CPCSC Level 1 for Canadian Defence Suppliers (2026): The 13-Control Guide


On April 1, 2026, while most Canadian SMBs were finishing Q1 reporting, Public Services and Procurement Canada quietly opened the door to CPCSC Level 1, a cyber-security self-assessment that will become a contract-award gate in select federal defence procurements this summer (Canada.ca, 2026). If your business sells, manufactures, or services anything that ends up in a federal defence contract, directly or three tiers down a supply chain, this applies to you.

If it doesn’t, you can skip the rest of this post. We mean that. There’s no value in chasing CPCSC certification if you don’t sell to defence and don’t plan to.

For everyone else, here’s the practical version: what the 13 controls are, what you self-assess, what an MSP closes for you, and what to do this quarter. Statistics Canada’s most recent Defence, Aerospace, Marine and Cybersecurity Industries Survey covered a final sample of 2,496 businesses (Statistics Canada Survey 2933, 2024–25), most of them small and medium-sized, and most now in scope for some level of CPCSC.

Key Takeaways
  • CPCSC Level 1 launched April 1, 2026 and will be required at contract award in select defence contracts beginning summer 2026 (Canada.ca, 2026).
  • 13 controls drawn from ITSP.10.171, the Canadian adaptation of NIST SP 800-171 Revision 3, generating roughly 71 assessment objectives.
  • For an MSP-served SMB on Microsoft 365, roughly 8 of 13 controls are typically already met or partially met by the managed stack. The other 5 are supplier-internal.

What Is CPCSC Level 1, and Who Does It Apply To?

CPCSC is the Canadian Program for Cyber Security Certification, the procurement framework Public Services and Procurement Canada and National Defence will use as a contract-award gate on select defence contracts. Level 1 went live to suppliers on April 1, 2026 and requires an annual self-assessment against 13 security controls (Canada.ca, 2026).

The Canadian Centre for Cyber Security has flagged vendor concentration as one of five defining trends in its National Cyber Threat Assessment 2025–2026 (Canadian Centre for Cyber Security, 2026), and ESET’s 2026 SMB Cyber Readiness Index found 16% of Canadian SMBs already rank supply-chain attacks among the threats they’re most concerned about (ESET via GlobeNewswire, 2026). CPCSC is part of how Ottawa answers that.

The program has three levels. Level 1 is the entry tier, an annual self-assessment, no third party, focused on basic cyber hygiene. Level 2 will require third-party certification by a Standards Council of Canada–accredited body and covers roughly 98 controls. Level 3 is the most stringent, around 200 controls, assessed directly by National Defence, and follows in 2027 (Kiteworks, 2026).

Who’s in scope? Prime defence contractors, and any supplier, sub-contractor, manufacturer, IT-service provider, logistics partner, or professional-services firm handling unclassified-but-sensitive federal defence information. ITSP.10.171 frames this as “non-Government of Canada systems and organizations” handling specified federal information. An Ontario manufacturer machining parts that end up in a federal defence platform is in scope. A BC engineering firm subcontracting to a prime is in scope. (For broader context, see our 2026 Canadian cyber threat takeaways.)

Which 13 Controls Are in CPCSC Level 1?

Level 1’s 13 security requirements are drawn from ITSP.10.171, the Canadian Centre for Cyber Security’s adaptation of NIST SP 800-171 Revision 3 (Canadian Centre for Cyber Security, 2026). They span roughly six of the standard’s seventeen control families and generate around 71 assessment objectives (Truvocyber, 2026). They are the basic-cyber-hygiene tier: the foundation an MSP-served SMB should already be 70%-plus aligned with.

Here’s what the six families look like in plain English, with the FC translation of what they mean for a 25-person Canadian shop.

[Figure: CPCSC Level 1: 13 controls across 6 ITSP.10.171 families. Access Control 4; Identification and Authentication 2; Media Protection 1; Physical Protection 2; System and Communications Protection 2; System and Information Integrity 2; total 13. Source: Canadian Centre for Cyber Security, ITSP.10.171 (2026).]

Access Control (4 requirements)

Limit who can do what. Restrict public-facing data. Control information flow between systems. Translation: Microsoft 365 Conditional Access policies, role-based licensing aligned to job function, and a documented joiner-mover-leaver workflow. Stop the standing local-admin accounts.

Identification and Authentication (2 requirements)

Every user gets a unique identifier. The credential matches the actual person. Translation: no shared admin accounts, phishing-resistant MFA on every M365 identity, passkeys where possible.

Media Protection (1 requirement)

Sanitize media before disposal or reuse. Translation: a written end-of-life process for laptops, USB drives, and printer hard drives, with chain of custody. The MSP can issue the wipe; you need the procedure on paper.

Physical Protection (2 requirements)

Control physical access to systems. Manage visitors. Translation: keycards, a visitor log, a server-room access list. If you’re in a co-working tenancy, you need a written arrangement with the building.

System and Communications Protection (~2 requirements)

Boundary defence and cryptography in transit. Translation: a managed firewall with a current rule review, TLS everywhere, no plain-text email of sensitive data.

System and Information Integrity (~2 requirements)

Flaw remediation and malicious-code defence. Translation: patched endpoints (Microsoft Defender for Endpoint or equivalent), centralized logging, a 30-day patch SLA. Pair this with a documented incident response plan for Canadian SMBs so a missed patch doesn’t become a missed breach.

ITSP.10.171 has no substantial technical changes from NIST SP 800-171 Revision 3. If you’ve ever looked at NIST 800-171, you’ve already seen this list. The work is in proving it, which is why we recommend a vulnerability assessment scoped to ITSP.10.171 before you formally self-attest.

What’s a Self-Assessment, and What Do You Actually File?

Level 1 is an annual supplier self-assessment, not a third-party audit. You complete the CPCSC Level 1 Scoping Guide, run the assessment against the 13 controls using the Canadian Centre for Cyber Security’s self-assessment tool, and confirm implementation status at contract award rather than at bid. The assessment itself takes under an hour for a business with documented policies (Public Services and Procurement Canada, 2026).

The Scoping Guide matters more than most suppliers expect. It defines what’s “in” the assessment boundary and what’s “out.” For most Canadian SMBs, the boundary covers the M365 tenant, the engineering or CAD systems, and the file shares where federal-related work product lives. Level 1 attestation is filed at contract award, not at bid; a supplier who isn’t certified can still bid but cannot be awarded.

Where do suppliers actually fail? Almost never on the technical implementation. The controls are basic. Suppliers fail on the evidence binder. If a contracting officer or a prime’s compliance team comes back with questions, you need policy PDFs, screenshots of Conditional Access settings, the joiner-leaver workflow doc, and the visitor-log template ready to share. The assessment is short; the preparation is real, and the evidence overlaps neatly with PIPEDA-aligned data compliance work most Canadian SMBs already need.

CPCSC vs CMMC: What Changes for Dual-Jurisdiction Canadian Suppliers

CPCSC and the U.S. CMMC are aligned but not reciprocal. Both anchor on NIST SP 800-171, but CPCSC tracks Revision 3 while current CMMC is built on Revision 2, and CPCSC Level 2 requires mandatory third-party certification from an SCC-accredited body, where CMMC Level 2 still allows self-assessment for non-prioritized CUI (Truvocyber, 2026).

[Figure: CPCSC vs CMMC, five-dimension comparison. Source: Truvocyber, CPCSC vs CMMC Comparison (2026).]

| Dimension | CPCSC (Canada) | CMMC (US DoD) |
| --- | --- | --- |
| Foundational standard | NIST 800-171 Rev 3 | NIST 800-171 Rev 2 |
| Level 1 controls | 13 | 17 |
| Level 2 third-party | Mandatory | Self-assess for non-prioritized CUI |
| Accreditation body | Standards Council of Canada | CyberAB / DoD |
| Data sovereignty | Canadian jurisdiction explicit | Not addressed |

Three differences matter for a Canadian SMB selling into both markets. First, the foundational standard. NIST 800-171 Revision 3 tightens several control families compared to Revision 2. If you’ve already mapped your environment to Revision 2 for a CMMC engagement, you’ve got a small content gap to close, not a re-architecture.

Second, third-party scope. CPCSC Level 2 has no self-assessment path. Every Level 2 supplier will go through an SCC-accredited certification body, which means budgeting for one third-party cycle in Canada even if your U.S. work doesn’t require it.

Third, the accreditation ecosystem itself. SCC is currently accrediting Canadian certification bodies, and that capacity is the bottleneck for Level 2 in 2026 and 2027. Suppliers who wait until Level 2 is required to start shopping for an assessor will find slots scarce. Reciprocity isn’t there yet either; a CMMC certificate doesn’t satisfy CPCSC, and vice versa. Plan for two parallel programs.

What Does an MSP Close for You, and What Stays in Your Lane?

On a typical FC-managed Microsoft 365 tenant, a Canadian SMB enters CPCSC Level 1 with roughly 8 of the 13 controls already met or partially met by the managed stack. Conditional Access, MFA, endpoint patching, audit logging, malware defence, encryption-in-transit, and identity governance are all standard work product. The other 5 controls require supplier-internal work: physical access policy, media-disposal procedure, written acceptable-use policy, the joiner-leaver workflow, and a documented annual review.

Here’s the split in practice.

The MSP-side close. Microsoft 365 Business Premium or E5 with Defender for Endpoint and Defender for Office 365. Conditional Access policies tuned for the tenant. Intune device management with a 30-day patch SLA. Encrypted backup. Centralized log aggregation through the M365 audit log or a SIEM. MFA enforcement on every identity, with phishing-resistant methods preferred. This is the managed cybersecurity service stack most FC clients already run.

The supplier-side close. A 6-page acceptable-use, media-handling, and visitor policy you can hand to an auditor. A documented joiner-mover-leaver workflow, ideally signed by HR. A visitor sign-in process. A server-room access list, even if your “server room” is a locked closet. An end-of-life device handling form. An annual evidence-binder review on the calendar.

The grey zone. Vulnerability scanning and penetration testing. The MSP delivers them; the supplier owns the scope, the remediation timeline, and the sign-off.

A Canadian SMB engaged with a competent MSP can typically close Level 1 in 30 to 60 days using existing tooling. Suppliers going in cold can see budgets balloon to $25,000-plus for what’s near-zero incremental spend if you’re already on a Business Premium tenant.

What Does a 90-Day CPCSC Level 1 Readiness Plan Look Like?

A practical 90-day path for a Canadian SMB engaged with an MSP looks like this. Days 1 to 30: scope and identity hardening. Days 31 to 60: policy and physical-access cleanup. Days 61 to 90: evidence assembly, the self-assessment dry-run, and the formal submission. Total internal time investment for a 25-person business is typically 15 to 25 hours of leadership and HR time, plus the MSP’s managed-services baseline.

[Figure: 90-Day CPCSC Level 1 Readiness Plan, three 30-day phases for an MSP-served Canadian SMB. Days 1 to 30, Scoping and Identity: boundary defined, MFA on every account, Conditional Access, local-admin closed. Days 31 to 60, Policy and Physical: AUP and media policy, joiner-leaver workflow, server-room access, EOL device handling. Days 61 to 90, Evidence and Filing: self-assessment dry-run, evidence binder, CCCS tool submission, annual archive. Self-assessment filed at Day 90. Source: Fusion Computing field implementation (2026).]

Days 1 to 30: Scoping and Identity

Define the assessment boundary using the CPCSC Level 1 Scoping Guide. Inventory every account in the tenant. Enforce MFA on every account, including service and admin accounts. Review Conditional Access policies. Close standing local-admin accounts on every endpoint. If your environment is messy, start with an IT business assessment to set the baseline.

Days 31 to 60: Policy and Physical

Publish a 6-page acceptable-use, media-handling, and visitor policy. Document the joiner-mover-leaver workflow and have HR sign it. Review server-room access (yes, your locked closet counts). Finalize end-of-life device handling. This is the phase that drags, because it requires written sign-off from leadership.

Days 61 to 90: Evidence and Filing

Run the self-assessment dry-run against the 13 controls. Gather screenshots, policy PDFs, and workflow docs. Formally complete the CCCS self-assessment tool. Archive the evidence binder so next year’s renewal is a 30-minute exercise.
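As an added example (not from the post, and not Fusion Computing’s tooling), the script below turns the Days 1 to 30 identity checks into the Days 61 to 90 evidence: it exports per-account MFA registration and the Conditional Access policies that enforce MFA from a Microsoft 365 tenant via Microsoft Graph PowerShell, then hashes the files for the binder. It assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules are installed and the operator holds a read-only Entra role; the `$EvidenceRoot` path is a placeholder.

```powershell
# Added example, not from the post. Exports identity evidence for the CPCSC
# Level 1 self-assessment (Access Control and Identification/Authentication).
# Assumes Microsoft.Graph.Reports + Microsoft.Graph.Identity.SignIns and a
# read-only tenant role. $EvidenceRoot is a placeholder for the binder location.
param(
    [string]$EvidenceRoot = "C:\CPCSC\Evidence"   # placeholder path
)

$stamp  = Get-Date -Format "yyyy-MM-dd"
$outDir = Join-Path $EvidenceRoot $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Read-only scopes: the registration report and policy read.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.Read.All"

# --- Identification and Authentication: every identity has MFA registered ---
$reg  = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$gaps = $reg | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, UserType, IsAdmin,
        @{ n = 'MethodsRegistered'; e = { $_.MethodsRegistered -join ';' } }
# Admin accounts without MFA are the first fix in Days 1 to 30.
$adminGaps = $gaps | Where-Object { $_.IsAdmin }

$reg  | Export-Csv (Join-Path $outDir "mfa-registration.csv") -NoTypeInformation
$gaps | Export-Csv (Join-Path $outDir "mfa-gaps.csv") -NoTypeInformation

# --- Access Control: which Conditional Access policies require MFA, and their state ---
$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object DisplayName, State,
        @{ n = 'RequiresMfa';  e = { $_.GrantControls.BuiltInControls -contains 'mfa' } },
        @{ n = 'IncludeUsers'; e = { $_.Conditions.Users.IncludeUsers -join ';' } }

# Only an *enabled* policy scoped to All users enforces tenant-wide MFA;
# report-only ("enabledForReportingButNotEnforced") policies enforce nothing.
$tenantWideMfa = $policies | Where-Object {
    $_.State -eq 'enabled' -and $_.RequiresMfa -and $_.IncludeUsers -eq 'All'
}
$policies | ConvertTo-Json -Depth 4 |
    Set-Content (Join-Path $outDir "conditional-access-policies.json")

# --- Summary for the binder ---
$summary = [ordered]@{
    CollectedOn           = (Get-Date).ToString('o')
    AccountsReviewed      = @($reg).Count
    AccountsWithoutMfa    = @($gaps).Count
    AdminsWithoutMfa      = @($adminGaps).Count
    TenantWideMfaPolicies = @($tenantWideMfa | Select-Object -ExpandProperty DisplayName)
}
$summary | ConvertTo-Json | Set-Content (Join-Path $outDir "summary.json")

# SHA-256 per file, computed before hashes.csv exists, so next year's review
# can show the evidence was not altered after collection.
$hashes = Get-ChildItem $outDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash
$hashes | Export-Csv (Join-Path $outDir "hashes.csv") -NoTypeInformation

Write-Host ("Evidence written to {0}: {1} accounts, {2} without MFA ({3} admins)" -f
    $outDir, $summary.AccountsReviewed, $summary.AccountsWithoutMfa, $summary.AdminsWithoutMfa)
```

Rerun it at each annual review and archive the dated folder alongside the policy PDFs; a non-empty mfa-gaps.csv or an empty TenantWideMfaPolicies list is a control gap to close before self-attesting.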

Want help mapping your existing controls against the 13 Level 1 requirements? Book a Consultation with Fusion Computing’s cybersecurity team.

What’s Coming Next? Level 2, Level 3, and the Procurement-Gate Calendar

Level 2 is expected to follow Level 1 with roughly 98 controls and mandatory third-party certification by an SCC-accredited certification body, applying to suppliers handling more sensitive but unclassified federal defence information. Level 3, the most stringent, around 200 controls and assessed directly by National Defence, follows in 2027 (Kiteworks, 2026).

Why does Level 2 matter for a supplier currently scoped to Level 1? Because prime contractors are already asking about Level 2 readiness as a tiebreaker, before Level 2 contracts begin. Suppliers who can show a Level 2 plan will win bids over equally-priced suppliers who can’t.

What to do now if Level 2 is in your future? Schedule an ITSP.10.171-mapped vulnerability assessment, not generic best practice. The work product carries forward into the Level 2 third-party engagement, and the accreditation ecosystem itself is the practical bottleneck; assessor slots will be scarce in 2026–2027 and pricing will climb.

Frequently Asked Questions

What is CPCSC Level 1?

CPCSC Level 1 is an annual cyber-security self-assessment against 13 security controls drawn from the Canadian Centre for Cyber Security’s ITSP.10.171 standard, a Canadian adaptation of NIST SP 800-171 Revision 3. It launched to suppliers on April 1, 2026, and will be required at contract award in select federal defence contracts beginning summer 2026 (Canada.ca, 2026).

When does CPCSC become mandatory in Canada?

Level 1 becomes mandatory at contract award in select defence contracts beginning summer 2026. Level 2 (third-party certification, roughly 98 controls) follows with phased rollout. Level 3, around 200 controls and assessed directly by National Defence, lands in 2027 (Kiteworks, 2026).

How many controls are in CPCSC Level 1?

Level 1 has 13 security requirements drawn from approximately 6 of the 17 control families in ITSP.10.171: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. Together they generate around 71 assessment objectives (Truvocyber, 2026).

Do small Canadian businesses need CPCSC certification?

Only if they sell to or sub-contract under federal defence prime contractors handling sensitive-but-unclassified federal information. The Canadian Centre for Cyber Security explicitly designed the program to apply to organizations of all sizes including SMBs. If you don’t sell to defence and aren’t planning to, CPCSC doesn’t apply to you (Canadian Centre for Cyber Security, 2026).

What’s the difference between CPCSC and CMMC?

CPCSC is built on ITSP.10.171, aligned with NIST SP 800-171 Revision 3. CMMC is the U.S. Department of Defense program currently built on Revision 2. CPCSC Level 2 requires mandatory third-party certification, where CMMC Level 2 still allows self-assessment for non-prioritized CUI. The two programs are aligned but not reciprocal (Truvocyber, 2026).

How long does the CPCSC Level 1 self-assessment take?

The assessment itself takes under an hour using the Canadian Centre for Cyber Security’s self-assessment tool, if you have documented policies and assembled evidence ahead of time. The preparation work, bringing controls into compliance and organizing evidence, typically takes 30 to 60 days for an SMB engaged with an MSP (Public Services and Procurement Canada, 2026).

Does my MSP handle CPCSC certification?

An MSP can typically close 8 of the 13 Level 1 controls through a managed Microsoft 365 tenant with Conditional Access, MFA, Intune, and Defender for Endpoint, plus centralized logging and patch management. The remaining 5 (physical access, media disposal, joiner-leaver process, written acceptable-use policy, and the annual review) are supplier-internal. The certification submission itself is the supplier’s, not the MSP’s.

Conclusion

Five things to take away:

  • CPCSC Level 1 launched April 1, 2026 and will be required at contract award in select defence contracts starting summer 2026.
  • 13 controls drawn from ITSP.10.171 across roughly 6 control families. Basic cyber-hygiene tier.
  • Annual self-assessment via the CCCS tool, under an hour if your evidence is organized.
  • For an MSP-served SMB, roughly 8 of 13 controls are already closed by a managed Microsoft 365 stack. The other 5 are supplier-internal.
  • Level 2 (~98 controls, third-party) is next; Level 3 (~200 controls) lands in 2027. Start now, climb later.

CPCSC Level 1 isn’t the end of the world for Canadian defence-supply-chain SMBs. It’s a basic cyber-hygiene baseline; most MSP-served businesses are already 70%-plus there. The work is in scoping the boundary, writing the supplier-side policies, and assembling the evidence binder.

Book a Consultation with Fusion Computing’s cybersecurity team. We’ll map your controls against the 13 Level 1 requirements, identify the supplier-side gaps, and prep a 90-day plan ahead of the summer 2026 contract gate.

Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.

93% of issues resolved on the first call. Named one of Canada’s 50 Best Managed IT Companies two years running.

100 King Street West, Suite 5700
Toronto, ON M5X 1C7
(416) 566-2845
1 888 541 1611