What is ITSP.10.171?
ITSP.10.171 is the Information Technology Security Program (ITSP) Guideline 10.171 published by the Canadian Centre for Cyber Security (CCCS)—part of the Canadian government's Communications Security Establishment (CSE).
In plain English: ITSP.10.171 is Canada's official security control framework for protecting "Controlled Information" (defence, government, and critical infrastructure data) from cyber threats.
Key Facts:
- Published: after May 2024, when NIST SP 800-171 Rev 3 (its source document) was finalized; check the CCCS site for the current revision date
- Adapted from: NIST SP 800-171 Rev 3 (the US baseline for protecting CUI in nonfederal systems)
- Terminology: Uses "Controlled Information" (CI) instead of US "Controlled Unclassified Information" (CUI)
- Scope: Government, defence, critical infrastructure, and supply chain security
- Authority: Canadian Centre for Cyber Security (CCCS)
- Mandatory for: Defence suppliers that handle Controlled Information on Government of Canada defence contracts, via CPCSC certification
Why ITSP.10.171 Exists
NIST published SP 800-171 to protect Controlled Unclassified Information (CUI) in nonfederal systems; the US Department of Defense requires it of its contractors through DFARS 252.204-7012. Canada used NIST SP 800-171 as a foundation but adapted it for Canadian law, the Canadian threat landscape, and Canadian defence priorities. The result is ITSP.10.171.
Reasons for adaptation:
- Canadian legal context: Different privacy laws (PIPEDA, Provincial privacy laws), access to information regulations, and trade secret protection
- Defence procurement: Canada's defence supply chain has unique characteristics (smaller market than US, more reliance on NATO standards)
- Threat landscape: Nation-state threats facing Canada differ from those facing the US
- Technology environment: Canadian companies have different infrastructure maturity levels than US military contractors
- International alignment: Canada needed to harmonise with NATO security standards and Five Eyes intelligence sharing agreements
The 17 ITSP.10.171 Control Families
ITSP.10.171 comprises 97 controls organized into 17 control families. The per-family counts below are identifier ranges as numbered in NIST SP 800-171 Rev 3 (for example, AC runs from 3.1.1 to 3.1.22) and sum to 123; a number of identifiers are withdrawn in Rev 3, which is why the active total is 97. Each family addresses a different aspect of information security:
| Family | Name | Controls | Scope |
| --- | --- | --- | --- |
| AC | Access Control | 22 | Who can access systems and data: user accounts, permissions, and logical access. |
| AT | Awareness & Training | 3 | Employee security training, awareness programs, and competency verification. |
| AU | Audit & Accountability | 9 | Logging, auditing, and tracking who did what, when, and why; non-repudiation of actions. |
| CA | Assessment & Monitoring | 4 | Security assessments, vulnerability scanning, continuous monitoring, and compliance verification. |
| CM | Configuration Mgmt | 9 | System baselines, change management, patch management, and configuration control. |
| IA | ID & Authentication | 11 | User identification, authentication (passwords, MFA), and credential management. |
| IR | Incident Response | 8 | Incident detection, response procedures, recovery, and post-incident analysis. |
| MA | Maintenance | 6 | System maintenance, updates, remote access during maintenance, and maintenance records. |
| MP | Media Protection | 4 | Physical storage media (hard drives, USB, paper): encryption, disposal, and sanitization. |
| PE | Physical Protection | 6 | Physical access to facilities, environmental controls, surveillance, and physical security measures. |
| PS | Personnel Security | 5 | Background checks, security clearances, termination procedures, and personnel agreements. |
| PL | Planning | 2 | Security policy development, information security plans, and strategy alignment. |
| RA | Risk Assessment | 3 | Risk identification, analysis, prioritisation, and risk management strategies. |
| SA | System & Services Acquisition | 5 | Vendor security requirements, contract clauses, system development security, and third-party risk. |
| SC | System & Comms Protection | 16 | Network security, encryption, boundary protection, firewalls, VPNs, and secure communications. |
| SI | System & Info Integrity | 7 | Malware protection, flaw remediation (patching), and system monitoring. |
| SR | Supply Chain Risk Mgmt | 3 | Supply chain security, vendor assessments, and management of supply chain risks. |
ITSP.10.171 Levels and CPCSC Certification
ITSP.10.171 does not have built-in "levels." The framework contains all 97 controls. However, CPCSC certification uses ITSP.10.171 to create three tiers:
| CPCSC Level | Controls Required | From ITSP.10.171 | Assessment Model | Timeline |
| --- | --- | --- | --- | --- |
| Level 1 | 13 controls | AC, IA, MP, PE, SC, SI (subset) | Self-assessment | Mandatory Apr 2026 |
| Level 2 | 97 controls | All 17 families (all controls) | Third-party certified | Mandatory Apr 2027 |
| Level 3 | 97+ controls | All ITSP.10.171 + 6 maturity domains | Continuous monitoring | High-security contracts |
In summary: CPCSC Level 2 and 3 require full ITSP.10.171 compliance. CPCSC Level 1 is a subset of the core controls (13 out of 97).
