HomeITSP.10.171 ControlsSystem and Services Acquisition › 03.16.02
ITSP.10.171 · 03.16.02

Unsupported System Components

Level 2 (Required April 2027)
SA — System and Services Acquisition

Control Description

The Unsupported System Components control (03.16.02) within the System and Services Acquisition family establishes requirements for Canadian defence suppliers handling controlled information under ITSP.10.171 / CPCSC.

Assessment Objective

Assessors verify that the organization has implemented and documented unsupported system components practices consistent with ITSP.10.171 requirements, and that evidence demonstrates ongoing control effectiveness.

CPCSC Context

This control is part of the full 97-control ITSP.10.171 baseline required for CPCSC Level 2 third-party certification, expected to be mandatory from April 2027. Organizations should begin preparing now to ensure readiness.

How Solymus Helps

Solymus maps your evidence directly to ITSP 03.16.02, providing tamper-evident, KMS-signed receipts for every artifact you upload. The platform generates audit-ready evidence packages with per-artifact verification URLs that assessors can independently validate.

Begin with free Level 1 to establish your evidence chain, then upgrade to Level 2 when you need full 97-control coverage and third-party assessment readiness.

Frequently Asked Questions

What is ITSP 03.16.02 (Unsupported System Components)?

ITSP 03.16.02 is a security control in the System and Services Acquisition family of ITSP.10.171, Canada's adaptation of NIST SP 800-171 Rev 3. It requires organizations to the Unsupported System Components control (03.16.02) within the System and Services Acquisition family establishes requirements for Canadian defence suppliers handling controlled information under ITSP.10.171 / CPCSC.

Is ITSP 03.16.02 required for CPCSC Level 1?

No. ITSP 03.16.02 is required at CPCSC Level 2 (third-party certification, April 2027) but is not in the Level 1 subset of 13 controls.

How does Solymus help with this control?

Solymus provides a structured readiness assessment for ITSP 03.16.02, tamper-evident evidence collection with KMS-signed receipts, and exportable evidence packages that map directly to this control for audit submission.

Other SA — System and Services Acquisition Controls

Start Your CPCSC Readiness Assessment

Free Level 1 assessment covers 13 controls. Build your tamper-evident evidence chain today.

Start Free (Level 1)