How long does CPCSC Level 2 preparation take?

Most Canadian defence suppliers ask this question when they first hear about CPCSC Level 2: how long is this going to take? The honest answer is three to six months, depending on where you're starting from. Here's a realistic breakdown of the phases involved and what drives the timeline.

The factors that determine your timeline

• Current security posture: if you have existing security documentation and active policies, your starting point is much higher
• Organization size and complexity: a 20-person firm with a single office prepares faster than a 200-person firm with multiple locations and complex supply chain relationships
• Internal resource availability: preparation requires time from IT, operations, and leadership; competing priorities slow things down
• Existing documentation: if you have versions of the required policies and security plans that just need updating, that's faster than starting from scratch

Phase 1: gap assessment (2-4 weeks)

The first phase is understanding where you stand. A gap assessment maps your current controls against the 98 Level 2 requirements and produces a prioritized implementation plan: gaps ranked by effort and risk, with a realistic timeline for closing each one.

Many organizations try to skip this step and go straight to implementation. Without a clear gap assessment, you don't know the scope of the work, which means you'll either under-invest and fail the assessment, or over-invest on controls you already have.

At HuCortex, the gap assessment takes two weeks and produces a plan you can action immediately.

Phase 2: System Security Plan development (3-6 weeks)

The System Security Plan (SSP) is the most important document in your Level 2 package. It describes each of the 98 controls: what the control requires, how you have implemented it, who is responsible for it, and what evidence demonstrates compliance.

A well-written SSP takes three to six weeks to produce, because it requires input from multiple people across IT, operations, and management, and it needs to accurately reflect your actual implementation.

Phase 3: control implementation (6-12 weeks)

This is the largest phase for most organizations. Once you know your gaps (Phase 1) and have a documentation framework (Phase 2), you implement what's missing.

The timeline depends on the size of the gap identified in Phase 1. Organizations with a high baseline may spend six weeks on implementation. Those starting from scratch may spend three months.

• Setting up MFA and conditional access policies
• Creating and testing a formal incident response plan
• Documenting a configuration baseline for all systems
• Establishing a supply chain risk management process
• Setting up security logging and centralized monitoring
• Running staff security awareness training

Phase 4: mock assessment and remediation (2-4 weeks)

Before the formal third-party assessment, a mock assessment is strongly recommended. This surfaces documentation gaps that weren't visible in Phase 1: controls that are implemented but not properly documented, or policies that were written but never formally adopted.

Mock assessments typically identify several items that would have caused delays in the real assessment.

Phase 5: third-party assessment (scheduling-dependent)

The formal Level 2 assessment is conducted by an SCC-accredited certification body. Assessment scheduling depends on assessor availability, which is currently constrained in Canada.

Book your assessment slot before you start your preparation program, not after. Organizations that wait until they feel ready to schedule often find the next available slot is months out.

The realistic total

For a mid-sized defence supplier starting from a partial security baseline, expect four to six months of active work plus assessor scheduling lead time.

Given the spring 2027 Level 2 mandate, suppliers who have not started preparation by fall 2026 are at serious risk of missing the deadline.

HuCortex runs CPCSC Level 2 preparation programs for Canadian defence suppliers. If you want a realistic estimate of your timeline based on your specific posture, start with a 45-minute readiness call.