How ITSP.10.171 Differs from NIST 800-171
ITSP.10.171 vs NIST SP 800-171 Rev 3
While ITSP.10.171 is based on NIST SP 800-171 Rev 3, Canada made several adaptations:
Controlled Information vs CUI
ITSP uses "Controlled Information" (CI). NIST uses "Controlled Unclassified Information" (CUI). Different legal definitions in each country.
Legal Framework
ITSP.10.171 is framed by Canadian law (PIPEDA and provincial privacy Acts). NIST SP 800-171 is anchored in the US CUI Program (Executive Order 13556 and 32 CFR Part 2002).
Control Language
ITSP control wording emphasizes Canadian context. Example: Personnel security references Canadian Controlled Goods Program (CGP) instead of US security clearances.
Supply Chain Focus
ITSP has more emphasis on supply chain risk management (SR family) due to Canada's smaller defence market and greater reliance on suppliers.
Threat Landscape
ITSP acknowledges Canadian-specific threats (state-sponsored attacks, espionage risks to defence primes) while remaining NATO-aligned.
Maturity Emphasis
ITSP includes maturity domain guidance for continuous improvement beyond baseline compliance.
Mapping ITSP.10.171 to CPCSC Level 1 (13 Controls)
Not all 97 ITSP.10.171 controls are required for CPCSC Level 1. Canada selected 13 core controls across 6 families as the "Level 1 baseline." These controls are the absolute minimum for defence suppliers.
Which controls made the cut? The 13 controls that have the highest impact on protecting Controlled Information:
- Access Control (AC): 4 controls — Account management, access enforcement, external system restriction, public-facing content controls
- Identification & Authentication (IA): 3 controls — Unique identification, authentication, authenticator management
- Media Protection (MP): 1 control — Media sanitization / disposal
- Physical Protection (PE): 2 controls — Physical access authorisation, alternate work site security
- System & Communications Protection (SC): 1 control — Boundary protection / network security
- System & Information Integrity (SI): 2 controls — Flaw remediation, malicious code protection
For details on each control, see our CPCSC Level 1 Checklist.
Getting Started with ITSP.10.171 Compliance
If you are a Canadian defence supplier, here is how to get started:
- Read ITSP.10.171 from CCCS: Download the official guideline from the Canadian Centre for Cyber Security website
- Assess your current state: Map your existing controls to ITSP.10.171 families. Which controls do you meet? Which need work?
- Prioritize based on CPCSC Level: If you are starting with Level 1, focus on the 13 core controls first. Don't implement all 97 immediately
- Implement gaps: Deploy controls you are missing (MFA, encryption, firewall rules, policies, etc.)
- Collect evidence: Export logs, configurations, and test results proving each control is implemented
- Use Solymus: Upload evidence to Solymus to map controls automatically and generate compliance packages for assessors
ITSP.10.171 Resources
Official ITSP.10.171: Available from the Canadian Centre for Cyber Security (CCCS) website. Free PDF download.
Related Canadian standards:
- ITSP.10.080 - Minimum cryptography guidance
- ITSP.40.111 - Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (CSE's algorithm selection guidance)
Cross-reference: If you also work with US defence contracts, compare ITSP.10.171 to NIST 800-171 and CMMC.
Ready to Implement ITSP.10.171 Compliance?
Start free with Solymus today. Map your controls to ITSP.10.171, collect evidence, and prepare for CPCSC certification.