CPCSC compliance consulting

Know what CPCSC will ask of you.

Scope the contract, map Specified Information, and prepare evidence before a DND, PSPC, or prime-contract CPCSC requirement puts certification work on the clock.

CPCSC, the Canadian Program for Cyber Security Certification, is contract-dependent. Pilotcore prepares the evidence path for ITSP.10.171 requirements, Level 1 self-assessment, the 13 controls, and Level 2 assessment preparation.

Get the Level 1 guide

Founder-led by Nelson Ford, CMMC CCP and CISSP. 30-minute call. No obligation.

Walk away with

The pieces that make CPCSC work easier to defend.

A scope you can defend

What is in and out of CPCSC for contract-designated Specified Information before remediation spend.

A ranked ITSP.10.171 gap list

Level 1 self-assessment and Level 2 assessment-preparation gaps separated from lower-priority cleanup.

Evidence your team can maintain

Policies, records, diagrams, and proof points aligned to CPCSC requirements and the 13 Level 1 controls.

Founder-led preparation

A clearer path before assessment pressure.

CPCSC preparation should leave your team able to explain scope, controls, documents, and evidence. Formal assessment decisions sit with the formal certification process. Pilotcore stays on the preparation side so your team is ready to explain the work.

Nelson Ford

Founder and principal consultant. CPCSC preparation support for technical teams that need practical implementation and evidence they can maintain.

CMMC CCP, CISSP, Cloud expertise

Sequence

Move from contract trigger to evidence without guessing.

The work starts with scope. Then controls, documents, and evidence become easier to sequence.

  1. Applicability and scope: Map the CPCSC clause, DND, PSPC, or prime-contract trigger, Specified Information path, systems, users, suppliers, and supporting records.
  2. ITSP.10.171 gap report: Compare the current environment against CPCSC requirements, including Level 1 self-assessment controls and Level 2 assessment-preparation needs.
  3. Implementation and evidence: Sequence technical controls, policies, diagrams, owner review, and evidence records your team can maintain.
  4. Assessment preparation: Check whether the story in your documents matches the controls and evidence that exist. Pilotcore prepares; assessment decisions stay with the applicable program body or accredited certification body.

Level comparison

Level 1 and Level 2 are different planning problems.

The right path depends on contract language, information type, supplier role, and current control maturity.

| Area | Level 1 | Level 2 |
|---|---|---|
| Typical use case | Baseline cyber hygiene for suppliers in scope of designated defence contracts. | More rigorous protection for organisations handling higher-risk or more sensitive contractual information. |
| Assessment model | Annual self-assessment under current Government of Canada guidance. | Triannual external cyber security assessment led by an accredited certification body, plus annual affirmation. |
| Compliance planning focus | Scope, baseline controls, policies, evidence, and attestation records. | 98-control assessment preparation, deeper evidence, compliance remediation planning, and annual affirmation planning. |
| Common blockers | Unclear scope, missing policies, incomplete MFA or access controls, weak evidence trail. | Complex environments, inherited cloud responsibilities, supplier flowdown, and technical measures where the contract scope or control mapping requires them. |
| How Pilotcore helps | Gap review, control mapping, documentation, evidence checklist, and technical remediation plan. | Compliance roadmap, technical implementation guidance, evidence preparation, and control review. |

Timeline

Timelines vary by scope and maturity. The right sequence depends on how much evidence already exists and how fast your team can access it.

  • 1-2 weeks: Initial scope review and gap analysis for a focused environment.
  • 2-6 weeks: Level 1 self-assessment preparation for a smaller team with mature Microsoft 365 or cloud controls and limited documentation gaps.
  • 6-12+ weeks: Larger environments, missing policies, weak identity controls, unclear asset scope, or deeper technical remediation.
  • Longer roadmap: Level 2 assessment preparation, complex supplier chains, multi-site environments, or heavy cloud and on-premises integration.

Cost factors

We can give you a scoped estimate based on your baseline and contract scope before you start.

  • Number of users, devices, systems, and locations
  • Whether cloud, Microsoft 365, endpoint, backup, and logging controls are already mature
  • Existing SOC 2, ISO 27001, CMMC, NIST 800-171, or security-program documentation
  • Clarity of in-scope data, systems, and subcontractor responsibilities
  • Amount of missing policy and procedure documentation
  • Whether your team needs advisory support only or hands-on technical implementation
  • Level 1 self-assessment versus Level 2 preparation

Deliverables

  • CPCSC applicability and scope notes
  • ITSP.10.171 control gap report
  • Prioritised remediation roadmap
  • Evidence checklist and evidence tracker
  • Policy and procedure recommendations
  • System and security-boundary diagram recommendations
  • Cloud, endpoint, logging, and backup control recommendations
  • Executive summary for leadership or bid-no-bid planning
  • Control and evidence review notes for self-assessment or assessor review
  • Next-step plan for Level 1 self-attestation or Level 2 preparation

Guide

Get the CPCSC Level 1 guide.

Use this if you want a narrower starting point before a CPCSC compliance call. We will email the guide link to the address you enter. We can give you a scoped estimate based on your baseline and contract scope before you start.

If you already know you need the broader service, use the CPCSC call above or below.

Common buyer questions

Frequently asked questions about CPCSC compliance

Short answers for supplier teams checking fit before a guide request or CPCSC compliance call.

What is CPCSC Level 1 and who needs it?

CPCSC (Canadian Program for Cyber Security Certification) Level 1 applies when a Canadian defence procurement requires it and the supplier handles contract-designated specified information below the classified level on supplier systems, networks, or applications. Level 1 uses 13 requirements from ITSP.10.171 and is an annual self-assessment. Government guidance says Level 1 became available in April 2026 and may appear in select defence contracts as early as summer 2026. Always confirm the clause and scope in the solicitation.

How long does CPCSC compliance planning usually take?

Timelines vary by scope, current security maturity, documentation quality, and how quickly your team can gather evidence. A focused scope review can take 1-2 weeks. Remediation can take 2-12+ weeks depending on identity, endpoint, cloud, and policy gaps.

What affects CPCSC compliance cost?

Cost changes with the number of systems, users, and locations in scope, the size of the ITSP.10.171 gap, and whether your team wants advisory support or hands-on implementation help. We can give you a scoped estimate based on your baseline and contract scope before you start.

Can my team handle CPCSC itself?

Yes, if you have security expertise, ITSP.10.171 familiarity, engineering capacity, and a disciplined evidence process. Many smaller suppliers still use support because scope, cloud responsibilities, supplier boundaries, and evidence ownership can be hard to prove under time pressure.

How does CPCSC differ from CMMC?

CPCSC applies when Canadian defence procurement requires it. CMMC applies to US DoD contracts. CPCSC centers on federal Specified Information and ITSP.10.171. CMMC centers on FCI, CUI, FAR 52.204-21, NIST SP 800-171, and the CMMC model.

Next step

Ready to pressure-test your CPCSC plan?

Book a 30-minute call to discuss scope, timeline, evidence, and whether you need a full engagement, a narrow remediation sprint, documentation cleanup, or no consultant yet.

Founder-led by Nelson Ford, CMMC CCP and CISSP. No obligation.