ITSP.10.171: The New Standard That Is Transforming Cybersecurity for Canadian Defense Contractors

Imagine that your company could work with the Canadian government (and more specifically, the Canadian Department of National Defence) while ensuring that all sensitive data is protected as if inside a digital fortress. That is exactly what the ITSP.10.171 standard enables.

Although this standard is generally intended for Canadian government suppliers, it primarily serves as a reference for the Canadian Defense CPCC cybersecurity certification. Its goal is to ensure that the Canadian Defense supply chain is well-protected, to prevent disruptions or delivery issues.

Why ITSP.10.171 is important for Canadian Defense

Every Canadian Defense supplier handles sensitive information: contractual data, technical information, operational secrets, and even information related to national security.

If this data is not properly protected and falls into the wrong hands, the consequences could be catastrophic for Canada.

For example: imagine that a critical Canadian Defense supplier is infected by ransomware. The service interruption at that supplier could last from 1 week to 5 weeks, or even longer. During that time, Canadian Defense cannot be served. The consequences could be significant for the safety of Canadians, especially during this period of great geopolitical turmoil.

The purpose of the Canadian standard ITSP.10.171 is to provide a clear and actionable framework to protect sensitive information held by the Canadian government, in order to reduce the risks of unauthorized access and its consequences.

We’re talking about CI in Canada

In Canada, the term CUI is replaced by CI (Controlled Information), which encompasses Protected A, B, and C information.

Therefore, CUI and CI should not be confused, because although they have the same level of sensitivity, they are not the same information.

Inspired by the U.S. NIST 800-171 Rev. 3

ITSP.10.171 is inspired by the U.S. NIST 800-171 Rev. 3, but adapted to the Canadian context:

• The required certification level does not depend on the type of data you have, but on your level of exposure to cyber risks. For example, Defence Canada expects satellite communications service providers to obtain PCCC Level 3 certification because they are critical infrastructure. In the U.S., these companies would most likely need to obtain CMMC Level 2 certification if they only handle CUI.
• ITSP.10.171 incorporates current requirements such as supply chain risk management.
• Etc.

ITSP.10.171 consists of 17 domains

Here are the 17 domains of ITSP.10.171. You will note that these are the same domains as NIST 800-171 Rev 3.

1. Access Control
2. Awareness and Training
3. Auditing and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment and Monitoring
13. Systems and Communications Protection
14. Information and Systems Integrity
15. Planning
16. Systems and Services Acquisition
17. Supply Chain Risk Management

3 more domains than the U.S. CMMC

The Canadian PCCC certification consists of the 17 domains of ITSP.10.171. If you are already compliant with the U.S. CMMC, you will need to address 3 additional domains to achieve PCCC compliance.

• Planning
• Procurement of systems and services
• Supply chain risk management