CPCSC Level 1 Control
03.05.02 Identification and authentication

CPCSC 03.05.02: Device identification and authentication

Identify and approve the devices that can connect to systems or networks where specified information is stored, processed, or accessed. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.

Formal Control Language

Official CPCSC Level 1 wording for 03.05.02. Use the Government of Canada page as the source of truth for certification or procurement submissions.

  • Device types to be identified and authenticated before establishing a connection are defined.
  • Devices and device types are uniquely identified before establishing a connection.
  • Devices and device types are authenticated before establishing a connection.

Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.

What This Means In Plain English

The organization should know which laptops, phones, servers, virtual machines, and network devices are allowed into the environment.

This does not always require enterprise tooling, but there must be a reliable device inventory and a way to keep unmanaged devices away from in-scope systems.

For CPCSC Level 1, the useful test is not whether a policy mentions the control. The useful test is whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the answer is true today and can be repeated when the next contract, customer, or assessment request arrives.

How To Implement It

1. Maintain a device inventory for laptops, phones, servers, virtual machines, network equipment, removable drives, and administrator workstations.

2. Use MDM, endpoint management, certificate-based access, conditional access, VPN posture checks, or network access control where appropriate.

3. Define which device types are approved for specified information and which are not, such as personal laptops, unmanaged phones, and public computers.

4. Record ownership, serial number or asset ID, operating system, encryption status, endpoint protection status, and assigned user.

5. Review stale, lost, retired, or unmanaged devices and remove their access from identity, MDM, VPN, and cloud platforms.
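The steps above describe a repeatable review rather than a one-time policy. The following is an added example, not part of the CPCSC text or any vendor's product, that runs that review over a constructed inventory holding the step 4 fields: the approved device type set, the 30-day stale threshold, and the field names are all assumptions an organization would replace with its own standard.

```python
"""Review a device inventory for CPCSC 03.05.02 (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Assumption: the organization's approved device type standard (step 3).
APPROVED_TYPES = {"corporate_laptop", "corporate_phone", "server", "vm",
                  "network", "admin_workstation"}
STALE_DAYS = 30                 # assumption: no check-in for this long = stale
REVIEW_DATE = date(2024, 6, 5)  # constructed review date


@dataclass
class Device:
    """One inventory row with the fields step 4 asks to record."""
    asset_id: str
    device_type: str
    owner: str
    assigned_user: str
    os: str
    encrypted: bool
    endpoint_protection: bool
    last_seen: date
    status: str = "active"      # active | lost | retired


def review_device(dev: Device, today: date) -> list[str]:
    """Return the reasons a device should be denied or lose access; empty if compliant."""
    findings = []
    if dev.device_type not in APPROVED_TYPES:
        findings.append("unapproved device type")
    if dev.status in ("lost", "retired"):
        findings.append(f"device is {dev.status}: remove from identity, MDM, VPN, cloud")
    idle = (today - dev.last_seen).days
    if idle > STALE_DAYS:
        findings.append(f"stale: no check-in for {idle} days")
    if not dev.encrypted:
        findings.append("disk not encrypted")
    if not dev.endpoint_protection:
        findings.append("endpoint protection missing")
    return findings


def review_inventory(devices: list[Device], today: date) -> dict[str, list[str]]:
    """Map asset_id -> findings for every non-compliant device (the review output auditors ask for)."""
    return {d.asset_id: f for d in devices if (f := review_device(d, today))}


# Constructed sample inventory; these are not real assets or users.
SAMPLE = [
    Device("LT-001", "corporate_laptop", "IT", "alice", "Windows 11", True, True, date(2024, 6, 1)),
    Device("LT-002", "personal_laptop", "alice", "alice", "macOS 14", True, False, date(2024, 6, 2)),
    Device("PH-007", "corporate_phone", "IT", "bob", "iOS 17", True, True, date(2024, 3, 1), "lost"),
    Device("SRV-01", "server", "Ops", "svc-backup", "Ubuntu 22.04", False, True, date(2024, 6, 3)),
]

if __name__ == "__main__":
    for asset, reasons in review_inventory(SAMPLE, REVIEW_DATE).items():
        print(asset, "->", "; ".join(reasons))
```

Exporting the resulting dictionary alongside the inventory gives both the "device inventory export" and the "retired or lost device records" listed under evidence below, dated to the review run.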

Evidence Normally Gathered

Device inventory export.

MDM or endpoint management screenshots.

Conditional access or VPN posture rules.

Approved device type standard.

Retired or lost device records.

Encryption and endpoint protection reports.

Common Auditor Questions

Which device types are allowed to connect to in-scope systems?

How do you identify company devices versus personal devices?

What happens when a laptop is lost, retired, or reassigned?

How do you prevent unmanaged devices from accessing specified information?

Can you show device compliance for the systems in scope?