Level 1 cyber certification scoping guide
This guide helps organizations learn what parts of their work to check for basic cyber security under the Canadian Program for Cyber Security Certification (CPCSC) Level 1. It lists the assets, systems, computers, devices, people, and facilities to include in their assessment.
On this page
- Overview
- Scoping steps
- Mapping the scope to Level 1 requirements
- Document your scope boundaries
- People and content subject to scoping
- Categories of assets
- Use of external service providers
- Required documentation for Level 1
- More detail about devices, records, and systems
Overview
Deciding what’s in scope means figuring out what parts of your workplace need to be checked for cyber security. It involves identifying the specific set of organizational assets and activities that store, transmit, or process “specified information.”
Level 1 scoping helps you identify which of your systems and infrastructure must meet the cyber security requirements of an existing Government of Canada (GC) contract. You can also do scoping ahead of time to get ready to bid on a future contract or simply to increase the maturity of your cyber security posture.
We define specified information (SI) as any GC information that must be protected when handled, processed, or stored by a non-GC organization. SI is something we need to protect through cyber security controls.
More on specified information.
Use this guide with the CPCSC Level 1 Self-Assessment Guide and related ITSP.10.171 guidance.
Scoping is a business decision.
Organizations must identify all assets and environments that have SI. Our focus on cyber security makes this task an important part of your pre-contractual and ongoing contractual obligations. Scoping includes the people, places, and technology you use to meet CPCSC Level 1 requirements. This may be your whole organization (enterprise-wide) or a limited workspace like a local team (bounded enclave).
Consider which parts of your organization, including your systems, facilities, and staff, will need access to SI to support a GC contract. If they require access to SI in support of a GC contract, they should be in scope.
Scoping steps
Step 1: Identify the relevant specified information
Find the contract information that matters for this work (specified information). Write down what your organization will handle (use, save, or send). You can use your contract, security clauses, and any handling instructions to confirm what counts.
Step 2: Identify where the information lives and moves
Figure out where the information is handled in real life, where it is:
- received (comes in)
- created (made)
- edited (changed)
- stored (saved)
- printed (put on paper)
- emailed (shared)
- transferred (moved to another place or system)
- backed up (copied for recovery)
- destroyed or sanitized (deleted or wiped)
Step 3: Identify in-scope assets
Make a list of everything inside your proposed scope that uses, saves, or sends the information. This can include user devices, apps, servers, email tools, cloud services, storage locations, USB drives or other removable media, and paper files.
Step 4: Identify specialized and out-of-scope assets
List any specialized assets that might handle the information and need special attention. This can include assets that provide protection functions, such as antivirus software and firewalls, and equipment such as Internet of Things (IoT) devices.
Also list anything outside the boundary that does not use, save, or send the information (out of scope).
Step 5: Identify the surrounding environment
Identify what is around and connected to your scope:
- people (staff, admins, support)
- external service providers (ESPs)
- support work that keeps things running (operations)
- admin access paths (how admins log in and manage systems)
- remote access paths (how people connect from outside)
- sharing information with outside groups (external exchanges)
Step 6: Validate the boundary against the Level 1 requirements
Check that your scope is big enough to test all CPCSC Level 1 requirements that apply to you. If your boundary is so small that you cannot honestly check a requirement, your scope is likely too narrow.
Mapping the scope to Level 1 requirements
Use your scoping work and compare it with the Level 1 requirements below.
03.01.01 Account management
Your scope should list the systems and services that have accounts in the in-scope area. This includes regular user accounts, admin accounts, service accounts, shared accounts, and any outside (external) accounts.
03.01.02 Access enforcement
Your scope should show where access is allowed or blocked. For example: device sign-in, permissions on shared drives, cloud permissions, admin rights, and remote access.
03.01.20 Use of external systems
Your scope should list any outside systems used to view, use, save, or send the information. This can include bring-your-own devices (BYOD), home computers, personal phones, third-party tools, and subcontractor systems.
03.01.22 Publicly accessible content
Your scope should list any systems that the public can access and that could expose the information. It should also clearly separate public websites/content from the private systems where the information is handled.
03.05.01 User identification, authentication, and re-authentication
Your scope should list the systems that check who a user is when they sign in to the in-scope area.
03.05.02 Device identification and authentication
Your scope should list any systems or services that trust a device based on the device’s identity (for example, a computer name/certificate) or that require a device to prove who it is.
03.05.03 Multifactor authentication
Your scope should show where multi-factor authentication (MFA) is required. Pay special attention to remote access, cloud access, admin access, and email or collaboration tools.
03.08.03 Media sanitization
Your scope should list every type of media that could hold the information. This includes computers and servers, phones and tablets, USB drives and backups, printers/copiers that store data, and paper records where secure wiping or disposal is needed.
03.10.01 Physical access authorizations
Your scope should list the places where someone must be approved before they can enter. This can include offices, records storage areas, server rooms, equipment rooms, and (when it applies) home work spaces.
03.10.07 Physical access control
Your scope should explain how you control, track, or limit physical access to the in-scope area.
03.13.01 Boundary protection
Your scope should show the “edges” of the in-scope area—both outside edges and key inside separation points. This includes internet connections, firewalls, routers, VPNs, cloud boundaries, email paths, and remote admin paths.
03.14.01 Flaw remediation
Your scope should list the systems, apps, platforms, and services in scope that need updates and patching, or that might need fixes for known weaknesses.
03.14.02 Malicious code protection
Your scope should list where malware protection is used or required, such as on laptops and desktops, servers, email services, and other in-scope systems.
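As an added example (not tooling from the CPCSC guide), the following script applies the decisions from Steps 3 to 6 and the mapping above to a constructed asset inventory: an asset that handles SI cannot be excluded, an out-of-scope asset needs a documented rationale, in-scope remote access paths need MFA, and the boundary is flagged as too narrow when no in-scope asset exists that would let you assess a requirement. The asset records and the requirement-to-asset-kind mapping are illustrative assumptions, not part of the guide.

```python
# Added example (not the guide's own tooling): check a constructed asset
# inventory against the scoping rules of Steps 3 to 6 and the Level 1 mapping.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    kind: str             # endpoint, mobile, server, email, cloud, network, media, paper
    handles_si: bool      # uses, saves or sends specified information (SI)
    in_scope: bool
    rationale: str = ""   # why an asset is out of scope; required for exclusions
    remote_access: bool = False
    mfa: bool = False

# Requirements that can only be assessed if the scope holds assets of these kinds.
# Assumption: an illustrative mapping derived from the mapping section above.
REQUIREMENT_KINDS = {
    "03.08.03 Media sanitization": {"endpoint", "mobile", "media", "paper", "server"},
    "03.13.01 Boundary protection": {"network", "cloud", "email"},
    "03.14.02 Malicious code protection": {"endpoint", "server", "email"},
}

def validate_scope(assets):
    """Return (asset name, finding) pairs describing gaps in the scoping decision."""
    findings = []
    for a in assets:
        if a.handles_si and not a.in_scope:
            findings.append((a.name, "handles SI but excluded; SI access decides scope, not perceived importance"))
        elif not a.in_scope and not a.rationale.strip():
            findings.append((a.name, "out of scope with no documented rationale"))
        if a.in_scope and a.remote_access and not a.mfa:
            findings.append((a.name, "remote access path without MFA (03.05.03)"))
    present = {a.kind for a in assets if a.in_scope}
    for req, kinds in REQUIREMENT_KINDS.items():
        if not present & kinds:
            findings.append(("scope", f"no in-scope asset supports assessing {req}; boundary may be too narrow"))
    return findings

# Constructed sample inventory (hypothetical names, not real systems).
SAMPLE = [
    Asset("finance-laptop-01", "endpoint", True, True, remote_access=True, mfa=True),
    Asset("ceo-phone", "mobile", True, False, rationale="only used for email"),
    Asset("lobby-kiosk", "endpoint", False, False),
    Asset("vpn-gateway", "network", True, True, remote_access=True, mfa=False),
    Asset("project-files-share", "server", True, True),
]

if __name__ == "__main__":
    for name, finding in validate_scope(SAMPLE):
        print(f"{name}: {finding}")
```

Running it on the sample inventory reports the excluded phone, the kiosk without a rationale and the VPN gateway lacking MFA; an inventory holding only paper records would instead be flagged as too narrow to assess boundary protection and malicious code protection.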
Document your scope boundaries
Support your documentation with:
- a list of in-scope assets (systems, endpoint devices, and applications)
- diagrams showing how systems connect (logical boundaries) and where equipment is found (physical boundaries)
- reasons why some assets are out-of-scope
People and content subject to scoping
When you set your scope, look at your people, processes, technology, and building facilities from a cyber security perspective.
People
- Staff, contractors, or partners who use and have access to SI
- Managed Service Providers (MSPs) or third-party providers who configure or manage the computer systems in your scope
Identify the people who access, administer, support, secure, or otherwise interact with the in-scope environment.
This may include:
- employees
- contractors
- temporary staff
- administrators
- help desk and technical support staff
- managed service provider employees
Processes and activities
- Any task or work activity (for example, procurement, reporting, or communication) where you store, send, or protect SI
- Information includes SI content that is created, accessed, edited, generated by an automated system, or printed
- Stored content means stored information on a computer, electronic media, or paper records
- Information is transmitted when content moves from one computer asset to another electronically or is physically moved
Look at processes to answer questions like:
- Where is the information received?
- Where is it stored?
- Who handles it?
- How is it sent externally?
- How is access approved?
- How are systems patched, protected, and sanitized?
Consult people across your organization:
- include IT security and cyber security experts
- include those who protect information and systems
- involve business leaders who manage operations and investments
- make sure everyone affected by the work is part of the process
- treat scoping and cyber maturity as a shared effort
Technology
- Laptops, desktops, mobile devices where you view or store SI
- Local in-house or online cloud-based systems (such as file storage, communications tools)
- Security services (for example, firewalls, endpoint protection security software)
Facilities
- Physical locations where you store or access SI
- Places where you store or use SI, which can include offices, home-based work environments, and cloud data centres
This may include:
- offices and home-based work locations where SI is held
- server rooms
- filing cabinets or physical record storage
- off-site data storage centers
Categories of assets
In-scope assets are all methods that process, store, or transmit SI.
Examples may include:
- laptops and desktop computers
- mobile devices such as phones or tablets
- file shares, cloud storage, and collaboration platforms
- email systems used to send or receive information
- servers, virtual machines, and applications that host information
- backup media (USB sticks, hard drives) or backup repositories
- printers and scanners that can store information
Use of external service providers
Level 1 guidance says external service providers (ESPs) can be part of your scope. ESPs are defined as an outside company or person you use for IT or cyber security work, including the people, technology, or locations they use to deliver and manage those services.
You can use external service providers (ESPs), such as cloud email providers or managed service providers (MSPs), but you are still responsible for verifying that:
- ESPs operate within your agreed security scope and, if they do, that their security measures meet CPCSC Level 1 requirements
- the contract you have with your service provider meets your data location (residency) and privacy requirements, and that the provider enforces multifactor authentication (MFA) and secure sign-in rules
Examples may include:
- Microsoft 365 or other cloud collaboration services
- managed service providers
- managed security service providers
- cloud email or hosting providers
- outsourced backup or continuity services
- externally hosted identity or remote access services
Required documentation for Level 1
Some of you may be familiar with the US Cybersecurity Maturity Model Certification (CMMC) Level 1 scoping guidance and best practices. Please note there may be differences between other countries' requirements and what is expected under CPCSC. Specifically, when declaring your compliance with the CPCSC Level 1 requirements, you should be ready to share the following documents with CPCSC staff:
- a scoping rationale (an explanation of why each asset is in scope or not) describing asset inclusion/exclusion
- a simple network diagram that shows where systems are (physical) and how they connect (logical)
- a list of in-scope assets that includes devices and systems
- a list of out-of-scope and specialized assets, if you have any
- identified facilities (such as workplaces), physical storage and handling points
- proof of security tasks (for example: contracts, agreements, configurations and key security settings)
- a list of employees who access SI and their roles
- notes on external systems, remote access, and employees’ personal computers or phones used for work
More detail about devices, records, and systems
Employee home devices
If employees use their own devices to access SI, treat those devices as in scope, and where applicable require MFA and device security for remote access.
Work or personal mobile devices
Any mobile device is in scope if it can access SI, even if it’s only used for email.
Paper records, printers and scanners
Level 1 scoping treats paper documents as a type of storage; include them. If a machine can scan, store, and transmit SI, it can be in scope.
Excluding devices
You cannot exclude a device just because someone thinks it is ‘not important.’ Include or exclude devices based on whether they can access SI.
Processes
Processes may not define the scope boundaries by themselves but remain important to identify where SI is created, handled, shared, approved, patched, or accessed.
Subcontractor’s systems
Subcontractors are responsible for their own scoping exercise and are also expected to follow these scoping guidelines.
If you are a prime contractor, you should ensure that your subcontractors hold the appropriate certification, that if they store, use, or send the same SI as you do they apply the same rigorous scoping exercise, and that you document that they have done so.
If your subcontractors will not have access to SI, you should make sure you have evidence of that decision and document the rationale that confirms this.