Achieve CPCSC Compliance: Certify Your Defence Supply Chain Without the Complexity
CPCSC is Canada’s mandatory cyber security certification for defence suppliers handling sensitive unclassified government information. Managed by Public Services and Procurement Canada, the program requires certification across three levels: Level 1 (13 controls, self-assessment, required in select defence contracts beginning Summer 2026), Level 2 (98 controls, triannual third-party assessment plus annual affirmation), and Level 3 (200 controls, triannual Government of Canada assessment plus annual affirmation). Levels 2 and 3 are currently under development and will be introduced in a phased approach. The underlying standard, ITSP.10.171, is a Canadian adaptation of NIST SP 800-171 developed by the Canadian Centre for Cyber Security. Defence suppliers that cannot certify are excluded from procurement—no certification, no contract eligibility.
The Kiteworks Private Data Network supports CPCSC compliance with pre-mapped ITSP.10.171 controls, FIPS 140-3 validated encryption, zero-throttle audit logging, and Canadian deployment options that ensure specified information never leaves Canadian jurisdiction. Kiteworks supports 80% of ITSP.10.171 Level 2 controls—79 of 98. The remaining 19 are organizational, physical, or process-based requirements.
A Compressed Timeline, Complex Controls, and a Sovereignty Challenge Unlike Any Other Framework
Canadian defence suppliers face 98 controls across 17 requirement families, a sovereignty dimension that the equivalent U.S. program does not impose, and a certification timeline that is already active. Only 46% of contractors in the parallel U.S. CMMC program consider themselves prepared for Level 2 certification, and 62% lack adequate governance controls.
Meet 98 Security Controls Across 17 Requirement Families
CPCSC Level 2 requires triannual third-party assessment across 98 controls spanning access control, audit and accountability, identification and authentication, system and communications protection, and 13 additional families. Each control includes organization-defined parameters that must be specified and documented. Defence suppliers must demonstrate that controls operate effectively across every channel through which specified information moves—email, file sharing, SFTP, managed file transfer, and web forms. Fragmented tools create fragmented evidence and multiply the assessment burden.
Protect Specified Information Under Canadian Jurisdiction
ITSP.10.171 protects “specified information”—any data a Government of Canada authority identifies as requiring safeguarding. This data must remain under Canadian jurisdictional control. Yet 40% of Canadian organizations cite Canada–U.S. data sharing changes as their top regulatory concern, and 21% flag the CLOUD Act as a direct sovereignty threat. Defence suppliers using U.S.-headquartered multi-tenant cloud services face an architectural sovereignty gap that contracts cannot close.
Produce Audit-Ready Evidence for Accredited Certification Bodies
CPCSC Level 2 assessors require documented evidence of control implementation—not policy statements, but operational proof. Organizations must produce complete audit trails, demonstrate access control enforcement, and provide continuous monitoring evidence. Manual evidence collection from fragmented systems takes months. Failed assessments delay certification, jeopardize contracts, and trigger reassessment cycles.
How Kiteworks Helps Canadian Defence Suppliers Achieve CPCSC Certification
Unify Secure Data Exchange Under One Policy Engine
Kiteworks consolidates secure email, file sharing, managed file transfer, SFTP, web forms, APIs, and AI integrations under a single governance architecture. The Data Policy Engine enforces role-based and attribute-based access controls consistently across every channel. Eight default administrative roles enforce separation of duties with least-privileged defaults. Integration with LDAP, Active Directory, SAML 2.0, and Kerberos enables centralized identity management with automatic provisioning. Multi-factor authentication supports RADIUS, PIV/CAC, time-based OTP, and enterprise authenticators.
Enforce Canadian Data Sovereignty by Architecture
Kiteworks offers on-premises, private cloud in Canadian data centres, or hybrid deployment—combined with single-tenant isolation that eliminates multi-tenant exposure. Customer-owned encryption keys ensure neither Kiteworks nor any third party can access specified information without customer authorization. Geofencing through configurable IP controls enforces jurisdictional boundaries at the infrastructure level. Data sovereignty controls route specified information exclusively through assigned Canadian jurisdictions based on LDAP or SAML attributes.
Generate Assessment-Ready Evidence in Hours, Not Months
Kiteworks’ comprehensive audit log captures every file access, transfer, and policy decision in real time with zero throttling—no log gaps, no delays, no premium licensing. SIEM integration via syslog and native Splunk Forwarder feeds evidence to security operations continuously. Pre-built compliance reports automate framework-specific evidence generation. Audit data access is restricted to the Compliance admin role—even system administrators cannot modify records—ensuring tamper-evident integrity that satisfies assessor requirements.
Frequently Asked Questions
The Canadian Program for Cyber Security Certification is Canada’s mandatory cyber security certification for defence suppliers handling sensitive unclassified government information. It applies to all companies bidding on or performing defence contracts involving specified information. Level 1 (self-assessment, 13 controls) will be required in select defence contracts beginning Summer 2026. Levels 2 (triannual third-party assessment, 98 controls) and 3 (triannual Government of Canada assessment, 200 controls) are currently under development and will be introduced in a phased approach. No certification means no contract eligibility.
ITSP.10.171 is the Canadian cyber security standard underpinning CPCSC, developed by the Canadian Centre for Cyber Security. It is a direct adaptation of NIST SP 800-171 with no substantial technical changes—only modifications reflecting Canada’s regulatory landscape, including different terminology (“specified information” instead of “controlled unclassified information”) and different governing authorities (Treasury Board Secretariat policies instead of NIST directives). Organizations already working toward U.S. CMMC certification will find the control requirements functionally identical.
Kiteworks supports 80% of ITSP.10.171 Level 2 controls—79 of 98—through a unified secure data exchange platform. Key capabilities include the Data Policy Engine enforcing RBAC and ABAC access controls across all channels, zero-throttle audit logging with real-time SIEM integration, FIPS 140-3 validated AES-256 double encryption with customer-owned keys, a hardened virtual appliance with embedded firewall and intrusion detection, multi-factor authentication, and Canadian deployment options ensuring data sovereignty.
Yes. Because ITSP.10.171 is technically equivalent to NIST SP 800-171, a single Kiteworks deployment supports certification against both CPCSC for Canadian contracts and CMMC for U.S. DoW contracts. Kiteworks is FedRAMP Authorized with pre-mapped NIST 800-171 controls and provides CMMC 2.0 compliance reports with a Controls Addendum covering all 110 practices. The same infrastructure generates evidence for CPCSC certification bodies.
Kiteworks provides architecture-level sovereignty through on-premises, Canadian-hosted private cloud, or hybrid deployment with single-tenant isolation. Customer-owned encryption keys mean specified information is encrypted with keys only the customer controls—Kiteworks cannot decrypt customer data. Geofencing restricts access by geographic location, and data sovereignty controls route specified information exclusively through assigned Canadian jurisdictions based on LDAP or SAML attributes.