03.01.01CPCSC Level 2
Account Management
Apply account management to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guideCPCSC Level 2 Control Library
Last updated June 25, 2026
CPCSC Level 2 Controls Library for Canadian Defence Suppliers
CPCSC Level 2 is the planned externally assessed certification path for Canadian defence suppliers. Levels 2 and 3 are still under development, so use this as a readiness library: 98 active ITSP.10.171 controls translated into practical pages that help teams move from official wording to implementation, evidence, and assessor-ready explanation.
Use the hub to find a control by family, then open the page for the formal control language, plain-English interpretation, implementation guidance, evidence examples, common auditor questions, and related control links.
Controls
Browse the 98 Level 2 controls.
Work by family when building readiness. Access, logging, configuration, incident response, risk, monitoring, planning, acquisition, and supply-chain controls all need evidence before an external assessment.
Access control16 controlsAwareness and training2 controlsAudit and accountability8 controlsConfiguration management10 controlsIdentification and authentication8 controlsIncident response5 controlsMaintenance3 controlsMedia protection7 controlsPersonnel security2 controlsPhysical protection5 controlsRisk assessment3 controlsSecurity assessment and monitoring4 controlsSystem and communications protection10 controlsSystem and information integrity6 controlsPlanning3 controlsSystem and services acquisition3 controlsSupply chain risk management3 controls
Access control
16 controls03.01.02CPCSC Level 2
Access Enforcement
Apply access enforcement to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.03CPCSC Level 2
Information Flow Enforcement
Apply information flow enforcement to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.04CPCSC Level 2
Separation of Duties
Apply separation of duties to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.05CPCSC Level 2
Least Privilege
Apply least privilege to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.06CPCSC Level 2
Least Privilege - Privileged Accounts
Apply least privilege - privileged accounts to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.07CPCSC Level 2
Least Privilege - Privileged Functions
Apply least privilege - privileged functions to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.08CPCSC Level 2
Unsuccessful Logon Attempts
Apply unsuccessful logon attempts to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.09CPCSC Level 2
System Use Notification
Apply system use notification to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.10CPCSC Level 2
Device Lock
Apply device lock to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.11CPCSC Level 2
Session Termination
Apply session termination to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.12CPCSC Level 2
Remote Access
Apply remote access to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.16CPCSC Level 2
Wireless Access
Apply wireless access to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.18CPCSC Level 2
Access Control for Mobile Devices
Apply access control for mobile devices to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.20CPCSC Level 2
Use of External Systems
Apply use of external systems to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guide03.01.22CPCSC Level 2
Publicly Accessible Content
Apply publicly accessible content to control who can access in-scope systems, how information flows, and which access paths are allowed for CPCSC Level 2 readiness.
Open Level 2 control guideAwareness and training
2 controls03.02.01CPCSC Level 2
Literacy Training and Awareness
Apply literacy training and awareness to make sure people understand their responsibilities before they handle specified information for CPCSC Level 2 readiness.
Open Level 2 control guide03.02.02CPCSC Level 2
Role-Based Training
Apply role-based training to make sure people understand their responsibilities before they handle specified information for CPCSC Level 2 readiness.
Open Level 2 control guideAudit and accountability
8 controls03.03.01CPCSC Level 2
Event Logging
Apply event logging to produce reliable logs and review routines that show what happened in the environment for CPCSC Level 2 readiness.
Open Level 2 control guide03.03.02CPCSC Level 2
Audit Record Content
Apply audit record content to produce reliable logs and review routines that show what happened in the environment for CPCSC Level 2 readiness.
Open Level 2 control guide03.03.03CPCSC Level 2
Audit Record Generation
Apply audit record generation to produce reliable logs and review routines that show what happened in the environment for CPCSC Level 2 readiness.
Open Level 2 control guide03.03.04CPCSC Level 2
Response to Audit Logging Process Failures
Apply response to audit logging process failures to produce reliable logs and review routines that show what happened in the environment for CPCSC Level 2 readiness.
Open Level 2 control guide03.03.05CPCSC Level 2
Audit Record Review, Analysis, and Reporting
Apply audit record review, analysis, and reporting to produce reliable logs and review routines that show what happened in the environment for CPCSC Level 2 readiness.
