DND has been clear about direction and quiet about timing. Canada Buys is collecting expressions of interest, industry days are running, and the April 14 release of the CPCSC Level 1 self-assessment guide finally shows what attestation involves. What it does not give suppliers is a contract.
Doing nothing means being caught flat-footed when an opportunity drops. Spinning up a full program with no contract value to anchor it burns cash against a hypothetical revenue line. The new guide makes a middle path available, and we call it theoretical scoping.
Key Insight: Theoretical scoping, defined
Theoretical scoping is treating a plausible future DND contract as if it were already real: pick the smallest defensible boundary, run the six scoping steps, and self-assess against the 13 controls now. About 80 percent of the implementation work carries forward when the real contract lands, so only the boundary documentation needs revision later.
A supplier who starts scoping the day an RFP lands is buying compliance in a seller's market. Every defence-adjacent vendor in the procurement window is calling the same handful of consultants, identity providers, and MSPs. Lead times stretch, standard configurations get billed as custom work, and reactive scoping pulls your CTO, head of IT, and security lead off the work that actually wins the contract.
The April 14 release closes the information gap that used to justify waiting. The 13 controls are published, the six scoping steps are documented, the required evidence is named.
Theoretical scoping mirrors what mature security teams already do for SOC 2 and ISO 27001: define a defensible boundary, build the program inside it, extend when business reality changes.
For CPCSC it means three things:
This is the early-stage version of building an effective security program. When scope changes later, control implementations, policies, and evidence routines carry forward. Only the boundary documentation needs revision. About 80 percent of the work is independent of any specific contract.
Each step has a defensible interpretation when no contract exists yet.
1. Identify the relevant Specified Information. Without a contract, write down a documented assumption: unclassified contract details, possibly controlled goods information, protected information at a typical sensitivity for your segment.
2. Identify where the information lives and moves. Walk the data lifecycle as if a contract were active: received (email or portal), edited (cloud collaboration tools, laptops), stored (SharePoint, OneDrive, project shares), transmitted (email, share links), destroyed (offboarding, disposal logs).
3. Identify in-scope assets. For most knowledge-work organizations this is small: M365 or Google Workspace, the laptops that would touch SI, mobile devices accessing SI email, project storage. Add any on-prem element such as a CAD workstation.
4. Identify specialized and out-of-scope assets. Specialized includes anti-malware, firewalls, MDM, IoT supporting the in-scope environment. Out-of-scope is anything that does not store, transmit, or process SI. Exclusions need documented reasoning.
5. Identify the surrounding environment. Staff who would access SI, your MSP, identity provider, email and collaboration external service providers (ESPs), remote access paths. CPCSC treats ESPs as part of your scope, so M365 is in scope and you remain responsible for its configuration.
6. Validate the boundary against the 13 controls. The honesty check. A scope that excludes all endpoints fails malicious code protection. A scope with no remote access path (email reached from off-network counts as one) fails MFA on remote access. If a control cannot be honestly tested, the scope is too narrow.
Warning: scope too narrow to honestly test
A scope that excludes every endpoint cannot test malicious code protection. A scope with no remote access path cannot test MFA. If any of the 13 controls has nothing in scope to apply to, the boundary is not a smaller scope, it is an indefensible one. Expand until every control can be honestly evaluated.
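The honesty check in step 6 and the exclusion rule in step 4 can be run mechanically over an asset inventory. The script below is an added illustration written for this page, not tooling from the page, from DND, or from any CPCSC program material. Only two control names come from the page's own check (malicious code protection, MFA on remote access); "account management" and "patching" are control areas the page mentions as carry-forward work, and the mapping of every control to asset kinds, the kind tags themselves, and the two sample inventories are assumptions constructed for the example.

```python
"""Boundary honesty check for a theoretical CPCSC Level 1 scope.

Added illustration; not the page's or any program's tooling. Control-to-asset
mappings, kind tags, and the sample inventories are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kinds: frozenset            # assumed tags: endpoint, mobile, saas, identity, remote_access
    handles_si: bool            # stores, processes, or transmits Specified Information
    in_scope: bool
    exclusion_reason: str = ""  # step 4: anything left out needs documented reasoning


# A control is testable only if at least one in-scope asset carries one of its kinds.
# The first two entries restate the page's check; the mapping itself is an assumption.
CONTROL_REQUIREMENTS = {
    "malicious code protection": {"endpoint", "mobile"},
    "MFA on remote access": {"remote_access"},
    "account management": {"identity"},
    "patching": {"endpoint", "mobile"},
}


def validate_boundary(assets, controls=CONTROL_REQUIREMENTS):
    """Return a list of findings; an empty list means the boundary passes."""
    findings = []
    in_scope = [a for a in assets if a.in_scope]
    # Step 6: a control with nothing in scope to apply to makes the boundary indefensible.
    for control, kinds in controls.items():
        if not any(a.kinds & kinds for a in in_scope):
            findings.append(f"{control}: no in-scope asset to test it against")
    for a in assets:
        if a.in_scope:
            continue
        # Step 4: anything that touches SI cannot be excluded.
        if a.handles_si:
            findings.append(f"{a.name}: handles SI but is excluded")
        # Step 4: exclusions need documented reasoning.
        if not a.exclusion_reason:
            findings.append(f"{a.name}: excluded without documented reasoning")
    return findings


# Constructed sample inventories for a knowledge-work supplier (not real data).
TOO_NARROW = [
    Asset("M365 tenant", frozenset({"saas"}), True, True),
    Asset("Entra ID + MFA", frozenset({"identity"}), True, True),
    # Laptops and the off-network sign-in path left out: the scope excludes all endpoints.
    Asset("Project-team laptops", frozenset({"endpoint", "remote_access"}), True, False,
          "assumed covered by M365"),
    Asset("Marketing website", frozenset({"saas"}), False, False, "no SI stored or processed"),
]

DEFAULT_BOUNDARY = [
    Asset("M365 tenant", frozenset({"saas"}), True, True),
    Asset("Entra ID + MFA + conditional access", frozenset({"identity", "remote_access"}), True, True),
    Asset("Project-team laptops", frozenset({"endpoint", "remote_access"}), True, True),
    Asset("MDM-enrolled phones", frozenset({"mobile", "remote_access"}), True, True),
    Asset("Marketing website", frozenset({"saas"}), False, False, "no SI stored or processed"),
    Asset("Sales CRM", frozenset({"saas"}), False, False, "no SI stored or processed"),
]


if __name__ == "__main__":
    for label, inventory in (("too narrow", TOO_NARROW), ("default", DEFAULT_BOUNDARY)):
        result = validate_boundary(inventory)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

The narrow inventory fails on four counts (two controls with nothing to test, patching with nothing to test, and an SI-handling asset excluded), while the default boundary from the callout further down passes with every exclusion justified. Extending the control table to all 13 is the supplier's job; the point is that each row needs an asset to point at.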
For most Canadian defence-adjacent suppliers, the realistic default looks like this:
That boundary is defensible, maps cleanly onto the 13 controls, and reflects actual data flow. If you have on-prem elements such as engineering workstations, CAD, or a small server room, include them. The SOC 2 on-prem consulting work we do uses the same logic: scope to where regulated data actually lives, not the entire enterprise.
Key Insight: the sensible default boundary
For a typical Canadian defence-adjacent knowledge-work supplier, the minimum defensible boundary is M365 or Google Workspace, the project-team laptops that would touch SI, MDM-enrolled mobile devices, one or two cloud storage locations, and the identity and MFA stack. Anything narrower fails the boundary validation check.
What stays in and what stays out, at a glance:
| Stays in scope | Stays out of scope |
|---|---|
| M365 or Google Workspace tenant handling SI | Marketing website and corporate intranet |
| Project-team laptops that would touch SI | Sales CRM and support desk that do not store SI |
| Mobile devices accessing SI email via MDM | Dev environments for unrelated product lines |
| Identity, MFA, conditional access and SharePoint project sites | Personal devices architected out at the identity layer |
One-line justifications are enough for anything on the right-hand side.
Most security teams already have versions of these artifacts for SOC 2 or ISO 27001 and only need to reframe them for CPCSC.
Scoping artifacts to prepare
Full detail is in the CPCSC consulting overview and the CPCSC Level 1 Readiness Scorecard.
Updated April 14, 2026 — Final CPCSC Level 1 Requirements
Theoretical scoping is a starting boundary, not a finish line. Four things tend to expand scope when the contract arrives:
Key Insight: what actually triggers a rescope
Four contract facts expand scope: a named project team or facility, specific data handling clauses, physical locations tied to controlled goods, and subcontractors in the SI path. Everything else, including account management, MFA, device management, and patching evidence, carries forward from the theoretical scope.
Most of the program carries forward: account management, MFA, device management, malware protection, patching, evidence routines. What gets redone is boundary documentation: asset lists, diagrams, rationale, possibly the SSP. This is the same logic that makes SOC 2 readiness work accelerate later compliance projects.
Each entity in a defence supply chain is responsible for its own scoping and self-assessment. Primes confirm that subs handling SI have appropriate certification and scope. Subs do not assume the prime covers them; they scope themselves and hold proof ready. The Government of Canada has indicated it will accept valid CMMC certifications case-by-case after confirming scope coverage. For a side-by-side view of how the two regimes line up, see CPCSC vs CMMC.
Most of the cost in CPCSC Level 1 is scoping, documentation, and routine implementation, not exotic technology. The 13 controls map to standard security hygiene most well-run organizations are already doing. The value is in proving it. The underlying standard, ITSP.10.171, deliberately avoids prescribing vendors.
That cost profile collapses if the work waits. Hiring scarcity, vendor leverage, and compressed timelines are why reactive scoping costs three to five times more than proactive scoping. A theoretical scope built carefully often becomes the basis for SOC 2 or ISO 27001 readiness later; the MFA, access review, and patching evidence that satisfies CPCSC Level 1 also covers a meaningful slice of SOC 2 CC6 and ISO 27001 Annex A.
Yes. The self-assessment guide and online tool are available now. Complete the self-assessment, save the result page with the expiry date, and store the proof. Attestation attaches to a contract award, not to bidding, so nothing stops you from doing the work in advance against a theoretical scope.
You rescope. The contract typically expands the boundary by adding a project team, a facility, or new handling requirements. Control implementations carry forward. Asset lists, diagrams, and rationale get revised. Expect a few weeks to update evidence if the new scope adds significant technology or facilities.
If they access SI, yes. Home devices, personal mobile devices, and anything that can reach SI are in scope. Most suppliers require MFA, MDM enrollment, and conditional access on any device accessing work email or SharePoint. To keep home devices out, architect them out at the identity layer and prove the restriction works.
Small enough to be honest, large enough to test all 13 controls. A scope excluding every endpoint cannot test malicious code protection. A scope with no remote access cannot test MFA. The minimum defensible boundary is usually M365 or equivalent, the laptops of the team that would handle SI, mobile devices accessing work email, and the identity stack.