Kiteworks Delivers 80% Compliance Coverage for Canada’s CPCSC Cybersecurity Standard


Key Takeaways

  • Canada’s new Program for Cyber Security Certification (CPCSC) will require defense suppliers handling sensitive but unclassified government information to certify against ITSP.10.171, Canada’s adaptation of NIST SP 800‑171.
  • Certification occurs in three tiers: Level 1 (annual self‑assessment of 13 controls), Level 2 (triennial third‑party assessment of 98 controls plus annual affirmations), and Level 3 (triennial government assessment of 200 controls). Non‑certified suppliers will be barred from defense procurements.
  • CPCSC aligns closely with the U.S. CMMC framework, allowing organizations seeking contracts in both jurisdictions to leverage a single security baseline and avoid duplicate efforts.
  • Kiteworks announces broad support for CPCSC, highlighting its pre‑mapped ITSP.10.171 controls, automated audit‑evidence generation, Canadian data‑sovereignty deployment options, FIPS 140‑3 validated encryption, and dual CPCSC/CMMC readiness.
  • The platform’s defense‑in‑depth architecture, unified secure data‑exchange capabilities, and detailed solution guide aim to accelerate compliance, reduce implementation costs, and preserve contract eligibility for Canadian defense suppliers.

Introduction to CPCSC and Its Strategic Importance
Kiteworks has announced extensive support for Canada’s newly introduced Program for Cyber Security Certification (CPCSC), a framework designed to elevate the cybersecurity posture of defense suppliers. Overseen by Public Services and Procurement Canada in partnership with the Department of National Defence, the Standards Council of Canada, and the Canadian Centre for Cyber Security, CPCSC mandates that any contractor handling sensitive but unclassified government information achieve certification against ITSP.10.171. This standard mirrors the U.S. NIST SP 800‑171, ensuring that Canadian requirements are technically equivalent to those already familiar to many defense contractors operating south of the border. By establishing a mandatory certification regime, Canada seeks to close gaps identified in allied nations and to protect its defense supply chain from increasingly sophisticated cyber threats.

Structure and Phasing of the Certification Levels
The CPCSC model is organized into three progressive levels, each building on the previous one. Level 1 requires suppliers to perform an annual self‑assessment covering 13 foundational controls, serving as an entry point for organizations beginning their compliance journey. Level 2 escalates the rigor: suppliers must undergo third‑party assessments every three years across 98 controls, complemented by annual affirmations of continued compliance. Level 3 represents the highest tier, mandating triennial assessments conducted directly by the Government of Canada across an expanded set of 200 controls. Failure to attain the requisite level for a given contract will result in disqualification from defense procurement, underscoring the program’s enforcement mechanism and the urgency for suppliers to achieve certification promptly.

Alignment with U.S. CMMC and Cross‑Border Benefits
CPCSC’s deliberate alignment with NIST SP 800‑171 creates a direct technical equivalence with the U.S. Cybersecurity Maturity Model Certification (CMMC) framework. This congruence enables defense suppliers pursuing contracts in both Canada and the United States to leverage a unified set of controls, thereby avoiding duplicative efforts and reducing overall compliance costs. As Frank Balonis, CISO and SVP of Operations at Kiteworks, notes, organizations that have already invested in CMMC readiness can extend those investments to satisfy CPCSC requirements with minimal additional work. The shared baseline also promotes interoperability among Five Eyes partners, facilitating smoother collaboration on joint defense initiatives while ensuring that Canadian data‑sovereignty obligations are respected.

Readiness Challenges Highlighted by U.S. Experience
Data from the United States—where NIST SP 800‑171 has been in effect for several years—illustrates the scale of the readiness challenge facing contractors. Surveys indicate that fewer than half of U.S. defense contractors report feeling prepared for Level 2 CMMC assessments, and many have yet to complete formal gap analyses or implement sufficient governance structures. These findings suggest that a substantial portion of the supplier base will require significant effort to meet the forthcoming CPCSC obligations. Consequently, platforms that can accelerate gap identification, remediation, and evidence collection are poised to become critical enablers for Canadian suppliers seeking to maintain contract eligibility.

