CPCSC Level 1 Self-Assessment
GreenHat Security. Source: Public Services and Procurement Canada

CPCSC Level 1 Self-Assessment: What Canadian Defence Suppliers Need to Do

Last updated Jun 24, 2026.

CPCSC Level 1 is the baseline cyber security self-assessment for Canadian defence suppliers. It is meant to prove basic cyber hygiene before a supplier handles specified information on a Government of Canada defence contract.

The official program is the Canadian Program for Cyber Security Certification. Level 1 is available now and may appear in select defence contracts beginning in summer 2026. It is an annual self-assessment against 13 controls, with proof of self-attestation and expiry kept for CanadaBuys and bid support when required.

This page gives suppliers a practical pre-check before the official self-assessment. Use it to find obvious gaps, organize evidence, and decide whether the contract scope is really a Level 1 conversation or a CPCSC Level 2 readiness conversation in disguise.

What CPCSC Level 1 is

CPCSC Level 1 is the entry point of Canada's cyber security certification program for defence suppliers. It requires an annual self-assessment and asks suppliers to identify the implementation status of 13 security requirements and controls drawn from ITSP.10.171.

The purpose is practical: make sure suppliers preparing for defence contracts have the security basics covered before they handle sensitive, unclassified Government of Canada information. The official guidance says Level 1 certification will be required at contract award, not during the bidding process.

A valid CMMC certification may be recognized case by case if it covers the required scope, but Canadian suppliers should not assume equivalence without confirmation. CPCSC is aligned with U.S. technical controls, but it is still Canada's domestic pathway for defence procurement cyber expectations.

Who should care about Level 1

Level 1 matters for suppliers bidding on, or working under, defence contracts that require CPCSC Level 1. That can include smaller companies, subcontractors, service providers, technical vendors, professional services firms, and other organizations that may handle specified information on non-government systems.

Specified information can include unclassified contract details not meant for public release, controlled goods information, and protected information. The contract authority decides which information must be safeguarded. Your job is to know where that information lives and whether your systems, people, devices, and vendors can protect it.

If your organization is still trying to map broader Canadian cyber and privacy obligations, use GreenHat's Cybersecurity and Privacy Requirements for Your Organization tool first, then return here for the CPCSC-specific self-assessment work.

The 13 CPCSC Level 1 controls

The 13 Level 1 controls are not meant to be mysterious. They are baseline controls around account management, least privilege, approved systems, public disclosure, user and device authentication, MFA, media sanitization, physical access, boundary protection, flaw remediation, and malicious-code protection.

For control-by-control implementation help, use the CPCSC Level 1 Control Library. Each control page includes the formal wording, plain-English explanation, implementation steps, evidence examples, auditor questions, and related controls.

The real work is proving that these controls are true in your environment. A small supplier does not need a giant policy library for Level 1, but it does need short rules, owner names, approved system lists, account and device records, MFA evidence, patching routines, and a way to show old devices or media are wiped or destroyed.

Level 1 control families

  • Access control: Account management, least privilege, approved external systems, and public-content review.
  • Identification and authentication: Unique user accounts, approved devices, strong authentication, and MFA for privileged accounts and for systems that hold specified information.
  • Media protection: Wiping, destroying, or otherwise sanitizing old storage media before disposal or reuse.
  • Physical protection: Authorized physical access and controls over facilities, rooms, devices, and storage areas.
  • Boundary protection: Network and system boundaries that reduce unauthorized access to in-scope systems.
  • System and information integrity: Flaw remediation and malicious-code protection that keep systems patched and defended.

CPCSC Level 1 self-assessment tool

Use this GreenHat pre-check before completing the official Government of Canada self-assessment. It does not submit anything, certify anything, or replace the official tool. It helps your team decide whether the 13 controls are actually implemented, partially implemented, or still gaps.

The export is meant for an internal owner review. If several controls are partial or gaps, fix those before attesting. If most answers are implemented and the contract scope is more sensitive, use the result as the starting point for CPCSC Level 2 readiness planning.

Self-Assessment Tool

Pre-check the 13 CPCSC Level 1 controls

Mark each control as implemented, partial, or gap. The snapshot will show whether you are ready to complete the official self-assessment, need targeted remediation, or should treat the work as a Level 2 readiness signal.


