Account management
Create, authorize, review, monitor, and disable accounts that can access systems containing specified information.
Use this library to understand the 13 CPCSC Level 1 controls: what each control means in operating language, how to implement it, what evidence to keep, and what an assessor or customer is likely to ask.
Each page separates formal control language from GreenHat practical guidance so founders, CISOs, engineers, and compliance owners can move from requirement to evidence without losing the official wording.
Start with the control that matches your gap, or work through the library in order before completing the Level 1 self-assessment.
Make sure approved access rules are actually enforced by systems, permissions, groups, and administrative controls.
Control when personal devices, third-party systems, customer systems, contractor tools, and external cloud services can touch specified information.
Prevent specified information from being accidentally published on websites, social media, proposals, case studies, job postings, or public repositories.
Use unique identities and authentication rules so every in-scope action can be tied back to the right person or process.
Identify and approve the devices that can connect to systems or networks where specified information is stored, processed, or accessed.
Require strong MFA for privileged and non-privileged accounts that can access systems with specified information.
Maintain an approved list of people who can physically access spaces, systems, or media related to specified information.
Use locks, badges, visitor controls, logs, and safeguards to prevent unauthorized physical access to systems and specified information.
Identify, report, prioritize, and fix software and firmware flaws within defined timelines.
Deploy, update, scan, monitor, and respond to malicious-code protections across endpoints, servers, email, and other relevant entry points.
Formal control language is sourced from Public Services and Procurement Canada CPCSC Level 1 criteria and should be checked against the official program page before submission or attestation.
This page also references Canadian Centre for Cyber Security guidance for ITSP.10.171. Government of Canada information is used under the Open Government Licence - Canada.
CPCSC Level 1 Criteria; ITSP.10.171; Open Government Licence - Canada