CPCSC Readiness Consulting for Canadian Defence Suppliers

What CPCSC readiness actually involves for a Canadian defence supplier: the gap assessment, the controls, the System Security Plan, and how to choose a consultant.

By Ashu Arun Sethi

If you supply Canada's Department of National Defence, CPCSC is no longer optional. The Canadian Program for Cyber Security Certification is being written into defence contracts, and Level 1 became available to suppliers in April 2026, with requirements landing in select solicitations from summer 2026. Getting ready is its own project. Here's what a CPCSC readiness engagement actually involves, in plain terms, so you know what you're buying before you hire anyone.

What CPCSC readiness actually means

Readiness is the work of moving from where your security sits today to a state where you can attest or be assessed against the program with confidence. CPCSC is built on Canada's ITSP.10.171 guidance, which is the Canadian adaptation of NIST SP 800-171 and organizes security requirements into 17 families covering areas like access control, incident response, configuration management, and supply chain risk management.

For Level 1, that means honestly confirming you implement the 13 baseline requirements and self-attesting through the Canada Buys portal. For Level 2, it means implementing the full 98 requirements, documenting them, and passing an assessment by a certification body accredited by the Standards Council of Canada. Readiness is everything that has to be true before either of those steps.

What a readiness assessment covers

A proper readiness assessment starts by scoping which of your systems handle the specified information a contract is protecting, then measures your current controls against the level you need. The output should be a clear gap list, not a vague maturity score.

  • Scope: which systems, people, and data fall inside the assessment boundary
  • A control-by-control gap analysis against the 13 Level 1 or 98 Level 2 requirements
  • Evidence review: what you can actually prove versus what you currently assert
  • A prioritized remediation plan with effort and sequence, not just a list of failures

The gap between 'we have IT' and 'attestation-ready'

Most suppliers have real security in place. What they usually lack is the documentation and evidence that an attestation or assessment demands. The common shortfalls are a missing or incomplete System Security Plan, thin access control records, no formal configuration management process, and supply chain risk management that exists in practice but not on paper.

This matters because Level 1 self-attestation is a formal declaration with accountability attached, and Level 2 assessors work from evidence. 'We do that' is not the same as being able to show it.

What a readiness engagement should deliver

A good engagement hands you artifacts you can actually use, not just a list of findings. At minimum, expect these.

  • A System Security Plan that describes each control, how it is implemented, and who owns it
  • A remediation roadmap tied to your contract timeline
  • The evidence package your attestation or an assessor will need
  • For Level 2, a mock assessment so there are no surprises on the day

How to choose a CPCSC readiness partner

The program is new and the consulting market around it is filling up fast. A few questions separate genuine help from the checkbox shops.

  • Do they work from the actual ITSP.10.171 requirements, or a generic security checklist?
  • Can they produce a defensible System Security Plan, not just a gap spreadsheet?
  • Do they understand the difference between Level 1 self-attestation and Level 2 third-party assessment, and route you to the right one?
  • Will a senior person own the outcome, or do you get handed to a junior after the sales call?

Remember that a readiness consultant prepares you. They are not the accredited certification body that performs a Level 2 assessment. Those are separate roles by design, so be wary of anyone who blurs them.

How HuCortex runs CPCSC readiness

HuCortex runs readiness for Canadian defence suppliers as a structured engagement: a discovery call, a two-week gap assessment against the controls you need, hands-on implementation support, then attestation or assessment preparation. We focus on small and mid-sized suppliers, the part of the supply chain the program is most concerned about.

If you're not sure where you stand against CPCSC, book a 45-minute readiness call and we'll tell you honestly.