03.01.01 Access control: Account management

Do you maintain a current list of users, roles, system access, account changes, and offboarding actions for systems that handle specified information?

Evidence: User list, role map, access review, HR or offboarding notification records.

Level 2 signal: Formal access review evidence and control ownership will matter more at Level 2.

03.01.02 Access control: Access enforcement

Do users only receive the access they need, with administrator rights limited and shared folders or systems reviewed regularly?

Evidence: Access groups, permission review notes, privileged-account list.

Level 2 signal: Least privilege needs repeatable evidence, not only a policy statement.

03.01.20 Access control: Use of external systems

Do you have an approved systems list and rules that prevent specified information from being handled in personal email, personal storage, or unapproved devices?

Evidence: Approved systems list, vendor review notes, staff instructions, onboarding material.

Level 2 signal: Cloud, MSP, and subcontractor dependencies can quickly become Level 2 scoping work.

03.01.22 Access control: Publicly accessible content

Do you review public website, marketing, proposal, social, and communications content to prevent accidental disclosure of specified information?

Evidence: Publication checklist, approval owner, review log, staff training notes.

Level 2 signal: Customer and defence information handling should connect to a broader data classification routine.

03.05.01 Identification and authentication: User identification and authentication

Does every user have a unique account, strong authentication, and an inactivity lock or similar protection on systems that handle specified information?

Evidence: Identity provider settings, password policy, screen-lock configuration, account screenshots.

Level 2 signal: Identity evidence becomes harder when privileged access, shared services, or admin paths are unclear.

03.05.02 Identification and authentication: Device identification and authentication

Do you approve devices before they connect to in-scope systems, and can you identify corporate laptops, mobile devices, external drives, and network access?

Evidence: Device inventory, MDM or endpoint list, approval records, WiFi or network access rules.

Level 2 signal: Level 2 preparation should define the full system boundary and endpoint control evidence.

03.05.03 Identification and authentication: Multifactor authentication

Is MFA enabled for privileged accounts and for systems that store specified information?

Evidence: MFA policy, identity provider export, admin account list, recovery procedure.

Level 2 signal: MFA exceptions and break-glass accounts need clear ownership before external assessment pressure.

03.08.03 Media protection: Media sanitization

Can you show how drives, USB media, phones, printers, and other storage-capable devices are wiped or destroyed before disposal or reuse?

Evidence: Sanitization log, disposal certificate, asset inventory, wipe procedure.

Level 2 signal: Asset and media records should connect to retention, backup, and evidence management.

03.10.01 Physical protection: Physical access authorizations

Do you know who is authorized to access facilities, rooms, cabinets, or areas where in-scope systems and media are located?

Evidence: Access list, badge records, visitor process, facility access review.

Level 2 signal: Shared office, colocation, and remote-work environments need a defensible scope story.

03.10.07 Physical protection: Physical access control

Are physical access points controlled, monitored, or otherwise restricted so unauthorized people cannot reach systems or media containing specified information?

Evidence: Door control records, lock procedures, visitor logs, office or server-room rules.

Level 2 signal: External reviewers will expect physical controls to align with the documented system boundary.

03.13.01 System and communications protection: Boundary protection

Do you protect network and system boundaries with firewalls, secure configurations, approved remote access, and controls over how in-scope systems communicate?

Evidence: Firewall or cloud security settings, VPN or remote access rules, network diagram.

Level 2 signal: A weak network diagram usually becomes a Level 2 evidence and scope blocker.

03.14.01 System and information integrity: Flaw remediation

Do you identify, prioritize, and fix software and system flaws through patching, updates, vulnerability review, or managed service routines?

Evidence: Patch records, vulnerability scan summary, ticket history, MSP patch report.

Level 2 signal: Level 2 needs a repeatable remediation routine with owners, dates, and exception handling.

03.14.02 System and information integrity: Malicious code protection

Do endpoints, servers, email, and other relevant systems have malicious-code protection that is active, updated, and monitored?

Evidence: Endpoint protection status, alert review, email security settings, update policy.

Level 2 signal: Monitoring, alert response, and incident evidence become more important as assurance expectations rise.

Export the current answers for an internal owner review, then use the Level 2 guide if your scope includes controlled defence information, complex supplier dependencies, or evidence that needs external-assessment discipline.

