Protecting Controlled Information: Media and Communications Security (CPCSC)

Reviewed by Ali Aleali, CISSP, CCSP · Last reviewed April 4, 2026

In a compliance landscape that increasingly assumes cloud-first architecture, media protection controls tend to get deprioritized. The assumption is that if data lives in a managed cloud service, the physical handling of media is someone else's problem. For organizations entering the Canadian defence supply chain under CPCSC, that assumption breaks down quickly.

ITSP.10.171 includes two control families that deal directly with how controlled information is stored, transmitted, and destroyed: Media Protection (MP) and System and Communications Protection (SC). Together, they address the full data lifecycle, from the moment information is written to a device through its transmission across networks to its eventual destruction. These are not theoretical controls. They carry specific technical requirements that catch organizations off guard, particularly those coming from commercial compliance frameworks where media handling is a footnote rather than a control family.

This post breaks down both families, identifies where existing SOC 2 and ISO 27001 programs provide coverage, and highlights the gaps that consistently surface during readiness assessments.

Media Protection (MP): What Media Actually Means

When most technical teams hear media protection, they think of USB drives and backup tapes. The scope under ITSP.10.171 is considerably broader. Media includes hard drives (internal and external), solid-state drives, removable storage devices, mobile devices that store controlled information, printed documents, and backup media of any type. If it stores or has stored controlled information, it is in scope.

The MP family addresses five operational concerns: who can access media, how it is marked, where and how it is stored, how it is transported, and how it is sanitized when no longer needed.

Access and Marking

Media containing controlled information must be restricted to authorized personnel. This sounds straightforward until you consider the full inventory: developer laptops with local database copies, external drives used for data migrations, backup volumes in a colocation facility, printed reports from a client meeting. Each of these is media, and each needs an access control mechanism appropriate to its type.

Marking requirements establish that media must be identifiable by its classification level. For organizations handling Protected B information, this means labelling physical media and maintaining records of what controlled information resides on which devices. The intent is traceability: if a drive leaves the building, the organization should know what classification of data it carried.

Key Takeaway

Media under ITSP.10.171 is not limited to USB drives and tapes. It includes every device, disk, and document that stores or has stored controlled information, including endpoints, backup volumes, and printed materials.

Storage and Transport

Storage controls require that media be physically secured when not in active use. For removable media, this typically means locked storage in a controlled area. For servers and workstations, it means the physical security controls from the PE (Physical Protection) family apply wherever media resides.

Transport controls become relevant whenever media moves between locations, whether that is a backup tape going to an offsite facility, a laptop traveling with an employee, or a hard drive being shipped for disposal. The controls require documented procedures for authorized transport, including chain-of-custody records for sensitive media. Organizations with on-premises infrastructure tend to handle this better than those that have always been cloud-native, simply because they have had to think about physical assets.

Sanitization: The Control That Catches Everyone

Media sanitization is the MP control that creates the most compliance gaps. The requirement is not just that data be deleted before media is decommissioned or repurposed. It requires documented sanitization procedures, validated sanitization methods appropriate to the media type and classification level, and evidence that sanitization was performed.

The Canadian Centre for Cyber Security (CCCS) provides specific guidance on acceptable sanitization methods, ranging from clear (logical overwrite) to purge (cryptographic erase or degaussing) to destroy (physical destruction). The method required depends on the classification of the information and whether the media will be reused within the same classification environment.

Common Pitfall

Many organizations sanitize data in practice but lack the documentation to prove it. Formalizing the procedure, establishing a cadence, and maintaining before-and-after evidence transforms an informal habit into a demonstrable control. Without that documentation, an assessor has no way to verify that sanitization actually occurs.

A practical sanitization program includes: a written procedure specifying methods by media type, a log or register of sanitization events with dates and responsible personnel, verification steps (such as spot-checking wiped drives), and a defined escalation path for media that cannot be sanitized through standard methods and requires physical destruction.

System and Communications Protection (SC): Encryption Is Not Enough

The SC family covers how controlled information is protected as it moves across networks and sits at the boundary between trusted and untrusted environments. It is the complement to MP: where MP addresses data at rest on physical media, SC addresses data in transit and the infrastructure that protects it.

Boundary Protection

Boundary protection controls require that the organization define and enforce the boundaries of its information system, controlling what traffic flows in and out. This includes firewalls, intrusion detection and prevention systems, DMZ architecture, and network segmentation that isolates systems processing controlled information from general-purpose networks.

For organizations with on-premises infrastructure, boundary protection is often well-established. For those operating primarily in cloud environments, the boundary is less obvious but no less important. Virtual network boundaries, security groups, network access control lists, and private endpoints all contribute to the SC boundary protection posture. The key is that the boundaries are defined, documented, and monitored, not just configured and forgotten.

Cryptographic Protection

This is the SC control area that frequently trips up organizations, not because they lack encryption, but because they lack the right kind of encryption.

ITSP.10.171 requires that cryptographic mechanisms protecting controlled information use validated algorithms and implementations. Saying you use TLS is not a sufficient answer. The questions an assessor will ask include: which TLS version and cipher suites are permitted, whether the implementation uses a validated cryptographic module (such as one validated under the Cryptographic Module Validation Program, CMVP), and whether key management practices follow documented procedures.

The CCCS guidance on cryptographic algorithms (ITSP.40.111) specifies acceptable algorithms for Protected B information. Organizations should verify their configurations against this guidance rather than relying on cloud provider defaults, which may include cipher suites that are broadly acceptable for commercial use but do not meet Government of Canada requirements.

Encryption at rest carries similar specificity. Whole-disk encryption on endpoints, database-level encryption, and object storage encryption all need to use validated mechanisms. Key management, including generation, storage, rotation, and destruction of cryptographic keys, must follow a documented lifecycle.

Validated vs. Standard Encryption

Using AES-256 or TLS 1.2 is good practice, but ITSP.10.171 asks whether the underlying cryptographic library is CMVP-validated and whether the cipher suites are on the CCCS-approved list. Cloud provider defaults may not satisfy this requirement.

Transmission Confidentiality and Integrity

Beyond encryption, SC controls require that the confidentiality and integrity of transmitted information be protected end to end. This means not only encrypting data in transit but also verifying that it has not been altered. Integrity checking mechanisms (such as message authentication codes or digital signatures on sensitive data transfers) are expected where the classification warrants it.

For organizations handling Protected B, this is particularly relevant for data exchanges with government partners, where the receiving party may have specific requirements for how data is packaged, encrypted, and verified on receipt.

Collaborative Computing and Network Disconnect

Two SC controls that often get overlooked are collaborative computing and network disconnect.

Collaborative computing controls address tools like video conferencing, shared document editing, and messaging platforms. The controls require that organizations identify what collaborative tools are authorized for use with controlled information and restrict the use of unauthorized tools. This is less about banning specific products and more about maintaining a defined list of approved tools with documented security configurations.

Network disconnect controls require that sessions be terminated after a defined period of inactivity. This applies to remote access sessions, VPN connections, and any interactive session to systems processing controlled information. The timeout period should be documented in the system security plan, and enforcement should be automated rather than relying on user behavior.

Where SOC 2 and ISO 27001 Overlap, and Where They Do Not

Organizations with existing SOC 2 or ISO 27001 certifications have meaningful coverage of some MP and SC controls, but the overlap is uneven.

| Area | SOC 2 / ISO 27001 Coverage | ITSP.10.171 Gap |
|---|---|---|
| Encryption in transit and at rest | SOC 2 CC6.1/CC6.7, ISO 27001 A.8.24 address encryption | Requires CMVP-validated modules and CCCS-approved algorithms, not just industry-standard encryption |
| Network security and boundary protection | SOC 2 CC6.6, ISO 27001 A.8.20-8.22 cover network security | Greater documentation depth expected for boundary architecture |
| Media sanitization | ISO 27001 A.7.14, SOC 2 CC6.5 touch on disposal | Requires specific methods by media type and a sanitization log with evidence |
| Media marking and transport | Not typically required by commercial frameworks | Classification markings on physical media and documented chain-of-custody for transport |
| Collaborative computing restrictions | SOC 2/ISO address authorized software and acceptable use | Specific documentation of which tools are approved for use with controlled information |
| Cryptographic algorithm validation | Accepts AES-256 without implementation validation | Requires proof that the specific cryptographic implementation is CMVP-validated |

Common Gaps in Readiness Assessments

Based on what surfaces during CPCSC readiness work, three gaps appear consistently in the MP and SC families.

TOP THREE MP/SC GAPS

Undocumented sanitization procedures

The work happens, but the evidence does not exist. Teams wipe drives, scrub databases, and shred documents, but there is no written procedure, no log, and no verification step. This is one of the fastest controls to close because the operational practice already exists. The fix is procedural documentation, a tracking mechanism, and periodic verification.

Encryption that does not meet validation requirements

Organizations encrypt data and assume compliance. The gap is in validation. Using TLS 1.2 with a strong cipher suite is good practice, but if the underlying cryptographic library is not CMVP-validated, or if the cipher suite includes algorithms not on the CCCS-approved list, the control does not satisfy ITSP.10.171. Closing this gap requires a cryptographic inventory: documenting every encryption mechanism in use, the library or module providing it, its validation status, and the algorithms and key lengths configured.
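One way to turn the cryptographic inventory described here and in the Cryptographic Protection section into an automated check, as an added example that is not part of the original article. The `POLICY` sets, module names and certificate reference are placeholders constructed for the demo; the real allow-list has to come from ITSP.40.111.

```python
from dataclasses import dataclass, field

# PLACEHOLDER policy: constructed for this demo, NOT quoted from ITSP.40.111.
# Populate each set from the current CCCS guidance before relying on the result.
POLICY = {
    "tls_versions": {"TLSv1.2", "TLSv1.3"},
    "key_exchange": {"ECDHE_RSA", "ECDHE_ECDSA", "TLS1.3"},
    "ciphers": {"AES_128_GCM", "AES_256_GCM"},
    "hashes": {"SHA256", "SHA384"},
}

@dataclass
class Mechanism:
    name: str        # where it is applied, e.g. "api gateway (in transit)"
    module: str      # library or module providing the cryptography
    cmvp_cert: str   # validation certificate reference, "" if not verified
    tls_versions: list = field(default_factory=list)
    cipher_suites: list = field(default_factory=list)  # IANA suite names

def parse_suite(suite):
    """Split an IANA TLS suite name into (key_exchange, cipher, hash)."""
    body = suite.removeprefix("TLS_")
    if "_WITH_" in body:                 # TLS 1.2 and earlier naming
        kx, rest = body.split("_WITH_", 1)
    else:                                # TLS 1.3 names carry no key exchange
        kx, rest = "TLS1.3", body
    cipher, digest = rest.rsplit("_", 1)
    return kx, cipher, digest

def audit(mech, policy=POLICY):
    """Return the list of findings for one inventory entry."""
    findings = []
    if not mech.cmvp_cert:
        findings.append("no CMVP validation reference recorded for module")
    for v in mech.tls_versions:
        if v not in policy["tls_versions"]:
            findings.append(f"protocol {v} not permitted")
    for s in mech.cipher_suites:
        kx, cipher, digest = parse_suite(s)
        for kind, value in (("key_exchange", kx), ("ciphers", cipher), ("hashes", digest)):
            if value not in policy[kind]:
                findings.append(f"{s}: {value} not in approved {kind}")
    return findings

# Constructed inventory entries (module names and certificate reference are made up).
INVENTORY = [
    Mechanism("api gateway (in transit)", "example-tls-module", "CERT-PLACEHOLDER",
              ["TLSv1.2", "TLSv1.3"],
              ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]),
    Mechanism("legacy file transfer (in transit)", "example-legacy-lib", "",
              ["TLSv1.0", "TLSv1.2"],
              ["TLS_RSA_WITH_AES_128_CBC_SHA"]),
]
for m in INVENTORY:
    print(m.name, audit(m) or "no findings")
```

The check only covers what is recorded in the inventory; the certificate reference still has to be confirmed against the CMVP listing for the exact module version deployed.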

Collaborative computing blind spots

Organizations often have no documented policy on which communication and collaboration tools are authorized for discussions involving controlled information. Team members use whatever is convenient, including personal messaging apps, consumer-grade video conferencing, and cloud storage services that have not been evaluated for handling controlled data. The fix is a controlled information handling policy that names authorized tools and specifies prohibited uses, paired with periodic review as the toolset evolves.

Implementation Approach

For organizations mapping their existing security program to MP and SC requirements, a practical sequence is:

  1. Inventory all media types that store or have stored controlled information. Include endpoints, servers, removable media, backup systems, and printed materials. This inventory becomes the scope for every MP control.
  2. Build a cryptographic inventory. Document every encryption mechanism in use across the environment, including the algorithm, key length, library or module, validation status, and where it is applied (in transit, at rest, or both). Compare against CCCS ITSP.40.111 guidance.
  3. Formalize sanitization procedures. If the practice already exists, document it. Define methods by media type, establish a sanitization log, and add a verification step. If the practice does not exist, build it now because this control is non-negotiable.
  4. Document boundary architecture. Create or update network diagrams that clearly show the boundaries of systems processing controlled information, the controls at each boundary (firewall rules, security groups, access control lists), and monitoring mechanisms.
  5. Establish a collaborative computing policy. Identify which tools are authorized for use with controlled information, configure them according to documented security baselines, and communicate the policy to all personnel with access to controlled data.
  6. Set session timeout policies. Configure and document automatic session termination for remote access and interactive sessions to in-scope systems.

For organizations already holding SOC 2 or ISO 27001, the mapping from existing controls to ITSP.10.171 accelerates most of this work. The areas requiring net-new effort are typically sanitization documentation, cryptographic validation, and media-specific access and marking controls.

Frequently Asked Questions

Does CPCSC require FIPS 140-validated cryptographic modules?

ITSP.10.171 requires validated cryptographic mechanisms. In practice, this aligns with CMVP (which includes FIPS 140) or mechanisms approved by the CCCS for the relevant classification level. Organizations should consult ITSP.40.111 for the specific algorithms and validation requirements applicable to their data classification. Relying solely on a cloud provider's default encryption configuration, without verifying its validation status, is a common mistake.

If we are entirely cloud-based, do media protection controls still apply?

Yes. Media protection applies to any device or medium that stores controlled information, including cloud-hosted virtual disks, SaaS application data stores, endpoint devices used to access controlled information, and any local copies or caches. The scope shifts from tape libraries and server rooms to endpoint management, cloud storage configurations, and virtual machine disk handling, but the controls still apply.

How does CPCSC media sanitization compare to CMMC?

Both CPCSC and CMMC derive their media sanitization requirements from a common ancestry in NIST 800-171. The practical requirements are similar: documented procedures, methods appropriate to media type, and evidence of execution. CMMC Level 1 includes a subset of media protection controls (MP.L1-3.8.3 on media sanitization), while ITSP.10.171 includes a broader set covering access, marking, storage, and transport in addition to sanitization. Organizations pursuing both certifications should build to the more comprehensive ITSP.10.171 requirements and verify coverage against NIST 800-171 controls.

What qualifies as acceptable evidence for media sanitization?

Assessors expect a written sanitization procedure, a log of sanitization events (including date, media identifier, method used, and personnel responsible), and evidence of periodic verification. For physical destruction, certificates of destruction from a qualified vendor are standard. For logical sanitization, tool output or screenshots confirming the wipe, combined with spot-check verification records, satisfy the evidence requirement. The key is traceability from procedure to execution to verification.
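The traceability described in this answer and in the sanitization section can be checked mechanically by reconciling the media inventory against the sanitization log. The following is an added example, not part of the original article; the `MIN_LEVEL` matrix, media identifiers and personnel names are constructed assumptions.

```python
from dataclasses import dataclass

# Sanitization levels named in the CCCS guidance summarized above, weakest to strongest.
LEVELS = {"clear": 1, "purge": 2, "destroy": 3}
# ASSUMPTION: minimum level per media type, constructed for the demo; use your own procedure's matrix.
MIN_LEVEL = {"hdd": "purge", "ssd": "purge", "usb": "purge", "paper": "destroy"}

@dataclass
class Media:
    media_id: str
    media_type: str
    decommissioned: bool

@dataclass
class Event:
    media_id: str
    performed_on: str        # ISO date, "" if not recorded
    method: str              # clear | purge | destroy
    performed_by: str
    evidence_ref: str        # tool output, screenshot or destruction certificate
    verified_by: str = ""    # filled in when a spot check was done

def audit_register(inventory, events):
    """Return (media_id, finding) pairs for every gap an assessor would see."""
    findings = []
    latest = {e.media_id: e for e in events}    # last event per media wins
    for m in inventory:
        if not m.decommissioned:
            continue
        e = latest.get(m.media_id)
        if e is None:
            findings.append((m.media_id, "no sanitization record"))
            continue
        for name in ("performed_on", "performed_by", "evidence_ref"):
            if not getattr(e, name):
                findings.append((m.media_id, f"missing {name}"))
        required = MIN_LEVEL.get(m.media_type)
        if required is None:
            findings.append((m.media_id, "no method defined for type: escalate"))
        elif LEVELS.get(e.method, 0) < LEVELS[required]:
            findings.append((m.media_id, f"{e.method or 'unknown'} below required {required}"))
    known = {m.media_id for m in inventory}
    findings += [(e.media_id, "media not in inventory") for e in events if e.media_id not in known]
    return findings

def spot_check_rate(events):
    return sum(1 for e in events if e.verified_by) / len(events) if events else 0.0

# Constructed sample data.
INVENTORY = [Media("LT-014", "ssd", True), Media("BK-203", "hdd", True),
             Media("USB-077", "usb", True), Media("LT-020", "ssd", False)]
EVENTS = [Event("LT-014", "2026-01-12", "purge", "j.doe", "wipe-log-0012", "a.lee"),
          Event("BK-203", "2026-02-03", "clear", "j.doe", ""),
          Event("EXT-999", "2026-02-09", "destroy", "vendor", "cod-0041")]
print(audit_register(INVENTORY, EVENTS), round(spot_check_rate(EVENTS), 2))
```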

Moving Forward

Media protection and communications security are the control families where the gap between commercial compliance and defence requirements is particularly tangible. An organization can have a mature security program, pass SOC 2 and ISO 27001 audits, and still have meaningful gaps in how it handles, transmits, and destroys controlled information.

The good news is that most of the operational practices already exist in well-run environments. The work is in formalizing procedures, validating cryptographic implementations against government standards, and building the documentation trail that turns good practice into demonstrable compliance.

For organizations preparing for CPCSC Level 1 self-assessment, MP and SC controls are worth addressing early. They involve cross-functional coordination (IT, security, facilities, and procurement), and the cryptographic inventory alone can take time to compile. Starting now avoids the scramble later.

If your team is working through ITSP.10.171 readiness and wants a structured assessment of your MP and SC control posture, reach out to discuss where you stand and what needs to close.

About the Author

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
