CPCSC Level 1 vs Level 2: what defence suppliers need to know

CPCSC Level 1 and Level 2 share the same framework but differ in scope, verification, and cost. Here's a plain-language comparison to help you understand what each level actually requires.

By Ashu Arun Sethi

CPCSC has three certification levels. For most Canadian defence suppliers, the decision comes down to Level 1 and Level 2. They share the same framework but differ significantly in scope, cost, and verification process. Here's what you need to know about each.

Level 1 in plain terms

Level 1 is the baseline. It covers 13 controls drawn from Canada's ITSP.10.171 guidance and represents the minimum cybersecurity posture the government expects of any defence supplier.

The 13 controls cover the basics: strong authentication, software patching, incident response, access control, and an inventory of what you own. For an organization that has done any deliberate security work, many of these are already in place.

Verification for Level 1 is self-assessment. You review the controls, confirm your implementation, and self-attest in Canada Buys before a contract award. There is no third-party audit. The attestation is your declaration that you meet the requirements, with legal accountability attached.

Level 1 has been live since April 2026 and is mandatory in select DND contracts from summer 2026.

Level 2 in plain terms

Level 2 is materially more demanding. It covers 98 controls and requires a third-party assessment by an SCC-accredited certification body.

The controls span access control, incident response, configuration management, risk assessment, supply chain risk management, system and communications protection, and more. You also need a System Security Plan: a formal document describing your controls, how they are implemented, and who owns them.

Once assessed and certified, your Level 2 certification is valid for three years. You submit an annual affirmation to confirm your posture has not changed materially.

Level 2 mandates begin rolling into DND contracts from spring 2027.

Which level do you need?

This depends on the contracts you hold or plan to pursue. The DND solicitation documents for a specific contract will state whether Level 1, Level 2, or Level 3 is required.

Level 1 applies to most suppliers providing goods and services under standard commercial terms. It is the floor, and from summer 2026, no covered contract can be awarded without it.

Level 2 applies to suppliers handling Controlled Unclassified Information or working on systems with a higher security classification. As the program matures, more contract categories will require Level 2.

The effort difference

Level 1 can typically be achieved by a small supplier in four to eight weeks with focused effort: reviewing the 13 controls, closing gaps, documenting the implementation, and completing the self-attestation in Canada Buys.

Level 2 preparation typically takes three to six months, depending on your starting posture. The 98 controls require significant documentation, including a complete System Security Plan. Third-party assessment adds scheduling time and cost. Suppliers aiming to be Level 2-ready by the spring 2027 mandate need to start the process in late 2026 at the latest.

The cost difference

Level 1 assessment costs are internal: staff time to review controls, close gaps, and document. There is no third-party assessment fee.

Level 2 involves third-party assessment fees from an SCC-accredited certification body. These vary by organization size and complexity. Add the internal cost of preparing your System Security Plan, closing gaps across the 98 controls, and participating in the assessment itself.

Where most suppliers start

Most suppliers assessed by HuCortex are partially compliant at Level 1 and have significant gaps at Level 2. The most common weak points are: no formal System Security Plan, insufficient access control documentation, incomplete supply chain risk management, and no formal configuration management process.

A gap assessment maps exactly where you are relative to the level you need and gives you a prioritized list of what to do first. HuCortex offers a two-week gap assessment for both Level 1 and Level 2 preparation.
