Everything Canadian defence suppliers need to know about third-party ITSP.10.171 certification
The Canadian Program for Cyber Security Certification (CPCSC) rolled out in three phases. Understanding where we are in the journey is critical to your preparation.
Mar 2025 – Mar 2026
The CPCSC standard (based on ITSP.10.171) was published, establishing the 13 Level 1 controls and the full 97-control framework for Levels 2 and 3.
Apr 2026 – Mar 2027
All Canadian defence suppliers must achieve CPCSC Level 1 (self-assessment, 13 controls). Assessor accreditation for Level 2 certification begins. This is when you build your evidence chain and prepare for third-party assessment.
Apr 2027 – Mar 2028
Level 2 certification (97 controls, third-party verified) becomes mandatory for suppliers in certain contract categories. Level 3 enters select high-security contracts.
Level 2 is not an upgrade to Level 1—it's a certification that proves all 97 controls are met and verified by an accredited third-party assessor.
| Aspect | CPCSC Level 1 | CPCSC Level 2 |
|---|---|---|
| Controls Required | 13 controls (6 families) | All 97 controls (17 families) |
| Assessment Type | Self-attestation | Third-party verification by accredited assessor |
| Evidence Requirements | Self-selected documentation | Tamper-evident, cryptographically signed evidence chain |
| Timeline | Mandatory by Apr 2026 | Mandatory by Apr 2027 (select contracts) |
| Cost | Free (with Solymus Level 1) | C$10,000/mo early bird (2026), C$15,000/mo standard (2027+) |
| Certification Authority | Self-signed | Accredited CPCSC assessor |
| Certificate of Truth | Not included | Yes—audit-ready certificate from assessor |
CPCSC Level 2 requires implementation and evidence across all 17 control families. Each family addresses a critical security domain.
Level 2 assessors expect more than Level 1 self-signed documentation. You need an audit-ready evidence chain that proves control implementation and effectiveness.
Solymus provides tamper-evident evidence ingestion, KMS-signed cryptographic receipts, and per-artifact verification URLs—everything assessors require for Level 2 certification.
Start free with Solymus Level 1. Ingest evidence for the 13 mandatory controls. Set up automated logging from your cloud providers and security tools. Build the habits and policies that will scale to Level 2.
Upgrade to Solymus Level 2 to unlock the full 97-control framework. Solymus automatically maps your evidence to every ITSP.10.171 control family. Track gaps and close them before your assessor arrives.
Export your evidence package with cryptographically signed KMS receipts and per-artifact verification URLs. Your assessor validates authenticity in seconds. You receive a Certificate of Truth from the accredited assessor.
Build your evidence chain now—free for a limited time—with Solymus Level 1.
CPCSC Level 2 certification becomes mandatory on April 1, 2027, for Canadian defence suppliers in certain contract categories. However, Phase 2 (now through March 2027) is the preparation window. If you're a supplier to a DND prime contractor, you may face earlier deadlines from your customer. We recommend starting your Level 2 preparation now to avoid last-minute scrambling.
CPCSC Level 2 requires all 97 controls across 17 families. These controls are taken directly from ITSP.10.171 (Canada's adaptation of NIST SP 800-171 Rev 3). The 17 families are: Access Control (22), Audit & Accountability (9), Awareness & Training (3), Configuration Management (9), Identification & Authentication (11), Incident Response (8), Maintenance (6), Media Protection (4), Physical & Environmental Protection (6), Personnel Security (5), Planning (2), Risk Assessment (3), System & Communications Protection (16), System & Information Integrity (7), Supply Chain Risk Management (3), Security Assessment (4), and Services Acquisition (5).
Yes. CPCSC Level 2 requires certification by an accredited third-party assessor. This is different from Level 1, which is self-attestation. The assessor validates your evidence, verifies control implementation, and issues a Certificate of Truth. Assessor accreditation is managed by CPCSC and rolled out during Phase 2 (now through March 2027).
CPCSC is Canada's national cybersecurity certification program for defence suppliers. CMMC (Cybersecurity Maturity Model Certification) is the U.S. equivalent. While both are derived from NIST SP 800-171 Rev 3, CPCSC uses the ITSP.10.171 standard and operates under Canadian regulatory authority. If you supply to both Canadian and U.S. defence customers, you may need both certifications. CMMC support for Level 3 customers is on the Solymus roadmap.
ITSP.10.171 is Canada's Security Assurance and Cryptography Standard published by CSE (Communications Security Establishment). It's Canada's adaptation of NIST SP 800-171 Rev 3 and serves as the foundation for CPCSC. When you achieve CPCSC Level 2 or Level 3, you are implementing and demonstrating compliance with ITSP.10.171. The 97 controls in the CPCSC framework map directly to ITSP.10.171 control families and requirements.
Build an audit-ready evidence chain. Free for a limited time. Credit card required to activate Level 2—but Level 1 is always free.