HomeITSP.10.171 ControlsAccess Control › 03.01.20
ITSP.10.171 · 03.01.20

Use of External Systems

Level 1 (Mandatory April 2026)
AC — Access Control

Control Description

Control and restrict the use of external systems to access organizational systems or process specified information.

Assessment Objective

Verify that use of external systems is prohibited unless authorized, security requirements are established, and portable storage device use is restricted.

Assessment Scope

This control includes 5 determination statements that assessors evaluate during a CPCSC assessment. Each determination must be satisfied with documented evidence to demonstrate control effectiveness.

CPCSC Context

This is one of the 13 controls required for CPCSC Level 1 self-assessment, mandatory from April 2026 for all Department of National Defence (DND) contract awards. Level 1 is a self-attestation — no third-party assessor is required.

How Solymus Helps

Solymus maps your evidence directly to ITSP 03.01.20, providing tamper-evident, KMS-signed receipts for every artifact you upload. The platform generates audit-ready evidence packages with per-artifact verification URLs that assessors can independently validate.

Level 1 is free for a limited time — start your self-assessment today and build a cryptographic evidence chain before the April 2026 deadline.

Frequently Asked Questions

What is ITSP 03.01.20 (Use of External Systems)?

ITSP 03.01.20 is a security control in the Access Control family of ITSP.10.171, Canada's adaptation of NIST SP 800-171 Rev 3. It requires organizations to control and restrict the use of external systems to access organizational systems or process specified information.

Is ITSP 03.01.20 required for CPCSC Level 1?

Yes. ITSP 03.01.20 is one of the 13 controls required for CPCSC Level 1 self-assessment, mandatory from April 2026 for all DND contract awards.

How does Solymus help with this control?

Solymus provides a structured readiness assessment for ITSP 03.01.20, tamper-evident evidence collection with KMS-signed receipts, and exportable evidence packages that map directly to this control for audit submission.

Other AC — Access Control Controls

Start Your CPCSC Readiness Assessment

Free Level 1 assessment covers 13 controls. Build your tamper-evident evidence chain today.

Start Free (Level 1)