Contact us today. Phone: +1 888 776-9234. Email: sales@plurilock.com

What are the three CPCSC certification levels and how do they differ?


Answer

CPCSC has three progressive certification levels with 13, 98, and 200 controls respectively, designed for increasing risk scenarios.

CPCSC establishes three progressive certification levels, each designed for different risk scenarios with increasing security requirements. Understanding which level applies to your contracts is fundamental to planning your cybersecurity investments and compliance strategy.

Level 1 - Basic Cyber Hygiene (Available April 2026)

Level 1 became available on April 1, 2026, and began appearing in select defence contracts in summer 2026. This level requires an annual cybersecurity self-assessment confirming implementation of 13 security requirements and controls from the ITSP.10.171 standard.

It represents basic, reasonable "cyber hygiene" practices that any organization handling sensitive government information should maintain. The government provides an online self-assessment tool to help suppliers understand and document compliance.

Level 1 is designed for low-risk situations such as the following:

  • Administrative or business support contracts
  • Unclassified non-technical communications
  • Basic IT services without sensitive data
  • Suppliers with limited network integration
  • Prototype discussions without detailed technical specifications

Level 2 - Moderate Security (Starting Spring 2027)

Level 2 requires significantly more rigor, consisting of 98 security controls that must be verified through external assessment every three years by an accredited certification body, plus annual affirmation of continued compliance between full assessments.

These assessments are conducted by organizations accredited through the Standards Council of Canada (SCC), Canada's official accreditation body. Level 2 applies when contracts involve handling controlled defence information or more complex cyber-sensitive work where the risk of compromise is higher.

This level addresses scenarios like the following:

  • Work involving specific defence technologies
  • Elevated system privileges
  • Integration with more sensitive government networks

Level 3 - High Security (Future Implementation)

Level 3 is reserved for the highest risk scenarios and requires 200 security controls with triannual assessments conducted directly by Government of Canada authorities rather than third-party assessors.

This level applies to the most sensitive work and scenarios such as the following:

  • Weapon systems
  • Military platforms
  • Critical infrastructure access
  • Information shared with Five Eyes intelligence partners

The government-led assessment approach ensures the highest level of oversight and security for contracts where compromise could have serious national security implications.

The Risk-Based Philosophy

This tiered approach reflects a fundamental principle: security requirements should be proportional to risk. A company providing basic administrative support doesn't need the same intensive controls as one developing missile guidance systems.

By matching certification levels to contract risk, CPCSC balances security effectiveness with practical business considerations, avoiding the burden of requiring maximum security for every contract regardless of actual risk.

Progression Path

Many companies will start with Level 1 and potentially progress to Level 2 or 3 as they pursue more sensitive contracts. The technical controls are based on the same underlying NIST standards across all levels, so investments in Level 1 compliance provide a foundation for higher levels.

However, each level requires substantially more documentation, technical implementation, and external verification, making the progression a significant undertaking that should align with business strategy.

Implementation Timeline

The phased rollout gives suppliers time to prepare. Level 1 is already being incorporated into contracts, Level 2 accreditation infrastructure is being established through 2026-2027, and Level 3 requirements will be finalized based on lessons learned from the initial rollout.

Organizations should monitor government communications for specific timelines affecting their contracts.

Why Choose Plurilock for CPCSC Readiness?

Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists who serve Canadian defense suppliers and bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.

As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.

Why we're the superior choice:

  • First-mover CPCSC expertise: Plurilock was among the first firms to launch dedicated CPCSC readiness services—and among the first to serve clients in this practice—giving your organization a partner with real, accumulated experience preparing suppliers for certification.
  • Deep CMMC heritage: Our established U.S. defense contractor practice has guided organizations through CMMC readiness for years, and those underlying controls map closely to CPCSC—we bring battle-tested methodologies, not theory borrowed from adjacent frameworks.
  • Federal experience on both sides of the border: With extensive engagements across U.S. and Canadian federal government environments, we understand the contractual, technical, and procedural realities that shape defense supply chain compliance.
  • Readiness assessment and gap analysis: We evaluate your current posture against CPCSC requirements, identify control gaps with precision, and deliver clear, prioritized roadmaps that align remediation effort to certification level and contract obligations.
  • Strategy and execution, not just paperwork: Beyond identifying gaps, we help you execute—planning the remediation program, supporting policy and evidence development, and preparing your team and systems so that when the assessor arrives, you're ready.

CPCSC-ready—with proven defense contractor experience guiding every step.

Reach Out Now →

+1 (888) 776-9234 (Plurilock)
+1 (310) 530-8260 (Aurora)
+1 (613) 526-4945 (Integra)

sales@plurilock.com
