CPCSC Level 1 requires 13 security controls from ITSP.10.171 covering access control, authentication, media protection, physical security, network protection, and system integrity.
These controls represent fundamental cybersecurity hygiene that every organization handling Specified Information should maintain. Understanding these controls in business terms helps executives appreciate both the effort required and the value delivered.
Maintain a current list of all user accounts showing who can access what systems. Add accounts when people join, disable them immediately when they leave or change roles, avoid shared accounts, and review all accounts quarterly.
This control prevents unauthorized access through orphaned accounts or excessive permissions lingering after job changes. Implementation typically involves a spreadsheet or database tracking names, roles, access levels, and status changes, coordinated with HR onboarding and offboarding processes.
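As an added example (not from the page or from Plurilock), a short Python audit run over a constructed inventory of the kind this control describes: it flags accounts still active for departed staff, shared accounts, accounts overdue for the quarterly review, and admin rights held outside an admin role. The column names, the `ADMIN_ROLES` set and the sample rows are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory, modelled on the spreadsheet/database the control
# describes. hr_status is what the HR offboarding feed reports for the owner.
INVENTORY_CSV = """account,owner,role,access_level,account_type,status,last_reviewed,hr_status
jsmith,Jane Smith,engineer,user,individual,active,2024-02-10,employed
rlee,Ron Lee,analyst,user,individual,active,2023-09-01,terminated
ops-console,Operations Team,operations,admin,shared,active,2024-01-15,employed
mkhan,Maya Khan,finance,user,individual,active,2023-11-20,employed
tchan,Tom Chan,it_admin,admin,individual,disabled,2024-03-01,terminated
"""

REVIEW_INTERVAL = timedelta(days=90)   # "review all accounts quarterly"
ADMIN_ROLES = {"it_admin"}             # assumed: roles allowed to hold admin access


def audit_accounts(csv_text, today_iso):
    """Return findings per check; only active accounts are assessed."""
    today = date.fromisoformat(today_iso)
    findings = {"orphaned": [], "shared": [], "overdue_review": [], "excess_admin": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] != "active":
            continue                                # already disabled: nothing to flag
        acct = row["account"]
        if row["hr_status"] != "employed":
            findings["orphaned"].append(acct)       # person left, account still enabled
        if row["account_type"] == "shared":
            findings["shared"].append(acct)         # control says avoid shared accounts
        if today - date.fromisoformat(row["last_reviewed"]) > REVIEW_INTERVAL:
            findings["overdue_review"].append(acct) # missed the quarterly review
        if row["access_level"] == "admin" and row["role"] not in ADMIN_ROLES:
            findings["excess_admin"].append(acct)   # admin rights outside an admin role
    return findings


if __name__ == "__main__":
    for check, accounts in audit_accounts(INVENTORY_CSV, "2024-03-15").items():
        print(f"{check}: {accounts}")
```

Feeding it the real inventory export and the HR leaver list turns the quarterly review into a repeatable check rather than a manual read-through.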
Apply the principle of "least privilege" by granting the minimum access required for each person's job on a need-to-know basis. Avoid giving administrator rights broadly, review folder permissions regularly, and organize access by role groups rather than individuals.
This minimizes damage from compromised accounts or insider threats by limiting what any single user can access or damage.
Maintain a list of systems approved for handling Specified Information. Prohibit the use of personal email, personal cloud storage, or personal devices for government work.
Evaluate cloud vendors for security features including data location, foreign access, multifactor authentication, encryption, and VPN support. This prevents information leakage through unsecured consumer services and ensures all systems meet minimum security standards.
Train staff to recognize Specified Information and review all public-facing content (website updates, news releases, publications, social media) before publishing to prevent accidental disclosure. Periodically audit public content for inadvertent exposure.
This addresses the insider threat of well-meaning employees accidentally posting sensitive information without realizing the implications.
Require each user to have their own unique login credentials, not shared accounts. Enforce strong password policies and automatic screen locks after inactivity (15 minutes for laptops, 5 minutes for phones).
Password managers help users handle multiple complex passwords without resorting to unsafe practices like writing them down or reusing passwords.
Maintain an inventory of devices allowed on your network and use technical controls to block unauthorized devices from connecting via network, WiFi, or USB.
This prevents rogue devices, contractor laptops, or employees' personal devices from introducing malware or providing unauthorized access paths.
Implement MFA for privileged accounts and systems storing Specified Information. This adds a second verification factor beyond passwords—typically an authenticator app or SMS code—dramatically reducing risk from stolen or guessed passwords.
Include clear procedures for what to do if someone loses their authentication device.
Before disposing of any storage media (hard drives, USB keys, phones, printers with memory), securely wipe them using software that prevents data recovery, or physically destroy them.
Maintain logs documenting what was disposed, how it was sanitized, and when. This prevents data breaches from discarded equipment ending up in the wrong hands.
Track who has keys, badges, or codes to areas containing Specified Information. Remove access promptly when people leave or change roles. Set expiry dates for temporary access.
This creates accountability and prevents unauthorized physical access through old credentials.
Use locks, keycards, or biometric systems to control physical access. Maintain visitor logs, escort all visitors in sensitive areas, and store printed Specified Information in locked cabinets. Don't leave classified printouts unattended.
Physical security complements technical controls since having physical access to equipment can bypass many software protections.
Install firewalls to control traffic, block unnecessary inbound connections, and separate public-facing systems from internal ones handling Specified Information. Keep firewall settings current and document changes.
This creates network segmentation preventing attackers who breach public systems from easily reaching sensitive internal systems.
Install operating system, browser, and software updates promptly, especially critical security patches. Enable automatic updates where possible and maintain logs of major updates.
Vulnerabilities in outdated software are among the most common attack vectors, making timely patching critical.
Deploy reputable antivirus with automatic updates and real-time scanning. Respond promptly when threats are detected and document incidents.
Built-in tools like Microsoft Defender are acceptable; business solutions offer additional features. This provides baseline defense against malware, ransomware, and other malicious software.
These 13 controls work together as a system, not just a checklist. Access controls limit who can reach information, authentication verifies identity, logging creates accountability, physical protections address non-digital threats, network controls contain breaches, and regular updates close vulnerabilities.
Organizations implementing these controls thoroughly will find they've built a security foundation that protects against most common threats, not just satisfying contract requirements.
Additional information about meeting Level 1 certification requirements is available from official government sources.
Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists serving Canadian defense suppliers who bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.
As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.
Why we're the superior choice:
CPCSC-ready—with proven defense contractor experience guiding every step.