Level 1 self-assessment under the Canadian Program for Cyber Security Certification (CPCSC) is not a formality. Based on the program's alignment with CMMC and NIST 800-171 Rev 3, industry analysts expect Level 1 to cover approximately 13 security requirements evaluated across roughly 71 assessment objectives, with attestation through the Canada Buys procurement platform. The government has not yet published the final Level 1 control list, but starting April 2026, attestation is expected to be a condition of bidding on Department of National Defence contracts.
This guide breaks down what the expected requirements ask for, what evidence satisfies each one, and how the attestation process works. For the broader context on CPCSC, including the three certification levels, the timeline, and how it compares to CMMC, see our complete CPCSC guide.
April 2026 Deadline
Level 1 self-assessment becomes mandatory for DND procurements in April 2026. Companies without a valid attestation on their Canada Buys profile will not be eligible to bid on contracts requiring CPCSC Level 1 certification.
What Level 1 Actually Requires
Level 1 targets companies handling specified information, which is federal contractual information below the classified level. The scope is deliberately narrower than Level 2's full 97-control standard. It focuses on the foundational security practices that protect basic government data during the course of a contract.
The requirements are drawn from ITSP.10.171, the technical standard developed by the Canadian Centre for Cyber Security (CCCS). Based on the program's alignment with CMMC Level 1 and NIST 800-171 Rev 3, industry analysts expect Level 1 to pull approximately 13 requirements from 6 of the standard's 17 control families, generating roughly 71 assessment objectives that contractors must evaluate themselves against. The government has not yet published the final Level 1 control list.
The assessment is annual. It is a self-assessment, meaning no third-party assessor is involved, but that does not mean it is self-graded. The attestation carries legal weight: you are affirming to the Government of Canada that your organization meets these requirements. Treating it as a checkbox exercise creates real exposure if an incident reveals that the attested controls were not actually in place.
| Level 1 Scope | Details |
| --- | --- |
| Standard | ITSP.10.171 (aligned with NIST SP 800-171 Rev 3) |
| Requirements | ~13 expected (from approximately 6 of 17 control families) |
| Assessment objectives | ~71 expected |
| Assessment type | Annual self-assessment |
| Attestation method | Canada Buys contractor profile |
| Mandatory date | April 2026 for DND contracts |
| Applies to | Specified information (unclassified federal contractual information) |
The Expected Control Families and Requirements
Based on CPCSC's alignment with CMMC Level 1 and the NIST 800-171 lineage, Level 1 is expected to draw from six control families. These represent the minimum security domains that any organization handling government contractual information should have covered. The anticipated families align closely with the CMMC Level 1 practices derived from FAR 52.204-21, which makes sense given that both ITSP.10.171 and NIST 800-171 share the same lineage. The final control list has not been published by the government.
Access Control (AC)
Access control is the largest family at Level 1 and the one where organizations with informal practices tend to have the widest gaps.
| Req # | Requirement | What It Means in Practice |
| --- | --- | --- |
| AC-1 | Limit system access to authorized users, processes, and devices | Define who and what can access systems that process specified information. Document it. |
| AC-2 | Limit system access to authorized transaction and function types | Users should only access the functions they need. Role-based access, not blanket admin rights. |
| AC-3 | Control information posted or processed on publicly accessible systems | Ensure specified information cannot be exposed through public-facing services, websites, or repositories. |
| AC-4 | Control and manage the flow of information between systems | Establish boundaries between systems that handle specified information and those that do not. |
Identification and Authentication (IA)
| Req # | Requirement | What It Means in Practice |
| --- | --- | --- |
| IA-1 | Identify system users, processes, and devices | Every entity accessing systems that handle specified information must have a unique, traceable identity. |
| IA-2 | Verify the identities of users, processes, and devices | Authentication must match identities against something known, something possessed, or something inherent. Shared accounts are a red flag. |
Media Protection (MP)
| Req # | Requirement | What It Means in Practice |
| --- | --- | --- |
| MP-1 | Sanitize or destroy media containing specified information before disposal or reuse | Hard drives, USB devices, laptops, backup tapes: anything that held specified information must be wiped or destroyed before it leaves your control. |
Physical Protection (PE)
| Req # | Requirement | What It Means in Practice |
| --- | --- | --- |
| PE-1 | Limit physical access to systems, equipment, and operating environments | Servers, network equipment, and workstations handling specified information must be in controlled spaces. |
| PE-2 | Escort visitors and monitor visitor activity | Visitors to areas where specified information is processed or stored must be escorted and logged. |
System and Communications Protection (SC)
| Req # | Requirement | What It Means in Practice |
| --- | --- | --- |
| SC-1 | Monitor, control, and protect communications at external and key internal boundaries | Firewalls, network segmentation, and boundary monitoring between your environment and external networks. |
| SC-2 | Implement cryptographic mechanisms to protect the confidentiality of specified information during transmission | Encrypt data in transit. TLS for web traffic, encrypted VPN for remote access, encrypted email where applicable. |
System and Information Integrity (SI)
| Req # | Requirement | What It Means in Practice |
| --- | --- | --- |
| SI-1 | Identify, report, and correct system flaws in a timely manner | Patch management. You need a process for identifying vulnerabilities in your systems and applying fixes within a defensible timeframe. |
| SI-2 | Provide protection from malicious code | Anti-malware, endpoint detection, or equivalent protection on systems that process specified information. |
Breaking Down the Assessment Objectives
Each of the anticipated 13 requirements expands into multiple assessment objectives. These objectives are the actual questions you answer during the self-assessment. They break each requirement into its component parts to ensure the assessment is thorough rather than superficial.
For example, a single requirement like "limit system access to authorized users" expands into objectives that ask whether you have identified authorized users, whether access policies are documented, whether unauthorized access attempts are detected, and whether access rights are periodically reviewed.
Based on the expected requirements, the approximately 71 objectives would distribute across the 6 anticipated families roughly as follows:
| Control Family | Requirements | Approximate Assessment Objectives |
| --- | --- | --- |
| Access Control (AC) | 4 | ~25 |
| Identification and Authentication (IA) | 2 | ~12 |
| Media Protection (MP) | 1 | ~5 |
| Physical Protection (PE) | 2 | ~10 |
| System and Communications Protection (SC) | 2 | ~10 |
| System and Information Integrity (SI) | 2 | ~9 |
| Total | 13 | 71 |
Each objective follows a consistent pattern: determine whether [specific condition] is met. The self-assessment requires you to answer each one as either MET or NOT MET. There is no partial credit, no scoring curve, and no weighting. Every objective carries equal standing.
No Partial Credit
Each assessment objective is expected to be binary: MET or NOT MET. There is no scoring mechanism, no weighting by risk, and no minimum passing threshold. Every objective must be met before you can attest through Canada Buys.
Evidence: What You Need to Produce
The self-assessment is an attestation, not an audit. No one collects your evidence binder during Level 1. But the attestation is a legal declaration, and you should produce and retain evidence as if someone will ask for it, because in the event of an incident or a government review, they will.
For each of the expected requirements, evidence generally falls into three categories:
Policy and procedural documentation. Written policies that address the requirement. An access control policy, a media sanitization procedure, a patch management process. These do not need to be elaborate, but they need to exist, be current, and be followed.
Technical configuration evidence. Screenshots, configuration exports, or system reports that demonstrate the control is implemented. Firewall rules for boundary protection. MFA configuration for authentication. Encryption settings for data in transit. Endpoint protection deployment reports.
Operational records. Logs and records showing the control operates over time. Access review records, visitor logs, patch deployment records, media destruction certificates. This is where many organizations fall short: they implement the control but do not retain evidence that it runs continuously.
Access Control
Policy: Access control policy, user provisioning procedures. Technical: RBAC configuration, system access lists, public-facing system controls. Operational: Access reviews, provisioning/deprovisioning logs.
Identification and Authentication
Policy: Authentication policy. Technical: MFA configuration, unique account enforcement. Operational: Account audit records.
Media Protection
Policy: Media sanitization procedures. Technical: Sanitization tool configuration. Operational: Destruction certificates, sanitization logs.
Physical Protection
Policy: Physical security policy, visitor management procedures. Technical: Access control system configuration, camera placement. Operational: Visitor logs, access logs.
System and Communications Protection
Policy: Network security policy. Technical: Firewall rules, TLS/VPN configuration, network diagrams. Operational: Boundary monitoring logs.
System and Information Integrity
Policy: Patch management policy, anti-malware policy. Technical: Patching tool configuration, endpoint protection deployment. Operational: Patch compliance reports, malware scan results.
The Self-Assessment Process
The self-assessment is structured but not prescribed in its methodology. The Government of Canada will specify what you must assess (expected to be approximately 71 objectives) and how you must attest (through Canada Buys), but the internal process is yours to design. Here is a practical approach:
1. Scope your environment. Identify every system, network, and storage location that processes, stores, or transmits specified information received through DND contracts. This is your assessment boundary. Controls outside this boundary are irrelevant to the assessment; controls inside it must all be covered.
2. Map current state to requirements. For each of the expected requirements, document what you have in place today. Be honest. The goal is to understand your actual position, not to construct a narrative.
3. Evaluate each assessment objective. Work through all assessment objectives. For each one, determine whether the condition described is met in your environment. Document your rationale and the evidence that supports your determination.
4. Remediate gaps. Where objectives are not met, implement the missing control, update the policy, or fix the configuration. Then re-evaluate.
5. Compile your assessment record. Even though Level 1 does not require evidence submission, maintain an internal record of your assessment results, the evidence supporting each determination, and any remediation actions taken. This is your defensible position.
6. Attest through Canada Buys. Once all objectives are met, complete the attestation through your Canada Buys contractor profile.
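The binary MET / NOT MET rule and the assessment record from step 5 are easy to get wrong in a spreadsheet: an objective gets marked MET with nothing behind it, and the gap only surfaces when someone asks for the evidence. The following is an added example, not code from the original article or from the CPCSC program, of how an internal assessment record can enforce both rules: attestation readiness requires every objective to be MET, and every MET determination must carry a rationale and at least one evidence reference in one of the three evidence categories described above. The objective identifiers, families and evidence items are constructed placeholders; the final Level 1 objective list has not been published.

```python
"""Self-assessment record with the binary MET / NOT MET rule.

Added example (not from the original article or the CPCSC program).
Objective identifiers, conditions and evidence items are constructed
placeholders for whatever the published objective list will contain.
"""
from dataclasses import dataclass, field
from enum import Enum


class Determination(Enum):
    MET = "MET"
    NOT_MET = "NOT MET"


# The three evidence categories the article describes.
EVIDENCE_TYPES = {"policy", "technical", "operational"}


@dataclass
class Objective:
    objective_id: str               # constructed placeholder, e.g. "AC-1[a]"
    family: str                     # control family, e.g. "AC"
    condition: str                  # the "determine whether ... is met" text
    determination: Determination
    evidence: list = field(default_factory=list)  # (type, reference) tuples
    rationale: str = ""


def validate_objective(obj):
    """Return record problems for one objective.

    A MET determination must be backed by a written rationale and at
    least one evidence reference of a known type; otherwise the record
    is not defensible even if the control actually exists.
    """
    problems = []
    if obj.determination is Determination.MET:
        if not obj.rationale.strip():
            problems.append(f"{obj.objective_id}: MET without rationale")
        if not obj.evidence:
            problems.append(f"{obj.objective_id}: MET without evidence")
    for etype, ref in obj.evidence:
        if etype not in EVIDENCE_TYPES:
            problems.append(f"{obj.objective_id}: unknown evidence type {etype!r}")
        if not ref.strip():
            problems.append(f"{obj.objective_id}: empty evidence reference")
    return problems


def summarize(objectives):
    """Compile the assessment record.

    attest_ready is True only when every objective is MET and every MET
    determination is properly evidenced. There is no partial credit: a
    single NOT MET objective blocks attestation.
    """
    by_family, not_met, problems = {}, [], []
    for obj in objectives:
        fam = by_family.setdefault(obj.family, {"met": 0, "not_met": 0})
        if obj.determination is Determination.MET:
            fam["met"] += 1
        else:
            fam["not_met"] += 1
            not_met.append(obj.objective_id)
        problems.extend(validate_objective(obj))
    return {
        "by_family": by_family,
        "not_met": not_met,
        "problems": problems,
        "attest_ready": not not_met and not problems,
    }


# Constructed sample record (three objectives, not the real list).
SAMPLE = [
    Objective("AC-1[a]", "AC", "authorized users are identified",
              Determination.MET,
              [("policy", "Access Control Policy v2"),
               ("operational", "Q1 access review record")],
              "User list maintained in the IdP and reviewed quarterly."),
    Objective("IA-2[a]", "IA", "user identities are verified before access",
              Determination.MET,
              [("technical", "MFA enforcement export 2026-01")],
              ""),  # evidence present but no rationale: a record problem
    Objective("MP-1[a]", "MP", "media is sanitized before disposal or reuse",
              Determination.NOT_MET),
]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print("Attest ready:", result["attest_ready"])
    for problem in result["problems"]:
        print("Record problem:", problem)
    for oid in result["not_met"]:
        print("Gap to remediate:", oid)
```

Running it on the constructed sample reports that attestation is blocked for two different reasons: MP-1[a] is NOT MET, and IA-2[a] was marked MET without a recorded rationale. Both have to be cleared, and the record re-run, before the Canada Buys attestation is made.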
How to Attest Through Canada Buys
The attestation mechanism for Level 1 is the Canada Buys procurement platform, managed by Public Services and Procurement Canada (PSPC). The process works through your existing contractor profile:
- Log into your Canada Buys account (or register if you do not have one).
- Navigate to your contractor security profile.
- Complete the CPCSC Level 1 self-assessment attestation section.
- Affirm that your organization meets all applicable requirements across the assessment objectives.
- Submit the attestation.
The attestation is annual. You must renew it each year, which means the self-assessment is not a one-time exercise. Build it into your annual security review cycle.
A few practical notes on the attestation:
- The attestation is tied to your organization, not to specific contracts. Once attested, it applies to all DND procurements requiring Level 1.
- If your compliance status changes (a significant system change, a breach, a control failure), you are expected to reassess and update your attestation accordingly.
- The attestation is a declaration, not a certification. It carries the weight of a formal statement to the Government of Canada.
Common Gaps and How to Close Them
Across the expected requirements, certain gaps appear consistently in organizations that have not previously operated under a formal security framework. These are the areas where the self-assessment tends to surface problems:
Shared accounts and generic credentials. IA-1 and IA-2 require unique identification and proper authentication for all users. Shared admin accounts, generic service accounts without proper management, and systems that allow password-only access to sensitive environments are common findings.
How to close it: Implement unique accounts for all users. Deploy multi-factor authentication on systems that process specified information. Document and restrict service account usage.
No formal access reviews. AC-1 and AC-2 require that access is limited to authorized users and functions. Many organizations provision access when people join but have no process for reviewing or revoking it over time. Former employees, role changes, and accumulated permissions create exposure.
How to close it: Implement quarterly access reviews. Document the review process. Tie deprovisioning to your offboarding procedure.
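A quarterly access review is only as good as the comparison it performs. Here is an added example, not from the original article, of the review logic for the two gaps just described: it joins a constructed account export from an in-scope system against a constructed HR roster and flags generic or shared accounts, accounts without MFA (IA-1, IA-2), accounts belonging to former employees, idle accounts, and admin rights held outside the roles approved for them (AC-1, AC-2). Field names, the generic-name list, the approved service account list and the 90-day idle threshold are all assumptions to replace with your own exports and policy.

```python
"""Access review over constructed IdP and HR data (IA-1, IA-2, AC-1, AC-2).

Added example, not from the original article. All records, field names
and thresholds below are constructed placeholders.
"""
from datetime import date, timedelta

# Constructed HR roster: current employment status and role.
HR_ROSTER = {
    "jsmith": {"active": True, "role": "engineer"},
    "mlee": {"active": True, "role": "finance"},
    "rpatel": {"active": False, "role": "engineer"},   # has left the company
}

# Constructed account export from the in-scope system.
ACCOUNTS = [
    {"user": "jsmith", "mfa": True, "admin": False, "last_login": date(2026, 3, 20)},
    {"user": "mlee", "mfa": False, "admin": False, "last_login": date(2026, 3, 18)},
    {"user": "rpatel", "mfa": True, "admin": True, "last_login": date(2025, 11, 2)},
    {"user": "admin", "mfa": False, "admin": True, "last_login": date(2026, 3, 1)},
    {"user": "svc_backup", "mfa": False, "admin": False, "last_login": date(2026, 3, 21)},
]

# Assumptions: names that indicate a shared rather than personal account,
# the documented service accounts, roles allowed admin rights, idle limit.
GENERIC_NAMES = {"admin", "administrator", "root", "shared", "guest"}
APPROVED_SERVICE_ACCOUNTS = {"svc_backup"}
ADMIN_ROLES = {"engineer"}
STALE_AFTER = timedelta(days=90)


def review_accounts(accounts, roster, today):
    """Return (user, finding) pairs, in account-export order."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Service accounts are non-interactive; check they are documented,
        # then leave them to the service account review.
        if user.startswith("svc_"):
            if user not in APPROVED_SERVICE_ACCOUNTS:
                findings.append((user, "undocumented service account"))
            continue
        hr = roster.get(user)
        if user in GENERIC_NAMES:
            findings.append((user, "generic/shared account: replace with named accounts"))
        elif hr is None:
            findings.append((user, "no HR record: orphaned account"))
        elif not hr["active"]:
            findings.append((user, "former employee still has access: deprovision"))
        if not acct["mfa"]:
            findings.append((user, "MFA not enforced"))
        if today - acct["last_login"] > STALE_AFTER:
            findings.append((user, "no login in 90+ days: confirm still required"))
        if acct["admin"] and hr is not None and hr["role"] not in ADMIN_ROLES:
            findings.append((user, "admin rights outside approved roles"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, HR_ROSTER, date(2026, 3, 25)):
        print(f"{user:12} {finding}")
```

The output of each run, together with the tickets raised to fix the findings, is exactly the operational evidence the Access Control and Identification and Authentication sections above ask for.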
No media sanitization process. MP-1 catches organizations that dispose of hardware without documented sanitization. Old laptops donated, hard drives discarded, backup media reused without wiping.
How to close it: Establish a media sanitization procedure. Use approved sanitization methods (NIST SP 800-88 guidelines apply). Retain destruction certificates.
Physical access not controlled or logged. PE-1 and PE-2 are straightforward, but organizations in shared office spaces or co-working environments often cannot demonstrate that physical access to systems is restricted and that visitors are escorted.
How to close it: If you operate in a shared space, ensure server and network equipment is in a locked area with controlled access. Implement a visitor log. If cloud-only, document your physical security posture (the cloud provider's controls may satisfy this, but you need to document the rationale).
Patching without a documented process. SI-1 requires timely flaw remediation. Many organizations patch, but without a documented process, a defined timeframe, or compliance reporting. Applying updates when you notice them does not satisfy the assessment objective.
How to close it: Define patching cadence by severity level. Implement a patching tool or process that produces compliance reports. Document your remediation timeframes.
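"Patching when you notice it" fails the objective precisely because there is no defined timeframe to measure against. As an added example (not from the original article), the code below turns a severity-based cadence into the compliance report SI-1 asks for: each finding is classified against the remediation window for its severity, whether it is already closed or still open, so overdue items and late closures are visible rather than buried in a patching tool's dashboard. The windows in SLA_DAYS and the finding records are constructed; replace the windows with the cadence your patch management policy actually defines.

```python
"""Patch compliance report for SI-1: flaw remediation within a defined window.

Added example, not from the original article. SLA windows and findings
are constructed placeholders.
"""
from datetime import date, timedelta

# Constructed remediation windows, in days from discovery, by severity.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed findings export: one record per flaw, open or closed.
FINDINGS = [
    {"id": "F-001", "host": "web01", "severity": "critical",
     "discovered": date(2026, 3, 1), "remediated": date(2026, 3, 5)},
    {"id": "F-002", "host": "db01", "severity": "high",
     "discovered": date(2026, 3, 1), "remediated": None},
    {"id": "F-003", "host": "ws17", "severity": "medium",
     "discovered": date(2026, 2, 1), "remediated": date(2026, 3, 10)},
    {"id": "F-004", "host": "web01", "severity": "low",
     "discovered": date(2026, 1, 10), "remediated": None},
]

STATUSES = ("on_time", "late", "open_within_sla", "overdue")


def due_date(finding):
    """Deadline implied by the policy window for this finding's severity."""
    return finding["discovered"] + timedelta(days=SLA_DAYS[finding["severity"]])


def classify(finding, today):
    """Closed findings are on_time or late; open ones are within SLA or overdue."""
    due = due_date(finding)
    if finding["remediated"] is not None:
        return "on_time" if finding["remediated"] <= due else "late"
    return "open_within_sla" if today <= due else "overdue"


def compliance_report(findings, today):
    """Per-severity status counts, overdue ids, and the share of findings
    that are either closed on time or still inside their window."""
    report = {sev: dict.fromkeys(STATUSES, 0) for sev in SLA_DAYS}
    overdue_ids = []
    for f in findings:
        status = classify(f, today)
        report[f["severity"]][status] += 1
        if status == "overdue":
            overdue_ids.append(f["id"])
    compliant = sum(r["on_time"] + r["open_within_sla"] for r in report.values())
    report["overdue_ids"] = overdue_ids
    report["compliance_rate"] = compliant / len(findings) if findings else 1.0
    return report


if __name__ == "__main__":
    rep = compliance_report(FINDINGS, date(2026, 3, 25))
    for sev in SLA_DAYS:
        print(sev, rep[sev])
    print("overdue:", rep["overdue_ids"], "rate:", rep["compliance_rate"])
```

A report like this, generated on a fixed schedule and retained, is the operational record for SI-1; the policy that sets SLA_DAYS is the corresponding policy evidence.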
Missing encryption in transit. SC-2 requires cryptographic protection for specified information during transmission. Internal traffic between systems that handle this data is often unencrypted, especially in legacy environments.
How to close it: Enforce TLS 1.2+ for all web traffic. Use encrypted VPN for remote access. Review internal communications between systems in scope and encrypt where specified information flows.
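The review of internal communications is easiest to do, and to evidence, against the data-flow inventory produced when you scoped your environment in step 1. The following added example (not from the original article) runs the SC-2 check over a constructed inventory: any flow that carries specified information is flagged if it is unencrypted or if its configuration still permits a TLS version below 1.2, while flows that carry no specified information are recorded as out of scope for SC-2 with the reason preserved. The flow records, protocol names and the specified_info flag are constructed; in practice they come from your scoping notes and configuration exports.

```python
"""Encryption-in-transit review (SC-2) over a constructed data-flow inventory.

Added example, not from the original article. Flows, protocol names and
the specified_info flag are constructed placeholders.
"""

# Minimum acceptable TLS version per the guidance above: TLS 1.2 or higher.
MIN_TLS = (1, 2)

# Constructed inventory of flows between in-scope systems. tls_min is the
# lowest protocol version the endpoint is configured to accept, or None for
# non-TLS transports.
FLOWS = [
    {"src": "laptop-fleet", "dst": "vpn-gw", "protocol": "ipsec",
     "specified_info": True, "encrypted": True, "tls_min": None},
    {"src": "web01", "dst": "internet", "protocol": "https",
     "specified_info": True, "encrypted": True, "tls_min": (1, 0)},   # still accepts TLS 1.0
    {"src": "app01", "dst": "db01", "protocol": "postgres",
     "specified_info": True, "encrypted": False, "tls_min": None},    # legacy cleartext link
    {"src": "app01", "dst": "smtp-relay", "protocol": "smtp",
     "specified_info": False, "encrypted": False, "tls_min": None},   # no specified info
    {"src": "ws17", "dst": "fileshare", "protocol": "smb3",
     "specified_info": True, "encrypted": True, "tls_min": None},
]


def flow_label(flow):
    return f"{flow['src']} -> {flow['dst']} ({flow['protocol']})"


def review_flows(flows, min_tls=MIN_TLS):
    """Return (findings, out_of_scope).

    findings: (label, reason) for flows of specified information that are
    cleartext or negotiate below min_tls. out_of_scope: labels of flows
    that carry no specified information, kept so the scoping decision is
    itself on record.
    """
    findings, out_of_scope = [], []
    for flow in flows:
        label = flow_label(flow)
        if not flow["specified_info"]:
            out_of_scope.append(label)
            continue
        if not flow["encrypted"]:
            findings.append((label, "specified information sent in cleartext"))
        elif flow["tls_min"] is not None and flow["tls_min"] < min_tls:
            low = ".".join(str(part) for part in flow["tls_min"])
            findings.append((label, f"accepts TLS {low}; require TLS 1.2 or higher"))
    return findings, out_of_scope


if __name__ == "__main__":
    found, skipped = review_flows(FLOWS)
    for label, reason in found:
        print("FINDING ", label, "-", reason)
    for label in skipped:
        print("OUT OF SCOPE", label)
```

The two findings on the constructed inventory are the two situations the text calls out: a public web endpoint that still negotiates an old TLS version, and an internal database link that was never encrypted because it was "internal". The out-of-scope list is worth keeping as well; it documents why SC-2 was not applied to a given flow, which is the kind of rationale the evidence section above asks you to retain.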
Existing Frameworks Help
Organizations with SOC 2, ISO 27001, or CMMC controls already in place will find significant overlap with CPCSC Level 1. The expected requirements map closely to controls you may already have documented and operating. The gap analysis becomes a mapping exercise rather than a build-from-scratch effort.
Level 1 Readiness Checklist
Use this checklist to track your readiness across the expected requirements before completing your Canada Buys attestation.
Access Control
- Authorized users, processes, and devices are identified and documented
- System access is limited to authorized transaction and function types (RBAC or equivalent)
- Information on publicly accessible systems is reviewed and controlled
- Information flow between systems is controlled and documented
Identification and Authentication
- All users, processes, and devices are uniquely identified
- Authentication mechanisms verify identities (MFA deployed where applicable)
Media Protection
- Media sanitization or destruction procedures are documented
- Sanitization records and destruction certificates are retained
Physical Protection
- Physical access to systems and equipment is limited to authorized personnel
- Visitor escort and monitoring procedures are in place and followed
System and Communications Protection
- Communications at system boundaries are monitored and protected
- Encryption protects specified information in transit
System and Information Integrity
- Flaw remediation process is documented and operating (patch management)
- Malicious code protection is deployed on systems processing specified information
Assessment and Attestation
- All assessment objectives have been evaluated
- Evidence is documented and retained for each requirement
- Gaps have been remediated
- Canada Buys attestation is complete
Building Beyond Level 1
Level 1 is the entry point, not the destination. The expected requirements represent the minimum security posture for handling unclassified government data. Companies that already hold DND contracts involving Controlled Information will need Level 2 certification by April 2027, which expands the scope to 97 controls across all 17 ITSP.10.171 families and requires third-party assessment by an SCC-accredited certification body.
The practical advice: treat Level 1 as the foundation of a broader security program, not as an isolated compliance exercise. Organizations that build an effective security program now, with proper policies, technical controls, and operational evidence, will find Level 2 preparation is an extension of work already done rather than a rebuild. That is the difference between a compliance project and a security program that produces compliance as a byproduct.
For a detailed walkthrough of your organization's readiness, including gap analysis across all ITSP.10.171 control families, Truvo's CPCSC compliance services cover both Level 1 preparation and the full Level 2 certification journey.
Frequently Asked Questions
What are the expected CPCSC Level 1 requirements?
The government has not yet published the final Level 1 control list, but based on the program's alignment with CMMC Level 1 and NIST 800-171 Rev 3, industry analysts expect approximately 13 requirements drawn from 6 of the 17 ITSP.10.171 control families: Access Control (4 requirements covering authorized access, function-level access, public information controls, and information flow), Identification and Authentication (2 requirements for unique identification and identity verification), Media Protection (1 requirement for media sanitization), Physical Protection (2 requirements for physical access and visitor management), System and Communications Protection (2 requirements for boundary protection and encryption in transit), and System and Information Integrity (2 requirements for flaw remediation and malware protection).
How long does the Level 1 self-assessment take?
The assessment itself can be completed in days, but preparation is the real variable. Organizations with existing security frameworks, such as SOC 2 or ISO 27001, often find that their current controls satisfy many of the expected assessment objectives with minimal additional documentation. Organizations starting without formal security practices should expect several weeks to months of preparation to implement missing controls, draft policies, and produce defensible evidence.
What happens if a Level 1 assessment objective is not met?
There is no partial compliance mechanism. All assessment objectives must be met before you can attest through Canada Buys. If an objective is not met, the gap must be remediated before attestation. Attesting while knowing that objectives are unmet carries legal risk, as the attestation is a formal declaration to the Government of Canada.
Is Level 1 self-assessment the same as CMMC Level 1?
The structure is similar. Both CPCSC Level 1 and CMMC Level 1 are self-assessments focused on basic safeguarding practices, and both trace back to NIST 800-171. The specific requirements overlap significantly because ITSP.10.171 is aligned with NIST SP 800-171 Revision 3. However, the programs have no mutual recognition, so completing one does not satisfy the other. Companies subject to both must attest separately.
Do I need to submit evidence for Level 1?
No. Level 1 is a self-assessment with attestation through Canada Buys. You do not submit an evidence package. However, you should produce and retain evidence internally. The attestation is a legal declaration, and in the event of a security incident, a government review, or a transition to Level 2, you will need to demonstrate that your self-assessment was thorough and accurate.
This is the second post in our CPCSC series. For help preparing your Level 1 self-assessment or planning your path to Level 2, reach out to our team.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.