CPCSC Level 1 Control
03.05.03 Identification and authentication

CPCSC 03.05.03: Multi-factor authentication

Require strong MFA for privileged and non-privileged accounts that can access systems with specified information. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.

Formal Control Language

Official CPCSC Level 1 wording for 03.05.03. Use the Government of Canada page as the source of truth for certification or procurement submissions.

  • Strong multi-factor authentication for privileged accounts is implemented.
  • Strong multi-factor authentication for non-privileged accounts is implemented.

Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.

What This Means In Plain English

Passwords alone are not enough. If an account can access specified information, MFA must be registered for that account and enforced by policy at sign-in, not merely offered as an option the user can skip.

Privileged accounts need especially strong handling because they can change systems, read sensitive data, create users, bypass controls, or disable protections.

For CPCSC Level 1, the useful test is not whether a policy mentions the control. The useful test is whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the control is in effect today, and can produce the same proof again when the next contract, customer, or assessment request arrives.

How To Implement It

1. Enable MFA in the identity provider for all users who access in-scope systems. Prioritize admin, finance, engineering, support, and contractor access.

2. Prefer phishing-resistant MFA (FIDO2/WebAuthn security keys, platform authenticators, or certificate-based authentication) for administrators and high-risk users. Avoid SMS-only or voice-only MFA for privileged access when stronger options are feasible, since those factors are exposed to SIM swapping and real-time phishing relays.

3. Document break-glass accounts, recovery methods, and exceptions, each with an approver and an expiry date. Review them more frequently than normal user accounts.

4. Block legacy authentication, meaning basic-auth clients and protocols such as IMAP, POP and SMTP AUTH that cannot present a second factor, and any other path that bypasses the MFA policy.

5. Export MFA registration and enforcement reports on a regular cadence, compare them against the privileged account list and the exception register, and investigate users without MFA.
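The review in step 5 is easy to do badly by eye, so here is a reconciliation script, added as an example for this guide rather than taken from it or from any Government of Canada material. It joins an MFA registration export, a privileged account list and an exception register, and reports the gaps an assessor would ask about: users with no MFA and no current exception, users registered but not enforced, privileged accounts relying on SMS/voice or lacking a phishing-resistant method, expired exceptions, and exceptions for accounts the identity provider does not know. The CSV layouts, column names and method labels are assumptions about what your identity provider exports, and every row is constructed sample data.

```python
"""Reconcile an MFA registration export against a privileged account list and
an exception register. Added example; not part of the CPCSC guide. Column names,
method labels and all rows below are assumptions / constructed data."""
import csv
import io
from datetime import date

# Assumed labels the identity provider uses for each method in its export.
PHISHING_RESISTANT = {"fido2", "certificate"}
WEAK_METHODS = {"sms", "voice"}

# Constructed MFA registration/enforcement export, one row per user.
MFA_REPORT_CSV = """\
user,mfa_registered,mfa_enforced,methods
alice@example.com,true,true,fido2
bob@example.com,true,true,sms
carol@example.com,false,false,
dave@example.com,true,false,authenticator_app
breakglass1@example.com,false,false,
"""

# Constructed privileged account list (the evidence item "privileged account list").
PRIVILEGED_CSV = """\
user,role
alice@example.com,Global Administrator
bob@example.com,Security Administrator
dave@example.com,Billing Administrator
breakglass1@example.com,Emergency Access
"""

# Constructed exception register with approver and expiry (break-glass included).
EXCEPTIONS_CSV = """\
user,approved_by,expires
breakglass1@example.com,CISO,2025-01-31
carol@example.com,IT Manager,2024-06-30
"""

SAMPLE_TODAY = date(2024, 12, 1)  # fixed review date so the sample is reproducible


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_mfa(mfa_csv, privileged_csv, exceptions_csv, today):
    """Return {finding_category: sorted list of user ids}."""
    mfa = {r["user"]: r for r in load_rows(mfa_csv)}
    privileged = {r["user"]: r["role"] for r in load_rows(privileged_csv)}
    exceptions = {r["user"]: r for r in load_rows(exceptions_csv)}

    findings = {
        "not_registered": [],                  # no MFA and no current exception
        "not_enforced": [],                    # registered, but policy does not require it
        "privileged_weak_method": [],          # admin whose only factors are SMS/voice
        "privileged_not_phishing_resistant": [],
        "privileged_missing_from_report": [],  # admin the IdP export does not list
        "expired_exception": [],
        "exception_unknown_user": [],
    }

    for user, row in mfa.items():
        exc = exceptions.get(user)
        exc_valid = exc is not None and date.fromisoformat(exc["expires"]) >= today
        registered = row["mfa_registered"].strip().lower() == "true"
        enforced = row["mfa_enforced"].strip().lower() == "true"
        methods = {m.strip().lower() for m in row["methods"].split(";") if m.strip()}

        if not registered and not exc_valid:
            findings["not_registered"].append(user)
        if registered and not enforced:
            findings["not_enforced"].append(user)
        if user in privileged and registered:
            if methods and methods <= WEAK_METHODS:
                findings["privileged_weak_method"].append(user)
            if not methods & PHISHING_RESISTANT:
                findings["privileged_not_phishing_resistant"].append(user)

    for user in privileged:
        if user not in mfa:
            findings["privileged_missing_from_report"].append(user)

    for user, exc in exceptions.items():
        if user not in mfa:
            findings["exception_unknown_user"].append(user)
        elif date.fromisoformat(exc["expires"]) < today:
            findings["expired_exception"].append(user)

    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, users in review_mfa(MFA_REPORT_CSV, PRIVILEGED_CSV,
                                      EXCEPTIONS_CSV, SAMPLE_TODAY).items():
        print(f"{category}: {', '.join(users) if users else '-'}")
```

Run it against the real exports on the same cadence you export them, keep the output with the export files, and the result doubles as the evidence items below (registration report, privileged list with MFA status, exception register with expiry). A break-glass account with a current, approved exception is deliberately not flagged as unregistered; it is still listed in the exception register so the reviewer sees it every cycle.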

Evidence Normally Gathered

MFA enforcement policy screenshot.

MFA user registration report.

Privileged account list with MFA status.

Legacy authentication block settings.

Break-glass account procedure and review record.

Exception register with expiry dates.

Common Auditor Questions

Is MFA enforced or merely available?

Which privileged accounts exist, and do all of them use MFA?

Are there any exceptions, and who approved them?

Can any legacy protocol bypass MFA?

How do you review break-glass or recovery accounts?