CPCSC Compliance Consulting: What a Consultant Actually Does for Defence Contractors

Reviewed by Ali Aleali, CISSP, CCSP · Last reviewed April 10, 2026

CPCSC Level 1 attestation becomes a procurement requirement for Department of National Defence contracts in April 2026. Companies that can't attest won't bid. The timeline isn't theoretical anymore, and the question most IT directors and security leads are asking isn't whether they need to comply. It's whether they can get there without outside help, and what a consultant actually contributes that an internal team can't do alone.

The honest answer: it depends on where the organization stands today. A company with a mature SOC 2 program and documented controls has a different path than one running security informally with no evidence trail. But in both cases, CPCSC introduces requirements that are specific to the Canadian defence supply chain, and the scoping, mapping, and documentation work is where most teams stall.

This guide breaks down what CPCSC compliance consulting actually involves, what the 14 security domains require at Level 1, how existing programs accelerate the work, and how to evaluate whether external help makes sense.

What CPCSC Requires and Why It's Different

The Canadian Program for Cyber Security Certification isn't a voluntary best-practice framework. It's a mandatory procurement condition, modeled after the U.S. CMMC program but built on Canada's own technical standard, ITSP.10.171.

Level 1 is a self-assessment against 13 security requirements drawn from 6 of the 17 ITSP.10.171 control families, covering 71 assessment objectives. Companies attest annually through their Canada Buys profile. Level 2 brings third-party certification starting April 2027, covering the full 97 controls across all 17 families.

The structural similarities to CMMC are real, but so are the differences. CPCSC uses Canadian-authored controls, Canadian assessment methodology, and Canadian governance through PSPC, the Canadian Centre for Cyber Security, and the Standards Council of Canada. Companies operating in both jurisdictions need separate certifications with no mutual recognition.

Key Distinction

What makes CPCSC consulting different from general cybersecurity advisory work is the specificity. The controls map to a defined standard. The assessment objectives are published. The attestation mechanism is prescribed. A consultant's value isn't in defining what security looks like in the abstract. It's in navigating the specific requirements, scoping them to the organization's actual environment, and building the evidence package that supports attestation.

The 14 Security Domains at Level 1

ITSP.10.171 organizes controls into 17 families. At Level 1, the self-assessment draws from a subset, but companies serious about defence contracting should understand the full landscape. The domains group into operational themes:


Access and Identity

Access Control and Identification & Authentication cover who can access what, how identities are verified, and how sessions are managed. MFA, least privilege, remote access controls, and account management sit here. This is typically the largest control area and the one with the most overlap for companies already running SOC 2 programs.

Monitoring and Accountability

Audit logging, monitoring, and security assessment require organizations to maintain audit trails, review logs, and conduct periodic assessments of their security posture. The expectation isn't just that logging exists, but that someone reviews it and acts on findings.

Incident Response and System Integrity

Incident response and system integrity cover incident handling procedures, flaw remediation, malware protection, and system monitoring. Companies need documented incident response plans with defined roles, not just a general understanding that the IT team handles problems.

Configuration and Maintenance

Configuration management and system maintenance address baseline configurations, change control, least functionality, and controlled maintenance activities. Hardening standards and configuration baselines are common gap areas for organizations that have operated with informal change processes.

Data and Communications Protection

Media protection and system communications security cover encryption at rest and in transit, media sanitization, and boundary protection. Government-specific handling requirements for controlled information are the differentiator here.

Physical and Personnel Security

Physical protection and personnel controls are where commercially focused companies see the biggest gaps. Facility access controls, visitor management, personnel screening, and termination procedures aren't typically addressed in SOC 2 with the specificity CPCSC expects.

Risk and Planning

Risk assessment and security planning require vulnerability scanning, risk analysis, risk response strategies, and documented system security plans. This is the governance layer that many operational teams skip.

Supply Chain and Awareness

Supply chain risk management and security awareness training round out the control families. Supplier assessments, acquisition controls, role-based training requirements, and security culture expectations apply here.

Each domain has specific assessment objectives. A consultant's job is to determine which objectives apply to the organization's scope, assess current state against each one, and build the documentation that demonstrates compliance.

What a CPCSC Consultant Actually Does

The work breaks into distinct phases, each addressing a specific part of the certification problem.

Scoping

CPCSC doesn't apply uniformly across every system in an organization. It applies to systems that store, process, or transmit specified information related to defence contracts. The first task is determining what's in scope.

This involves identifying which systems handle controlled information, which personnel access it, which third parties interact with it, and which physical locations house it. The scoping decision directly affects how many controls apply and how much work is required. Getting it wrong in either direction is one of the most common mistakes: too narrow, and the attestation is incomplete; too broad, and the organization commits to controls across systems that don't need them. Organizations running SOC 2 on on-prem or hybrid infrastructure will recognize this scoping challenge.

