FortaRisks

CPCSC Level 1: the guide for Canadian defence suppliers

June 19, 2026

A new clause is showing up in Canadian defence solicitations: proof that the supplier meets a stated level of cyber security. It comes from the Canadian Program for Cyber Security Certification (CPCSC, in French PCCC). Officially launched in April 2026, it becomes an eligibility condition for applicable contracts from summer 2026. For many suppliers and subcontractors, the question is no longer whether to start, but whether they are ready for the Level 1 self-attestation.

Here is what the program requires, what Level 1 actually covers, and where to start without drowning in the standard.

What the CPCSC is, and what it rests on

The CPCSC is the federal framework that requires defence suppliers to show they protect unclassified contractual information. It does not invent a standard: it rests on the Canadian Centre for Cyber Security's ITSP.10.171, Canada's equivalent of NIST SP 800-171 revision 3, with 97 controls across 17 families.

The program has three levels, from lightest to most demanding:

  • Level 1: an annual self-assessment, with no third-party assessor. This is the baseline expected of most suppliers, and the subject of this guide.
  • Level 2: an external assessment every three years by an accredited certification body, with an annual affirmation.
  • Level 3: an assessment led by the Government of Canada, for the most sensitive information.

The required level is stated in each solicitation. If you sell to defence, directly or as a subcontractor, expect the requirement to flow down to you.

The 13 Level 1 requirements

Level 1 does not ask for all 97 controls. It keeps 13 requirements, drawn from 6 of the 17 ITSP.10.171 families, for roughly 71 assessment objectives. They cover foundational security hygiene:

  • Access control (4 requirements). Inventory and manage accounts, enforce least privilege, restrict external-system use to approved systems, and control information posted on public sites.
  • Identification and authentication (3). Unique identifiers and verified identities, only known devices allowed to connect, and multi-factor authentication before access, ideally phishing-resistant.
  • Media protection (1). Sanitize or destroy media (drives, USB keys, paper) before disposal or reuse.
  • Physical protection (2). Keep an authorized-person list, control facility access, and escort visitors.
  • System and communications protection (1). Monitor and control communications at the network boundary.
  • System and information integrity (2). Remediate flaws in a timely way and block malicious code on endpoints and servers.

None of these is exotic. An SMB with sound security hygiene already meets several. The trap is not technical difficulty, it is evidence and consistency.

What you need on hand

The Level 1 self-attestation is not a checkbox in a vacuum. Before declaring compliance, prepare three items the program expects you to be able to produce:

  1. A scoping rationale. Which systems, networks and people handle in-scope information, which are excluded, and why.
  2. A simple network diagram. Where in-scope information flows, and where its boundaries sit.
  3. An in-scope asset inventory. The endpoints, servers, cloud services and media involved.

These three deliverables force clarity. Many organizations discover, while writing them, that their real scope is wider than they thought.

Where suppliers stumble

  • Problem: teams read "self-assessment" as "quick declaration," when the attestation commits the organization and renews every year. A control that is ticked but not maintained becomes a false statement at the next cycle.
  • Impact: an inaccurate or missing attestation costs eligibility for defence contracts, and the gap tends to surface at the worst time, when a solicitation is already open.
  • Action: treat Level 1 as a permanent baseline, not a form. Document the scope, the evidence for each requirement, and a clear owner who keeps it all running between attestations.

Get ahead of it

The program is new, and that is exactly the opportunity. Suppliers that reach Level 1 now, cleanly and verifiably, position themselves ahead of those who wait for the first contractual requirement to pay attention.

Take stock

Before anything else, gauge your starting point. Our free CPCSC Level 1 readiness check walks the 13 requirements above, computes a readiness score and highlights your priorities by family. No sign-up, no data sent: everything is computed in your browser.

Once your gaps are visible, our Get CPCSC-ready page explains how the FortaRisks platform and support turn them into a prioritized plan, centralize evidence and keep your attestation accurate all year. Level 1 is not an insurmountable hurdle: it is documented security hygiene kept up over time. This guide does not replace the Government of Canada's official procedures, but it shows you exactly where to start.
