FortaRisks

CPCSC (Level 1) certification readiness check

Gauge your readiness for the CPCSC Level 1 self-attestation, and leave with your priorities.

≈ 5 minutes · no sign-up

The Canadian Program for Cyber Security Certification (CPCSC) is becoming a condition for defence contracts. Answer the 13 statements below, drawn from the Level 1 ITSP.10.171 requirements. Everything is computed in your browser, and no answer is stored.

Answer each statement based on your real situation. Your score and priorities appear instantly in your browser. Nothing is sent anywhere.


1. Access control

You keep an inventory of accounts and you create, disable and review them as people join and leave.


Access to systems and contractual information is limited to authorized people, on a least-privilege, role-based basis.


Use of external systems (cloud, personal devices) for federal work is restricted to approved systems.


A process controls federal information before it is posted on publicly accessible sites.


2. Identification and authentication

Every user has a unique identifier and their identity is verified before access is granted.


Only known, authorized devices can connect to systems that handle in-scope information.


Multi-factor authentication is required before accessing systems, ideally using phishing-resistant methods.


3. Media protection

Media (drives, USB keys, paper documents) are sanitized or destroyed before disposal or reuse, following a documented procedure.


4. Physical protection

An authorized-person list is maintained for facilities that handle in-scope information.


Physical access is controlled and visitors are escorted and logged (visitor logs, badges).


5. System and communications protection

Communications are monitored and controlled at the network boundary (firewalls, segmentation, VPN).


6. System and information integrity

Flaws are identified, tracked and corrected in a timely way (patches applied within roughly 30 days).


Malicious-code protection (antivirus or EDR) is deployed and kept up to date on endpoints and servers.



FAQ

What is the CPCSC?

The Canadian Program for Cyber Security Certification (CPCSC, in French PCCC) is the federal program that requires defence suppliers to demonstrate a level of cyber security to protect unclassified contractual information. It is based on ITSP.10.171, Canada's equivalent of NIST SP 800-171 revision 3.

Who needs to be certified?

Organizations in the defence (DND) supply chain and their subcontractors that handle federal contractual information. The required level is stated in the solicitation; Level 1 is the baseline expected of most suppliers.

What is the difference between the levels?

Level 1 is an annual self-assessment of the 13 requirements, with no third-party assessor. Level 2 requires an external assessment by an accredited certification body, and Level 3 an assessment led by the Government of Canada. This check covers Level 1.

When does it become mandatory?

Level 1 was officially launched in April 2026 and becomes an eligibility condition for applicable defence contracts from summer 2026. Attestation is annual, notably through the CanadaBuys profile.

Does this check replace the official self-attestation?

No. It is an indicative tool to gauge your readiness and prioritize your actions. The official Level 1 self-attestation follows Government of Canada procedures; for Level 2 and above, an accredited body is involved.