Open Level 2 control guide03.03.06CPCSC Level 2
Audit Record Reduction and Report Generation
Apply audit record reduction and report generation to produce reliable logs and review routines that show what happened in the environment for CPCSC Level 2 readiness.
Open Level 2 control guide03.03.07CPCSC Level 2
Time Stamps
Apply time stamps to produce reliable logs and review routines that show what happened in the environment for CPCSC Level 2 readiness.
Open Level 2 control guide03.03.08CPCSC Level 2
Protection of Audit Information
Apply protection of audit information to produce reliable logs and review routines that show what happened in the environment for CPCSC Level 2 readiness.
Open Level 2 control guideConfiguration management
10 controls03.04.01CPCSC Level 2
Baseline Configuration
Apply baseline configuration to keep systems configured, changed, inventoried, and hardened in a controlled way for CPCSC Level 2 readiness.
Open Level 2 control guide03.04.02CPCSC Level 2
Configuration Settings
Apply configuration settings to keep systems configured, changed, inventoried, and hardened in a controlled way for CPCSC Level 2 readiness.
Open Level 2 control guide03.04.03CPCSC Level 2
Configuration Change Control
Apply configuration change control to keep systems configured, changed, inventoried, and hardened in a controlled way for CPCSC Level 2 readiness.
Open Level 2 control guide03.04.04CPCSC Level 2
Impact Analyses
Apply impact analyses to keep systems configured, changed, inventoried, and hardened in a controlled way for CPCSC Level 2 readiness.
Open Level 2 control guide03.04.05CPCSC Level 2
Access Restrictions for Change
Apply access restrictions for change to keep systems configured, changed, inventoried, and hardened in a controlled way for CPCSC Level 2 readiness.
Open Level 2 control guide03.04.06CPCSC Level 2
Least Functionality
Apply least functionality to keep systems configured, changed, inventoried, and hardened in a controlled way for CPCSC Level 2 readiness.
Open Level 2 control guide03.04.08CPCSC Level 2
Authorized Software - Allow by Exception
Apply authorized software - allow by exception to keep systems configured, changed, inventoried, and hardened in a controlled way for CPCSC Level 2 readiness.
Open Level 2 control guide03.04.10CPCSC Level 2
System Component Inventory
Apply system component inventory to keep systems configured, changed, inventoried, and hardened in a controlled way for CPCSC Level 2 readiness.
Open Level 2 control guide03.04.11CPCSC Level 2
Information Location
Apply information location to keep systems configured, changed, inventoried, and hardened in a controlled way for CPCSC Level 2 readiness.
Open Level 2 control guide03.04.12CPCSC Level 2
System and Component Configuration for High-Risk Areas
Apply system and component configuration for high-risk areas to keep systems configured, changed, inventoried, and hardened in a controlled way for CPCSC Level 2 readiness.
Open Level 2 control guideIdentification and authentication
8 controls03.05.01CPCSC Level 2
User Identification, Authentication, and Re-Authentication
Apply user identification, authentication, and re-authentication to prove that users, devices, and authenticators are unique, protected, and trustworthy for CPCSC Level 2 readiness.
Open Level 2 control guide03.05.02CPCSC Level 2
Device Identification and Authentication
Apply device identification and authentication to prove that users, devices, and authenticators are unique, protected, and trustworthy for CPCSC Level 2 readiness.
Open Level 2 control guide03.05.03CPCSC Level 2
Multi-Factor Authentication
Apply multi-factor authentication to prove that users, devices, and authenticators are unique, protected, and trustworthy for CPCSC Level 2 readiness.
Open Level 2 control guide03.05.04CPCSC Level 2
Replay-Resistant Authentication
Apply replay-resistant authentication to prove that users, devices, and authenticators are unique, protected, and trustworthy for CPCSC Level 2 readiness.
Open Level 2 control guide03.05.05CPCSC Level 2
Identifier Management
Apply identifier management to prove that users, devices, and authenticators are unique, protected, and trustworthy for CPCSC Level 2 readiness.
Open Level 2 control guide03.05.07CPCSC Level 2
Password Management
Apply password management to prove that users, devices, and authenticators are unique, protected, and trustworthy for CPCSC Level 2 readiness.
Open Level 2 control guide03.05.11CPCSC Level 2
Authentication Feedback
Apply authentication feedback to prove that users, devices, and authenticators are unique, protected, and trustworthy for CPCSC Level 2 readiness.
