Levels 1 and 2 may also be applied to all Government of Canada defence contracts, not just DND, based on industry feedback gathered during Phase 2. The Phase 3 expansion is significant: CPCSC could become a baseline requirement across the entire federal defence procurement ecosystem.
Level 3 is the highest tier of CPCSC certification and will be conducted directly by National Defence authorities. Details on Level 3 requirements will be shared during Phase 2. If your contracts involve highly sensitive information or critical defence systems, start watching for that guidance now.
CPCSC Level 1 vs. Level 2: Which One Do You Need?
CPCSC has three tiers. Which one applies to you depends on your contract and what kind of information you handle.
Level 1 is a self-assessment. You review your own controls, document your findings, and submit a self-attestation through your Canada Buys profile. It’s mandatory from April 2026 for National Defence contracts.
Level 2 requires a third-party assessment conducted by an accredited assessor organization. You cannot self-certify at this level. Level 2 applies to suppliers handling more sensitive Specified Information or working on higher-risk contracts. The accreditation system for Level 2 assessors is being stood up now during Phase 2.
Level 3 is assessed directly by National Defence authorities and will begin appearing in select contracts from April 2027. It’s reserved for the most sensitive defence work.
Don’t assume you’re Level 1. Your contract scope could trigger a higher level. Get clarity on your tier before building your evidence package.
The CPCSC Readiness Checklist: 6 Control Areas
Below is the complete checklist in plain language. For each item we’ve included what kind of evidence you need to actually demonstrate the control, because ticking a box isn’t enough. Assessors work from 422 specific assessment objectives drawn from NIST 800-171 Rev 3. You need documentation.
1. Define Your Scope and System Boundary
- Identify everywhere Specified Information (SI) is stored, processed, or transmitted, including on-premise, cloud, and third-party systems. Evidence: Data flow diagrams annotated with SI classification; asset inventory with SI-handling flag per asset.
- Document your system boundary, including explicit exclusions and rationale for cloud shared-responsibility services (e.g. Microsoft 365, AWS). Evidence: System Security Plan (SSP) boundary section; cloud provider shared-responsibility matrices.
- Create a network diagram showing all data flows involving SI, including VPNs, external connections, and third-party integrations. Evidence: Annotated network topology diagram; firewall rule documentation.
- Inventory all in-scope assets: endpoints, servers, cloud instances, mobile devices, and removable media that may contact SI. Evidence: Asset inventory register with owner, classification, and last-reviewed date.
- Identify and document all third parties with access to in-scope systems. These are subject to CPCSC supply chain requirements under ITSP.10.171 SR family controls. Evidence: Third-party access register; vendor contracts with security addenda; MSP scope-of-access documentation.
2. Access Control and Authentication
- Implement MFA for all privileged accounts and all remote access to SI-handling systems. ITSP.10.171 Rev 3 has more prescriptive MFA requirements than Rev 2. Make sure your policy references the right version. Evidence: MFA configuration screenshots; policy referencing ITSP.10.171 IA-3.1; helpdesk enrollment records.
- Enforce unique user accounts with least privilege. No shared accounts. No standing admin access. RBAC documented for all SI-handling systems. Evidence: Active Directory/IAM role matrix; privilege escalation request records; no shared-account attestation.
- Maintain a formal process for both provisioning and deprovisioning access, including HR-triggered offboarding workflows. Evidence: Access request tickets; HR-IT offboarding checklist with sign-off; terminated user audit log.
- Conduct periodic access reviews at defined intervals and document the output. Informal reviews don’t count. Evidence: Signed access review log with reviewer, date, and accounts reviewed; remediation tickets for exceptions.
- Implement a strong authentication policy covering password complexity, rotation, lockout thresholds, and session timeout. Evidence: Written policy; technical configuration evidence (e.g. Group Policy export, Azure AD settings screenshot).
3. Configuration and Asset Management
- Maintain a complete, current asset inventory. ITSP.10.171 CM controls treat this as foundational and assessors will verify it against your system boundary. Evidence: CMDB export or asset inventory spreadsheet with last-updated date; software license register.
- Document secure configuration baselines for all critical systems referencing CCCS hardening guides or CIS Benchmarks. Show the actual configuration, not just the intended state. Evidence: Configuration baseline documents per system type; CIS Benchmark mapping; deviations log with approvals.
- Operate a formal change management process for all production systems handling SI. Ad hoc changes without approval records are a direct CM control gap. Evidence: Change request tickets with approval chain; CAB meeting minutes; emergency change log.
- Implement a patch management policy with severity-based SLAs and show they’re being met. Evidence: Patch policy with defined SLAs; vulnerability scan reports showing remediation dates; exception register.
4. Monitoring, Logging, and Incident Response
- Centralized logging for all SI-handling systems covering authentication events, privilege use, data access, and system changes. Evidence: SIEM or log aggregation configuration; log source inventory mapped to SI-handling systems.
- A defined, documented log retention period. “Indefinite” is not sufficient. Evidence: Written retention policy with specific timeframes; log storage configuration showing retention settings.
- Alerting configured for failed logins, privilege escalation, large data exports, off-hours access, and configuration changes. Evidence: Alert rule configuration screenshots; sample alert tickets; escalation runbook.
- A documented Incident Response plan that specifically references SI handling. Generic IT IR plans that predate your CPCSC scoping are typically not sufficient. Evidence: IR plan with version date and owner; contact tree; evidence the plan references SI.
- An annual tabletop exercise with documented output. A plan that has never been tested will not satisfy an assessor. Evidence: Tabletop exercise agenda and scenario; after-action report with findings; sign-off from leadership.
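As an added illustration (not part of the original checklist), the snippet below implements three of the alert conditions listed above over constructed authentication-log lines: a failed-login burst, privilege escalation, and off-hours access. The log format, event names, thresholds and business-hours window are all assumptions; substitute your own log source and tune the values to match your alerting policy.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "timestamp user event source" format.
SAMPLE_LOG = """\
2026-04-07T09:12:03 alice LOGIN_OK 10.0.5.21
2026-04-07T09:13:10 bob LOGIN_FAIL 10.0.5.40
2026-04-07T09:13:12 bob LOGIN_FAIL 10.0.5.40
2026-04-07T09:13:15 bob LOGIN_FAIL 10.0.5.40
2026-04-07T09:13:19 bob LOGIN_FAIL 10.0.5.40
2026-04-07T09:13:25 bob LOGIN_FAIL 10.0.5.40
2026-04-07T09:14:00 bob LOGIN_OK 10.0.5.40
2026-04-07T14:02:44 carol PRIV_ESCALATE 10.0.5.77
2026-04-08T02:41:09 dave LOGIN_OK 10.0.9.3
"""

FAILED_LOGIN_THRESHOLD = 5         # assumed: 5 failures by one user inside the window
FAILED_LOGIN_WINDOW_SECONDS = 300  # assumed: 5-minute sliding window
BUSINESS_HOURS = range(7, 20)      # assumed: 07:00 to 19:59 counts as "on hours"


def parse_line(line):
    """Split one assumed-format line into (timestamp, user, event, source)."""
    ts, user, event, source = line.split()
    return datetime.fromisoformat(ts), user, event, source


def detect(log_text):
    """Return a list of (rule, user, detail) alerts for the three rules."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for line in log_text.strip().splitlines():
        ts, user, event, source = parse_line(line)
        if event == "LOGIN_FAIL":
            window = failures[user]
            window.append(ts)
            # Keep only failures that fall inside the sliding window.
            window[:] = [t for t in window
                         if (ts - t).total_seconds() <= FAILED_LOGIN_WINDOW_SECONDS]
            # Fire once, when the threshold is first reached (not on every later failure).
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", user,
                               f"{len(window)} failures from {source}"))
        elif event == "PRIV_ESCALATE":
            alerts.append(("privilege_escalation", user, f"escalation from {source}"))
        elif event == "LOGIN_OK" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", user, ts.isoformat()))
    return alerts
```

The large-data-export and configuration-change alerts from the same checklist item follow the identical pattern on their own event types; each rule's configuration, plus a sample alert it produced, is the evidence an assessor expects.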
5. Data Protection and Communications Security
- Encrypt all SI in transit using TLS 1.2 or higher. TLS 1.0 and 1.1 are not acceptable. Evidence: Network config or web server TLS settings; SSL/TLS scan report; policy referencing approved protocols.
- Encrypt SI at rest across all in-scope storage. Full-disk encryption alone may not be sufficient if SI resides in specific database fields. Evidence: Encryption configuration per asset (BitLocker, FileVault, database TDE settings); encryption policy.
- Network segmentation isolating SI-handling systems from general corporate traffic. Flat networks with no segmentation are a clear gap. Evidence: Network diagram showing segmentation; VLAN configuration; firewall rules enforcing boundary.
- Secure remote access with VPN and MFA at minimum. Consumer-grade remote tools are not acceptable for accessing SI-handling systems. Evidence: VPN configuration with MFA enforcement; remote access policy; audit log of remote sessions.
6. Risk Management and Continuous Improvement
- A formal risk assessment aligned to ITSP.10.171 RA controls, specific to SI. A generic corporate risk register doesn’t satisfy this requirement. Evidence: Risk assessment report referencing SI and ITSP.10.171; risk register with likelihood/impact ratings.
- A remediation plan with assigned owners, target dates, and current status for all identified gaps. Evidence: Remediation tracker; evidence of owner acknowledgement; status update cadence.
- A vendor and third-party security review process covering all suppliers with SI access. Evidence: Vendor security questionnaire template; completed assessments; supplier risk register.
- A control-to-evidence register mapping each of the 97 ITSP.10.171 requirements to your specific evidence artefacts. Evidence: Evidence register mapping control ID to policy to technical config to test result.
How Long Does CPCSC Certification Actually Take?
Most suppliers significantly underestimate this. Getting to Level 1 readiness can take three to six months for small to mid-size contractors, depending on their current security posture. Level 2 can take longer, depending on the accuracy of their documentation. Writing a compliant Incident Response plan, testing it, and producing the after-action report alone takes weeks. That’s where the time goes, not in configuring the technical controls.
Month 1 to 2: Foundation:
Define your system boundary, inventory SI-handling assets, and conduct a gap assessment against all 97 controls. Assign owners and stand up your evidence register. This is the stage most teams skip or rush. Carbide’s platform tracks your controls and evidence against ITSP.10.171 requirements from day one, and the advisory team helps you determine which controls apply to your specific system boundary, so you’re not scoping blind.
Month 3 to 4: Remediation:
Implement technical controls. Develop or update required policies. Begin evidence collection per 800-171A Rev 3 assessment objectives. Address third-party and supply chain documentation gaps.
Month 5 to 6: Level 1 Readiness:
Complete your internal self-assessment. Conduct and document your tabletop exercise. Finalize your System Security Plan. Submit your Level 1 self-attestation through Canada Buys.
Month 6 onward: Level 2 Preparation:
Engage an accredited assessor organization. Close gaps from Level 1. Prepare your evidence package mapped to the 422 assessment objectives. Complete the formal Level 2 assessment.
Starting when your contract requires it means you’ve already missed it. Level 1 self-attestation is required at contract award, not during bidding. By the time an RFP lands in your inbox, the certification window has already opened.
What To Do Next
Reading through this checklist is a useful starting point, but there’s a meaningful difference between feeling ready and being able to demonstrate readiness to an assessor. The evidence gap is where most suppliers get tripped up. If any section above surfaced uncertainty about your current posture, the most useful immediate action is a structured gap assessment: work through each of the 97 controls, rate your current state, and map what evidence you already have against what you still need to produce. The PDF version of this CPCSC readiness checklist includes a pre-formatted evidence register to help you do exactly that. Book a free CPCSC readiness call with Carbide’s advisory team, and we’ll help walk you through it.