Level 2 expands from 13 to 98 controls, requires external certification, comprehensive documentation, and addresses all ITSP.10.171 security families.
CPCSC Level 2 represents a significant escalation in security requirements, expanding from Level 1's 13 controls to 98 controls drawn from the ITSP.10.171 standard.
Understanding these differences is essential for organizations planning to pursue higher-level defence contracts, as the jump from Level 1 to Level 2 involves substantially more technical implementation, documentation, external verification, and ongoing compliance effort.
The 13 Level 1 controls represent fundamental cyber hygiene covering basic account management, access controls, physical security, and protective technologies like multifactor authentication and antivirus.
They're designed to be achievable for small and medium businesses without large IT departments, focusing on practical, high-impact security measures.
The 98 Level 2 controls, in contrast, provide comprehensive coverage across all 17 security requirement families in ITSP.10.171, including detailed requirements for audit and accountability, configuration management, incident response, risk assessment, supply chain security, and numerous other domains not addressed at Level 1.
Think of Level 1 as securing the front door and windows of your house, while Level 2 means securing every door, window, ventilation opening, implementing a monitored alarm system, establishing security protocols for everyone who enters, and maintaining detailed logs of all activities.
Level 2 controls span the full range of security families, and you will need robust, evidenced implementations across each of them rather than in a handful of priority areas.
While Level 1 allows relatively informal documentation—simple policies stored in shared folders are acceptable—Level 2 requires comprehensive, formal documentation.
You'll need a System Security Plan (SSP) describing your security implementation comprehensively, detailed policies and procedures for each security domain, configuration management documentation showing baseline configurations and change control, risk assessment documentation identifying and analyzing security risks, incident response plans with detailed procedures and responsibilities, training program documentation with records of completion, audit and accountability procedures defining what's logged and how logs are reviewed, and supply chain risk management procedures for evaluating and monitoring vendors and subcontractors.
This documentation must be maintained under configuration control, regularly reviewed and updated, and made available to external assessors during certification audits.
Many Level 2 controls require sophisticated technical implementations beyond Level 1's scope.
Information flow enforcement means implementing network segmentation, encrypted tunnels, boundary protection devices, and data loss prevention technologies that control where specified information can transit.
System and communications protection includes boundary protection, transmission confidentiality, cryptographic key management, secure name/address resolution, and protection against denial of service attacks.
System and information integrity requires flaw remediation processes, malicious code protection, spam protection, software and firmware integrity verification, and security alert management.
Configuration management demands automated mechanisms for tracking changes, detecting unauthorized changes, and ensuring systems remain in compliance with baseline configurations.
These technical requirements often necessitate investment in security tools, network infrastructure, and specialized expertise that small organizations may not currently possess.
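To make the configuration management requirement above concrete, here is an added example (not from the original article, and not a CPCSC or ITSP.10.171 tool) of the simplest form of "detect unauthorized changes against an approved baseline": hash every file under a configuration tree, store the approved state as JSON, and report anything added, removed, modified, or re-permissioned. The file names and contents in the demo are constructed for illustration.

```python
"""Baseline-and-drift check for a configuration tree.

Added example, not from the article: approves a baseline of file digests
and permission bits, then reports drift from it.  Paths and demo content
are constructed for the example.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streamed in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its digest and mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": sha256_file(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the approved state; in practice this file lives under change control."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift: files added, removed, content changed, or permissions changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, perm_changed = [], []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            modified.append(rel)
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            perm_changed.append(rel)
    return {"added": added, "removed": removed,
            "modified": modified, "perm_changed": perm_changed}


def in_compliance(report: dict) -> bool:
    """True only when no category of drift was found."""
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: approve a baseline, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "ssh" / "sshd_config").write_text("PasswordAuthentication no\n")
        (root / "audit.rules").write_text("-w /etc/passwd -p wa -k identity\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(root / "hosts", 0o644)
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Unauthorized changes: weaken sshd, delete the audit rules, drop in a
        # cron job, and loosen permissions on a file whose content is unchanged.
        (root / "ssh" / "sshd_config").write_text("PasswordAuthentication yes\n")
        (root / "audit.rules").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "job").write_text("* * * * * root /tmp/x\n")
        os.chmod(root / "hosts", 0o666)

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("compliant:", in_compliance(report))
```

Scheduled runs of a check like this, with the baseline file itself under change control and the report fed to your logging and alerting pipeline, are the kind of "automated mechanism" an assessor will expect to see evidence of; a commercial file-integrity or configuration-compliance product does the same job at scale.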
Perhaps the most significant difference between Level 1 and Level 2 is the assessment methodology. Level 1 uses annual self-assessment where you attest to your own compliance using the online tool.
Level 2 requires a triennial assessment (every three years) by an accredited third-party certification body that will independently verify your implementation of all 98 controls through interviews, documentation review, technical testing, and observation.
These external assessors are accredited by the Standards Council of Canada and follow rigorous assessment procedures based on NIST SP 800-171A.
Between the triennial full assessments, you must complete annual affirmations confirming you've maintained compliance.
The external assessment process is similar to financial audits or ISO 27001 certification—assessors will challenge your claims, test your technical implementations, review evidence thoroughly, and issue a formal assessment report identifying any deficiencies that must be remediated before certification is granted.
The cost difference between Level 1 and Level 2 is substantial. Level 1 is free from a government fee perspective—you invest time in implementation and the annual self-assessment process, but there are no assessment fees.
Level 2 involves significant costs, including external assessor fees (typically ranging from tens of thousands to over $100,000 depending on organization size and complexity), remediation of gaps identified during the assessment, additional security tools and infrastructure needed to satisfy technical controls, personnel costs for implementation and ongoing compliance, documentation development and maintenance, and training programs for employees.
Organizations should budget 12-24 months and significant investment for achieving Level 2 certification if starting from Level 1 baseline.
The expansion from 13 to 98 controls reflects the government's risk-based approach to security requirements.
Level 1 is deemed sufficient for low-risk contracts involving basic administrative support, unclassified communications, limited network integration, and prototype discussions.
Level 2 applies when contracts involve controlled defence information, elevated system privileges, more complex cyber-sensitive work, or greater integration with government networks.
The additional 85 controls in Level 2 provide defense-in-depth appropriate for these higher-risk scenarios, addressing threat vectors and attack surfaces that are less critical in Level 1 contexts but become significant concerns when more sensitive information or capabilities are involved.
Successfully implementing Level 2 controls requires greater organizational security maturity than Level 1.
You need dedicated security personnel or managed security service providers, formal governance structures with clear roles and responsibilities, repeatable, documented processes for security operations, executive commitment to security investments and culture, integration of security into business processes rather than treating it as an IT afterthought, and sustained attention to compliance rather than one-time implementation.
Organizations considering Level 2 should assess their security maturity honestly and plan for cultural and organizational changes beyond just technical implementations.
Not every defence contractor needs or should pursue Level 2. If your contracts involve only low-risk scenarios suited to Level 1, the investment in Level 2 may not generate return.
However, if you aspire to pursue larger, more sensitive defence contracts, or if key customers have indicated future requirements will include Level 2, then proactive pursuit makes strategic sense despite the investment.
The decision should align with business development strategy, competitive positioning, and long-term revenue goals.
Some companies pursue Level 2 proactively as a competitive differentiator, while others wait until specific contract opportunities justify the investment. Either approach can be valid depending on your market, capabilities, and growth strategy.
Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists serving Canadian defense suppliers who bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.
As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.