Overview: CPCSC Level 1 Certification
CPCSC (the Canadian Program for Cyber Security Certification) Level 1 is a self-assessment of 13 core security controls across 6 control families. It is mandatory at contract award starting April 2026. Every DND defence prime must verify that its contractors meet Level 1 readiness before awarding contracts.
Key Facts:
- 13 controls in 6 families (Access Control, Identification & Authentication, Media Protection, Physical Protection, System Protection, System Integrity)
- Self-assessment model — you assess your own controls, no external auditor required
- Evidence-based — you must collect and document proof that each control is implemented
- Mandatory — all defence suppliers must meet Level 1 by April 2026
- Tamper-evident — Solymus cryptographically verifies your evidence so assessors trust it
The 13 Level 1 Controls
AC-03.01.01
Account Management
Access Control
Enforce authorisation policies for creating, enabling, and disabling accounts. Only authorised personnel can create accounts.
Example Evidence:
Account creation policy, user access review logs, deactivation procedures
AC-03.01.02
Access Enforcement
Access Control
Enforce approved authorizations for logical and physical access. Systems must deny access by default.
Example Evidence:
Access control lists (ACLs), permission matrix, system logs showing enforced denials
AC-03.01.20
Use of External Systems
Access Control
Restrict or prohibit the use of systems outside your control (personally owned computers and mobile devices, removable media, third-party cloud services) to access or store controlled information. If such use is allowed, enforce the same controls on those systems.
Example Evidence:
External system policy, device management logs, USB restrictions
AC-03.01.22
Publicly Accessible Content
Access Control
Manage information posted on public-facing websites. Only approved content is published; no controlled information is exposed.
Example Evidence:
Content review process, approval logs, web server configurations
IA-03.05.01
Identification
Identification & Auth
Systems must uniquely identify each user. No shared accounts. Every action is traceable to an individual.
Example Evidence:
Active Directory users, user account policies, audit logs showing individual IDs
IA-03.05.02
Authentication
Identification & Auth
Systems must authenticate user identity before granting access. Multi-factor authentication (MFA) is strongly recommended.
Example Evidence:
MFA implementation, password policies, authentication logs, 2FA verification
IA-03.05.03
Authenticator Management
Identification & Auth
Passwords and other authenticators must meet minimum strength requirements, be protected against reuse, and be changed whenever there is an indication of compromise. If you also enforce periodic expiry, document the interval (NIST SP 800-63B no longer recommends routine rotation on its own).
Example Evidence:
Password policy (minimum length, complexity), expiration settings, rotation logs
MP-03.08.03
Media Sanitization
Media Protection
When disposing of storage media (hard drives, USB sticks, paper), the data must be made unrecoverable: shredding, incineration, degaussing, verified overwriting, or cryptographic erasure (destroying the key that encrypted the media).
Example Evidence:
Media destruction policy, certificates of destruction, disposal vendor contracts
PE-03.10.01
Physical Access Authorizations
Physical Protection
Access to physical facilities (data centres, server rooms, offices) is restricted to authorised personnel only. Badges, alarms, locked doors.
Example Evidence:
Badge access system logs, door lock audits, physical security policy, visitor logs
PE-03.10.07
Alternate Work Sites
Physical Protection
When employees work from home or other alternate sites, the same safeguards apply: devices are managed and encrypted, connections go through the VPN, and controlled information is not left visible on desks or screens.
Example Evidence:
Remote work policy, VPN requirements, encryption enforcement, device management logs
SC-03.13.01
Boundary Protection
System Protection
Monitor and control network traffic at the boundary. Firewalls, intrusion detection, network segmentation. Only approved traffic enters/exits.
Example Evidence:
Firewall rules, IDS/IPS logs, network diagrams, security zone definitions
SI-03.14.01
Flaw Remediation
System Integrity
Identify vulnerabilities in your systems and apply the vendor patches, updates and fixes that address them promptly. Document and track patching schedules.
Example Evidence:
Patch management policy, update logs, vulnerability scanner results, compliance reports
SI-03.14.02
Malicious Code Protection
System Integrity
Deploy anti-malware tools on all systems. Scan for viruses, ransomware, spyware. Keep definitions current.
Example Evidence:
Antivirus deployment, definition update logs, scan reports, endpoint protection console logs
What Evidence Do You Need?
For each of the 13 controls, you need to collect evidence proving that the control is implemented. Evidence is not a document certifying compliance. Evidence is the actual artifact showing that the control works.
Examples of good evidence:
- Policies & Procedures: written policies describing how the control is implemented
- Audit Logs: system logs showing the control in action (authentication, access denials, patches applied)
- Configuration Exports: system configuration files (firewall rules, password policies, encryption settings)
- Certificates & Reports: security scan results, penetration test reports, vendor attestations
- Business Records: contracts, SLAs, vendor assessments, maintenance records
- Test Results: results from security tests, vulnerability scans, compliance checks
Bad Evidence
A statement you wrote yourself saying "We comply with AC-03.01.01" is NOT evidence. Assessors will reject it. Good evidence is:
- Generated by the actual systems in use (logs, exports, scan results)
- Time-stamped and verifiable
- Shows the control working, not a promise that it works
- Hard to forge or fabricate after the fact
This is why Solymus uses cryptographic verification: evidence is tamper-evident, so an assessor can check that it has not been altered since it was captured.
How to Implement CPCSC Level 1: 6-Step Guide
1. Assess Your Current State
For each of the 13 controls, determine: Do we meet this control? What do we have? What are we missing?
2. Close Gaps
For controls you don't meet, implement the needed security tools. Examples: enable MFA, deploy antivirus, configure the firewall, enforce password policies.
3. Document Policies
Write or update policies for each control family. Example: "Password Policy," "Access Control Policy," "Media Destruction Procedure."
4. Collect Evidence
Export logs, configuration files, and test results directly from the systems that produce them. Gather audit trails, scan reports and, where nothing else exists, system screenshots. Store them securely and treat them as read-only once captured.
5. Upload to Solymus
Use Solymus to upload evidence. The platform maps evidence to controls and generates cryptographic receipts.
6. Export Your Compliance Package
Download your CPCSC Level 1 compliance package with evidence index, control mappings, and verification URLs ready for auditors.
Timeline: When to Start
You don't have time to waste: CPCSC Level 1 is mandatory at contract award from April 2026, and the plan below takes roughly 12 months end to end, so start now. Here is a recommended timeline, counted from the month you begin:
- Now (month 1): Start the gap assessment. Identify which controls you meet and which need work.
- Months 2–4: Implement missing controls. Deploy MFA, firewall updates, antivirus, encryption. Document policies.
- Months 5–6: Collect evidence. Export logs and configurations. Run security tests and scans.
- Months 7–9: Upload evidence to Solymus. Review control mappings. Refine evidence quality.
- Months 10–12: Export the compliance package and share it with defence primes. Prepare for the Level 2 assessment (starting April 2027).
Ready to Build Your Evidence Chain?
Start free with Solymus Level 1 today. Upload your first evidence, map to controls, and get a compliance readiness score.