Open Level 2 control guide03.05.12CPCSC Level 2
Authenticator Management
Apply authenticator management to prove that users, devices, and authenticators are unique, protected, and trustworthy for CPCSC Level 2 readiness.
Open Level 2 control guideIncident response
5 controls03.06.01CPCSC Level 2
Incident Handling
Apply incident handling to prepare the organization to identify, report, contain, and learn from security incidents for CPCSC Level 2 readiness.
Open Level 2 control guide03.06.02CPCSC Level 2
Incident Monitoring, Reporting, and Response Assistance
Apply incident monitoring, reporting, and response assistance to prepare the organization to identify, report, contain, and learn from security incidents for CPCSC Level 2 readiness.
Open Level 2 control guide03.06.03CPCSC Level 2
Incident Response Testing
Apply incident response testing to prepare the organization to identify, report, contain, and learn from security incidents for CPCSC Level 2 readiness.
Open Level 2 control guide03.06.04CPCSC Level 2
Incident Response Training
Apply incident response training to prepare the organization to identify, report, contain, and learn from security incidents for CPCSC Level 2 readiness.
Open Level 2 control guide03.06.05CPCSC Level 2
Incident Response Plan
Apply incident response plan to prepare the organization to identify, report, contain, and learn from security incidents for CPCSC Level 2 readiness.
Open Level 2 control guideMaintenance
3 controls03.07.04CPCSC Level 2
Maintenance Tools
Apply maintenance tools to control maintenance tools, remote maintenance, and the people who service in-scope systems for CPCSC Level 2 readiness.
Open Level 2 control guide03.07.05CPCSC Level 2
Non-Local Maintenance
Apply non-local maintenance to control maintenance tools, remote maintenance, and the people who service in-scope systems for CPCSC Level 2 readiness.
Open Level 2 control guide03.07.06CPCSC Level 2
Maintenance Personnel
Apply maintenance personnel to control maintenance tools, remote maintenance, and the people who service in-scope systems for CPCSC Level 2 readiness.
Open Level 2 control guideMedia protection
7 controls03.08.01CPCSC Level 2
Media Storage
Apply media storage to protect storage media through its lifecycle from storage and access through transport, reuse, and disposal for CPCSC Level 2 readiness.
Open Level 2 control guide03.08.02CPCSC Level 2
Media Access
Apply media access to protect storage media through its lifecycle from storage and access through transport, reuse, and disposal for CPCSC Level 2 readiness.
Open Level 2 control guide03.08.03CPCSC Level 2
Media Sanitization
Apply media sanitization to protect storage media through its lifecycle from storage and access through transport, reuse, and disposal for CPCSC Level 2 readiness.
Open Level 2 control guide03.08.04CPCSC Level 2
Media Marking
Apply media marking to protect storage media through its lifecycle from storage and access through transport, reuse, and disposal for CPCSC Level 2 readiness.
Open Level 2 control guide03.08.05CPCSC Level 2
Media Transport
Apply media transport to protect storage media through its lifecycle from storage and access through transport, reuse, and disposal for CPCSC Level 2 readiness.
Open Level 2 control guide03.08.07CPCSC Level 2
Media Use
Apply media use to protect storage media through its lifecycle from storage and access through transport, reuse, and disposal for CPCSC Level 2 readiness.
Open Level 2 control guide03.08.09CPCSC Level 2
System Backup - Cryptographic Protection
Apply system backup - cryptographic protection to protect storage media through its lifecycle from storage and access through transport, reuse, and disposal for CPCSC Level 2 readiness.
Open Level 2 control guidePersonnel security
2 controls03.09.01CPCSC Level 2
Personnel Screening
Apply personnel screening to manage personnel trust, screening, termination, and transfer processes around specified information for CPCSC Level 2 readiness.
Open Level 2 control guide03.09.02CPCSC Level 2
Personnel Termination and Transfer
Apply personnel termination and transfer to manage personnel trust, screening, termination, and transfer processes around specified information for CPCSC Level 2 readiness.
Open Level 2 control guidePhysical protection
5 controls03.10.01CPCSC Level 2
Physical Access Authorizations
Apply physical access authorizations to protect facilities, work sites, transmission paths, and physical access to systems and media for CPCSC Level 2 readiness.
