Canadian defence-adjacent suppliers keep running into the same pattern. A team clears CPCSC Level 1 in a few weeks, files a self-attestation in Canada Buys, and concludes CPCSC is manageable. Then a contracting authority signals that an upcoming bid will require Level 2, and the team plans a similar effort.
That mental model is the cost cliff. Level 1 and Level 2 are not the same exercise scaled up. They are categorically different programs sharing an acronym, and the jump gets steeper for organizations with on-premise infrastructure.
Key Insight
Level 1 and Level 2 are not the same exercise scaled up. They are categorically different programs, and the gap widens for suppliers running on-premise infrastructure.
Level 1 is a self-attested baseline: 13 controls drawn from six families of ITSP.10.171, assessed as Met or Not Met. Controls cover foundational hygiene: account management, MFA on remote and admin access, media sanitization, boundary protection, flaw remediation, malicious code protection. Evidence is straightforward: account lists, device inventories, training records, patching logs, MFA configuration, firewall settings. It needs to exist and match how the business operates. For an organization with a clean cloud-only footprint, mature M365 or Workspace tenancy, and an ESP enforcing MFA, Level 1 can be done in weeks. That is the data point that sets the wrong expectation for Level 2.
Public Level 2 documentation is still evolving. What is known: CPCSC aligns with the US CMMC framework, Canada and the US are using the same technical controls, and the Government of Canada may accept a valid CMMC certification on a case-by-case basis after confirming scope. Based on that alignment, Level 2 is expected to require third-party assessment rather than self-attestation, drawing from the full ITSP.10.171 control set (which mirrors the roughly 110 controls in NIST SP 800-171).
The shape of the work includes:
This is the difference between attesting that a few hygiene controls exist and demonstrating, to an outside party, that a full security program is operating.
| Dimension | Level 1 | Level 2 (expected, based on alignment with US CMMC L2) |
| --- | --- | --- |
| Attestation type | Annual self-attestation filed via Canada Buys | Third-party assessment expected |
| Control set | 13 controls from six ITSP.10.171 families | Full ITSP.10.171 control set, roughly 110 controls in NIST SP 800-171 |
| Evidence depth | Configuration and inventories matching how the business operates | Operating evidence across monitoring, vulnerability management, IR, and training |
| Typical timeline | Weeks for a cloud-clean supplier | Expected to require 12 to 18 months of deliberate program build |
Cloud-heavy organizations inherit a meaningful share of Level 2-tier controls from the platform: identity, MFA, device posture, audit logging, encryption at rest, network segmentation, and configuration baselines. The supplier still owns configuration, access reviews, and evidence, but the underlying technical control is platform-provided. On-prem shifts the work back onto the team:
None of this is exotic. The difference under Level 2 is that each piece has to be documented, evidenced, and operating consistently enough to survive external review. The same dynamic shows up in SOC 2 environments with on-premise infrastructure: cloud-native peers compress the work and on-prem operators carry it themselves.
Warning: The On-Prem Cost Cliff
Cloud-heavy suppliers inherit a meaningful share of Level 2-tier controls from the platform. On-prem operators inherit none of it. Every control layer (identity, logging, boundary, configuration, physical access, backup, incident response) has to be built, evidenced, and operated by the internal team.
Honest Level 2 cost ranges will look unhelpfully wide until the public CPCSC pricing landscape settles. Any number quoted today is more guess than estimate. The variables that move cost up or down can still be discussed, and the same ones driving CMMC Level 2 cost in the US will drive CPCSC Level 2 cost in Canada, because the underlying control work is the same.
Two suppliers in the same industry can land in very different places depending on how these stack up. Map them for a specific environment before treating any external estimate as load-bearing.
Seven Cost Levers to Map First
Scope size, hosting model, site count, tooling maturity, gap depth, audit prep effort, and assessor fees. Any Level 2 cost range pulled from the market without mapping these to a specific environment is noise.
Updated April 14, 2026 — Final CPCSC Level 1 Requirements
The highest Level 2 costs follow a pattern: a contract surfaces with a Level 2 requirement, the timeline is tight, and the program starts from a standing position with the bid clock running. Assessor calendars tighten, experienced consultants get booked, and engineering contractors charge more for short-notice work. Internal teams burn out. The work itself takes shortcuts: documentation written to pass rather than support the program, tools deployed without being operationalized, evidence assembled rather than generated.
Suppliers who start twelve to eighteen months ahead of a credible Level 2 bid avoid almost all of this. The same controls cost less when built deliberately, and evidence is easier to produce when it is a byproduct of how the team already operates.
Warning: Reactive Prep Is the Most Expensive Prep
Starting Level 2 work after a bid surfaces compresses the timeline, tightens assessor calendars, and forces shortcuts that cost more than they save. A 12 to 18 month runway is the antidote, and it costs a fraction of a reactive build.
The trajectory that scales from Level 1 to Level 2 with the least friction is the one where the supplier builds an effective security program first, then maps frameworks onto it. Level 1 sits on that foundation easily. Level 2 sits on a more mature version. So do SOC 2, ISO 27001, and any future framework drawing from the same control families. Building only what each framework requires produces a stack of certifications glued together. It works for the audit. It does not scale, because every new requirement triggers another standalone project. This is the pattern that shows up across CPCSC engagements: suppliers who treat Level 1 as a foundation are most of the way to Level 2 by the time they need it. Suppliers who treat it as a paper exercise face the full cliff.
Public signals are still maturing. For any specific bid, ask the contracting authority early. A few practical moves:
Level 1 is a self-attested assessment against 13 controls from six families of ITSP.10.171, filed annually through Canada Buys. Level 2 is expected to require third-party assessment against the full ITSP.10.171 control set, based on alignment with the US CMMC Level 2 model, with more evidence depth and operational rigor around monitoring, vulnerability management, and incident response.
Ask the contracting authority for the specific opportunity. Level requirements are tied to the sensitivity classification of the work and the Specified Information involved. Level 1 covers a meaningful share of defence-adjacent contracts. Level 2 is expected to apply to higher-sensitivity work and to flow down through primes to subcontractors holding the same information.
Based on alignment with the US CMMC model, Level 2 is expected to require third-party assessment rather than self-attestation. Confirm the current requirement with the cyber security program office before planning around it.
The Government of Canada has signaled it may accept a valid CMMC certification on a case-by-case basis, after confirming the assessment covers the required scope. Recognition is not automatic. Suppliers holding CMMC certification should send proof to the cyber security program office and confirm scope coverage before relying on it for a Canadian bid.