Canadian defence-adjacent suppliers keep running into the same pattern. A team clears CPCSC Level 1 in a few weeks, files self-attestation in Canada Buys, and concludes CPCSC is manageable. Then a contracting authority signals an upcoming bid will require Level 2, and the team plans a similar effort.
That mental model is the cost cliff. Level 1 and Level 2 are not the same exercise scaled up. They are categorically different programs sharing an acronym, and the jump gets steeper for organizations with on-premise infrastructure.
Key Insight
Level 1 and Level 2 are not the same exercise scaled up. They are categorically different programs, and the gap widens for suppliers running on-premise infrastructure.
What Level 1 Actually Is
Level 1 is a self-attested baseline: 13 controls drawn from six families of ITSP.10.171, assessed as Met or Not Met. Controls cover foundational hygiene: account management, MFA on remote and admin access, media sanitization, boundary protection, flaw remediation, malicious code protection. Evidence is straightforward: account lists, device inventories, training records, patching logs, MFA configuration, firewall settings. That evidence needs to exist and match how the business operates. For an organization with a clean cloud-only footprint, a mature M365 or Workspace tenancy, and an ESP enforcing MFA, Level 1 can be done in weeks. That is the data point that sets the wrong expectation for Level 2.
What Changes at Level 2
Public Level 2 documentation is still evolving. What is known: CPCSC aligns with the US CMMC framework, Canada and the US are using the same technical controls, and the Government of Canada may accept a valid CMMC certification on a case-by-case basis after confirming scope. Based on that alignment, Level 2 is expected to require third-party assessment rather than self-attestation, drawing from the full ITSP.10.171 control set (which mirrors the roughly 110 controls in NIST SP 800-171).
The shape of the work includes:
- Third-party assessment against the full control set, with scope, System Security Plan, and evidence reviewed by an external assessor.
- Continuous monitoring: SIEM or equivalent log aggregation, vulnerability management with defined remediation windows, configuration baselines, and incident response that has been exercised, not just documented.
- Role-based security awareness training with evidence of completion across staff handling Specified Information.
- Expanded personnel, supply chain, risk management, and governance controls that Level 1 does not exercise in depth.
This is the difference between attesting that a few hygiene controls exist and demonstrating, to an outside party, that a full security program is operating.
| Dimension | Level 1 | Level 2 (expected, based on alignment with US CMMC L2) |
|---|---|---|
| Attestation type | Annual self-attestation filed via Canada Buys | Third-party assessment expected |
| Control set | 13 controls from six ITSP.10.171 families | Full ITSP.10.171 control set, roughly 110 controls in NIST SP 800-171 |
| Evidence depth | Configuration and inventories matching how the business operates | Operating evidence across monitoring, vulnerability management, IR, and training |
| Typical timeline | Weeks for a cloud-clean supplier | Expected to require 12 to 18 months of deliberate program build |
Why On-Prem Makes the Cliff Steeper
Cloud-heavy organizations inherit a meaningful share of Level 2-tier controls from the platform: identity, MFA, device posture, audit logging, encryption at rest, network segmentation, and configuration baselines. The supplier still owns configuration, access reviews, and evidence, but the underlying technical control is platform-provided. On-prem shifts the work back onto the team:
- Boundary protection: a firewall appliance configured, monitored, and reviewed.
- Audit logging: a SIEM or equivalent pipeline across endpoints, servers, network devices, and identity, with review on a defined cadence.
- Vulnerability management: scanning internal assets and patching within defined timeframes.
- Configuration management: hardening baselines and change control that produces evidence.
- Physical access: logged entry, visitor escort, secured server rooms, periodic access list reviews.
- Backup and recovery: tested restorations, not just a backup job.
- Incident response: a documented plan, exercised on a schedule, with after-action notes.
None of this is exotic. The difference under Level 2 is that each piece has to be documented, evidenced, and operating consistently enough to survive external review. The same dynamic shows up in SOC 2 environments with on-premise infrastructure: cloud-native peers compress the work and on-prem operators carry it themselves.
Warning: The On-Prem Cost Cliff
Cloud-heavy suppliers inherit a meaningful share of Level 2-tier controls from the platform. On-prem operators inherit none of it. Every control layer (identity, logging, boundary, configuration, physical access, backup, incident response) has to be built, evidenced, and operated by the internal team.
The Variables That Drive Cost
Honest Level 2 cost ranges will look unhelpfully wide until the public CPCSC pricing landscape settles. Any number quoted today is more guess than estimate. The variables that move cost up or down can still be discussed, and the same ones driving CMMC Level 2 cost in the US will drive CPCSC Level 2 cost in Canada, because the underlying control work is the same.
