ITSP.10.171 is the Canadian technical standard defining security requirements for CPCSC certification, based on NIST SP 800-171.
ITSP.10.171, titled "Protecting Specified Information in Non-Government of Canada Systems and Organizations," is the foundational technical standard that defines the security requirements for CPCSC certification. Understanding this document is essential because it contains the actual security controls you must implement, not just high-level principles.
ITSP.10.171 is an unclassified publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre), which is Canada's national authority on cybersecurity.
Published in October 2025 with an effective date of April 2, 2025, this practitioner-series document provides Government of Canada departments and agencies with recommended security requirements for protecting the confidentiality of Specified Information when it resides in non-government systems.
ITSP.10.171 is explicitly a Canadian version of the National Institute of Standards and Technology (NIST) Special Publication 800-171, titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."
The Canadian document states clearly: "There are no substantial technical changes between this publication and NIST SP 800-171." The primary modifications arise from differences in Canadian laws, policies, directives, standards, and guidelines rather than technical security approaches.
This relationship is why CPCSC aligns so closely with U.S. CMMC—they're based on the same technical foundation.
The most significant terminological change is the use of "Specified Information" instead of "Controlled Unclassified Information (CUI)," the term used in the U.S. document. This reflects Canadian information classification systems and legal frameworks.
Other adaptations reference Canadian authorities like the Treasury Board of Canada Secretariat rather than U.S. agencies, and cite Canadian privacy laws and regulations rather than U.S. equivalents.
The controls in ITSP.10.171 align with the Canadian Centre for Cyber Security's "Security and Privacy Controls and Assurance Activities Catalogue (ITSP.10.033)," which itself is a Canadian version of NIST SP 800-53 Rev. 5.
This family of related standards creates a coherent framework spanning different security contexts, from government systems (ITSP.10.033) to contractor systems handling government information (ITSP.10.171).
ITSP.10.171 organizes security requirements into 17 families covering different aspects of cybersecurity. Each family contains multiple specific requirements with detailed discussion sections explaining rationale, implementation approaches, and related considerations.
The 17 families are:
Many security requirements include "organization-defined parameters" (ODPs) indicated by square brackets in the control text. These provide flexibility, allowing your organization to specify values for designated parameters based on your specific protection needs, risk tolerance, and operational requirements.
For example, a requirement might state "limit consecutive invalid logon attempts to [organization-defined number]," allowing you to choose whether that's 3, 5, or another reasonable number.
ODPs are determined based on laws, regulations, policies, standards, guidance, and mission needs, then become part of your specific requirement once specified.
The standard was developed by starting with the ITSP.10.033 medium-impact baseline controls and tailoring them to eliminate selected controls, or parts of controls, that are primarily the responsibility of the federal government, not directly related to protecting the confidentiality of Specified Information, or adequately addressed by other related controls.
This tailoring process ensures contractors aren't burdened with requirements that don't apply to their context while maintaining robust protection for government information.
The Cyber Centre plans to produce a companion publication based on NIST SP 800-171A, "Assessing Security Requirements for Controlled Unclassified Information," which will provide comprehensive assessment procedures.
Until the Canadian version is available, organizations and assessors can reference NIST SP 800-171A as guidance for assessing whether security requirements are properly implemented.
ITSP.10.171 is not just a compliance checklist—it represents current best practices for cybersecurity based on decades of experience and lessons learned from breaches across government and industry.
Organizations that implement these controls thoroughly aren't just checking boxes for contracts; they're building genuinely more secure operations that protect against real threats.
The standard is also periodically updated to address emerging threats and technologies, so staying current with ITSP.10.171 means your security posture evolves with the threat landscape.
For additional information, please refer to the official documentation:
Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock's compliance readiness specialists serve Canadian defense suppliers and bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.
As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.