Last revised: April 2026

Aligned with ITSP.10.171

The Canadian Program for Cyber Security Certification (CPCSC) Level 1 establishes foundational cyber hygiene requirements for organizations that work with the Government of Canada, particularly within the defense supply chain.

CPCSC Level 1 is anchored in ITSP.10.171, the Canadian Centre for Cyber Security’s guidance for protecting specified information in non-Government of Canada systems. This page describes how DataPeak aligns with the CPCSC Level 1 requirements and supports customer self-assessment obligations.

1. Overview of CPCSC Level 1 (ITSP.10.171)

CPCSC Level 1 defines a baseline set of security controls that suppliers must implement to protect sensitive government information and systems. The program is designed to:

  • Establish minimum cyber hygiene expectations

  • Reduce the risk of unauthorized access and data exposure

  • Support Canada’s industrial security and defense procurement objectives

CPCSC Level 1 relies on a self-assessment model, enabling broad adoption while laying the foundation for more advanced certification levels.

2. Policy Objectives

CPCSC Level 1 aims to:

  • Ensure that only authorized users and trusted devices can access systems and data

  • Limit the risk of unauthorized access, data exposure, and accidental disclosure

  • Establish a minimum standard of cyber hygiene aligned with recognized best practices

  • Strengthen the overall security posture of Canada’s defense supply chain

3. Alignment with ITSP.10.171

CPCSC Level 1 requirements are directly mapped to thirteen foundational controls from ITSP.10.171. These controls focus on high-impact, widely applicable security practices, including:

  • Account and access management

  • User and device authentication

  • Protection of publicly accessible content

  • Media sanitization

  • Physical and network boundary protection

  • Vulnerability and malware management

Each selected control addresses common cyber risks and supports a practical, risk-based approach to security.

4. Self-Assessment Model

CPCSC Level 1 is based on self-attestation. Organizations are responsible for:

  • Assessing their own implementation of the 13 controls

  • Documenting security practices and procedures

  • Maintaining evidence of control implementation

This approach lowers barriers to entry for suppliers, encourages adoption of baseline cyber hygiene, and supports continuous improvement. While Level 1 is self-assessed, it prepares organizations for more rigorous evaluation at higher CPCSC levels.

5. CPCSC Level 1 Requirements at a Glance

The following 13 ITSP.10.171 controls form the basis of CPCSC Level 1:

CPCSC Level 1 Alignment Statement

Control ID

03.01.01

03.01.02

03.01.20

03.01.22

03.05.01

03.05.02

03.05.03

03.08.03

03.10.01

03.10.07

03.13.01

03.14.01

03.14.02

Control Description

Account Management

Access Enforcement

Use of External Systems

Publicly Accessible Content

User Identification & Authentication

Device Identification & Authentication

Multifactor Authentication

Media Sanitization

Physical Access Authorizations

Physical Access Control

Boundary Protection

Flaw Remediation

Malicious Code Protection

Rationale as Foundational Cyber Hygiene

Ensures only authorized users have access

Enforces access control policies to limit unauthorized access

Controls data exposure through external systems

Prevents accidental disclosure of sensitive information

Verifies user identity before granting access

Ensures only trusted devices can connect

Strengthens access security through multiple verification factors

Ensures data is securely erased before reuse or disposal

Restricts who can physically access systems and data

Implements mechanisms to limit physical access to sensitive areas

Protects networks from external threats

Ensures timely identification and patching of vulnerabilities

Detects and prevents malware infections

Met / Not Met

Met

Met

Met

Met

Met

Met

Met

Met

Met

Met

Met

Met

Met

6. How DataPeak Supports CPCSC Level 1 Alignment

DataPeak’s SaaS platform supports customer CPCSC Level 1 alignment through:

  • Strong identity and access management controls

  • Encryption in transit and at rest

  • Secure system configuration and monitoring

  • Malware protection and vulnerability management

  • Inherited physical and environmental controls from cloud providers

Customers remain responsible for performing their own CPCSC Level 1 self-assessment and attestation.

7. Related Frameworks

CPCSC Level 1 alignment complements and aligns with:

  • ITSP.10.171

  • NIST SP 800-171

  • Foundational cyber hygiene practices recognized internationally

Official Program Reference

Canadian Program for Cyber Security Certification (CPCSC) – Level 1
https://www.canada.ca/en/public-services-procurement/services/industrial-security/security-requirements-contracting/cyber-security-certification-defence-suppliers-canada.html#a2

For questions, contact info@factr.me.

You may also view FactR Limited’s Privacy Policy and Terms & Conditions