Complete guide to ITSP.10.171, the Canadian Centre for Cyber Security's framework for protecting Controlled Information in the defence supply chain.
ITSP.10.171 is the Canadian Centre for Cyber Security's adaptation of NIST SP 800-171 Rev 3, and it is the technical standard behind CPCSC. It defines 97 security controls across 17 families for protecting Controlled Information in the Canadian defence supply chain: AC (22), AT (3), AU (9), CA (4), CM (9), IA (11), IR (8), MA (6), MP (4), PE (6), PS (5), PL (2), RA (3), SA (5), SC (16), SI (7), and SR (3). Level 1 of CPCSC is a 13-control self-assessment drawn from 6 of those families (AC, IA, MP, PE, SC, SI) and becomes mandatory in April 2026. Solymus maps every uploaded artifact to the exact ITSP.10.171 control ID and produces a cryptographic receipt you can verify without an account.
ITSP.10.171 is the Information Technology Security Program (ITSP) Guideline 10.171 published by the Canadian Centre for Cyber Security (CCCS)—part of the Canadian government's Communications Security Establishment (CSE).
In plain English: ITSP.10.171 is Canada's official security control framework for protecting "Controlled Information" (defence, government, and critical infrastructure data) from cyber threats.
Key Facts:
The US published NIST SP 800-171 to protect DoD defence data. Canada used NIST 800-171 as a foundation but adapted it for Canadian law, the Canadian threat landscape, and Canadian defence priorities. The result is ITSP.10.171.
Reasons for adaptation:
ITSP.10.171 comprises 97 controls organized into 17 control families. Each family addresses a different aspect of information security:
ITSP.10.171 does not have built-in "levels." The framework contains all 97 controls. However, CPCSC certification uses ITSP.10.171 to create three tiers:
| CPCSC Level | Controls Required | ITSP.10.171 Families Covered | Assessment Model | Timeline |
|---|---|---|---|---|
| Level 1 | 13 controls | AC, IA, MP, PE, SC, SI (subset) | Self-assessment | Mandatory Apr 2026 |
| Level 2 | 97 controls | All 17 families (all controls) | Third-party certified | Mandatory Apr 2027 |
| Level 3 | 97+ controls | All ITSP.10.171 + 6 maturity domains | Continuous monitoring | High-security contracts |
In summary: CPCSC Levels 2 and 3 require full ITSP.10.171 compliance. CPCSC Level 1 is a subset of the core controls (13 out of 97).
While ITSP.10.171 is based on NIST SP 800-171 Rev 3, Canada made several adaptations:
ITSP uses "Controlled Information" (CI), while NIST uses "Controlled Unclassified Information" (CUI). The legal definitions differ in each country.
ITSP references Canadian privacy law (PIPEDA, Provincial Acts). NIST references US federal regulations (FOIA, Espionage Act).
ITSP control wording emphasizes the Canadian context. For example, personnel security references the Canadian Controlled Goods Program (CGP) instead of US security clearances.
ITSP places more emphasis on supply chain risk management (SR family) due to Canada's smaller defence market and greater reliance on suppliers.
ITSP acknowledges Canadian-specific threats (state-sponsored attacks, espionage risks to defence primes) while remaining NATO-aligned.
ITSP includes maturity domain guidance for continuous improvement beyond baseline compliance.
Not all 97 ITSP.10.171 controls are required for CPCSC Level 1. Canada selected 13 core controls across 6 families as the "Level 1 baseline." These controls are the absolute minimum for defence suppliers.
Which controls made the cut? The 13 controls that have the highest impact on protecting Controlled Information:
For details on each control, see our CPCSC Level 1 Checklist.
If you are a Canadian defence supplier, here is how to get started:
Official ITSP.10.171: Available from the Canadian Centre for Cyber Security (CCCS) website. Free PDF download.
Related Canadian standards:
Cross-reference: If you also work with US defence contracts, compare ITSP.10.171 to NIST 800-171 and CMMC.
ITSP.10.171 is the Canadian Centre for Cyber Security's Information Technology Security Program Guideline 10.171, defining 97 security controls across 17 families for protecting Controlled Information. It is the technical standard behind CPCSC.
ITSP.10.171 is Canada's adaptation of NIST SP 800-171 Rev 3. The control catalogue structure is parallel, which is why the same Solymus evidence pipeline can cross-walk between the two frameworks and produce receipts that satisfy both CPCSC and CMMC/DFARS regulators.
97 controls distributed across 17 families. CPCSC Level 1 is a 13-control subset drawn from 6 of those families.
AC (Access Control, 22), AT (Awareness and Training, 3), AU (Audit and Accountability, 9), CA (Security Assessment, 4), CM (Configuration Management, 9), IA (Identification and Authentication, 11), IR (Incident Response, 8), MA (Maintenance, 6), MP (Media Protection, 4), PE (Physical and Environmental Protection, 6), PS (Personnel Security, 5), PL (Planning, 2), RA (Risk Assessment, 3), SA (System and Services Acquisition, 5), SC (System and Communications Protection, 16), SI (System and Information Integrity, 7), SR (Supply Chain Risk Management, 3).
CPCSC is the certification program; ITSP.10.171 is the technical standard against which CPCSC assessments are conducted. Achieving a CPCSC certification at any level means demonstrating implementation of the required ITSP.10.171 controls.