HomeITSP.10.171 ControlsIdentification and Authentication › 03.05.03
ITSP.10.171 · 03.05.03

Multi-factor Authentication

Level 1 (Mandatory April 2026)
IA — Identification and Authentication

Control Description

Implement strong multi-factor authentication for access to privileged and non-privileged accounts.

Assessment Objective

Verify that strong MFA is implemented for both privileged and non-privileged account access.

Assessment Scope

This control includes 2 determination statements that assessors evaluate during a CPCSC assessment. Each determination must be satisfied with documented evidence to demonstrate control effectiveness.

CPCSC Context

This is one of the 13 controls required for CPCSC Level 1 self-assessment, mandatory from April 2026 for all Department of National Defence (DND) contract awards. Level 1 is a self-attestation — no third-party assessor is required.

How Solymus Helps

Solymus maps your evidence directly to ITSP 03.05.03, providing tamper-evident, KMS-signed receipts for every artifact you upload. The platform generates audit-ready evidence packages with per-artifact verification URLs that assessors can independently validate.

Level 1 is free for a limited time — start your self-assessment today and build a cryptographic evidence chain before the April 2026 deadline.

Frequently Asked Questions

What is ITSP 03.05.03 (Multi-factor Authentication)?

ITSP 03.05.03 is a security control in the Identification and Authentication family of ITSP.10.171, Canada's adaptation of NIST SP 800-171 Rev 3. It requires organizations to implement strong multi-factor authentication for access to privileged and non-privileged accounts.

Is ITSP 03.05.03 required for CPCSC Level 1?

Yes. ITSP 03.05.03 is one of the 13 controls required for CPCSC Level 1 self-assessment, mandatory from April 2026 for all DND contract awards.

How does Solymus help with this control?

Solymus provides a structured readiness assessment for ITSP 03.05.03, tamper-evident evidence collection with KMS-signed receipts, and exportable evidence packages that map directly to this control for audit submission.

Other IA — Identification and Authentication Controls

Start Your CPCSC Readiness Assessment

Free Level 1 assessment covers 13 controls. Build your tamper-evident evidence chain today.

Start Free (Level 1)