On April 14, 2026, the Government of Canada published the CPCSC Level 1 self-assessment guide, the scoping guide, and practical implementation steps. The release pinned down timeframes, confirmed the binary scoring mechanic, and published the path for recognizing a valid CMMC certification. If you bid on Department of National Defence contracts, or sit one tier below a prime that does, you need this on paper before summer 2026.
What the April 14 release clarified
Timeframes are locked. Several controls now carry specific numbers (24 hours, 90 days, 30/90/180 days, weekly, 12 months) where ITSP.10.171 alone left cadence to discretion. These are the bar you attest against, not your internal policy cycle.
Scoring is binary. Each of the 13 questions is scored Met or Not Met. Every sub-requirement (lettered A through H on longer questions) has to be implemented. One Not Met sub-requirement fails the question, and one failed question forces the assessment to restart. No partial credit, no compensating control discussion at Level 1.
CMMC recognition exists. Canada may accept a valid CMMC certification case-by-case after confirming scope. That matters for any supplier already certified for U.S. defence work.
Binary scoring, no safety net
Level 1 has no partial credit, no exception reporting, and no POA&M. One Not Met sub-requirement fails a question, and one failed question restarts the entire self-assessment. Build evidence for all 71 sub-requirements before you attest.
The 13 controls
The guide groups 13 controls into 6 cyber hygiene best practices.
Access control (Q1 to Q4). Account management (03.01.01) is the longest, with eight sub-requirements covering creation, monitoring, disable conditions, notification timing, and inactivity logout. Access enforcement (03.01.02) applies those authorizations to systems holding Specified Information. External systems (03.01.20), including BYOD devices, personal phones, and subcontractor systems, are prohibited unless authorized under terms covering work scope and data sensitivity. Publicly accessible content (03.01.22) requires external publishers to be trained to keep Specified Information off public systems, with periodic review.
Identification and authentication (Q5 to Q7). Every user is uniquely identified and re-authenticates on role change, credential change, privilege escalation, or session end (03.05.01). Devices are uniquely identified before connecting, with authentication where feasible and documented exceptions where not (03.05.02). Strong MFA on all remote access and admin accounts, app-based or hardware-based preferred, SMS only as last resort (03.05.03).
Media protection (Q8). Any media that held Specified Information is sanitized before disposal, reuse, or leaving your control (03.08.03). Covers drives, USB sticks, phones that synced corporate email, multi-function printers with scan history, and paper.
Physical protection (Q9 to Q10). Maintained list of who is authorized to enter the physical location, reviewed at least every 12 months (03.10.01). Enforcement at entry and exit, audit logs, escorted visitors, secured keys and combinations, controlled output devices so unauthorized people cannot pull SI off a printer tray (03.10.07).
Boundary protection (Q11). Monitor and control communications at external and key internal interfaces. Publicly accessible components sit on separated subnetworks. Connections to external systems go through managed interfaces (firewalls, VPN gateways, secure proxies) (03.13.01).
System and information integrity (Q12 to Q13). Identify, report, and correct flaws, with updates installed within severity-based windows (03.14.01). Malicious code protection at entry and exit points that updates, runs scheduled and real-time scans, and blocks or quarantines findings (03.14.02).
The specific numbers that matter
Any policy you are drafting has to match these exact numbers.
| Timeframe | Control requirement |
| --- | --- |
| 24 hours | Account managers notified when an account is no longer required, a user is terminated or transferred, or need-to-know changes. |
| 24 hours | Inactivity logout for privileged users on jump hosts, admin consoles, and cloud admin sessions. |
| 90 days | Accounts inactive for 90 days are disabled. |
| 30 / 90 / 180 days | Patch windows by severity: critical and high within 30, moderate within 90, low within 180. Evidenced per asset. |
| Weekly | Malicious code scheduled scans plus real-time scans of files from external sources. |
| 12 months | Physical access list reviewed at least annually, or sooner on significant incident or risk change. |
Key insight: these numbers are the attestation bar
If you cannot point to a configuration screen, log, or calendar entry proving each of these numbers, you cannot honestly attest Met. Policy text that says "as needed" or "periodically" does not clear the bar.
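One way to turn the table above into a repeatable evidence check, as an added example that is not part of the guide or of this article: a Python script over constructed account, HR-notification and patch records (the record fields are assumed) that applies the 90-day, 24-hour and 30/90/180-day numbers and then the guide's binary rule, so one sub-requirement with findings makes its question Not Met.

```python
from datetime import datetime, timedelta

# Timeframes from the April 14 guide; the checker and the sample data are constructed.
INACTIVE_DISABLE_DAYS, NOTIFY_HOURS = 90, 24
PATCH_WINDOW_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}
ts = datetime.fromisoformat

def check_inactive_accounts(accounts, as_of):
    """03.01.01: enabled accounts idle for 90+ days should already be disabled."""
    return [a["user"] for a in accounts if a["enabled"]
            and as_of - ts(a["last_login"]) >= timedelta(days=INACTIVE_DISABLE_DAYS)]

def check_notifications(events):
    """03.01.01: HR event (termination, transfer, need-to-know change) to account-manager notice within 24 h."""
    return [e["user"] for e in events if e["notified"] is None
            or ts(e["notified"]) - ts(e["hr_event"]) > timedelta(hours=NOTIFY_HOURS)]

def check_patches(patches, as_of):
    """03.14.01: per asset, install date (or as_of while still open) within the severity window."""
    return [(p["asset"], p["flaw"]) for p in patches
            if (ts(p["installed"]) if p["installed"] else as_of) - ts(p["released"])
            > timedelta(days=PATCH_WINDOW_DAYS[p["severity"]])]

def score(accounts, events, patches, as_of):
    """Binary scoring: one sub-requirement with findings makes its whole question Not Met."""
    subs = {("Q1", "inactive accounts"): check_inactive_accounts(accounts, as_of),
            ("Q1", "24h notification"): check_notifications(events),
            ("Q12", "patch windows"): check_patches(patches, as_of)}
    questions = {}
    for (q, _), findings in subs.items():
        questions[q] = "Not Met" if findings or questions.get(q) == "Not Met" else "Met"
    return questions, subs

# Constructed sample evidence, evaluated as of 2026-06-01.
AS_OF = datetime(2026, 6, 1)
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2026-05-20"},
    {"user": "bob", "enabled": True, "last_login": "2026-02-01"},    # 120 days idle, still enabled
    {"user": "carol", "enabled": False, "last_login": "2025-12-01"},  # idle but already disabled
]
HR_EVENTS = [
    {"user": "dave", "hr_event": "2026-05-04T09:00:00", "notified": "2026-05-04T15:30:00"},
    {"user": "erin", "hr_event": "2026-05-11T09:00:00", "notified": "2026-05-13T09:00:00"},  # 48 h
]
PATCHES = [
    {"asset": "srv01", "flaw": "FLAW-A", "severity": "critical", "released": "2026-04-01", "installed": "2026-04-20"},
    {"asset": "srv02", "flaw": "FLAW-B", "severity": "high", "released": "2026-05-15", "installed": None},  # 17 days open
    {"asset": "ws07", "flaw": "FLAW-C", "severity": "low", "released": "2026-01-10", "installed": "2026-06-01"},  # 142 days
]
```

With this data `score(ACCOUNTS, HR_EVENTS, PATCHES, AS_OF)` reports Q1 as Not Met (bob still enabled, erin's notice 24 hours late) and Q12 as Met, even though the second Q1 sub-requirement alone would not have been enough to pass.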
Why first attempts often fail
The scoring mechanic is unforgiving. Q1 has eight sub-requirements. Seven done and one in flight means Not Met, and one Not Met question forces a restart. No SOC 2-style exception report, no CMMC-style POA&M at Level 1. All 71 sub-requirements operate, or they do not.
First attempts usually nail access control, MFA, and patching basics. They get caught on three specifics: the 24-hour HR-to-IT account notification path, device-level evidence that patches landed within the severity window, and the physical access review for offices nobody formally documented in years. Any one of those gaps fails the assessment.
The self-assessment itself is not the work. The work is the program that produces evidence consistent enough to claim Met on every question. The self-assessment then takes under an hour because you are recording what is already true.
Updated April 14, 2026 — Final CPCSC Level 1 Requirements
Evidence you actually need
The guide is explicit that evidence does not need to be complex. It needs to exist and be consistent with how the business operates.
- Account lists with status changes traceable to date
- Device lists with owner, type, and approval date
- Access review notes, dated and signed off
- Copies of the security policies the controls reference
- Training records for security, IT, and information management
- Logs of updates, patching, and sanitization activity
- Visitor logs, paper or electronic
- Firewall and MFA configuration screens confirming scope
Evidence is retained for the attestation cycle, at least one year. The program office wants operational artifacts you should already have if the controls are running, not a vendor-curated GRC export.
Key insight: evidence must mirror operations
Assessors expect artifacts consistent with how the business actually runs. A curated binder produced the week before assessment is a signal the controls are not operating. Screenshots, ticket history, and calendar entries from the normal course of work carry more weight than polished exports.
Mapping to what you already have
Microsoft 365 with Defender and Intune at Business Premium or higher covers MFA, conditional access, account lifecycle, device identification, endpoint malicious code protection, and update management. Most boundary control runs at the cloud edge. You still need policies and evidence.
An active SOC 2 Type II maps directly to account management, access enforcement, MFA, boundary protection, flaw remediation, and malicious code protection. The gaps are physical and media controls (SOC 2 treats these lightly for cloud-only environments) and the specific timeframes, which need to be evidenced as enforced. Our Canadian SOC 2 consulting practice spends most of the CPCSC mapping conversation here.
A valid CMMC certification may be accepted case-by-case after Canada confirms the assessment scope. Technical controls overlap because both descend from the same NIST source. See our CPCSC vs CMMC comparison for governance differences.
Key insight: CMMC reciprocity is case-by-case
The April 14 guide states Canada may accept a valid CMMC certification after confirming scope, with proof submitted to the cyber security program office. Treat it as a request, not automatic substitution, and confirm acceptance in writing before relying on it for a bid.
On-prem with limited cloud reliance is harder because there is no cloud dashboard to point to. The same evidence constraints we documented for SOC 2 on on-prem infrastructure apply.
Frequently Asked Questions
Do I need CPCSC Level 1 to bid on a defence contract?
Not to bid. From summer 2026, suppliers awarded contracts requiring Level 1 attest at contract award. Primes and DND will ask about readiness during bid evaluation, so be ready before bidding rather than scrambling between award and start of work.
How long does the CPCSC Level 1 self-assessment take?
Under an hour if policies and standards are in place and your team is familiar with them. The actual work happens in the months before, building controls and evidence that let you honestly answer Met. The hour itself is the reward, not the engagement.
Can a CMMC certification substitute for CPCSC Level 1?
Possibly. The April 14 guide states Canada may accept a valid CMMC certification case-by-case after confirming scope. Proof goes to the cyber security program office at the dedicated PWGSC mailbox. Treat it as a request, not automatic substitution, and confirm acceptance before relying on it for a bid.
What counts as a valid Level 1 scope?
A bounded enclave that contains all Specified Information and the systems supporting it. Even one shared mailbox can qualify. The risk with very narrow scope is validation: if the boundary is so small you cannot honestly test a requirement, the scope is too narrow. All 13 controls must be testable inside the boundary you draw.
What are the specific CPCSC Level 1 timeframes?
Account notifications within 24 hours, privileged inactivity logout within 24 hours, inactive accounts disabled after 90 days, patching within 30 days critical/high, 90 days moderate, 180 days low, weekly malicious code scans, and physical access list review at least every 12 months.
What happens if one sub-requirement is Not Met?
The question fails, and a single failed question forces the entire self-assessment to restart. Level 1 has no partial credit, no exception reports, and no plan of action and milestones. Every sub-requirement has to operate before you attest.
Further reading
- CPCSC compliance consulting: what a consultant actually does
- ITSP.10.171 explained: the standard behind CPCSC
- CPCSC vs CMMC: where the two programs diverge
- SOC 2 to CPCSC mapping guide
- CPCSC Level 1 Readiness Scorecard
The April 14 release made the requirements concrete. The work now is building an effective security program that produces evidence consistently, so the annual self-assessment is a recording exercise rather than a remediation project. We build that foundation first, then map CPCSC, SOC 2, ISO 27001, and ISO 42001 onto it. The binary scoring mechanic does not give room to learn on the job.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.