15 Minute Assessment

Free CPCSC Compliance
Self-Assessment

Check your organization's CPCSC (CP-CSC) compliance readiness with our free self-assessment tool. Based on ITSP.10.171 (April 2025), this 15-minute assessment evaluates all 17 control families required for Canadian Defence contractors under the Canadian Program for Cyber Security Certification. Answer 34 questions and receive an instant compliance score, gap analysis, and prioritized roadmap to CPCSC certification.

Start Free Assessment

34 questions•~15 minutes•100% Free

What You'll Get

Actionable insights to guide your CPCSC certification journey

Compliance Score

Measure against all ITSP.10.171 control families

Gap Analysis

Identify which areas need the most attention

Personalized Roadmap

Get a timeline estimate for certification

17 ITSP.10.171 Control Families Assessed

All 17 control families are mandatory under CPCSC. Priority levels below reflect implementation effort for compliance scoring and timeframe estimates.

High Implementation Effort

Controls requiring significant technical complexity and infrastructure changes, typically taking 3-6+ months to implement. All controls are mandatory per ITSP.10.171.

Access Control
Audit and Accountability
Configuration Management
Identification and Authentication
Security Assessment and Monitoring
System and Communications Protection
System and Information Integrity

Moderate Implementation Effort

Controls requiring moderate technical or process work, typically taking 1-3 months to implement. All controls are mandatory per ITSP.10.171.

Awareness and Training
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment

Lower Implementation Effort

Controls primarily involving documentation and policy work, typically taking days to weeks to implement. All controls are mandatory per ITSP.10.171.

Planning
System and Services Acquisition
Supply Chain Risk Management

How It Works

Simple, fast, and no commitment required

Answer Questions

Respond to questions about your current security practices across 17 control families.

Get Your Score

Receive an instant compliance score with a breakdown by control family.

Review Roadmap

See a prioritized list of gaps and estimated timeline to certification readiness.

Why CPCSC Compliance Matters Now

Canada's mandatory cybersecurity certification for defence contractors is here

March 2025CPCSC Phase 1 launched by PSPC — Canada's CMMC equivalent for DND contractors

Spring 2026New defence RFPs require mandatory CPCSC cybersecurity certification

3–6 MonthsTypical implementation timeline for CPCSC Level 1 ITSP.10.171 controls

17 FamiliesMandatory control families defined by CCCS in ITSP.10.171, based on NIST 800-171 Rev 3

CPCSC vs CMMC

How Canada's cybersecurity certification compares to the US CMMC

Aspect	CPCSC (Canada)	CMMC (United States)
Security Standard	ITSP.10.171 (NIST 800-171 Rev 3)	NIST SP 800-171 Rev 2
Assessment Bodies	SCC-accredited Canadian 3PAOs	Cyber-AB accredited C3PAOs
Information Protected	Protected A/B/C & Specified Information	Controlled Unclassified Information (CUI)
Approach	Risk-based	Data type-based
Certification Levels	3 levels (self-assessment to DND)	3 levels (self-assessment to govt)
Mandatory From	Spring 2026 (phased)	2025 (phased)

Cross-border contractors need both certifications. Significant control overlap allows shared implementation for cost efficiency.

Frequently Asked Questions

Common questions about CPCSC, CP-CSC, and this self-assessment

What is CPCSC (CP-CSC)?

CPCSC stands for the Canadian Program for Cyber Security Certification. Launched by Public Services and Procurement Canada (PSPC) on March 12, 2025, it is Canada's official cybersecurity certification for defence contractors — often called "CMMC Canada." CPCSC requires contractors to meet the ITSP.10.171 security standard published by the Canadian Centre for Cyber Security (CCCS).

What is ITSP.10.171?

ITSP.10.171 is the CCCS standard that defines mandatory cybersecurity requirements for CPCSC certification. It specifies 17 control families — including Access Control, Incident Response, Risk Assessment, and System Protection — adapted from NIST SP 800-171 Revision 3 for the Canadian defence context.

How is CPCSC different from CMMC?

CPCSC evaluates against ITSP.10.171 (based on NIST 800-171 Rev 3), while CMMC uses Rev 2. CPCSC takes a risk-based approach while CMMC is data-type-based. CPCSC uses SCC-accredited Canadian assessment bodies, while CMMC uses Cyber-AB accredited C3PAOs. There is currently no reciprocity agreement — cross-border contractors need both certifications.

Who needs CPCSC certification?

All companies bidding on Canadian Department of National Defence (DND) contracts — including both prime contractors and subcontractors, whether Canadian or foreign. As of Spring 2026, new defence RFPs require mandatory CPCSC cybersecurity requirements.

What are the CPCSC certification levels?

Level 1 requires an annual cybersecurity self-assessment. Level 2 requires a formal external assessment by an SCC-accredited certification body. Level 3 requires an assessment conducted directly by the Department of National Defence.

What is the CPCSC implementation timeline?

Phase 1 (March 2025) launched the framework. Phase 2 (Fall 2025) began requiring Level 1 for select contracts. Phase 3 (Spring 2026) requires Level 2 for select contracts. Phase 4 (2027) incorporates Level 3 into defence RFPs. Organizations typically need 3–6 months for Level 1.

How long does this self-assessment take?

Approximately 15 minutes. It includes 34 questions covering all 17 ITSP.10.171 control families. You receive instant results including your compliance score, gap analysis, and a prioritized roadmap to certification readiness.

Is this CPCSC assessment free?

Yes — 100% free with no commitment required. You receive instant results including your compliance score, gap analysis across all 17 ITSP.10.171 control families, and a personalized roadmap to CPCSC certification.

About This Assessment

This is a self-assessment tool to help you understand your CPCSC compliance readiness. It is not a formal audit or certification. The assessment and results are based on ITSP.10.171 (April 2025) and are provided for informational purposes only.

Priority levels reflect implementation effort for scoring purposes — all ITSP.10.171 controls are mandatory. For formal certification, consult qualified CPCSC assessors.

Ready to Check Your CPCSC Compliance?

Start your free assessment and get clarity on your CP-CSC readiness before Spring 2026 deadlines.