How many controls does CPCSC Level 1 require?

CPCSC Level 1 requires 13 self-assessed controls drawn from ITSP.10.171 across 6 families: Access Control (4 controls), Identification and Authentication (3 controls), Media Protection (1 control), Physical Protection (2 controls), System and Communications Protection (1 control), and System and Information Integrity (2 controls).

What are the 13 CPCSC Level 1 control IDs?

The 13 controls use ITSP.10.171 numbering: AC 03.01.01, 03.01.02, 03.01.20, 03.01.22; IA 03.05.01, 03.05.02, 03.05.03; MP 03.08.03; PE 03.10.01, 03.10.07; SC 03.13.01; SI 03.14.01, 03.14.02.

Is Level 1 a self-assessment or third-party assessment?

Level 1 is a self-assessment. A company representative attests that the 13 controls are implemented. No third-party assessor is required for Level 1. Level 2 and Level 3 require third-party assessment by accredited CPCSC assessors.

When is CPCSC Level 1 required?

Phase 2 of CPCSC begins April 2026. From that date, CPCSC Level 1 self-assessment is mandatory for new contracts awarded by the Canadian Department of National Defence.

What evidence do I need for each Level 1 control?

Each control requires artifacts that demonstrate the control is implemented and operating. Typical evidence includes screenshots of configurations, written policies, access control lists, training records, incident response logs, and system diagrams. Solymus generates a cryptographic receipt for each piece of evidence you upload, binding it to the specific ITSP.10.171 control ID.

CPCSC Level 1 Checklist: 13 Controls You Must Implement by April 2026

Overview: CPCSC Level 1 Certification

CPCSC Level 1 is a self-assessment of 13 core security controls across 6 control families. It is mandatory at contract award starting April 2026. Every DND defence prime must verify that all contractors meet Level 1 readiness before awarding contracts.

Key Facts:

13 controls in 6 families (Access Control, Identification & Authentication, Media Protection, Physical Protection, System Protection, System Integrity)
Self-assessment model — you assess your own controls, no external auditor required
Evidence-based — you must collect and document proof that each control is implemented
Mandatory — all defence suppliers must meet Level 1 by April 2026
Tamper-evident — Solymus cryptographically verifies your evidence so assessors trust it

The 13 Level 1 Controls

Access Control (AC)

4 controls — Who can access your systems and data

AC-03.01.01

Account Management

Access Control

Enforce authorisation policies for creating, enabling, and disabling accounts. Only authorised personnel can create accounts.

Example Evidence: Account creation policy, user access review logs, deactivation procedures

AC-03.01.02

Access Enforcement

Access Control

Enforce approved authorizations for logical and physical access. Systems must deny access by default.

Example Evidence: Access control lists (ACLs), permission matrix, system logs showing enforced denials

AC-03.01.20

Use of External Systems

Access Control

Restrict or prohibit the use of external systems (removable media, mobile devices, personal computers). If allowed, enforce controls.

Example Evidence: External system policy, device management logs, USB restrictions

AC-03.01.22

Publicly Accessible Content

Access Control

Manage information posted on public-facing websites. Only approved content is published; no controlled information is exposed.

Example Evidence: Content review process, approval logs, web server configurations

Identification & Authentication (IA)

3 controls — Proving who you are

IA-03.05.01

Identification

Identification & Auth

Systems must uniquely identify each user. No shared accounts. Every action is traceable to an individual.

Example Evidence: Active Directory users, user account policies, audit logs showing individual IDs

IA-03.05.02

Authentication

Identification & Auth

Systems must authenticate user identity before granting access. Multi-factor authentication (MFA) is strongly recommended.

Example Evidence: MFA implementation, password policies, authentication logs, 2FA verification

IA-03.05.03

Authenticator Management

Identification & Auth

Passwords and authentication credentials must meet complexity requirements. Protect against reuse. Reset regularly.

Example Evidence: Password policy (minimum length, complexity), expiration settings, rotation logs

Media Protection (MP)

1 control — Protecting physical storage

MP-03.08.03

Media Sanitization

Media Protection

When disposing of storage media (hard drives, USB sticks, paper), data must be irreversibly destroyed. Shredding, incineration, or cryptographic overwriting.

Example Evidence: Media destruction policy, certificates of destruction, disposal vendor contracts

Physical Protection (PE)

2 controls — Protecting physical infrastructure

PE-03.10.01

Physical Access Authorizations

Physical Protection

Access to physical facilities (data centres, server rooms, offices) is restricted to authorised personnel only. Badges, alarms, locked doors.

