Last revised: January 2026

CPCSC Level 1 Alignment Statement

Aligned with ITSP.10.171

The Canadian Program for Cyber Security Certification (CPCSC) Level 1 establishes foundational cyber hygiene requirements for organizations that work with the Government of Canada, particularly within the defense supply chain.

CPCSC Level 1 is anchored in ITSP.10.171, the Canadian Centre for Cyber Security’s guidance for protecting specified information in non-Government of Canada systems. This page describes how DataPeak aligns with the CPCSC Level 1 requirements and supports customer self-assessment obligations.

1. Overview of CPCSC Level 1 (ITSP.10.171)

CPCSC Level 1 defines a baseline set of security controls that suppliers must implement to protect sensitive government information and systems. The program is designed to:

  • Establish minimum cyber hygiene expectations

  • Reduce the risk of unauthorized access and data exposure

  • Support Canada’s industrial security and defense procurement objectives

CPCSC Level 1 relies on a self-assessment model, enabling broad adoption while laying the foundation for more advanced certification levels.

2. Policy Objectives

CPCSC Level 1 aims to:

  • Ensure that only authorized users and trusted devices can access systems and data

  • Limit the risk of unauthorized access, data exposure, and accidental disclosure

  • Establish a minimum standard of cyber hygiene aligned with recognized best practices

  • Strengthen the overall security posture of Canada’s defense supply chain

3. Alignment with ITSP.10.171

CPCSC Level 1 requirements are directly mapped to thirteen foundational controls from ITSP.10.171. These controls focus on high-impact, widely applicable security practices, including:

  • Account and access management

  • User and device authentication

  • Protection of publicly accessible content

  • Media sanitization

  • Physical and network boundary protection

  • Vulnerability and malware management

Each selected control addresses common cyber risks and supports a practical, risk-based approach to security.

4. Self-Assessment Model

CPCSC Level 1 is based on self-attestation. Organizations are responsible for:

  • Assessing their own implementation of the 13 controls

  • Documenting security practices and procedures

  • Maintaining evidence of control implementation

This approach lowers barriers to entry for suppliers, encourages adoption of baseline cyber hygiene, and supports continuous improvement. While Level 1 is self-assessed, it prepares organizations for more rigorous evaluation at higher CPCSC levels.

5. CPCSC Level 1 Requirements at a Glance

The following 13 ITSP.10.171 controls form the basis of CPCSC Level 1:

| Control ID | Control Description | Rationale as Foundational Cyber Hygiene |
|---|---|---|
| 03.01.01 | Account Management | Ensures only authorized users can access systems |
| 03.01.02 | Access Enforcement | Enforces access control policies to limit unauthorized access |
| 03.01.20 | Use of External Systems | Controls data exposure through external systems |
| 03.01.22 | Publicly Accessible Content | Prevents accidental disclosure of sensitive information |
| 03.05.01 | User Identification & Authentication | Verifies user identity before granting access |
| 03.05.02 | Device Identification & Authentication | Ensures only trusted devices can connect |
| 03.05.03 | Multifactor Authentication | Strengthens access security through multiple verification factors |
| 03.08.03 | Media Sanitization | Ensures data is securely erased before reuse or disposal |
| 03.10.01 | Physical Access Authorizations | Restricts who can physically access systems and data |
| 03.10.07 | Physical Access Control | Implements mechanisms to limit physical access to sensitive areas |
| 03.13.01 | Boundary Protection | Protects networks from external threats |
| 03.14.01 | Flaw Remediation | Ensures timely identification and patching of vulnerabilities |
| 03.14.02 | Malicious Code Protection | Detects and prevents malware infections |

6. How DataPeak Supports CPCSC Level 1 Alignment

DataPeak’s SaaS platform supports customer CPCSC Level 1 alignment through:

  • Strong identity and access management controls

  • Encryption in transit and at rest

  • Secure system configuration and monitoring

  • Malware protection and vulnerability management

  • Inherited physical and environmental controls from cloud providers

Customers remain responsible for performing their own CPCSC Level 1 self-assessment and attestation.

7. Related Frameworks

CPCSC Level 1 complements and aligns with:

  • ITSP.10.171

  • NIST SP 800-171

  • Foundational cyber hygiene practices recognized internationally

Official Program Reference

Canadian Program for Cyber Security Certification (CPCSC) – Level 1
https://www.canada.ca/en/public-services-procurement/services/industrial-security/security-requirements-contracting/cyber-security-certification-defence-suppliers-canada.html#a2

For questions, contact info@factr.me.

You may also view FactR Limited’s Privacy Policy and Terms & Conditions