Open Level 2 control guide03.10.02CPCSC Level 2
Monitoring Physical Access
Apply monitoring physical access to protect facilities, work sites, transmission paths, and physical access to systems and media for CPCSC Level 2 readiness.
Open Level 2 control guide03.10.06CPCSC Level 2
Alternate Work Site
Apply alternate work site to protect facilities, work sites, transmission paths, and physical access to systems and media for CPCSC Level 2 readiness.
Open Level 2 control guide03.10.07CPCSC Level 2
Physical Access Control
Apply physical access control to protect facilities, work sites, transmission paths, and physical access to systems and media for CPCSC Level 2 readiness.
Open Level 2 control guide03.10.08CPCSC Level 2
Access Control for Transmission
Apply access control for transmission to protect facilities, work sites, transmission paths, and physical access to systems and media for CPCSC Level 2 readiness.
Open Level 2 control guideRisk assessment
3 controls03.11.01CPCSC Level 2
Risk Assessment
Apply risk assessment to identify, prioritize, scan, and respond to risks that could affect specified information for CPCSC Level 2 readiness.
Open Level 2 control guide03.11.02CPCSC Level 2
Vulnerability Monitoring and Scanning
Apply vulnerability monitoring and scanning to identify, prioritize, scan, and respond to risks that could affect specified information for CPCSC Level 2 readiness.
Open Level 2 control guide03.11.04CPCSC Level 2
Risk Response
Apply risk response to identify, prioritize, scan, and respond to risks that could affect specified information for CPCSC Level 2 readiness.
Open Level 2 control guideSecurity assessment and monitoring
4 controls03.12.01CPCSC Level 2
Security Assessment
Apply security assessment to assess controls, track remediation, monitor effectiveness, and manage information exchanges for CPCSC Level 2 readiness.
Open Level 2 control guide03.12.02CPCSC Level 2
Plan of Action and Milestones
Apply plan of action and milestones to assess controls, track remediation, monitor effectiveness, and manage information exchanges for CPCSC Level 2 readiness.
Open Level 2 control guide03.12.03CPCSC Level 2
Continuous Monitoring
Apply continuous monitoring to assess controls, track remediation, monitor effectiveness, and manage information exchanges for CPCSC Level 2 readiness.
Open Level 2 control guide03.12.05CPCSC Level 2
Information Exchange
Apply information exchange to assess controls, track remediation, monitor effectiveness, and manage information exchanges for CPCSC Level 2 readiness.
Open Level 2 control guideSystem and communications protection
10 controls03.13.01CPCSC Level 2
Boundary Protection
Apply boundary protection to protect system boundaries, communications, cryptography, shared resources, and sessions for CPCSC Level 2 readiness.
Open Level 2 control guide03.13.04CPCSC Level 2
Information in Shared System Resources
Apply information in shared system resources to protect system boundaries, communications, cryptography, shared resources, and sessions for CPCSC Level 2 readiness.
Open Level 2 control guide03.13.06CPCSC Level 2
Network Communications - Deny by Default - Allow by Exception
Apply network communications - deny by default - allow by exception to protect system boundaries, communications, cryptography, shared resources, and sessions for CPCSC Level 2 readiness.
Open Level 2 control guide03.13.08CPCSC Level 2
Transmission and Storage Confidentiality
Apply transmission and storage confidentiality to protect system boundaries, communications, cryptography, shared resources, and sessions for CPCSC Level 2 readiness.
Open Level 2 control guide03.13.09CPCSC Level 2
Network Disconnect
Apply network disconnect to protect system boundaries, communications, cryptography, shared resources, and sessions for CPCSC Level 2 readiness.
Open Level 2 control guide03.13.10CPCSC Level 2
Cryptographic Key Establishment and Management
Apply cryptographic key establishment and management to protect system boundaries, communications, cryptography, shared resources, and sessions for CPCSC Level 2 readiness.
Open Level 2 control guide03.13.11CPCSC Level 2
Cryptographic Protection
Apply cryptographic protection to protect system boundaries, communications, cryptography, shared resources, and sessions for CPCSC Level 2 readiness.
Open Level 2 control guide03.13.12CPCSC Level 2
Collaborative Computing Devices and Applications
Apply collaborative computing devices and applications to protect system boundaries, communications, cryptography, shared resources, and sessions for CPCSC Level 2 readiness.