Gap Assessment

With scope defined, the consultant assesses the organization's current state against each applicable ITSP.10.171 requirement. This isn't a questionnaire exercise. It's a control-by-control evaluation of what exists, what's documented, what's operating, and what's missing.

The output is a gap register: a structured list of where the organization meets requirements, where partial controls exist that need strengthening, and where entirely new controls are required. For each gap, the assessment should estimate the effort, cost, and timeline to remediate.

Control Mapping

Organizations with existing compliance programs, whether SOC 2, ISO 27001, or CMMC, already have controls that map to ITSP.10.171 requirements. A consultant maps existing controls to CPCSC requirements, identifies where the overlap is genuine (not just thematic), and documents the mapping.

SOC 2 to CPCSC Overlap

The SOC 2 to CPCSC mapping shows strong alignment in access control, system operations, risk assessment, and change management. SOC 2 CC6 maps to CPCSC Access Control, Identification & Authentication, and Physical Protection. The controls align, but the evidence needs to be reframed for the CPCSC context. Predictable gap areas for SOC 2 organizations: physical security specifics, personnel screening depth, media protection under government handling procedures, and supply chain risk management at the subcontractor level.

Remediation Planning and Implementation

The gap register becomes a remediation roadmap. A consultant prioritizes gaps by risk, effort, and dependency (some controls depend on others being in place first), then works with the internal team to implement the missing controls.

This is where consulting engagements diverge significantly. Some organizations need help writing policies. Others need technical implementation: configuring MFA across legacy systems, deploying log aggregation, or establishing encrypted channels for controlled information. The best engagements combine both: policy development that reflects actual operational practice, not templates that describe how things should work in theory.

Self-Assessment Documentation

For Level 1, the deliverable is the self-assessment documentation that supports the Canada Buys attestation. This includes the System Security Plan (SSP), the self-assessment results, the Plan of Action and Milestones (POA&M) for any gaps that aren't fully remediated, and the supporting evidence for each control.

Documentation Quality Matters

The SSP is the core document. It describes the system boundary, the security controls in place, how they're implemented, and who's responsible. A generic template that will invite questions during any future Level 2 assessment is a liability, not an asset. The SSP needs to accurately reflect the organization's actual security posture.

How Existing SOC 2 Programs Accelerate CPCSC

Companies with active SOC 2 Type II certifications have a significant head start. The mapping between SOC 2 Trust Services Criteria and ITSP.10.171 shows strong overlap in access control, system operations, change management, and risk assessment. Organizations in this position aren't starting from zero. They're extending an existing program into a new regulatory context.

The acceleration is real but not automatic. Three conditions determine how much time SOC 2 actually saves:

Condition and why it matters:

  • Control implementation depth: SOC 2 controls that exist on paper but operate informally don't carry over. CPCSC assessment objectives require demonstrated, documented controls. A program backed by continuous evidence collection translates more directly than one maintained through annual audit preparation.
  • Evidence reframing: SOC 2 evidence is structured around Trust Services Criteria. CPCSC evidence needs to be organized against ITSP.10.171 control families. The underlying security activity might be identical, but the evidence package needs to speak the CPCSC language.
  • Gap areas are predictable: Physical security, personnel screening, media handling, and supply chain controls consistently require new work for SOC 2 organizations entering the defence space. A consultant who understands both frameworks can identify these gaps in days rather than weeks.

For companies that hold SOC 2 and are also considering CMMC for U.S. defence contracts, the three-framework mapping (SOC 2 to CPCSC to CMMC) is a program design exercise. The goal is one security program with multiple compliance outputs, not three separate programs. Companies already operating in the Canadian compliance landscape with SOC 2 have the foundation for this approach.

The Assess/Build/Operate Model for CPCSC

Engagement Structure

  • Assess (2-4 weeks): Scope the environment, map existing controls, run the gap assessment, produce the remediation roadmap. The output is a clear picture of where the organization stands and what it takes to reach Level 1 attestation.
  • Build (4 weeks to 4 months): Implement missing controls, write policies, configure technical safeguards, develop evidence collection processes. Duration depends on existing program maturity.
  • Operate (ongoing): Maintain controls, collect evidence continuously, prepare for annual re-attestation. For Level 2, this includes preparing for third-party assessment. This is where the security program either becomes sustainable or reverts to pre-audit practices.

When a Consultant Makes Sense

Not every organization needs external help for CPCSC Level 1. Companies with dedicated security teams that understand ITSP.10.171, have experience with self-assessment methodologies, and have the bandwidth to pull resources from other priorities can manage it internally.

