CPCSC Scorecard

Ready for CPCSC Level 1 Self-Attestation?

Starting April 2026, companies bidding on DND contracts need CPCSC Level 1 certification. This scorecard measures your readiness across the 6 ITSP.10.171 control families required for self-attestation.

Start the Scorecard
Under 5 minutes 16 questions Full report by email
Ali Aleali

Ali Aleali, CISSP, CCSP

Co-Founder & Principal Consultant

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.

Connect on LinkedIn

April 2026 Deadline: CPCSC Level 1 self-attestation becomes mandatory for DND contract eligibility. Level 2 third-party certification follows in April 2027.

Scored Across 6 ITSP.10.171 Control Families

The control families expected to form the Level 1 self-attestation, based on the program's alignment with CMMC and NIST 800-171 Rev 3.

AC

Access Control

User permissions, least privilege, remote access, session management. Who can access controlled information and how.

IA

Identification & Authentication

MFA, password policies, authenticator management, device identification. Proving users and systems are who they claim.

MP

Media Protection

Media access, marking, storage, transport, sanitization. How controlled information on physical and digital media is handled.

PE

Physical Protection

Facility access, visitor management, monitoring, restricted zones. The controls commercial companies most often lack.

SC

System & Communications

Encryption in transit and at rest, boundary protection, network segmentation. Protecting data wherever it moves or sits.

SI

System & Information Integrity

Vulnerability scanning, patching, malware protection, system monitoring. Keeping systems clean, current, and observable.

How It Works

1

Answer 16 Questions

Practical questions mapped to the 6 ITSP.10.171 control families required for Level 1. No trick questions, just honest assessment.

2

Get Your Score

See your overall readiness tier and which control families are strong and which have gaps that would prevent confident attestation.

3

Receive Your Report

A detailed report with control family breakdowns and prioritized remediation steps lands in your inbox. Actionable, not theoretical.

"CPCSC Level 1 is expected to cover a subset of ITSP.10.171 controls focused on basic cyber hygiene. This scorecard measures whether your security program satisfies the anticipated requirements across the 6 control families that industry analysts expect to be in scope."

- Ali Aleali, CISSP, CCSP

Ready? Start Your Scorecard

16 questions. Under 5 minutes. Results you can act on before April.

Rather talk to a human?

If you already know where you stand and want help closing gaps before the April deadline, we're here.

Book a Strategy Call