CPCSC Level 1 Requirements
CPCSC Level 1 is the foundational tier of the Canadian Program for Cyber Security Certification. It applies to Canadian defense contractors that handle controlled information as part of their contracts. Meeting Level 1 is required to bid on and keep many defense contracts.
What CPCSC Level 1 Requires
- Access control — limit who can access systems and data to authorized users only.
- Multi-factor authentication (MFA) — required for all accounts touching controlled information.
- Logging and monitoring — capture system activity so it can be reviewed when something goes wrong.
- Incident response — a documented plan for detecting, reporting, and handling security events.
- Security awareness training — staff must be trained on basic security and their responsibilities.
- System updates and protection — keep systems patched, run endpoint protection, and remove known vulnerabilities.
- Documented policies — written policies and procedures for the controls above.
- Defined scope — a clear list of the systems, locations, and people that handle controlled information.
What Assessors or Program Reviewers Will Check
Assessors or program reviewers may request:
- Documented policies covering each required control.
- Evidence that MFA is enforced on every in-scope account.
- System activity logs showing what is being captured and reviewed.
- Incident response documentation, including a tested plan and contact list.
- Training records showing who was trained, when, and on what.
- A defined system scope describing where controlled information lives and moves.
Common CPCSC Level 1 Failure Points
- No defined scope — contractors cannot show which systems are in or out.
- Missing or informal documentation — controls exist in practice but are not written down.
- Lack of evidence — no logs, screenshots, or records to prove a control is in place.
- Weak logging — events are not captured, retained, or reviewed.
- Poor access control — shared accounts, no MFA, or stale user permissions.
What Happens If You Don't Meet Requirements
Falling short of CPCSC Level 1 has direct contracting consequences. Expect delays in contract approval while gaps are documented. You will likely be required to remediate findings before any award is finalized, and open audit findings can block your progress through procurement until they are resolved and verified.
Frequently Asked Questions
What is CPCSC Level 1?
The foundational tier of the Canadian Program for Cyber Security Certification, covering the basic cybersecurity practices contractors must implement when handling controlled information.
Who needs CPCSC certification?
Canadian defense contractors and subcontractors handling controlled information for Department of National Defence contracts.
What happens if you fail a CPCSC audit?
Contract approval is delayed or blocked, and you must remediate all findings before an award.
How long does it take to prepare?
Most small contractors need 4 to 12 weeks to close common gaps.