Open Level 2 control guide03.13.13CPCSC Level 2
Mobile Code
Apply mobile code to protect system boundaries, communications, cryptography, shared resources, and sessions for CPCSC Level 2 readiness.
Open Level 2 control guide03.13.15CPCSC Level 2
Session Authenticity
Apply session authenticity to protect system boundaries, communications, cryptography, shared resources, and sessions for CPCSC Level 2 readiness.
Open Level 2 control guideSystem and information integrity
6 controls03.14.01CPCSC Level 2
Flaw Remediation
Apply flaw remediation to find flaws, detect threats, monitor activity, and retain information appropriately for CPCSC Level 2 readiness.
Open Level 2 control guide03.14.02CPCSC Level 2
Malicious Code Protection
Apply malicious code protection to find flaws, detect threats, monitor activity, and retain information appropriately for CPCSC Level 2 readiness.
Open Level 2 control guide03.14.03CPCSC Level 2
Security Alerts, Advisories, and Directives
Apply security alerts, advisories, and directives to find flaws, detect threats, monitor activity, and retain information appropriately for CPCSC Level 2 readiness.
Open Level 2 control guide03.14.06CPCSC Level 2
System Monitoring
Apply system monitoring to find flaws, detect threats, monitor activity, and retain information appropriately for CPCSC Level 2 readiness.
Open Level 2 control guide03.14.08CPCSC Level 2
Information Management and Retention
Apply information management and retention to find flaws, detect threats, monitor activity, and retain information appropriately for CPCSC Level 2 readiness.
Open Level 2 control guide03.14.09CPCSC Level 2
Dedicated Administration Workstation
Apply dedicated administration workstation to find flaws, detect threats, monitor activity, and retain information appropriately for CPCSC Level 2 readiness.
Open Level 2 control guidePlanning
3 controls03.15.01CPCSC Level 2
Policy and Procedures
Apply policy and procedures to document how the system is scoped, protected, used, and governed for CPCSC Level 2 readiness.
Open Level 2 control guide03.15.02CPCSC Level 2
System Security Plan
Apply system security plan to document how the system is scoped, protected, used, and governed for CPCSC Level 2 readiness.
Open Level 2 control guide03.15.03CPCSC Level 2
Rules of Behaviour
Apply rules of behaviour to document how the system is scoped, protected, used, and governed for CPCSC Level 2 readiness.
Open Level 2 control guideSystem and services acquisition
3 controls03.16.01CPCSC Level 2
Security Engineering Principles
Apply security engineering principles to build security expectations into engineering, unsupported components, and external services for CPCSC Level 2 readiness.
Open Level 2 control guide03.16.02CPCSC Level 2
Unsupported System Components
Apply unsupported system components to build security expectations into engineering, unsupported components, and external services for CPCSC Level 2 readiness.
Open Level 2 control guide03.16.03CPCSC Level 2
External System Services
Apply external system services to build security expectations into engineering, unsupported components, and external services for CPCSC Level 2 readiness.
Open Level 2 control guideSupply chain risk management
3 controls03.17.01CPCSC Level 2
Supply Chain Risk Management Plan
Apply supply chain risk management plan to manage supplier, acquisition, and supply chain risks that affect the in-scope environment for CPCSC Level 2 readiness.
Open Level 2 control guide03.17.02CPCSC Level 2
Acquisition Strategies, Tools, and Methods
Apply acquisition strategies, tools, and methods to manage supplier, acquisition, and supply chain risks that affect the in-scope environment for CPCSC Level 2 readiness.
Open Level 2 control guide03.17.03CPCSC Level 2
Supply Chain Requirements and Processes
Apply supply chain requirements and processes to manage supplier, acquisition, and supply chain risks that affect the in-scope environment for CPCSC Level 2 readiness.
Open Level 2 control guideSources
Source and attribution.
Formal control language is sourced from the Canadian Centre for Cyber Security ITSP.10.171 publication. CPCSC Level 2 timing and assessment model references the Government of Canada CPCSC program overview and supplier support guidance.
Government of Canada information is used under the Open Government Licence - Canada. Confirm current requirements in the contract, RFP, and official CPCSC guidance before making certification decisions.
CPCSC Program OverviewSupplier Support GuidanceITSP.10.171ITSP.10.171-01Open Government Licence - Canada