CPCSC

Achieve Canadian Program for Cyber Security Certification with tiered ITSP.10.171 controls protecting specified information for defence suppliers under Canadian jurisdiction.

How Kiteworks Supports CPCSC Compliance

The Canadian Program for Cyber Security Certification (CPCSC) establishes mandatory cyber security standards for the Canadian defence supply chain, requiring suppliers and subcontractors to implement specific security controls to protect "specified information" — sensitive unclassified data identified by the Government of Canada as requiring safeguarding. Managed by Public Services and Procurement Canada and underpinned by the ITSP.10.171 standard developed by the Canadian Centre for Cyber Security, CPCSC requires certification across three tiered levels. Kiteworks provides a comprehensive platform that supports defence suppliers in achieving CPCSC certification, with pre-mapped ITSP.10.171 controls covering 80% of Level 2 requirements (79 of 98 controls).

CPCSC Three-Level Model

CPCSC introduces three certification levels, each scaled to the sensitivity of the information being handled:

| Level | Description | Assessment | Kiteworks Support |
|---|---|---|---|
| Level 1 (Foundational) | 13 controls; required in select defence contracts beginning Summer 2026 | Annual self-assessment | Full coverage of foundational safeguarding requirements |
| Level 2 (Advanced) | 98 controls aligned with ITSP.10.171 / NIST SP 800-171 | Triannual third-party assessment plus annual affirmation | Comprehensive support for 79 of 98 controls (80%) |
| Level 3 (Expert) | 200 controls for the most sensitive defence engagements | Triannual Government of Canada assessment plus annual affirmation | Advanced data protection and sovereignty controls for highest-sensitivity contracts |

Specified Information Protection

Protecting "specified information" — Canada's equivalent of CUI under U.S. CMMC — is at the heart of CPCSC. Kiteworks provides comprehensive coverage through:

  • Content Classification: Tag and categorize specified information according to Treasury Board Secretariat sensitivity designations.
  • Automated Policy Enforcement: The Data Policy Engine applies role-based and attribute-based access controls consistently across email, file sharing, MFT, SFTP, web forms, APIs, and AI integrations.
  • Dissemination Controls: Enforce distribution limitations and handling instructions associated with each classification.
  • Next-Gen DRM: Prevent unauthorized copying, printing, or redistribution of specified information once shared externally.

ITSP.10.171 Control Mapping

CPCSC Level 2 maps directly to the 98 security controls in ITSP.10.171, the Canadian Centre for Cyber Security's adaptation of NIST SP 800-171. Because the technical requirements are functionally identical, organizations already pursuing U.S. CMMC certification can leverage the same Kiteworks deployment to achieve CPCSC certification. Kiteworks addresses controls across all 17 requirement families, with particularly strong coverage in the following critical areas:

Access Control (AC Family)

Kiteworks enforces granular access control across every channel through which specified information moves:

  • Limit system access to authorized users, processes, and devices
  • Eight default administrative roles enforce separation of duties with least-privileged defaults
  • Role-based and attribute-based access controls applied consistently across all data exchange channels
  • Geofencing through configurable IP controls enforces jurisdictional boundaries
  • Centralized identity management via LDAP, Active Directory, SAML 2.0, and Kerberos with automatic provisioning

Audit and Accountability (AU Family)

CPCSC Level 2 assessors require documented evidence of operational control implementation — not just policy statements. Kiteworks delivers:

  • Zero-throttle audit logging: Every file access, transfer, and policy decision captured in real time with no log gaps, no delays, and no premium licensing.
  • SIEM integration: Native Splunk Forwarder and syslog feeds deliver evidence to security operations continuously.
  • Tamper-evident integrity: Audit data is restricted to the Compliance admin role — even system administrators cannot modify records.
  • Pre-built compliance reports: Automated, framework-specific evidence generation that turns months of manual collection into hours.

Identification and Authentication (IA Family)

Strong identification and authentication is critical for CPCSC. Kiteworks provides:

  • Multi-factor authentication supporting RADIUS, PIV/CAC, time-based OTP, and enterprise authenticators
  • Replay-resistant authentication mechanisms
  • Password complexity and rotation enforcement
  • Integration with enterprise identity providers (SAML 2.0, LDAP, Active Directory, Kerberos)

System and Communications Protection (SC Family)

Kiteworks addresses System and Communications Protection requirements through:

  • FIPS 140-3 validated encryption: AES-256 double encryption at rest and TLS in transit
  • Customer-owned encryption keys: Neither Kiteworks nor any third party can access specified information without customer authorization
  • Hardened virtual appliance: Embedded firewall and intrusion detection at the boundary
  • Single-tenant isolation: Eliminates the multi-tenant exposure inherent to U.S.-headquartered cloud services

Canadian Data Sovereignty by Architecture

ITSP.10.171 requires that specified information remain under Canadian jurisdictional control. Kiteworks is one of the few platforms that can enforce this requirement architecturally rather than contractually:

  • Canadian deployment options: On-premises, private cloud in Canadian data centres, or hybrid deployment with single-tenant isolation
  • Data sovereignty routing: Specified information routed exclusively through assigned Canadian jurisdictions based on LDAP or SAML attributes
  • CLOUD Act mitigation: Customer-owned keys and Canadian-resident infrastructure close the architectural sovereignty gap that contracts alone cannot
  • Geofencing controls: Configurable IP controls enforce jurisdictional boundaries at the infrastructure level

One Deployment for CPCSC and CMMC

Because ITSP.10.171 is a direct adaptation of NIST SP 800-171 with no substantial technical changes, Canadian defence suppliers operating in both Canadian and U.S. defence supply chains can use a single Kiteworks deployment to support both CPCSC and CMMC certification simultaneously. This eliminates duplicate tooling, reduces assessment burden, and provides consistent operational evidence for both Canadian Centre for Cyber Security and DoD assessors. By deploying Kiteworks, defence suppliers can accelerate their path to CPCSC certification while ensuring specified information never leaves Canadian jurisdiction.