CPCSC

CPCSC Level 1 Requirements: The 13-Control Checklist for Canadian Defense Suppliers

CPCSC Level 1 Requirements: The 13-Control Checklist for Canadian Defense Suppliers

Canada’s defense supply chain now faces a new mandatory cybersecurity bar. The Canadian Program for Cyber Security Certification (CPCSC) sets baseline requirements for organizations handling sensitive government information, and Level 1 is being introduced into select contracts and becomes a requirement for those contracts as it appears in them.

 

This CPCSC Level 1 checklist breaks down what the 13 controls cover, who needs to meet them, and how to build a scoping and evidence process that holds up to scrutiny.

 

Who Needs CPCSC Level 1?

 

CPCSC Level 1 applies to Canadian organizations that hold or are pursuing contracts involving Specified Information, sensitive unclassified government data that must be protected outside Government of Canada systems. This includes prime contractors, subcontractors at any tier, and IT providers whose systems touch that information, regardless of company size. CPCSC certification requirements are tied to contract terms: suppliers need certification at contract award rather than at bid submission, and future eligibility depends on maintaining it.

 

A small engineering firm holding a single defense subcontract can face the same obligations as a much larger prime, since scope is defined by the contract rather than the number of employees.

 

The 13 Controls, by Cyber Hygiene Category

 

Level 1 draws its 13 controls from ITSP.10.171, organized around six key best practices. Organized by cyber hygiene focus, these include:

 

  • Account and Access Management: Unique user IDs, least-privilege access, and external system restrictions.
  • Authentication: Multi-factor authentication and authenticator management.
  • Device and Media Handling: Sanitizing or disposing of media that stores Specified Information.
  • Physical Security: Authorizing physical access and securing alternate work sites.
  • Network Protection: Boundary controls separating Specified Information from the rest of the network.
  • System Integrity: Patching known flaws and malicious code protection.

 

Scoping Your Environment

 

Before self-assessing, suppliers need a clear picture of where Specified Information actually lives and moves. A defensible scope statement should account for the systems and applications that store, process, or transmit that information, along with the devices that can access it, including personal devices used remotely. It should also cover the cloud tools in the data path, such as email and backup services.

 

Scope extends beyond technology, too. It includes everyone who touches the information, from employees to subcontractors removed from the prime, and every physical location where it’s accessed or stored, including home offices. That inventory sets the boundary between in- and out-of-scope systems, which becomes the reference point for every control that follows.

 

Evidence to Have Ready

 

Level 1 is self-affirmed, but that affirmation still needs to hold up under scrutiny. If a prime contractor or future assessor asks for proof, suppliers should be ready to produce:

 

  • A current account list showing unique user IDs and no shared logins
  • A device inventory covering every endpoint with access to Specified Information
  • Documentation confirming multi-factor authentication is enforced
  • Written policies covering account management, access control, and media handling
  • Training records showing completed security awareness sessions
  • Patching logs showing known vulnerabilities are remediated on schedule
  • Records of periodic access reviews confirming permissions match current roles

 

Building this evidence into routine operations is far easier than assembling it once a contract deadline is approaching.

 

Self-Assessment Expectations and CMMC Recognition

 

CPCSC Level 1 self-assessment happens annually, with results confirmed through the CanadaBuys supplier profile. That renewal date is worth tracking as a fixed point on the calendar, since affirmation applies to bidding on and working under a Level 1 contract.

 

Holding CMMC certification does not automatically satisfy CPCSC. The two programs run on different revisions of NIST SP 800-171: CMMC Level 2 uses Revision 2, while CPCSC’s ITSP.10.171 standard reflects the newer Revision 3. As a result, CMMC certification cannot be assumed to cover CPCSC without a separate review of scope and controls. Discussions about formal recognition are ongoing, but no agreement is currently in place.

 

Check Your CPCSC Level 1 Requirements with Carbide

 

Mapping scope, tracking 13 controls, and keeping evidence current are manageable on a spreadsheet for a small supplier, but it gets harder to sustain as contracts and staff change. Carbide pairs a CPCSC compliance platform that centralizes evidence, monitoring, and workflow tracking with credentialed advisors who handle control scoping, documentation, and readiness for CPCSC alongside other programs and standards, such as CMMC or ISO 27001. Suppliers get a structured plan and a team that helps carry it through, from gap assessment to ongoing renewal.

 

Take Carbide’s free CPCSC Level 1 self-assessment to find your gaps against all 13 controls: it only takes about five minutes. Then, schedule a demo to see how our platform and advisors can close those gaps for your organization.

Share