Get the guide
Nelson Ford, founder and principal consultant of Pilotcore

Built by Nelson Ford, CMMC CCP and CISSP

Pilotcore

Get the CPCSC Level 1 guide for supplier self-assessment planning

Request Pilotcore's practical guide for sorting scope, the 13 published Level 1 controls, and the evidence records you may need before CPCSC appears in a contract, supplier questionnaire, or renewal discussion.

A scope map, 13-control planning list, and evidence checklist
Plain-language prompts for accounts, devices, MFA, patching, media, and access
Notes on self-assessment proof timing, expiry, and evidence retention
A clear guardrail: readiness planning, not certification advice
Pilotcore CPCSC Level 1 readiness guide book cover

This is not official government guidance. It is readiness planning, not legal advice, certification advice, or an assessor opinion.

Get the CPCSC guide by email

We will email the scope, controls, and evidence planning guide.

Enter your work email and we'll send the guide link.

By submitting, you agree to our Terms of Service and Privacy Policy.

Your information is encrypted and protected

We respect your privacy. Unsubscribe anytime.

Built for suppliers that want a planning aid before CPCSC language appears in a DND or PSPC opportunity.

See what's inside the guide below.

Audience

Who should download this guide?

This guide is for organisations that:

  • Need a fast way to organize CPCSC Level 1 scope before a supplier questionnaire, bid, renewal, or prime-contractor request.
  • Handle or may handle federal Specified Information on supplier systems.
  • Need a plain-English view of the 13 published Level 1 controls before self-assessment planning.
  • Want an evidence list you can compare against MFA, managed devices, patching, logging, access review, and vendor-access practices.

If you are unsure whether CPCSC applies to your organisation, the guide can help you ask the right scoping questions.

What you'll get

Inside the guide.

The guide gives you a short planning path. The public reference page carries the fuller explanation.

  • Scope map.

    A short worksheet for identifying systems, users, devices, vendors, remote access, facilities, and processes that may store, process, or transmit Specified Information.

  • Level 1 planning list.

    The 13 published CPCSC Level 1 controls grouped into the six Level 1 families, with short implementation prompts so your team can spot the obvious gaps.

  • Evidence checklist.

    Examples of the records worth collecting before an attestation cycle: account lists, device lists, access review notes, MFA screenshots, patch records, media disposal notes, visitor logs, and firewall settings.

Guardrail

Practical planning, not an official assessment.

This page and the guide are not official government guidance. They are Pilotcore readiness planning, not legal advice, certification advice, or an assessor opinion.

Use the guide alongside current Government of Canada Level 1 requirements, scoping guidance, Level 1 criteria, CanadaBuys self-attestation instructions, and your contract language.

Send me the Level 1 guide

Readiness consulting

Want help applying the guide to your environment?

If CPCSC is tied to an active opportunity, renewal, or supplier questionnaire, Pilotcore can help translate the guide into a practical readiness plan for your systems, team, and timeline.

  • scope and applicability review
  • ITSP.10.171 gap analysis
  • remediation roadmap
  • evidence planning notes
  • technical control recommendations
  • control and evidence review before self-attestation or assessment
Book a CPCSC readiness review Explore CPCSC readiness consulting

Comparing programs? Read CPCSC vs CMMC.

Frequently asked

CPCSC Level 1 questions.

What is CPCSC Level 1?

CPCSC Level 1 is the entry-level readiness tier for organisations in scope of designated Canadian defence procurement requirements. It focuses on baseline cybersecurity practices and self-assessment expectations based on current program guidance.

Who needs CPCSC Level 1?

Organisations that bid on or support certain DND/PSPC defence contracts may need CPCSC Level 1 readiness, including subcontractors and suppliers that handle federal Specified Information. That can include non-public contract details with DND, controlled goods information, and protected information. Always confirm against the specific solicitation language.

Is this guide official government guidance?

No. This is not official government guidance. It is Pilotcore readiness planning, not legal advice, certification advice, or an assessor opinion. Use it alongside current Government of Canada, PSPC, Canadian Centre for Cyber Security, and solicitation-specific guidance.

Can Pilotcore certify my company for CPCSC?

No. The guide and Pilotcore services are readiness support only. CPCSC is still rolling out; Level 1 uses self-assessment when required by contract, and future higher-level assessments stay with accredited bodies or third-party assessors. Pilotcore can help prepare the scope, controls, documentation, and evidence before that step.

Can CMMC, SOC 2, ISO 27001, or NIST 800-171 work help with CPCSC?

Often, yes. Existing controls and documentation can reduce the effort, but they still need to be mapped to CPCSC and ITSP.10.171 expectations and the actual contract scope.