
CPCSC Level 1 Is a Self-Assessment. That Doesn’t Make It Simple.

Thirteen requirements, an annual attestation, a checkbox in CanadaBuys. What could go wrong? More than most small defence suppliers are counting on.

There’s a version of the CPCSC Level 1 story that sounds almost reassuring. It’s a self-assessment. Thirteen security requirements. You check the boxes yourself, submit the attestation in CanadaBuys, and you’re done for another year. No third-party auditor. No site visit. No expensive external review.

Some organizations heard that and exhaled. They shouldn’t have.

What “Self-Assessment” Actually Means

A self-assessment doesn’t mean a reduced requirement. It means there’s no external party checking your work in real time. The 13 Level 1 requirements are drawn from ITSP.10.171, Canada’s adaptation of NIST SP 800-171 Revision 3, and fall across six control families: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Incident response, configuration management, logging, and governance are Level 2 territory, not Level 1.

Those 13 requirements map to approximately 71 assessment objectives. That’s not 13 checkboxes—it’s 71 specific conditions that should be true of your environment if you want to attest accurately. Attesting that you’ve implemented a control when you haven’t doesn’t reduce your risk. It creates different risk—risk that lives in your contractual obligations, your professional reputation, and your organization’s readiness for the Level 2 assessment that may follow.

The US experience under the regime that preceded CMMC offers an instructive parallel. Under DFARS 252.204-7012, contractors self-attested to NIST SP 800-171 implementation, and self-reported compliance scores were routinely inflated. The Department of Defense’s move to mandatory third-party assessments under CMMC was a direct response to the gap between what contractors claimed and what was actually in place. Canada built CPCSC with that lesson explicitly in mind: the mandatory third-party assessment at Level 2 exists because self-reporting without validation produces unreliable results.

Most available guidance, compliance toolkits, and consulting playbooks for NIST 800-171-style compliance are for Revision 2. CPCSC aligns with ITSP.10.171, which tracks NIST 800-171 Revision 3. (Image © Frank H. / Adobe Stock)

The Rev 3 Problem Most Organizations Haven’t Noticed

There’s a related issue catching organizations off guard: the vast majority of publicly available guidance, compliance toolkits, and consulting playbooks for NIST 800-171-style compliance were written against Revision 2. CPCSC aligns with ITSP.10.171, which tracks NIST 800-171 Revision 3.

Revision 3 is not a minor update. It restructures how requirements are organized, introduces organization-defined parameters that you have to set and justify rather than inherit, adds a supply chain risk management family, tightens configuration management, and changes the assessment language in ways that affect what counts as sufficient evidence. An organization that has assessed itself against Rev 2 guidance is probably reasonably prepared on most fronts, but Rev 3 adds requirements that weren’t in Rev 2, and those gaps tend to stay invisible until a structured review or a future third-party assessor surfaces them.

The practical risk at Level 1 isn’t immediate exposure. There’s no third-party assessor at the door. The risk is more insidious: you build a compliance posture on an imprecise foundation, carry it forward into a Level 2 assessment, and discover the gaps at the worst possible moment—during a mandatory third-party certification review for a significant contract.

What 15% Should Tell You

Only about 15% of organizations pass NIST 800-171 assessments on their first attempt. That figure reflects what happens when organizations that believe they’re ready encounter the scrutiny of a structured review. Most had good intentions. Many had done real preparation work. The gap between “we think we have this” and “the controls are actually in place and evidenced” consistently turns out to be wider than expected—wider than most organizations realize until the assessment is already underway.

Level 1 is simpler than what Level 2 certification demands. But the same pattern applies to self-assessments: organizations tend to overestimate their readiness, and the Level 1 self-attestation has a structural quirk that makes this worse. The entity doing the assessing is the same entity being assessed. There’s no external voice asking the uncomfortable follow-up questions, no assessor pushing back on “we have a policy for that” with “can I see evidence of how it operates?”

Organizations tend to overestimate their readiness, and the Level 1 self-attestation has a structural quirk that makes this worse: the entity doing the assessing is the same entity being assessed. (Image © Miljan Živković / Adobe Stock)

What Confidence in Your Attestation Actually Requires

The right goal isn’t to complete the attestation. It’s to be confident the attestation is accurate. That requires a few things that are less obvious than they sound:

  • A documented inventory of what you’re protecting. Level 1 applies when what CPCSC calls specified information is in scope. Do you have a clear, defensible picture of where that information lives, which systems and people can reach it, and how it flows through your processes and to any third parties? Without that inventory you can’t know whether controls are applied to the right assets in the first place, and an attestation that covers the wrong scope is inaccurate no matter how well the controls themselves work.
  • Evidence that controls are operating, not just implemented. Saying you have access control is different from having logs, configuration records, and documented processes that demonstrate it’s working. A structured readiness review examines the evidence, not just the intention—and finds the difference between the two.
  • Gap visibility before you attest. If a control hasn’t been implemented, or can’t be evidenced, you need to know before you submit. The appropriate response to a gap is to close it, document the closure, or include it in a Plan of Action and Milestones. Attesting over a gap isn’t a strategy—it’s a liability that compounds as your compliance posture moves toward Level 2.

The organizations that complete Level 1 attestations with real confidence are the ones that ran through the requirements honestly beforehand—not with the goal of passing a test, but with the goal of understanding where they actually stand. A structured readiness assessment before the attestation is exactly how you get there. It closes gaps before they become problems, produces the documentation you’ll need when Level 2 arrives, and turns the self-attestation from an exercise in hope into something you can stand behind. ■

Key Takeaways

  • CPCSC Level 1 is a self-assessment, but “self-assessment” means no external party checking your work—not a reduced requirement: the 13 requirements map to approximately 71 specific assessment objectives that must be true of your actual environment
  • Most available compliance guides and toolkits were built against NIST 800-171 Revision 2; CPCSC aligns with ITSP.10.171 and Revision 3—organizations relying on Rev 2 guidance may have invisible gaps that only surface under structured review
  • Only about 15% of organizations pass NIST 800-171 assessments on their first attempt, reflecting a consistent and significant gap between perceived readiness and evidenced readiness
  • The self-attestation risk at Level 1 isn’t immediate regulatory exposure—it’s carrying an imprecise compliance posture forward into Level 2, where a mandatory third-party assessment will find what internal review missed
  • A structured readiness assessment before attestation—covering gap analysis, evidence review, and a prioritized remediation roadmap—is how you attest with confidence rather than optimism

Ready to know where you actually stand before you attest? Plurilock’s CPCSC Compliance Readiness Assessment is built for exactly this moment: gap analysis against CPCSC Level 1 and Level 2 controls, a prioritized remediation roadmap, System Security Plan review or development, and documentation that supports a defensible attestation. Contact us before your next contract award.
