CPCSC Level 1 Scoping Before You Have a Contract

Reviewed by Ali Aleali, CISSP, CCSP · Last reviewed April 18, 2026

DND has been clear about direction and quiet about timing. Canada Buys is collecting expressions of interest, industry days are running, and the April 14 release of the CPCSC Level 1 self-assessment guide finally shows what attestation involves. What it does not give suppliers is a contract.

Doing nothing means being caught flat-footed when an opportunity drops. Spinning up a full program with no contract value to anchor it burns cash against a hypothetical revenue line. The new guide makes a middle path available, and we call it theoretical scoping.

Key Insight: Theoretical scoping, defined

Theoretical scoping is treating a plausible future DND contract as if it were already real: pick the smallest defensible boundary, run the six scoping steps, and self-assess against the 13 controls now. About 80 percent of the implementation work carries forward when the real contract lands, so only the boundary documentation needs revision later.

Why waiting for the RFP is the most expensive strategy

A supplier who starts scoping the day an RFP lands is buying compliance in a seller's market. Every defence-adjacent vendor in the procurement window is calling the same handful of consultants, identity providers, and MSPs. Lead times stretch, standard configurations get billed as custom work, and reactive scoping pulls your CTO, head of IT, and security lead off the work that actually wins the contract.

The April 14 release closes the information gap that used to justify waiting. The 13 controls are published, the six scoping steps are documented, the required evidence is named.

What theoretical scoping means

Theoretical scoping mirrors what mature security teams already do for SOC 2 and ISO 27001: define a defensible boundary, build the program inside it, extend when business reality changes.

For CPCSC it means three things:

  1. Pick the smallest realistic boundary in which your organization would receive, store, or transmit Specified Information if a typical defence contract came in.
  2. Run the six scoping steps from the CPCSC Level 1 Scoping Guide against that hypothetical scope, exactly as you would for a real contract.
  3. Self-assess against the 13 controls, document gaps, and file the evidence you already have.

This is the early-stage version of building an effective security program. When scope changes later, control implementations, policies, and evidence routines carry forward. Only the boundary documentation needs revision. About 80 percent of the work is independent of any specific contract.

The six scoping steps, applied theoretically

Each step has a defensible interpretation when no contract exists yet.

1. Identify the relevant Specified Information. Without a contract, write down a documented assumption: unclassified contract details, possibly controlled goods information, protected information at a typical sensitivity for your segment.

2. Identify where the information lives and moves. Walk the data lifecycle as if a contract were active: received (email or portal), edited (cloud collaboration tools, laptops), stored (SharePoint, OneDrive, project shares), transmitted (email, share links), destroyed (offboarding, disposal logs).

3. Identify in-scope assets. For most knowledge-work organizations this is small: M365 or Google Workspace, the laptops that would touch SI, mobile devices accessing SI email, project storage. Add any on-prem element such as a CAD workstation.

4. Identify specialized and out-of-scope assets. Specialized includes anti-malware, firewalls, MDM, IoT supporting the in-scope environment. Out-of-scope is anything that does not store, transmit, or process SI. Exclusions need documented reasoning.

5. Identify the surrounding environment. Staff who would access SI, your MSP, identity provider, email and collaboration ESPs, remote access paths. CPCSC treats ESPs as part of your scope, so M365 is in scope and you remain responsible for its configuration.

6. Validate the boundary against the 13 controls. The honesty check. A scope that excludes all endpoints fails malicious code protection. A scope with no email path fails MFA on remote access. If a control cannot be honestly tested, the scope is too narrow.

Warning: scope too narrow to honestly test

A scope that excludes every endpoint cannot test malicious code protection. A scope with no remote access path cannot test MFA. If any of the 13 controls has nothing in scope to apply to, the boundary is not a smaller scope, it is an indefensible one. Expand until every control can be honestly evaluated.
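The honesty check from step 6, written out as a small boundary validator over an asset inventory. This is an added example, not code from the CPCSC guide or from the article's authors; the controls listed are only the ones this article names, and the asset tags each control needs in scope are an assumption for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    tags: frozenset              # what the asset is: endpoint, mobile, identity, remote_access, ...
    handles_si: bool             # would it receive, store, process or transmit SI?
    exclusion_reason: str = ""   # required for anything kept out of scope

# Assumption for illustration: controls the article names, each with the asset tags
# that must be present in scope for the control to be honestly testable.
CONTROL_NEEDS = {
    "malicious code protection": {"endpoint", "mobile"},
    "MFA on remote access": {"remote_access"},
    "account management": {"identity"},
    "device management": {"endpoint", "mobile"},
    "patching": {"endpoint"},
}

def validate_boundary(assets):
    """Return findings; an empty list means every listed control has something in scope
    to apply to and every exclusion carries a one-line justification."""
    in_scope_tags = set().union(*(a.tags for a in assets if a.handles_si))
    findings = []
    for control, needed in CONTROL_NEEDS.items():
        if not in_scope_tags & needed:
            findings.append(f"{control}: nothing in scope to apply to")
    for a in assets:
        if not a.handles_si and not a.exclusion_reason:
            findings.append(f"{a.name}: excluded without documented rationale")
    return findings

# Constructed inventory modelled on the article's default boundary.
DEFAULT_SCOPE = [
    Asset("M365 tenant", frozenset({"esp", "email", "cloud_storage", "remote_access"}), True),
    Asset("Identity provider (MFA, conditional access)", frozenset({"identity", "remote_access"}), True),
    Asset("Project-team laptops", frozenset({"endpoint"}), True),
    Asset("MDM-enrolled phones", frozenset({"mobile"}), True),
    Asset("Marketing website", frozenset({"web"}), False, "does not store, transmit or process SI"),
    Asset("Sales CRM", frozenset({"saas"}), False),   # excluded, but nobody wrote down why
]

# Same inventory with every endpoint cut out: the "too narrow to honestly test" case.
NARROW_SCOPE = [a for a in DEFAULT_SCOPE
                if a.name not in ("Project-team laptops", "MDM-enrolled phones")]

if __name__ == "__main__":
    for label, scope in (("default", DEFAULT_SCOPE), ("narrow", NARROW_SCOPE)):
        print(label, validate_boundary(scope) or ["boundary is defensible"])
```

The default boundary produces a single finding (the undocumented CRM exclusion); cutting the endpoints out leaves three controls with nothing to apply to.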

A sensible default scope

For most Canadian defence-adjacent suppliers, the realistic default looks like this:

  • M365 or Google Workspace as document, email, and identity layer
  • Laptops of the project team that would handle SI
  • Mobile devices accessing work email through an MDM profile
  • One or two cloud storage locations (SharePoint site, project drive)
  • Identity and MFA stack including conditional access

That boundary is defensible, maps cleanly onto the 13 controls, and reflects actual data flow. If you have on-prem elements such as engineering workstations, CAD, or a small server room, include them. The SOC 2 on-prem consulting work we do uses the same logic: scope to where regulated data actually lives, not the entire enterprise.

Key Insight: the sensible default boundary

For a typical Canadian defence-adjacent knowledge-work supplier, the minimum defensible boundary is M365 or Google Workspace, the project-team laptops that would touch SI, MDM-enrolled mobile devices, one or two cloud storage locations, and the identity and MFA stack. Anything narrower fails the boundary validation check.

What stays in and what stays out, at a glance:

Stays in scope                                                    Stays out of scope
M365 or Google Workspace tenant handling SI                       Marketing website and corporate intranet
Project-team laptops that would touch SI                          Sales CRM and support desk that do not store SI
Mobile devices accessing SI email via MDM                         Dev environments for unrelated product lines
Identity, MFA, conditional access and SharePoint project sites    Personal devices architected out at the identity layer

One-line justifications are enough for anything on the right-hand side.

Documentation to have ready

Most security teams already have versions of these artifacts for SOC 2 or ISO 27001 and only need to reframe them for CPCSC.

Scoping artifacts to prepare

  • In-scope asset list. Systems, endpoints, applications. Owner, type, model, approval date, role in handling SI.
  • Logical and physical boundary diagrams. Network diagram showing in-scope environment, boundary devices, ESPs, and connections. Physical diagram if a facility is in scope.
  • Scoping rationale. Short document explaining inclusions and exclusions. "Marketing systems do not store, transmit, or process SI" is sufficient.
  • Out-of-scope and specialized asset list. The complement to the in-scope list.
  • List of employees with SI access. Names, roles, systems, how access is granted and removed.
  • Evidence of security tasks. Configurations, MFA screenshots, patching logs, account review notes, visitor logs if applicable.
  • Notes on external systems and remote access. BYOD treatment, ESP arrangements. Personal devices accessing SI email need documented MFA, MDM, and conditional access.

Full detail is in the CPCSC consulting overview and the CPCSC Level 1 Readiness Scorecard.


When the real contract lands: rescope

Theoretical scoping is a starting boundary, not a finish line. Four things tend to expand scope when the contract arrives:

  1. A specific project team or facility named in the contract joins the in-scope environment.
  2. Specific data handling clauses (SI must stay in Canada, certain documents off cloud collaboration) translate into new control evidence.
  3. Specific physical locations. Controlled goods work may bring physical security controls into scope that a pure cloud boundary did not require.
  4. Subcontractors. Primes confirm subs are certified and scoped. Subs scope themselves.

Key Insight: what actually triggers a rescope

Four contract facts expand scope: a named project team or facility, specific data handling clauses, physical locations tied to controlled goods, and subcontractors in the SI path. Everything else, including account management, MFA, device management, and patching evidence, carries forward from the theoretical scope.

Most of the program carries forward: account management, MFA, device management, malware protection, patching, evidence routines. What gets redone is boundary documentation: asset lists, diagrams, rationale, possibly the SSP. This is the same logic that makes SOC 2 readiness work accelerate later compliance projects.

Subcontractor scoping

Each entity in a defence supply chain is responsible for its own scoping and self-assessment. Primes confirm that subs handling SI have appropriate certification and scope. Subs do not assume the prime covers them; they scope themselves and hold proof ready. The Government of Canada has indicated it will accept valid CMMC certifications case by case after confirming scope coverage. For a side-by-side view of how the two regimes line up, see CPCSC vs CMMC.

Cost discipline

Most of the cost in CPCSC Level 1 is scoping, documentation, and routine implementation, not exotic technology. The 13 controls map to standard security hygiene most well-run organizations are already doing. The value is in proving it. The underlying standard, ITSP.10.171, deliberately avoids prescribing vendors.

That cost profile collapses if the work waits. Hiring scarcity, vendor leverage, and compressed timelines are why reactive scoping costs three to five times more than proactive scoping. A theoretical scope built carefully often becomes the basis for SOC 2 or ISO 27001 readiness later; the MFA, access review, and patching evidence that satisfies CPCSC Level 1 also covers a meaningful slice of SOC 2 CC6 and ISO 27001 Annex A.

Frequently Asked Questions

Can I do CPCSC Level 1 self-assessment without a contract?

Yes. The self-assessment guide and online tool are available now. Complete the self-assessment, save the result page with the expiry date, and store the proof. Attestation attaches to a contract award, not to bidding, so nothing stops you from doing the work in advance against a theoretical scope.

What happens to my scope when I actually win a DND contract?

You rescope. The contract typically expands the boundary by adding a project team, a facility, or new handling requirements. Control implementations carry forward. Asset lists, diagrams, and rationale get revised. Expect a few weeks to update evidence if the new scope adds significant technology or facilities.

Do I need to include employee home computers in scope?

If they access SI, yes. Home devices, personal mobile devices, and anything that can reach SI are in scope. Most suppliers require MFA, MDM enrollment, and conditional access on any device accessing work email or SharePoint. To keep home devices out, architect them out at the identity layer and prove the restriction works.

How small can a theoretical scope reasonably be?

Small enough to be honest, large enough to test all 13 controls. A scope excluding every endpoint cannot test malicious code protection. A scope with no remote access cannot test MFA. The minimum defensible boundary is usually M365 or equivalent, the laptops of the team that would handle SI, mobile devices accessing work email, and the identity stack.


About the Author

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
