What is CPCSC?
The Canadian Program for Cyber Security Certification (CPCSC) is an effort designed to protect Government of Canada (GC) Controlled Information (CI) handled by its contractors. It directly mirrors the United States’ Cybersecurity Maturity Model Certification (CMMC) program, which requires Department of Defense (DoD) contractors to implement certain cybersecurity protections to protect U.S. Government information, followed by certification to validate successful cybersecurity implementation.
CPCSC, similar to CMMC Level 2, requires implementation of the NIST SP 800-171 cybersecurity standard. However, CPCSC requires implementation of NIST SP 800-171 Revision 3, the current NIST publication, while Revision 2 remains the current standard for U.S. defense contractors.
The CPCSC program was published by the Canadian Centre for Cyber Security in April 2025 in a publication referred to as ITSP.10.171: Protecting controlled information in non-Government of Canada systems and organizations.
Who does CPCSC apply to?
Per the ITSP.10.171 publication, CPCSC applies to GC contractors that are handling (processing, storing, or transmitting) CI. If you are a contractor handling CI, you are obligated to implement the cybersecurity protections outlined in NIST SP 800-171 Revision 3 to protect that CI. Eventually, a certification process for validating implementation of the requirements will be revealed.
What are the cybersecurity requirements in CPCSC?
NIST SP 800-171 Revision 3 outlines 97 security controls across 17 families, including:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment and monitoring
- System and communications protection
- System and information integrity
- Planning
- System and services acquisition
- Supply chain risk management
In short, contractors will need to implement the 97 security controls on all assets handling CI, and provide justification and evidence of their implementation commensurate with the corresponding NIST SP 800-171A Assessment Objectives. This justification and evidence will eventually be presented to an assessor in order to receive a CPCSC certification.
How Totem Tech can help with CPCSC
If you are a Canadian GC contractor looking to begin implementing the cybersecurity requirements in NIST SP 800-171 Revision 3, Totem Tech can help. Our Totem™ Cybersecurity Compliance Planning tool contains the 97 NIST SP 800-171 Revision 3 security controls and their Assessment Objectives. Using Totem™, you can begin assessing your implementation, identifying gaps, and building corrective action plans for achieving compliance. Contact us below to learn more.