CPCSC Readiness Platform

CPCSC Compliance Evidence — Organized, Proven, Assessment-Ready

Solymus maps your evidence to ITSP.10.171 controls, tracks your readiness, and produces tamper-evident records that auditors can independently verify.

CPCSC · ITSP.10.171 · NIST 800-171 Rev 3

What is CPCSC?

The Canadian Program for Cyber Security Certification is mandatory for all DND suppliers.

CPCSC Rollout Timeline

Key dates for Canadian defence suppliers.

March 2025 (Launched)

Phase 1 — Program Launch

CPCSC officially launched by the Government of Canada. Framework published, assessor accreditation process begins.

April 2026 (Upcoming)

Phase 2 — Level 1 Mandatory

Level 1 certification (self-assessment) required in DND contracts. Suppliers must demonstrate basic cyber hygiene controls.

Spring 2026+

Phase 3 — Level 2 Assessments

Third-party CPCSC assessments begin for contracts requiring Level 2 certification. Independent assessors evaluate ITSP.10.171 compliance.

2027

Phase 4 — Level 3

Government-led assessments for highest-sensitivity defence contracts. Full ITSP.10.171 compliance with additional requirements.

How Solymus Helps

From evidence collection to assessment-ready exports.

CPCSC Control Mapping

Map your evidence to ITSP.10.171 controls across all 17 families. Auto-mapping by evidence type with manual override.

Evidence Organization

Upload policy documents, configurations, screenshots, and audit logs. Evidence organized by control family for assessment readiness.

Readiness Dashboard

Real-time visibility into your CPCSC readiness posture. Track coverage across control families and identify gaps at a glance.

Remediation Tracking

Identify missing evidence and track remediation progress. Prioritize gaps by control family and assessment impact.

Tamper-Evident Records

Every artifact hashed (SHA-256), signed (AWS KMS ECDSA P-256), and linked to a daily Merkle chain. Tampering is mathematically detectable.

Assessment-Ready Exports

Export evidence packages with verification URLs per artifact. Assessors verify signatures independently using standard cryptographic libraries.

Clear Boundaries

What Solymus is and isn't.

What We Do

  • Organize and map evidence to ITSP.10.171 / CPCSC controls
  • Sign every artifact with AWS KMS (ECDSA P-256)
  • Chain evidence in daily Merkle trees for tamper detection
  • Track readiness and identify gaps by control family
  • Export assessment-ready packages with verification URLs
  • Provide public verification API for assessors

What We Don't Do

  • Guarantee CPCSC certification (your assessor makes that call)
  • Store or process classified or protected data
  • Replace your compliance program or security team
  • Provide legal opinions or regulatory advice
  • Modify or delete evidence after creation
  • Act as a CPCSC assessor or certification body

Pricing

Three tiers. All prices in Canadian dollars (CAD).

Solymus Starter

C$1,500/mo
CPCSC Level 1 readiness

Solymus Enterprise

Custom
For primes, MSPs, multi-entity

Frequently Asked Questions

Common questions from Canadian defence suppliers.

No. Certification is determined by your CPCSC assessor, not by any tool. Solymus supports audit-ready evidence with cryptographic verification, but your assessor evaluates whether your implementation meets CPCSC requirements. We give you the evidence trail; you own the compliance program.

Yes. Export packages are self-contained — they include the receipt, cryptographic signature, Merkle proof, daily root, public key, and verification instructions. Your assessor can verify mathematically using standard libraries (Python cryptography, OpenSSL) without calling any ProlixoTech API.

CMMC support is on our roadmap for Canadian suppliers with cross-border U.S. defence contracts. CPCSC and CMMC share a common foundation in NIST SP 800-171, so your evidence carries across both frameworks.

Most organizations start uploading evidence within minutes of creating an account. Upload your first artifact and Solymus handles hashing, signing, and control mapping automatically. The platform is designed for continuous use, not a one-time export.

Solymus supports evidence collection and readiness tracking for all CPCSC levels. Our Starter tier is designed for Level 1 readiness (self-assessment), while Guided provides full ITSP.10.171 mapping for Level 2 preparation (third-party assessment). Enterprise supports multi-entity organizations working toward any level.

Your exported evidence packages are self-contained and independently verifiable. They include all cryptographic material needed for offline verification using standard libraries. No ProlixoTech account or API required after export.

Be Assessment-Ready Before the Deadline

CPCSC Level 1 requirements take effect in DND contracts starting April 2026.
