CPCSC Compliance

Everything Canadian defence contractors need to know about the Canadian Program for Cyber Security Certification and ITSP.10.171 requirements.

What CPCSC Requires

ITSP.10.171 Control Families

CPCSC Level 1 maps to six control families defined in CCCS's ITSP.10.171 standard, aligned with NIST 800-171 Rev 3. These form the basis for the self-attestation requirement.

Access Control & Identity Management

Organizations must implement controls for user identification, authentication, access authorization, and privileged account management across all systems handling Controlled Unclassified Information (CUI).

Security Assessment & Monitoring

Continuous monitoring, vulnerability scanning, and periodic security assessments are required to maintain an accurate picture of the security posture and detect threats.

Incident Response

CPCSC requires documented incident response plans with defined roles, communication procedures, and reporting obligations to the Canadian Centre for Cyber Security.

Configuration Management

Systems must be configured according to secure baselines with change control processes that track, approve, and document modifications to hardware, software, and firmware.

Physical & Environmental Protection

Physical access to information systems and facilities must be controlled, monitored, and logged, with protections for equipment and media containing CUI.

Frequently Asked Questions

What is CPCSC?

The Canadian Program for Cyber Security Certification (CPCSC) is Canada's framework for verifying that defence contractors meet baseline cybersecurity requirements. It is aligned with ITSP.10.171, published by the Canadian Centre for Cyber Security, and is modelled after the U.S. CMMC program.

When does CPCSC become mandatory?

CPCSC Level 1 self-attestation becomes mandatory for DND contract eligibility starting April 2026. Level 2 third-party certification follows in April 2027.

What is ITSP.10.171?

ITSP.10.171 is the technical standard published by the Canadian Centre for Cyber Security (CCCS) that defines the security controls CPCSC is built on. It is aligned with NIST 800-171 Rev 3 and organized into six control families.

What is the difference between CPCSC Level 1 and Level 2?

Level 1 requires a self-attestation that your organization meets the baseline security controls in ITSP.10.171. Level 2 requires a third-party assessment by an accredited certification body, providing higher assurance for contracts involving more sensitive information.

How does CPCSC compare to CMMC?

CPCSC is Canada's equivalent of the U.S. CMMC program. Both require defence contractors to meet cybersecurity standards based on NIST 800-171, but CPCSC uses ITSP.10.171 as its technical foundation and is administered by the Canadian Centre for Cyber Security rather than the U.S. DoD.

Who needs CPCSC certification?

Any organization bidding on or performing work on Canadian Department of National Defence (DND) contracts that involve controlled unclassified information will need CPCSC certification. This includes prime contractors and subcontractors in the defence supply chain.
