The Clock Is Running

The Canadian Program for Cyber Security Certification enters Phase 2 in April 2026. That means CPCSC Level 1 compliance becomes a condition of contract award for all new DND procurements involving sensitive information. If you hold a DND contract — or sit anywhere in a prime contractor's supply chain — this applies to you.

Unlike broad frameworks that leave implementation open to interpretation, CPCSC Level 1 is specific: 13 controls drawn from 6 families of the ITSP.10.171 standard (Canada's adaptation of NIST SP 800-171 Rev 3). You either meet them or you do not win the contract.

What CPCSC Level 1 Requires

Level 1 is a self-assessment. No third-party assessor is needed. You evaluate your own environment against 13 controls and attest that you meet them. The controls cover the foundational cyber hygiene that every organisation handling defence information should already have in place:

Access Control (4 controls): Limit system access to authorised users, control remote access, restrict data flow.
Identification & Authentication (3 controls): Identify and authenticate users before granting access, enforce password complexity.
Media Protection (1 control): Sanitise or destroy media containing sensitive information before disposal.
Physical Protection (2 controls): Limit physical access to systems, protect and monitor the physical facility.
System & Communications Protection (1 control): Monitor, control, and protect communications at system boundaries.
System & Information Integrity (2 controls): Identify, report, and correct system flaws in a timely manner; provide protection from malicious code.

Key detail: Level 1 is self-assessed, but your attestation must be backed by evidence. When an assessor or prime contractor asks to see your access control policies or media destruction logs, you need to produce them — ideally with tamper-evident, cryptographically signed proof.

The CPCSC Rollout Timeline

Why This Matters Beyond DND Primes

The 600 DND-registered primes are the first to feel the requirement, but the real impact cascades downward. To maintain their own compliance, primes must verify that their supply chain partners also meet the standard. That means the prime you supply parts, software, or services to will soon ask you to prove your CPCSC Level 1 compliance — or risk losing the relationship.

This cascade effect means thousands of second- and third-tier suppliers who have never directly held a DND contract will still need to comply. The question is not whether you will need CPCSC certification, but when.

CPCSC vs. CMMC — How Canada Compares

If you work with both Canadian and American defence contracts, you have likely heard of CMMC (Cybersecurity Maturity Model Certification). Both programs share DNA — they derive from NIST 800-171 and use tiered certification levels — but they serve different jurisdictions and have different control mappings.

CPCSC uses ITSP.10.171 (Canada's adaptation), while CMMC uses NIST SP 800-171 Rev 2. The overlap is significant, but not complete. Companies operating across the border may need compliance with both. The good news: if you are already working toward one, you are well on your way to the other.

How to Get Compliant — Practical Steps

1. Understand the 13 controls

Read the ITSP.10.171 Level 1 control descriptions. Map each one to what you already have in place — many organisations already meet several controls through existing IT policies.

2. Identify your gaps

For each control, ask: can I produce evidence that this is implemented? If the answer is no, that is your gap. Common gaps include formal access control policies, media destruction procedures, and documented authentication requirements.

3. Collect and sign your evidence

Self-assessment requires evidence you can stand behind. Policies, screenshots, configuration exports, training records — anything that demonstrates the control is in place. Cryptographically signed evidence with tamper-evident receipts makes your attestation significantly more credible.

4. Plan ahead for Level 2

Level 1 covers 13 controls. Level 2 covers all 97. Starting your evidence collection now means 12 months of history when Level 2 assessors arrive in April 2027. That unbroken chain of evidence is worth far more than a fresh start.

The evidence advantage: Assessors evaluating Level 2 readiness strongly prefer organisations with months of documented compliance history over those starting from scratch. Every month you collect evidence now is a month of credibility banked for Level 2.
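Steps 3 and 4 above call for signed, tamper-evident evidence accumulated as an unbroken chain. The Go program below is an illustration added here, not code from Solymus or from any CPCSC tooling: each receipt records a control label, the SHA-256 of one evidence artefact and a collection timestamp, links to the hash of the previous receipt, and is signed with Ed25519; the control labels, file names and timestamps it uses are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Receipt is one signed evidence record. Prev chains it to the previous receipt, so a
// receipt cannot be reordered, dropped or back-filled without a signature failing.
type Receipt struct {
	Control   string // hypothetical control label, not an ITSP.10.171 identifier
	Artefact  string // evidence item: policy, configuration export, training record
	SHA256    string // hex SHA-256 of the evidence bytes at collection time
	Collected string // RFC 3339 timestamp supplied by the collector
	Prev      string // hex SHA-256 of the previous receipt's JSON, "" for the first
	Signature string // hex Ed25519 signature over the receipt with this field empty
}

func hexSHA256(b []byte) string     { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
func receiptHash(r Receipt) string  { b, _ := json.Marshal(r); return hexSHA256(b) }
func signingInput(r Receipt) []byte { r.Signature = ""; b, _ := json.Marshal(r); return b }

// Append hashes the evidence, links the new receipt to the chain head and signs it.
func Append(chain []Receipt, priv ed25519.PrivateKey, control, name, at string, evidence []byte) []Receipt {
	r := Receipt{Control: control, Artefact: name, SHA256: hexSHA256(evidence), Collected: at}
	if n := len(chain); n > 0 {
		r.Prev = receiptHash(chain[n-1])
	}
	r.Signature = hex.EncodeToString(ed25519.Sign(priv, signingInput(r)))
	return append(chain, r)
}

// Verify re-checks every signature, chain link and artefact hash against the bytes presented now.
func Verify(chain []Receipt, pub ed25519.PublicKey, evidence map[string][]byte) error {
	prev := ""
	for i, r := range chain {
		sig, err := hex.DecodeString(r.Signature)
		if err != nil || !ed25519.Verify(pub, signingInput(r), sig) || r.Prev != prev {
			return fmt.Errorf("receipt %d: signature or chain link invalid", i)
		}
		if hexSHA256(evidence[r.Artefact]) != r.SHA256 {
			return fmt.Errorf("receipt %d: %q differs from what was attested", i, r.Artefact)
		}
		prev = receiptHash(r)
	}
	return nil
}
```

A chain that verifies shows what was collected, when, and that neither receipts nor artefacts changed afterwards; it does not show the control is effective, so the artefact itself still has to demonstrate the behaviour. Keep the signing key outside the evidence store and hand the public key over with the attestation so a prime or assessor can re-run the check.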

Frequently Asked Questions

When does CPCSC Level 1 become mandatory?

CPCSC Level 1 self-assessment becomes mandatory at contract award starting April 2026 (Phase 2 of the CPCSC rollout).

How many controls does CPCSC Level 1 require?

13 controls drawn from 6 families of the ITSP.10.171 standard: Access Control (4), Identification and Authentication (3), Media Protection (1), Physical Protection (2), System and Communications Protection (1), and System and Information Integrity (2).

What is ITSP.10.171?

Canada's adaptation of NIST SP 800-171 Rev 3, published by the Canadian Centre for Cyber Security. It defines 97 security controls across 17 families that protect controlled information in non-federal systems.

Is CPCSC the same as CMMC?

They serve similar purposes for different countries. CPCSC is Canada's program; CMMC is the US equivalent. Both derive from NIST 800-171 but use different adaptations. Cross-border suppliers may need both.

Do I need a third-party assessor for Level 1?

No. Level 1 is a self-assessment. Third-party certification is only required starting at Level 2 (April 2027).

Start Your CPCSC Level 1 Assessment

Solymus maps all 13 Level 1 controls, collects tamper-evident evidence, and generates your readiness report — free for a limited time.
