How to meet Level 1 cyber security certification requirements
This page guides suppliers with federal contracts who need to meet cybersecurity certification requirements.
Overview
In 2025 Canada introduced the Canadian industrial security standard, which describes security requirements for suppliers that bid or work on Government of Canada defence contracts. These requirements help to protect networks, systems and applications from malicious cyber activity, by enabling Canadian suppliers to better identify, assess, and manage cyber risks. This strengthens the resilience of our supply chain.
Beginning in summer 2026, suppliers bidding on defence contracts may need to obtain Level 1 certification under the Canadian Program for Cyber Security Certification (CPCSC). CPCSC Level 1 sets a basic, reasonable level of “cyber hygiene” for suppliers that handle certain types of sensitive, unclassified information on behalf of the Government of Canada.
Level 1 self-assessment will be required at contract award, and not during the bidding process.
You may meet the requirements by:
- completing an annual cyber security self-assessment
- having an existing valid Cybersecurity Maturity Model Certification (CMMC)
The Level 1 self-assessment confirms the implementation status of 13 security requirements and controls found in the Canadian Centre for Cyber Security’s publication Protecting specified information in non-Government of Canada systems and organizations (ITSP.10.171).
Suppliers can attest that they meet the 13 controls without using the online self-assessment tool; however, the tool provides important guidance and information, and its use is encouraged.
Going forward, defence contracts, and other sensitive contracts outside defence, will need to be certified under the CPCSC ITSP.10.171 standard, based on their risk level. Suppliers are therefore encouraged to proactively pursue Level 1 certification requirements.
What kind of information the Canadian Program for Cyber Security Certification protects
Canada’s defence industry faces ongoing cyber threats targeting contractors and subcontractors, putting certain federal defence information at risk and creating potential impacts across the supply chain. The CPCSC identifies mandatory cyber security requirements for industry in defence contracting.
The CPCSC protects federal Specified Information (SI) on suppliers’ networks, systems and applications.
SI is sensitive, non-classified, government information that must be protected when handled, processed, or stored by non-Government of Canada organizations.
A Government of Canada authority identifies and qualifies in a contract which information requires safeguarding. How this information is shared and protected is set out by the Treasury Board of Canada Secretariat in its security and privacy policies.
SI may include:
- unclassified information with contract details not intended for public release, between the contractor and Department of National Defence
- controlled goods information
- protected information
You can learn more about protecting specified information in non-Government of Canada systems and organizations by reading the Canadian Industrial Security Standard.
Recognition of Cybersecurity Maturity Model Certification
The CPCSC aligns with the United States (U.S.) Cybersecurity Maturity Model Certification (CMMC) requirements, but does not duplicate the U.S. certification system. Both countries use the same technical controls, so suppliers don’t need to meet two separate standards.
The Government of Canada may accept a contractor’s valid CMMC certification on a case‑by‑case basis, after confirming that the assessment covers the required scope. Canada also reserves the right to verify compliance with specific CMMC controls, when necessary. Any verification would be carried out by the contract technical authority.
Proof of CMMC certification can be sent to tpsgc.pacertcybersecur-apcybersecurcert.pwgsc@tpsgc-pwgsc.gc.ca for verification and assessment.
Get ready to complete your Level 1 self-assessment
Gather information about what security features are in scope, what computer assets you have, what information you have that may need to be protected, and what you currently do to protect your organization.
Make a list of:
- where Government of Canada information is stored
- which systems, devices, and people access it
- which cloud services and tools handle it
You don’t need a formal security program for Level 1. You should know where SI content exists in your computer systems to apply the controls effectively.
Organizations seeking Level 1 certification should ensure that they have an active CanadaBuys account if they intend to participate in procurements or hold contracts that require CPCSC Level 1. They are responsible for retaining the results of their CPCSC self-assessment, whether it was completed using the online tool or by another means.
Make a few internal rules for your organization
Level 1 is flexible. Use short, written rules such as:
- password control rules
- what systems, tools, and devices people in your organization can use for work
- how user access is granted
- how employee devices are integrated and approved
- how old media, devices, and content files are destroyed
Policies should be communicated to all employees and be part of the core documents for human resource (HR) and information technology (IT) staff. The policy should be a few pages long and stored in a shared folder or posted in your corporate intranet where you have other important policy documents.
Complete the self-assessment online
The annual self-assessment can be completed using the Canadian Centre for Cyber Security’s self-assessment tool. If you have already familiarized yourself with the standards and reviewed your business’ policies, the assessment can be completed in less than an hour.
If you need to implement one or more of the controls, you may need to save your self-assessment and return to it later.
Once you have completed the self-assessment:
- you will be presented with the results page with an expiry date, and asked to print or save the page for future reference
- you must record proof of self-attestation and the expiry date in your CanadaBuys profile, and provide them when you submit a bid
Confirming the self-assessment results and expiration date in CanadaBuys (organizational supplier profile questionnaire) is required if the organization is bidding on, and/or working under, a defence contract that requires a CPCSC Level 1 certification.
Practical steps for meeting each control’s requirements
The guidance explains how suppliers can implement each control using practical, low-cost steps. It is designed for organizations of all sizes, including small and medium sized businesses.
There are 13 controls in Level 1, grouped into 6 general cyber hygiene best practices, that help you manage and keep your information safe.
Here is the full Canadian Program for Cyber Security Certification: Level 1 criteria
The general best practices are:
Access control: Managing who can access computer systems
Control 1: Manage user accounts
What to do:
- keep a list of all user accounts and what they can access
- add new accounts when people join; disable them when they leave or change roles
- avoid using generic or shared accounts wherever possible
- set calendar reminders to review all accounts, at least quarterly
How to do it:
- use a spreadsheet with the fields:
  - name
  - role
  - system access
  - account created date
  - employee status
  - account modified date
  - account deleted date
- ask HR to notify IT when employee roles change and update their access if needed
- disable user accounts soon after an employee departs as a core part of the offboarding process
- temporarily disable user accounts for employees on extended leave if they shouldn’t be accessing your system when they are off
Control 2: Give people only the access they need
What to do:
- assign the minimum access required to perform a job on a ‘need to know’ basis
- avoid giving “administrator” rights to those who don’t absolutely need it
- review folder permissions and shared drives regularly
How to do it:
- in your network management tools create basic access groups for types of user teams, such as exec, finance, sales, project staff, HR, IT, administrator
- grant access and permissions by group, not by individual user
- review access when people switch teams
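The account list in Control 1 and the group-based access in Control 2 can be checked mechanically once they are kept as a spreadsheet. The following Python script is an added example and is not part of the CPCSC guidance or its self-assessment tool. It reads a constructed inventory that uses the Control 1 spreadsheet fields plus an assumed last_reviewed column, treats the team groups named in Control 2 as the only approved access groups, and assumes both a set of roles allowed to hold administrator rights and a "shared-" naming convention for generic accounts. It flags accounts still enabled after departure or leave, shared accounts, administrator rights outside administrative roles, direct per-user grants, and overdue quarterly reviews.

```python
import csv
import io
from datetime import date, timedelta

# Access groups from Control 2 (exec, finance, sales, project staff, HR, IT,
# administrator). Anything in system_access outside this set is treated as a
# direct per-user grant that should be moved into a group.
ACCESS_GROUPS = {"exec", "finance", "sales", "project", "hr", "it", "administrator"}

# Roles permitted to hold the administrator group: an assumption for this
# example, not a requirement stated in the CPCSC guidance.
ADMIN_ROLES = {"it manager", "systems administrator"}

REVIEW_INTERVAL = timedelta(days=90)  # "review all accounts, at least quarterly"

# Constructed sample inventory using the spreadsheet fields from Control 1.
# The last_reviewed column is an assumption added so the quarterly review can
# be checked; system_access lists groups separated by ';'.
SAMPLE_INVENTORY = """\
name,role,system_access,account_created,employee_status,account_modified,account_deleted,last_reviewed
Alice Tremblay,finance clerk,finance,2023-02-01,active,2025-09-10,,2025-09-10
Bob Singh,project engineer,project;administrator,2022-06-15,active,2025-01-04,,2025-01-04
Carol Ng,sales lead,sales,2021-11-20,departed,2025-08-01,,2025-06-30
Dan Roy,systems administrator,it;administrator,2020-03-03,active,2025-11-02,,2025-11-02
shared-reception,,exec;finance,2019-01-10,active,2024-12-12,,2025-10-01
Eve Lalonde,hr advisor,hr;payroll-share,2024-05-05,on leave,2025-10-15,,2025-10-15
Frank Cho,project engineer,project,2023-08-08,departed,2025-07-01,2025-07-01,2025-07-01
"""


def parse_date(text):
    """Return a date for an ISO string, or None for an empty cell."""
    return date.fromisoformat(text.strip()) if text.strip() else None


def review_accounts(csv_text, today):
    """Return a list of (account name, finding) pairs for the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip()
        if parse_date(row["account_deleted"]) is not None:
            continue  # already removed; kept in the list as a record only
        role = row["role"].strip().lower()
        status = row["employee_status"].strip().lower()
        grants = {g.strip().lower() for g in row["system_access"].split(";") if g.strip()}

        # Control 1: disable accounts on departure or extended leave
        if status in {"departed", "on leave"}:
            findings.append((name, f"account still enabled while employee status is '{status}'"))
        # Control 1: avoid generic or shared accounts
        # (assumed convention: name starts with 'shared-' or has no named role)
        if name.lower().startswith("shared-") or not role:
            findings.append((name, "generic or shared account; assign to a named person or remove"))
        # Control 2: administrator rights only where the role requires them
        if "administrator" in grants and role not in ADMIN_ROLES:
            findings.append((name, "administrator rights held by a non-administrative role"))
        # Control 2: grant by group, not by individual user
        direct = sorted(grants - ACCESS_GROUPS)
        if direct:
            findings.append((name, "direct per-user grants outside access groups: " + ", ".join(direct)))
        # Control 1: quarterly review of every account
        last = parse_date(row["last_reviewed"])
        if last is None or today - last > REVIEW_INTERVAL:
            findings.append((name, "quarterly access review overdue"))
    return findings


def review_sample(today_text="2025-11-15"):
    """Run the review over the constructed inventory as of the given date."""
    return review_accounts(SAMPLE_INVENTORY, parse_date(today_text))


if __name__ == "__main__":
    for account, finding in review_sample():
        print(f"{account}: {finding}")
```

Run it on a quarterly reminder and keep the output with the account list; the findings list is the access review note that the "Evidence suppliers must keep" section asks for. Deleted accounts are skipped deliberately so that they stay in the list as a record without generating noise.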
Control 3: Use only approved systems and devices
What to do:
- make a list of systems that are approved for handling specified information (SI) content
- don’t allow employees to use personal emails, personal cloud storage, and personal devices for government work
- get basic security information from cloud vendors including learning where their data is stored and which foreign countries have access to it
Ask vendors about multifactor authentication, end to end encryption, use of virtual private networks (VPNs), and any other security packages they offer.
How to do it:
- maintain a one-page “approved systems list”
- train staff during onboarding about what tools they may or may not use for work
- review new tools before adopting them in your organization
Control 4: Prevent sensitive information from being shared publicly
What to do:
- make sure staff know what SI looks like
- review your organization’s website updates, news releases, sales literature, bulk email publications and social media posts before publishing anything
- periodically check public content for accidental disclosures
How to do it:
- use a checklist: “Does this publication contain SI, client names, or confidential technical details?”
- assign one person to review all external communications
- have a document training session with employees
Identification and authentication: Verifying who uses your systems
Control 5: Use individual accounts and strong passwords
What to do:
- each user must have their own private, unique login credential
- require strong passwords
- lock systems after a period of inactivity
How to do it:
- enable automatic screen lock after 15 minutes on laptops and after 5 minutes on company phones
- use password managers when there are too many for staff to easily manage
- train new staff on good password habits
Control 6: Approve devices before they connect
What to do:
- keep a list of devices allowed on your network
- block unauthorized devices from connecting to systems
How to do it:
- use software to lock out all unapproved devices from connecting to your network, your corporate Wireless Fidelity (WiFi), or connecting to a laptop via Universal Serial Bus (USB)
- keep an inventory of all corporate laptops, mobile units, and external drives using asset numbers
- maintain a device list with: owner, employee user name, type, model, approval date
- set your WiFi firewall to restrict non-approved access
Control 7: Enable Multifactor Authentication
What to do:
- for Level 1, multifactor authentication (MFA) is required for privileged accounts and for systems that store SI
How to do it:
- install an authenticator app (preferred) or short message service (SMS) based code generator
- train staff on how MFA works
- establish a clear recovery process outlining what to do if someone loses a work device
Media Protection: Erasing and destroying decommissioned computer storage
Control 8: Wipe or destroy old devices
What to do:
- ensure computer storage drives, printers, USB keys, mobile devices, and any electronic storage capable media are wiped before disposal
- destroy media if it cannot be securely erased beyond recovery
How to do it:
- use wiping software that prevents data recovery by reformatting and overwriting entire drives multiple times using secure algorithms
- physically destroy USB keys using shredders or certified services
- physically destroy low-value mobile devices and hard drives that contained SI rather than selling them or donating them for secondary use
- create a log of your discarded inventory noting what was disposed, how it was wiped or destroyed, where it was sent after disposal, and when it was decommissioned
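The device inventory from Control 6 and the disposal log from Control 8 describe the same equipment at different points in its life, so the two records can be reconciled against each other. The following Python script is an added example and is not part of the CPCSC guidance. It reads a constructed inventory using the Control 6 fields (owner, employee user name, type, model, approval date, asset number) with an assumed status column, and a constructed disposal log using the Control 8 fields (what was disposed, how it was wiped or destroyed, where it was sent, when it was decommissioned) with an assumed held_si column. It flags devices in use without an approval date, disposals that were never logged, incomplete log entries, USB keys that were wiped rather than destroyed, and low-value media that held SI but was sold or donated.

```python
import csv
import io

# Constructed sample device inventory using the Control 6 fields (owner,
# employee user name, type, model, approval date) plus the asset number from the
# inventory step. The status column is an assumption added for this example.
DEVICE_INVENTORY = """\
asset_number,owner,user_name,type,model,approval_date,status
A-1001,Alice Tremblay,atremblay,laptop,ThinkPad T14,2024-01-15,in use
A-1002,Bob Singh,bsingh,laptop,ThinkPad T14,,in use
A-1003,Carol Ng,cng,mobile,Pixel 7,2023-05-02,disposed
A-1004,Dan Roy,droy,usb key,Kingston 32GB,2024-03-30,disposed
A-1005,Eve Lalonde,elalonde,external drive,WD 2TB,2023-09-09,disposed
A-1006,Frank Cho,fcho,laptop,MacBook Air,2024-07-01,disposed
"""

# Constructed disposal log using the Control 8 fields (what was disposed, how it
# was wiped or destroyed, where it was sent, when it was decommissioned). The
# held_si column is an assumption added for this example.
DISPOSAL_LOG = """\
asset_number,disposed_item,method,sent_to,decommissioned_on,held_si
A-1003,Pixel 7 mobile,factory reset,donated to community centre,2025-06-12,yes
A-1004,Kingston 32GB USB key,wiped with overwrite tool,office recycling bin,2025-06-12,yes
A-1006,MacBook Air laptop,full-disk overwrite (3 passes),certified recycler,2025-08-20,yes
"""

DESTROYED = "physically destroyed"          # expected method for USB keys
SECONDARY_USE = ("sold", "donated")         # destinations that mean reuse
LOW_VALUE_TYPES = {"mobile", "external drive", "hard drive"}
REQUIRED_LOG_FIELDS = ("method", "sent_to", "decommissioned_on")


def load_by_asset(csv_text):
    """Parse a CSV block into {asset_number: row}."""
    return {row["asset_number"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def check_device_records(inventory_text, disposal_text):
    """Return (asset_number, finding) pairs for the inventory and disposal log."""
    inventory = load_by_asset(inventory_text)
    disposals = load_by_asset(disposal_text)
    findings = []

    for asset, dev in inventory.items():
        status = dev["status"].strip().lower()
        # Control 6: only approved devices may connect
        if status == "in use" and not dev["approval_date"].strip():
            findings.append((asset, "in use without an approval date; block until approved"))
        # Control 8: every disposal must appear in the log
        if status == "disposed" and asset not in disposals:
            findings.append((asset, "marked disposed but missing from the disposal log"))

    for asset, entry in disposals.items():
        dev = inventory.get(asset)
        if dev is None:
            findings.append((asset, "disposal log entry for a device not in the inventory"))
            continue
        missing = [f for f in REQUIRED_LOG_FIELDS if not entry[f].strip()]
        if missing:
            findings.append((asset, "disposal log entry incomplete: " + ", ".join(missing)))
        dev_type = dev["type"].strip().lower()
        method = entry["method"].strip().lower()
        sent_to = entry["sent_to"].strip().lower()
        held_si = entry["held_si"].strip().lower() == "yes"
        # Control 8: USB keys are physically destroyed, not just wiped
        if dev_type == "usb key" and method != DESTROYED:
            findings.append((asset, "USB key not physically destroyed (method: " + method + ")"))
        # Control 8: low-value media that held SI is destroyed, not sold or donated
        if held_si and dev_type in LOW_VALUE_TYPES and any(w in sent_to for w in SECONDARY_USE):
            findings.append((asset, "media that held SI was sold or donated; destroy instead"))
    return findings


def check_sample():
    """Run the reconciliation over the constructed records."""
    return check_device_records(DEVICE_INVENTORY, DISPOSAL_LOG)


if __name__ == "__main__":
    for asset, finding in check_sample():
        print(f"{asset}: {finding}")
```

The asset number is the join key between the two records, which is why Control 6 asks for inventory by asset number; without it, a disposal cannot be tied back to the device that held SI.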
Physical protection: Protecting your onsite equipment and data
Control 9: Keep a list of who can access secure areas
What to do:
- track who has keys, badges, or codes to areas containing SI
- remove access when people leave or change roles
How to do it:
- use a spreadsheet to track who has access to what and the type of access
- set expiry dates for temporary access for guests, contractors, and term staff
- collect keys and badges promptly after the user no longer needs them
Control 10: Control physical entry
What to do:
- use locks, keycards, biometric systems, and physical security to control access
- sign in visitors and escort them everywhere there is SI
- store printed SI securely in locked cabinets and don’t allow recently printed files to sit unattended in a tray or on a desk
How to do it:
- keep visitor logs, either paper or electronic
- post reminders near doors warning employees not to let in people without access
- use locked cabinets or rooms to store SI
Systems and communications protection: Securing your networks
Control 11: Use basic network protections
What to do:
- install a router or firewall to control online traffic
- block unnecessary inbound connections
- separate public-facing computer systems from internal ones
How to do it:
- keep firewall settings updated
- review allowed and blocked traffic frequently
- document any changes you make to your network setup in a log
System and information integrity: Defending computer systems from cyber threats
Control 12: Apply security updates
What to do:
- install updates for operating systems, browsers, and software
- apply critical patches quickly, as soon as you are aware of them
- track what has been updated
How to do it:
- turn on automatic updates
- keep a log of major updates on key systems
- subscribe to vendor security advisories
Control 13: Use antivirus and anti‑malware software
What to do:
- install reputable antivirus software
- enable automatic updates and real‑time scanning
- respond to threats when they occur
How to do it:
- use built‑in tools such as Microsoft Defender, or business antivirus solutions
- schedule regular scans
- document incidents and how they were resolved
Evidence suppliers must keep
For Level 1, keep evidence for the duration of your attestation cycle, or at least one year. Here are some examples:
- account lists
- device lists
- access review notes
- copies of security policies
- security, IT, and information management training records
- logs of updates, patching, and sanitization
- visitor logs
- firewall settings or screenshots
- MFA configuration screens
Evidence of compliance does not need to be complex, but it must exist and be consistent with your business practices.
Available support documents
The CPCSC has a number of resources available for suppliers, including the CPCSC Level 1 Scoping Guide, which helps organizations understand and define what parts of their work need to be included in a self‑assessment under the program. Other documents are available on request. These include:
- CPCSC System Security Plans Guidelines
- CPCSC Supply Chain Implementation Guidance for Industry
- CPCSC Procedural Guidance - Protecting Specified Information in Non Federal Systems and Organizations.
To obtain any of these documents, please email the Government of Canada’s cyber security program office at tpsgc.pacertcybersecur-apcybersecurcert.pwgsc@tpsgc-pwgsc.gc.ca.