Evidence suppliers should keep

Level 1 is a self-assessment, but self-assessment does not mean evidence-free. The official guidance says suppliers are responsible for retaining the results of the self-assessment. Once complete, suppliers should save the results page, expiry date, and proof needed for CanadaBuys or bid support when a contract requires CPCSC Level 1.

A defensible Level 1 file should be simple and boring: one folder, clear owner, current export date, and enough proof to show the 13 answers were not guessed. That is also what makes the transition to Level 2 easier if the next opportunity carries higher assurance expectations.

Minimum evidence file for Level 1

  • Self-assessment result: Saved official self-assessment results page, expiry date, and any CanadaBuys profile confirmation needed for the contract.
  • Specified information map: Short list of where Government of Canada specified information is stored, processed, transmitted, or accessed.
  • Users and devices: Current user list, role or access groups, device inventory, admin account list, and MFA proof.
  • Approved systems: One-page list of approved tools, cloud services, storage locations, vendors, and external access paths.
  • Protection records: Patch evidence, endpoint protection status, firewall or boundary rules, and media sanitization records.
  • Owner and expiry: Named owner for the attestation, review date, and remediation notes for any control that was not mature.

When Level 1 turns into Level 2 planning

Level 1 is best for baseline cyber hygiene and lower-risk supplier situations. It starts to turn into a Level 2 planning conversation when the work involves controlled defence information, complex technical data, supplier systems deeply connected to the customer, subcontractors that can touch the information, or privileged IT and cyber security access.

The Government of Canada has described Level 2 as the path for more complex cyber-sensitive work, with external cyber security assessments led by accredited third-party assessment organizations once Level 2 becomes available. GreenHat's CPCSC Level 2 guide explains the 98-control readiness jump, evidence library, supplier flow-down, CMMC overlap, and 30/60/90-day preparation plan.

The goal is not to over-engineer Level 1 but to use it as a clean baseline. If you cannot prove the 13 controls, Level 2 will be messy. If you can prove the 13 controls and your contract risk is rising, you have the foundation for a real readiness roadmap.

  • Treat controlled defence information as a scope escalation signal.
  • Review MSPs, cloud providers, developers, and subcontractors before attesting casually.
  • Create an evidence owner now, before a prime contractor or RFP asks for it.
  • Use Level 1 gaps to prioritize the Level 2 readiness roadmap.

Common CPCSC Level 1 mistakes

The most common mistake is treating Level 1 as a form instead of a security decision. If the team does not know where specified information lives, which systems are approved, whether MFA covers the right accounts, or whether old media is sanitized, the attestation becomes fragile.

The second mistake is ignoring the Level 2 signal. A supplier may only see a Level 1 clause today, but the customer, prime contractor, or future RFP may expect more if the work touches sensitive technical data or defence supply-chain dependencies. Capture the Level 1 evidence in a way that can grow.

CPCSC Level 1 FAQ

These quick answers are written for suppliers trying to decide what to do next before a bid, contract award, or prime-contractor request.

Does CPCSC Level 1 require an external assessment?
No. CPCSC Level 1 is an annual cyber security self-assessment. Level 2 is the path associated with external assessment once that level becomes available.

Which controls does CPCSC Level 1 cover?
CPCSC Level 1 uses 13 controls from ITSP.10.171. They cover access control, identification and authentication, media protection, physical protection, boundary protection, flaw remediation, and malicious-code protection.

When is CPCSC Level 1 required?
Official guidance says Level 1 self-assessment is required at contract award, not during the bidding process. The practical move is to prepare before award so the attestation does not become a last-minute blocker.

Is CMMC certification accepted in place of CPCSC Level 1?
The Government of Canada may accept valid CMMC certification case by case after confirming scope. Suppliers should not assume automatic acceptance without confirmation from the relevant process or authority.

When should a supplier move to CPCSC Level 2 readiness?
Move into CPCSC Level 2 readiness when the contract involves controlled defence information, complex cyber-sensitive work, elevated privileges, subcontractor dependencies, or evidence requirements that exceed basic cyber hygiene.

Source and further reading

This GreenHat page cites "How to meet Level 1 cyber security certification requirements" from Public Services and Procurement Canada.