- Scope size and boundary clarity. A tight enclave around the team handling Specified Information is materially less work than an enterprise-wide scope. Scoping is the single biggest cost lever.
- Cloud, on-prem, or hybrid. Cloud platforms inherit controls. On-prem requires the supplier to operate every layer.
- Single-site versus multi-site. Each location adds physical access work, facility documentation, and assessment travel.
- Existing tooling maturity. A supplier already running a SIEM, vulnerability scanner, MDM, and identity platform starts closer to the line.
- Gap remediation depth. Closing gaps usually costs more than the assessment itself, especially when it requires new tooling or hiring.
- Audit preparation effort. Building the SSP, organizing evidence, and rehearsing the assessment are non-trivial. Internal teams underestimate this consistently.
- Assessor fees. Third-party assessment carries assessor cost, and capacity in a new certification market tends to be tight early on.
Two suppliers in the same industry can land in very different places depending on how these stack up. Map them for a specific environment before treating any external estimate as load-bearing.
Seven Cost Levers to Map First
Scope size, hosting model, site count, tooling maturity, gap depth, audit prep effort, and assessor fees. Any Level 2 cost range pulled from the market without mapping these to a specific environment is noise.
Updated April 14, 2026 — Final CPCSC Level 1 Requirements
Reactive Prep Is the Most Expensive Prep
The highest Level 2 costs follow a pattern: a contract surfaces with a Level 2 requirement, the timeline is tight, and the program starts from a standing position with the bid clock running. Assessor calendars tighten, experienced consultants get booked, and engineering contractors charge more for short-notice work. Internal teams burn out. The work itself takes shortcuts: documentation written to pass rather than support the program, tools deployed without being operationalized, evidence assembled rather than generated.
Suppliers who start twelve to eighteen months ahead of a credible Level 2 bid avoid almost all of this. The same controls cost less when built deliberately, and evidence is easier to produce when it is a byproduct of how the team already operates.
Warning: Reactive Prep Is the Most Expensive Prep
Starting Level 2 work after a bid surfaces compresses the timeline, tightens assessor calendars, and forces shortcuts that cost more than they save. A 12 to 18 month runway is the antidote, and it costs a fraction of a reactive build.
Build the Foundation, Then Layer the Framework
The trajectory that scales from Level 1 to Level 2 with the least friction is the one where the supplier builds an effective security program first, then maps frameworks onto it. Level 1 sits on that foundation easily. Level 2 sits on a more mature version. So do SOC 2, ISO 27001, and any future framework drawing from the same control families. Building only what each framework requires produces a stack of certifications glued together. It works for the audit. It does not scale, because every new requirement triggers another standalone project. This is the pattern that shows up across CPCSC engagements: suppliers who treat Level 1 as a foundation are most of the way to Level 2 by the time they need it. Suppliers who treat it as a paper exercise face the full cliff.
Knowing Which Level Future Contracts Will Require
Public signals are still maturing. For any specific bid, ask the contracting authority early. A few practical moves:
- Watch the risk classification of contracts in your pipeline. Higher-sensitivity work attracts higher certification requirements.
- Track how primes in your supply chain are positioning. If customers are pursuing Level 2, expect the requirement to flow down to subcontractors holding Specified Information.
- Engage the cyber security program office directly when the bid context is unclear.
- Build the foundation now, even if Level 1 is the immediate requirement. Doing Level 1 well in a way that supports a future Level 2 program costs little extra. Rebuilding later costs a lot.
Frequently Asked Questions
What is the difference between CPCSC Level 1 and Level 2?
Level 1 is a self-attested assessment against 13 controls from six families of ITSP.10.171, filed annually through Canada Buys. Level 2 is expected to require third-party assessment against the full ITSP.10.171 control set, based on alignment with the US CMMC Level 2 model, with more evidence depth and operational rigor around monitoring, vulnerability management, and incident response.
Does my organization need Level 2?
Ask the contracting authority for the specific opportunity. Level requirements are tied to the sensitivity classification of the work and the Specified Information involved. Level 1 covers a meaningful share of defence-adjacent contracts. Level 2 is expected to apply to higher-sensitivity work and to flow down through primes to subcontractors holding the same information.
Can I get Level 2 certified by self-assessment?
Based on alignment with the US CMMC model, Level 2 is expected to require third-party assessment rather than self-attestation. Confirm the current requirement with the cyber security program office before planning around it.
Does a US CMMC Level 2 certification count for CPCSC Level 2?
The Government of Canada has signaled it may accept a valid CMMC certification on a case-by-case basis, after confirming the assessment covers the required scope. Recognition is not automatic. Suppliers holding CMMC certification should send proof to the cyber security program office and confirm scope coverage before relying on it for a Canadian bid.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.