Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Public Services and Procurement Canada opened CPCSC Level 1 on April 1, 2026; it becomes a contract-award gate on select federal defence procurements in summer 2026. Canadian businesses selling into federal defence, even three tiers down, fall inside the supplier population. Level 1 is an annual self-assessment against 12 baseline controls, filed by the supplier at award.
Most managed Microsoft 365 tenants already cover the technical floor. The binder is where suppliers fall behind.
Key Takeaways
- CPCSC Level 1 is an annual self-assessment against 12 baseline controls drawn from ITSP.10.171, the Canadian adaptation of NIST SP 800-171.
- Scope reaches every Canadian supplier handling unclassified-but-sensitive federal defence information, including sub-contractors several tiers deep.
- Across Fusion Computing’s 2026 Canadian defence-supplier engagements, roughly 8 of 12 controls are typically already met by a managed Microsoft 365 stack; 4 are supplier-internal policy work.
- The filing itself takes under an hour with a documented evidence binder; readiness preparation for a 25-person SMB runs 30 to 60 days.
- CPCSC L1 maps cleanly to CMMC Level 1, but certificates are not reciprocal across programs.
What is the Canadian Program for Cyber Security Certification (CPCSC)?
CPCSC is a federal procurement framework that gates select defence contracts on supplier cyber hygiene. PSPC owns the program; the Canadian Centre for Cyber Security publishes the underlying control standard. Three tiers are planned; Level 1 is the entry tier and the only tier active in 2026.
Level 1 is an annual self-assessment, filed in the CCCS tool at contract award, with no third party involved. The 12 controls trace to ITSP.10.171, the Canadian adaptation of NIST SP 800-171, generating roughly 71 assessment objectives a supplier confirms each year. See related context in 2026 Canadian cyber takeaways.
Who needs CPCSC Level 1, and when
CPCSC Level 1 applies to any Canadian supplier handling unclassified-but-sensitive federal defence information, regardless of company size. The list runs deeper than most owners expect:
- Prime defence contractors bidding directly on PSPC or DND awards.
- Tier-1 sub-contractors manufacturing components or fabricating parts for a prime.
- Tier-2 and tier-3 suppliers several hops removed, including engineering firms, CAD bureaus, calibration labs, and logistics partners.
- IT and professional-services firms with access to a prime’s defence-related systems.
An Ontario machine shop fabricating brackets for a federal platform is in scope. So is a Vancouver engineering firm subcontracting to a prime, and a Hamilton MSP managing a defence supplier’s tenant. An inaccurate or missing attestation blocks award.
CITATION CAPSULE
Public Services and Procurement Canada confirms CPCSC Level 1 went live April 1, 2026 and applies to organizations of all sizes that sell to federal defence (PSPC, 2026). The Canadian Centre for Cyber Security publishes the underlying ITSP.10.171 baseline that defines the supplier control set (CCCS, 2026).
The 12 controls inside CPCSC Level 1
The 12 Level 1 controls cover six ITSP.10.171 families: Access Control, Identification and Authentication, Media Protection, Physical Protection, System and Communications Protection, and System and Information Integrity. An MSP-served Canadian SMB is typically 70 percent aligned on day one.
| Control | What it requires | Evidence |
|---|---|---|
| AC.L1-1 | Limit system access to authorized users | User inventory, RBAC matrix exported from Entra ID |
| AC.L1-2 | Limit access to authorized transactions and functions | Conditional Access policy export |
| AC.L1-3 | Verify and control external connections | Firewall rule review and quarterly attestation |
| AC.L1-4 | Control public-facing information | Public-information release log signed by leadership |
| IA.L1-1 | Identify users, processes, and devices | Unique account list, device join records |
| IA.L1-2 | Authenticate identities before access | Phishing-resistant MFA enforcement report |
| MP.L1-1 | Sanitize media before disposal or reuse | End-of-life device log with serial numbers |
| PE.L1-1 | Limit physical access to systems | Server-room list, keycard access roster |
| PE.L1-2 | Escort visitors and monitor activity | Visitor sign-in log, badge policy |
| SC.L1-1 | Monitor and control communications at the boundary | Firewall config export, VPN posture |
| SI.L1-1 | Identify, report, and correct system flaws | Patch SLA report, 30-day cadence |
| SI.L1-2 | Protect against malicious code | EDR coverage report across all endpoints |
Technical implementation is basic on a managed Microsoft 365 Business Premium tenant. Suppliers fail on the binder: policy PDFs, Conditional Access screenshots, joiner-mover-leaver workflow, and visitor log. Pair Level 1 prep with a documented incident response plan.
CPCSC Level 1 vs CMMC Level 1 (US DoD): how they overlap
Suppliers selling into both Canadian and US defence markets share DNA across the two programs but face different standards, scopes, and certification paths.
| Dimension | CPCSC L1 (Canada) | CMMC L1 (US DoD) |
|---|---|---|
| Foundational standard | ITSP.10.171 / NIST SP 800-171 | NIST SP 800-171 Revision 2 |
| Control count | 12 | 17 |
| Assessment path | Annual self’assessment | Annual self’assessment |
| Filed at | Contract award via CCCS tool | Contract award via SPRS |
| Reciprocity | Not accepted by US DoD | Not accepted by Canada |
| Data sovereignty | Canadian jurisdiction explicit | Not addressed |
Three implications matter for dual-market suppliers. CPCSC and CMMC L1 share NIST SP 800-171 ancestry, so technical evidence often repackages across both filings. Reciprocity is not in place: a CMMC certificate does not satisfy CPCSC, and vice versa. ISO 27001:2022 alignment helps because management-system controls overlap, but it does not replace either attestation.
The CPCSC Level 1 self-assessment process
Level 1 is filed through the CCCS self-assessment tool. With evidence assembled the filing takes under an hour. The lifecycle has four phases:
- Scope. Define the boundary using the CPCSC Scoping Guide. For most SMBs that covers the Microsoft 365 tenant, CAD systems, and file shares with federal work product.
- Self-assess. Walk all 12 controls and 71 objectives. Mark each Met, Not Met, or Not Applicable with written justification.
- Attest. File in the CCCS tool at contract award. A supplier may bid without certification but cannot be awarded.
- Renew. Repeat annually; maintain the binder so renewal is a 30-minute exercise.
The Scoping Guide carries weight. Drawing the boundary too wide inflates the evidence load; drawing it too narrow risks an audit finding.
Evidence package: what assessors look for
The evidence binder separates a clean self-assessment from a procurement integrity risk. PSPC reviewers expect documented, dated, signed artifacts mapped to each of the 71 objectives. The minimum binder includes:
- Written Acceptable Use Policy and media-sanitization procedure
- Joiner-mover-leaver workflow signed by HR
- Visitor log template in active use, end-of-life device disposal form
- MFA enforcement export and Conditional Access policy export
- Patch SLA report covering the last 90 days, EDR coverage report
The binder is the supplier’s contract-defence record. If a procurement officer questions an attestation, the binder is what answers the question.
The 90-day CPCSC Level 1 readiness plan
An ordered 90-day plan turns the self-assessment into confirmation rather than discovery. The plan below is what FC uses to close Level 1 inside one quarter.
| Phase | Action | Owner | Days |
|---|---|---|---|
| Days 1-15 | Define assessment boundary, inventory accounts, devices, and systems | MSP and supplier leadership | 15 |
| Days 16-30 | Enforce phishing-resistant MFA, close standing local-admin accounts, tune Conditional Access | MSP | 15 |
| Days 31-45 | Verify EDR coverage, document 30-day patch SLA, export firewall config | MSP | 15 |
| Days 46-60 | Publish AUP, media-handling, visitor, and joiner-mover-leaver policies | Supplier HR and leadership | 15 |
| Days 61-75 | Document physical access, build server-room list, activate visitor log, EOL device form | Supplier operations | 15 |
| Days 76-90 | Run dry-run, assemble binder, file CCCS attestation, schedule annual review | MSP and supplier | 15 |
The first 45 days are MSP-led and move quickly. Days 46 to 75 drag because they need written sign-off from leadership and HR. Map controls against ITSP.10.171 before the dry-run.
Tools FC deploys for CPCSC alignment
Fusion Computing closes 8 of the 12 Level 1 controls with a managed Microsoft stack:
- Microsoft Entra ID covers AC.L1-1, AC.L1-2, IA.L1-1, IA.L1-2 via user inventory, Conditional Access, and phishing-resistant MFA.
- Microsoft Defender for Endpoint closes SI.L1-2 with EDR coverage reports across every managed device.
- Microsoft Intune enrolls endpoints, supplies device join records for IA.L1-1, and enforces compliance baselines.
- NinjaOne drives the 30-day patch SLA for SI.L1-1 and produces the EOL device log for MP.L1-1.
- Microsoft Sentinel aggregates boundary-monitoring data for SC.L1-1 and supports annual review.
- Microsoft Purview handles AC.L1-4 public-information release logging.
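The binder section above asks for a patch SLA report over the last 90 days and an EDR coverage report across all endpoints, and the tools list above names the stack that produces the raw data. The script below is an added example, not Fusion Computing's tooling: it takes constructed patch and device inventories (the kind an RMM or Intune export supplies) and derives the Met / Not Met finding with a written justification for SI.L1-1 and SI.L1-2, using the page's 30-day SLA and 90-day evidence window. Device names and dates are made up.

```python
"""Added example: derive SI.L1-1 (patch SLA) and SI.L1-2 (EDR coverage) findings
from constructed inventory exports. Not code from the page or from Fusion Computing."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 30      # patch cadence the binder documents for SI.L1-1
WINDOW_DAYS = 90   # evidence window the patch SLA report must cover

@dataclass(frozen=True)
class Patch:
    device: str
    released: date
    installed: Optional[date]   # None means the patch is still missing

def patch_sla_report(patches, today):
    """Return (status, findings) for every patch released inside the 90-day window.
    A missing patch counts as compliant only while its 30-day deadline has not passed."""
    window_start = today - timedelta(days=WINDOW_DAYS)
    findings = []
    for p in patches:
        if p.released < window_start:
            continue                         # outside the evidence window, not assessed
        deadline = p.released + timedelta(days=SLA_DAYS)
        if p.installed is None:
            ok = today <= deadline
            note = "pending, inside SLA" if ok else f"overdue since {deadline}"
        else:
            ok = p.installed <= deadline
            note = f"installed {(p.installed - p.released).days} days after release"
        findings.append((p.device, ok, note))
    status = "Met" if all(ok for _, ok, _ in findings) else "Not Met"
    return status, findings

def edr_coverage_report(managed_devices, edr_onboarded):
    """Managed devices with no EDR sensor reporting; any gap fails SI.L1-2."""
    gaps = sorted(set(managed_devices) - set(edr_onboarded))
    covered_pct = 100 * (len(managed_devices) - len(gaps)) / max(len(managed_devices), 1)
    return ("Met" if not gaps else "Not Met", round(covered_pct, 1), gaps)

# Constructed sample inventories; not from any real tenant.
TODAY = date(2026, 6, 30)
PATCHES = [
    Patch("SHOP-CAD01", date(2026, 5, 12), date(2026, 5, 20)),  # 8 days: within SLA
    Patch("SHOP-CAD02", date(2026, 5, 12), date(2026, 6, 25)),  # 44 days: SLA breach
    Patch("SHOP-FS01", date(2026, 6, 20), None),                # missing but not yet due
    Patch("SHOP-OLD01", date(2026, 2, 1), None),                # outside the 90-day window
]
MANAGED = ["SHOP-CAD01", "SHOP-CAD02", "SHOP-FS01", "SHOP-LT07"]
EDR = ["SHOP-CAD01", "SHOP-CAD02", "SHOP-FS01"]

if __name__ == "__main__":
    print(patch_sla_report(PATCHES, TODAY))
    print(edr_coverage_report(MANAGED, EDR))
```

Each finding's note is the written justification the self-assessment step asks for; the status strings map directly onto the Met / Not Met choices in the CCCS tool.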
FIELD NOTE FROM MIKE
Early 2026, a 35-person Ontario fabricator on a federal defence sub-contract called us six weeks before a contract-award gate. The technical posture was solid: Business Premium, Defender for Endpoint, MFA across the tenant. The team had assumed certification was an MSP deliverable. It is not.
What was missing was the supplier-side binder: a written AUP, a joiner-mover-leaver workflow signed by HR, a visitor log, and an end-of-life device form. We closed the technical evidence in eight working days. Their HR director wrote and signed the four policies in another twelve. They filed on day 26 and won the renewal.
The lesson: 8 of 12 controls are tooling. The other 4 are leadership signature, and that signature has to come from inside the supplier.
Mike Pearlstein, Fusion Computing
Common CPCSC mistakes Canadian suppliers make
Across 2026 defence-supplier engagements, six errors recur. Each is recoverable, but each delays a contract-award decision.
- Drawing the boundary too wide. Pulling the entire tenant in when only a project-specific OU touches federal information.
- Treating the MSP as the certification owner. The MSP closes controls; the supplier files the attestation and signs the policies.
- Self-attesting before the policy binder exists. The 71 objectives map to documented evidence; verbal practice fails an auditor cross-check.
- Skipping physical protection. A locked server closet still counts as a server room and still needs an access list and a visitor log.
- Assuming CMMC reciprocity. A CMMC L1 attestation does not satisfy CPCSC L1.
- Filing once and forgetting. Level 1 is annual; skipped renewals lose contract eligibility on the next award cycle.
CITATION CAPSULE
NIST SP 800-171 is the parallel US standard CPCSC tracks; it defines protection requirements for controlled unclassified information that ITSP.10.171 adapts for Canada (NIST, 2024). CMMC 2.0 program documentation defines the parallel US procurement gate (US DoD, 2025); ISO 27001:2022 supplies the management-system control overlap suppliers can reuse (ISO, 2022).
Frequently asked questions
What is CPCSC Level 1?
CPCSC Level 1 is an annual cyber-security self-assessment against 12 baseline controls drawn from ITSP.10.171, the Canadian adaptation of NIST SP 800-171. It became required at contract award on select federal defence procurements beginning summer 2026.
Who must comply with CPCSC L1?
Any Canadian supplier handling unclassified-but-sensitive federal defence information, regardless of size: primes, sub-contractors several tiers deep, IT providers with access to defence systems, and professional-services firms in the supply chain.
How many controls are in CPCSC Level 1?
Twelve baseline controls across six ITSP.10.171 families, generating roughly 71 assessment objectives.
How long does the CPCSC L1 self-assessment take?
The filing itself takes under an hour using the CCCS self-assessment tool when policies are documented and evidence is assembled. Readiness preparation typically runs 30 to 60 days for an SMB engaged with an MSP.
What does CPCSC L1 readiness cost a Canadian SMB?
An MSP-served Microsoft 365 Business Premium tenant runs $4,000 to $8,000 in MSP fees plus 15 to 25 hours of leadership time. Suppliers entering without a managed stack can exceed $25,000 total.
Does a CMMC L1 certificate satisfy CPCSC L1?
No. The two programs share a NIST SP 800-171 foundation, yet the certificates are not reciprocal. Suppliers selling into both Canadian and US defence markets need parallel attestations.
Does ISO 27001:2022 cover CPCSC L1?
ISO 27001:2022 covers the management-system overlap and shortens readiness, but ISO certification on its own is not accepted as a CPCSC attestation.
Does the MSP file CPCSC certification on the supplier’s behalf?
An MSP can typically close 8 of the 12 controls and support evidence assembly. The attestation is filed by the supplier; the supplier signs the policies and owns the annual renewal.
What happens if a supplier files Level 1 incorrectly?
An inaccurate attestation is a procurement integrity risk. Suppliers can lose contract eligibility, face termination, or be referred for review. The fix is documented evidence and an honest self-assessment.
Is CPCSC Level 2 coming next?
Level 2 is expected to follow with roughly 98 controls and mandatory third-party certification by an accredited body. Level 3, around 200 controls and assessed by National Defence, is targeted for 2027.