A consultant adds the most value in three situations:

The organization has never been through a compliance certification. CPCSC is specific enough that general security knowledge doesn't automatically translate to certification readiness. The assessment methodology, evidence standards, and documentation expectations have patterns that experienced consultants recognize and teams encountering them for the first time don't.

The organization has existing compliance programs but not CPCSC. The mapping work, identifying genuine overlap versus superficial similarity, requires framework-specific knowledge. A consultant who works across SOC 2, ISO 27001, and CPCSC regularly can identify the gap areas and remediation path faster than a team doing the cross-reference for the first time. The SOC 2 consultant evaluation checklist covers the questions that apply across frameworks.

The deadline pressure is real and bandwidth is limited. Level 1 attestation is now a contract eligibility requirement. Organizations that need to attest within a defined timeline and can't afford to have their security or IT leadership fully consumed by the compliance project use consultants to accelerate the timeline without pulling key people off operational responsibilities.

What to Look For in a CPCSC Consultant

The CPCSC consulting market in Canada is still forming. A few evaluation criteria matter:

Framework depth, not just breadth. The consultant should understand ITSP.10.171 at the control level, not just the program overview. Ask about specific assessment objectives and how they interpret ambiguous requirements.

Multi-framework experience. Companies entering defence contracting often hold or need SOC 2, ISO 27001, or CMMC. A consultant who only knows CPCSC can't advise on program design that serves multiple frameworks efficiently.

Operational, not just advisory. The gap between advice and implementation is where most compliance projects stall. The consultant should be able to help implement controls, not just identify what's missing.

Canadian defence supply chain context. CPCSC exists within the broader Canadian defence procurement ecosystem, including PSPC industrial security requirements, security clearances, and contract-specific security provisions. General cybersecurity consultants without this context miss the connections.

Moving Forward

The CPCSC Level 1 self-assessment guide covers the specific requirements and assessment objectives in detail. For organizations evaluating their readiness, the CPCSC Level 1 Readiness Scorecard provides a structured assessment against the control families, with a detailed gap analysis that identifies where the organization stands and what needs attention.

CPCSC certification is a procurement requirement, but the security program behind it is what determines whether the organization can win and deliver on defence contracts sustainably. The companies that treat it as a documentation exercise will attest. The ones that treat it as a program-building opportunity will compete.

Frequently Asked Questions

What does a CPCSC consultant do that an internal team cannot?

A CPCSC consultant brings framework-specific knowledge of ITSP.10.171 assessment objectives, experience mapping existing controls from SOC 2 or ISO 27001, and familiarity with the documentation standards that support Canada Buys attestation. Internal teams can manage the work if they have the bandwidth and framework expertise, but most organizations encountering CPCSC for the first time underestimate the scoping and evidence requirements.

How long does it take to prepare for CPCSC Level 1 certification?

Organizations with existing compliance programs (SOC 2, ISO 27001) typically reach Level 1 attestation readiness in 6 to 10 weeks with consultant support. Organizations building from informal security practices should plan for 3 to 5 months. The primary variables are scope complexity, the number of control gaps, and internal team availability for remediation work.

Can SOC 2 certification count toward CPCSC compliance?

SOC 2 controls don't automatically satisfy CPCSC requirements, but they provide significant overlap. Access control, system operations, change management, and risk assessment map strongly between SOC 2 Trust Services Criteria and ITSP.10.171 families. The evidence needs to be reframed for the CPCSC context, and gap areas in physical security, personnel screening, and media handling typically require new controls.

What is the difference between CPCSC Level 1 and Level 2?

Level 1 is a self-assessment against 13 requirements from 6 control families (71 assessment objectives), attested annually through Canada Buys. Level 2 requires third-party certification by an SCC-accredited body against all 97 ITSP.10.171 controls across 17 families. Level 2 applies to contracts involving controlled information and takes effect April 2027.

How much does CPCSC compliance consulting cost?

Costs vary based on organizational complexity, existing program maturity, and scope. A Level 1 assessment and remediation engagement for a company with existing SOC 2 controls typically costs less than half of what a company starting from scratch would invest. The assessment phase alone usually runs 2 to 4 weeks. Full implementation pricing depends on the gap register findings.

Is CPCSC the same as CMMC for Canadian companies?

CPCSC and CMMC share a common lineage in NIST 800-171 and serve similar purposes in their respective defence supply chains, but they are separate programs with no mutual recognition. Companies bidding on both Canadian DND and U.S. DoD contracts need certification under both programs. The control families overlap significantly, making a single security program with dual compliance outputs the most efficient approach.

About the Author

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
