ITSP.10.171: The New Standard That Is Transforming Cybersecurity for Canadian Defense Contractors

Imagine that your company could work with the Canadian government (and more specifically, the Canadian Department of National Defence) while ensuring that all sensitive data is protected as if inside a digital fortress. That is exactly what the ITSP.10.171 standard enables.

The standard is written for Canadian government suppliers in general, but its primary use today is as the reference framework for the Canadian Defence PCCC cybersecurity certification. Its goal is to ensure that the Canadian Defence supply chain is well protected, so that a cyber incident at a supplier does not disrupt or delay deliveries.

Why ITSP.10.171 is important for Canadian Defense

Every Canadian Defense supplier handles sensitive information: contractual data, technical information, operational secrets, and even information related to national security.

If this data is not properly protected and falls into the wrong hands, the consequences could be catastrophic for Canada.

For example, imagine that a critical Canadian Defence supplier is hit by ransomware. The service interruption at that supplier could last from one to five weeks, or longer. During that time, the Department cannot be supplied. The consequences could be significant for the safety of Canadians, especially in the current period of geopolitical turmoil.

The purpose of the Canadian standard ITSP.10.171 is to give suppliers a clear and actionable framework for protecting the sensitive government information they handle, in order to reduce the risk of unauthorized access and its consequences.

We’re talking about CI in Canada

In Canada, the term CUI is replaced by CI (Controlled Information), which encompasses Protected A, B, and C information.

CUI and CI should therefore not be confused: the two categories are comparable in sensitivity, but they are defined under different regimes and do not cover the same information.

Inspired by the U.S. NIST 800-171 Rev. 3

ITSP.10.171 is inspired by the U.S. NIST 800-171 Rev. 3, but adapted to the Canadian context:

  • The required certification level depends not on the type of data you hold but on your level of exposure to cyber risk. For example, Defence Canada expects satellite communications service providers to obtain PCCC Level 3 certification because they are considered critical infrastructure. In the U.S., the same companies would most likely only need CMMC Level 2 certification if they handle CUI alone.

  • ITSP.10.171 incorporates current requirements such as supply chain risk management, among other adaptations to the Canadian context.

ITSP.10.171 consists of 17 domains

Here are the 17 domains of ITSP.10.171. You will note that they are the same families as those of NIST SP 800-171 Rev. 3.

  1. Access Control

  2. Awareness and Training

  3. Audit and Accountability

  4. Configuration Management

  5. Identification and Authentication

  6. Incident Response

  7. Maintenance

  8. Media Protection

  9. Personnel Security

  10. Physical Protection

  11. Risk Assessment

  12. Security Assessment and Monitoring

  13. System and Communications Protection

  14. System and Information Integrity

  15. Planning

  16. System and Services Acquisition

  17. Supply Chain Risk Management

3 more domains than the U.S. CMMC

The Canadian PCCC certification covers all 17 domains of ITSP.10.171. The U.S. CMMC is based on NIST SP 800-171 Rev. 2, which has only 14 families, so if you are already CMMC compliant you will need to address 3 additional domains to achieve PCCC compliance:

  • Planning

  • System and Services Acquisition

  • Supply Chain Risk Management

Need expert advice for your situation?

Our specialists are here to help.

Take advantage of a free, no-commitment consultation to discuss your challenges, priorities, and find solutions tailored for your company.
