CPCSC Level 1: What Suppliers to the Government of Canada Need to Know

If your business sells to — or wants to sell to — the federal government, especially in defence, a new requirement is heading your way. The Canadian Program for Cyber Security Certification (CPCSC) introduces certified cyber-hygiene levels for suppliers, and Level 1 is the entry point most small businesses will encounter first. Here’s the plain-language version.

This is a general overview of an evolving program, not legal or procurement advice. Confirm current requirements and timelines through official Government of Canada sources before bidding.

What CPCSC is

CPCSC is Canada’s framework for making sure suppliers handling sensitive (but unclassified) government information meet a baseline of cybersecurity. It’s broadly comparable in spirit to the U.S. CMMC program: defined certification levels, with higher levels for more sensitive information. It’s being phased into federal procurement — particularly defence contracts — so for some bids, certification becomes a condition of eligibility rather than a nice-to-have.

Level 1 is the foundational tier: a basic, reasonable standard of cyber hygiene for organizations that handle certain sensitive unclassified information on behalf of the government.

Who needs Level 1

You’re most likely to need it if you:

  • Bid on, or subcontract under, federal contracts (defence and beyond over time) that involve sensitive unclassified information.
  • Are in the supply chain of a prime contractor who must flow requirements down to you.

Even if you’re not bidding today, certification can become a differentiator — and primes increasingly prefer suppliers who are already certified.

What Level 1 expects

Level 1 focuses on fundamental controls — the same cyber-hygiene practices that show up everywhere in this field: access control, authentication, patching, anti-malware, and basic protection of the information you handle. If you’ve worked through the CCCS baseline controls or pursued CyberSecure Canada, you’ll find heavy overlap — those efforts give you a real head start.

How to prepare

  1. Find out if it applies to you. Talk to the primes you work with and watch the solicitations you bid on for CPCSC language.
  2. Do a gap assessment against the foundational controls. Be honest about where you actually stand.
  3. Close the gaps — MFA, patching, access control, anti-malware, and documentation are the usual suspects. Our MFA rollout guide is a good starting point.
  4. Document everything. Certification is about demonstrating controls, so written policies and evidence matter as much as the controls themselves.
  5. Plan ahead. Build certification into your timeline before a contract requires it, not after a bid is on the line.

The bigger picture

CPCSC is part of a clear trend: governments and large buyers are pushing cybersecurity requirements down through their supply chains — the same dynamic we covered in Bill C-8 and the Critical Cyber Systems Protection Act. The businesses that treat certification as a growth enabler — opening doors to contracts competitors can’t bid on — will come out ahead of those scrambling to comply at the last minute.

If federal or defence work is on your roadmap, getting your cyber hygiene to a certifiable standard now is an investment that pays off the moment a CPCSC requirement lands in a bid you want to win.