Kiteworks’ Pre‑Mapped ITSP.10.171 Controls
To address these challenges, Kiteworks highlights that its platform already supports 79 of the 98 Level 2 controls outlined in ITSP.10.171. The covered domains include access control, audit and accountability, identification and authentication, media protection, system and communications protection, system and information integrity, and supply chain risk management. The remaining controls pertain primarily to organizational and physical safeguards—such as personnel policies, training, and facility security—which organizations must address internally. By providing a pre‑mapped control set, Kiteworks reduces the initial engineering lift required to align technical systems with the certification standard, allowing suppliers to focus resources on the procedural and managerial aspects of compliance.

Automated Audit Logging and Evidence Generation
A cornerstone of Kiteworks’ offering is its comprehensive audit logging capability. The platform captures every file interaction and policy action in real time, without throttling or the need for additional licensing. This granular, immutable log stream can be forwarded to SIEM solutions via syslog or a native Splunk Forwarder, enabling rapid delivery of the audit evidence demanded during CPCSC assessments. By automating evidence collection, Kiteworks helps suppliers overcome one of the most time‑intensive components of certification—proving that controls are operating effectively and consistently over the required assessment periods.

Canadian Data Sovereignty and Deployment Flexibility
Recognizing Canada’s stringent data‑sovereignty requirements, Kiteworks offers multiple deployment models that keep sensitive information within national borders. Organizations may choose an on‑premises installation, a private cloud hosted in Canadian data centers, or a hybrid configuration that blends both approaches. Key features supporting sovereignty include single‑tenant architecture, customer‑managed encryption keys, and geofencing controls that prevent data from leaving authorized jurisdictions. This flexibility ensures that suppliers can satisfy both the technical controls of ITSP.10.171 and the legal mandates governing data residency without compromising security or operational agility.

Encryption Standards and Defense‑in‑Depth Architecture
Kiteworks employs FIPS 140‑3 validated cryptographic modules, utilizing AES‑256 double encryption for data at rest and TLS 1.3 for data in transit to meet the confidentiality requirements of ITSP.10.171. Beyond encryption, the platform adopts a defense‑in‑depth posture: a hardened virtual appliance integrates a firewall, web application firewall (WAF), and AI‑driven intrusion detection. A deny‑by‑default network stance combined with zero‑trust segmentation addresses boundary protection and system integrity controls, reducing the attack surface and limiting lateral movement should a breach occur. These layers collectively satisfy many of the technical controls related to system and communications protection, as well as system and information integrity.

Unified Secure Data Exchange and Dual Certification Readiness
Kiteworks consolidates disparate communication channels—email, file sharing, managed file transfer, SFTP, web forms, APIs, and AI integrations—into a single secure data‑exchange platform governed by a centralized control plane. This unification simplifies policy enforcement, logging, and monitoring across all data flows, thereby supporting the audit and accountability, identification and authentication, and media protection domains of ITSP.10.171. Moreover, because ITSP.10.171 is technically identical to NIST SP 800‑171, a single Kiteworks deployment can concurrently support both CPCSC and U.S. CMMC certification efforts. The platform’s existing FedRAMP Authorization and CMMC 2.0 compliance reporting further streamline cross‑border defense procurement, allowing suppliers to demonstrate equivalent security postures to agencies in both nations without maintaining parallel solutions.

Solution Guide and Ongoing Support
Kiteworks has published a full CPCSC Solution Guide, which includes a detailed mapping of all 98 ITSP.10.171 Level 2 controls to platform capabilities. This resource serves as a practical playbook for suppliers embarking on the compliance journey, offering step‑by‑step guidance on control implementation, evidence collection, and audit preparation. By providing such documentation alongside its technology, Kiteworks aims to lower the barrier to entry for organizations that may lack deep internal cybersecurity expertise, thereby broadening the pool of eligible defense contractors.

About Kiteworks
Kiteworks’ mission is to empower organizations to manage risk across every instance of sending, sharing, receiving, and using private data. The platform delivers a unified secure data exchange that combines data governance, compliance, and protection within a single control plane, tracking and securing sensitive information as it moves within, into, and out of an enterprise. Headquartered in Silicon Valley, Kiteworks protects over 100 million end‑users and serves thousands of global enterprises and government agencies, positioning it as a trusted partner for defense suppliers navigating emerging cybersecurity mandates like CPCSC.

Media Contact
David Schutzman
PR Manager
[email protected]