Example Evidence: Badge access system logs, door lock audits, physical security policy, visitor logs

PE-03.10.07

Alternate Work Sites

Physical Protection

When employees work remotely, the same access controls apply. Home offices must be secure. Data must not be left visible on desks.

Example Evidence: Remote work policy, VPN requirements, encryption enforcement, device management logs

System & Communications Protection (SC)

1 control — Network security

SC-03.13.01

Boundary Protection

System Protection

Monitor and control network traffic at the boundary. Firewalls, intrusion detection, network segmentation. Only approved traffic enters/exits.

Example Evidence: Firewall rules, IDS/IPS logs, network diagrams, security zone definitions

System & Information Integrity (SI)

2 controls — Protecting against malware and flaws

SI-03.14.01

Flaw Remediation

System Integrity

Identify security vulnerabilities (patches, updates, fixes) and apply them promptly. Document and track patching schedules.

Example Evidence: Patch management policy, update logs, vulnerability scanner results, compliance reports

SI-03.14.02

Malicious Code Protection

System Integrity

Deploy anti-malware tools on all systems. Scan for viruses, ransomware, spyware. Keep definitions current.

Example Evidence: Antivirus deployment, definition update logs, scan reports, endpoint protection console logs

What Evidence Do You Need?

For each of the 13 controls, you need to collect evidence proving that the control is implemented. Evidence is not a document certifying compliance. Evidence is the actual artifact showing that the control works.

Examples of good evidence:

📋

Policies & Procedures

Written policies describing how the control is implemented

📊

Audit Logs

System logs showing the control in action (authentication, access denials, patches applied)

🔐

Configuration Exports

System configuration files (firewall rules, password policies, encryption settings)

🎫

Certificates & Reports

Security scan results, penetration test reports, vendor attestations

💼

Business Records

Contracts, SLAs, vendor assessments, maintenance records

✅

Test Results

Results from security tests, vulnerability scans, compliance checks

Bad Evidence

A self-signed document saying "We comply with AC-03.01.01" is NOT evidence. Assessors will reject it. Good evidence is:

Generated by the actual systems in use (logs, exports, scan results)
Time-stamped and verifiable
Shows the control working, not a promise that it works
Not forged or easily fabricated

This is why Solymus uses cryptographic verification—evidence is tamper-evident and auditors trust it immediately.

How to Implement CPCSC Level 1: 6-Step Guide

Assess Your Current State

For each of the 13 controls, determine: Do we meet this control? What do we have? What are we missing?

Close Gaps

For controls you don't meet, implement the needed security tools. Examples: enable MFA, deploy antivirus, configure firewall, enforce password policies.

Document Policies

Write or update policies for each control family. Example: "Password Policy," "Access Control Policy," "Media Destruction Procedure."

Collect Evidence

Export logs, configuration files, and test results. Gather audit trails, system screenshots, scan reports. Store them securely.

Upload to Solymus

Use Solymus to upload evidence. The platform automatically maps evidence to controls and generates cryptographic receipts.

Export Your Compliance Package

Download your CPCSC Level 1 compliance package with evidence index, control mappings, and verification URLs ready for auditors.

Timeline: When to Start

You don't have time to waste. CPCSC Level 1 is mandatory in April 2026. That is approximately 12 months away. Here is a recommended timeline:

Now (March 2026): Start gap assessment. Identify which controls you meet and which need work.
April–June 2026: Implement missing controls. Deploy MFA, firewall updates, antivirus, encryption. Document policies.
July–August 2026: Collect evidence. Export logs and configurations. Run security tests and scans.
September–November 2026: Upload evidence to Solymus. Review control mappings. Refine evidence quality.
December 2026–March 2027: Export compliance package. Share with defence primes. Prepare for Level 2 assessment (starting April 2027).

Ready to Build Your Evidence Chain?

Start free with Solymus Level 1 today. Upload your first evidence, map to controls, and get a compliance readiness score.

Start Free (Level 1) Read the Docs

CPCSC Level 1 Checklist: 13 Controls You Must Implement by April 2026

TL;DR — CPCSC Level 1 checklist in one paragraph

Overview: CPCSC Level 1 Certification

The 13 Level 1 Controls

Access Control (AC)

Identification & Authentication (IA)

Media Protection (MP)

Physical Protection (PE)

System & Communications Protection (SC)

System & Information Integrity (SI)

What Evidence Do You Need?

Bad Evidence

How to Implement CPCSC Level 1: 6-Step Guide

Assess Your Current State

Close Gaps

Document Policies

Collect Evidence

Upload to Solymus

Export Your Compliance Package

Timeline: When to Start

Ready to Build Your Evidence Chain?

Expected questions