Kiteworks Enables 80% Coverage of Canada’s CPCSC Cybersecurity Certification Controls, Streamlining Defense Supplier Compliance

Kiteworks has announced broad support for the Canadian Program for Cyber Security Certification (CPCSC), positioning its platform to help defense suppliers meet the country’s new mandatory cybersecurity requirements. As Canada begins introducing Level 1 self-assessment obligations into select defense contracts in Summer 2026—with Level 2 and Level 3 certifications to follow—the company’s pre-mapped ITSP.10.171 controls, Canadian deployment flexibility, and automated audit evidence capabilities are designed to accelerate compliance and preserve contract eligibility.

The CPCSC framework, overseen by Public Services and Procurement Canada in collaboration with the Department of National Defence, the Standards Council of Canada, and the Canadian Centre for Cyber Security, mandates that defense suppliers handling sensitive but unclassified government information certify against ITSP.10.171. This standard is Canada’s adaptation of NIST SP 800-171.

The certification model is structured across three progressive levels:

  • Level 1 requires suppliers to complete an annual self-assessment covering 13 foundational controls
  • Level 2 introduces third-party assessments every three years across 98 controls, along with annual affirmations
  • Level 3 expands to 200 controls, assessed triennially by the Government of Canada

Failure to achieve certification will disqualify suppliers from participating in defense procurement. Data from the United States—based on the same NIST 800-171 framework—highlights the scale of readiness challenges: fewer than half of contractors report preparedness for Level 2, while many have yet to complete gap analyses or implement sufficient governance controls.

CPCSC’s alignment with NIST SP 800-171 is intended to promote interoperability across Five Eyes partners and allow Canadian defense suppliers to demonstrate equivalent security postures to organizations certified under the U.S. Cybersecurity Maturity Model Certification (CMMC). For organizations pursuing contracts in both countries, the shared control baseline enables efficiencies, as investments in one certification pathway directly support the other.

“Canadian defense suppliers face the same NIST 800-171 control requirements that have challenged U.S. contractors for years—but with the added complexity of Canadian data sovereignty obligations and the reality that Levels 2 and 3 are still under development,” said Frank Balonis, CISO and SVP of Operations at Kiteworks. “Kiteworks has been helping defense contractors navigate CMMC certification since the program’s inception. CPCSC is built on the same foundational standard, which means our pre-mapped controls, our FedRAMP-validated security architecture, and our compliance evidence generation work for both programs from a single deployment. Canadian suppliers don’t need to start from scratch—they need a platform that’s already proven against these exact requirements.”

Kiteworks outlined several platform capabilities aimed at supporting CPCSC compliance:

Pre-mapped ITSP.10.171 controls: The platform supports 79 out of 98 Level 2 controls, covering critical domains such as access control, audit and accountability, identification and authentication, media protection, system and communications protection, system and information integrity, and supply chain risk management. The remaining controls primarily relate to organizational and physical measures, including personnel policies and training.

Comprehensive audit logging: The system captures all file interactions and policy actions in real time without throttling or additional licensing requirements. Integration with SIEM tools via syslog and a native Splunk Forwarder enables rapid delivery of audit evidence for certification assessments.

Canadian data sovereignty support: Deployment options include on-premises environments, private cloud infrastructure within Canadian data centers, or hybrid models. Features such as single-tenant architecture, customer-managed encryption keys, and geofencing ensure sensitive data remains within Canadian jurisdiction.

FIPS 140-3 validated encryption: The platform employs AES-256 double encryption for data at rest and TLS 1.3 for data in transit, meeting ITSP.10.171 confidentiality requirements through validated cryptographic modules.

Dual CPCSC and CMMC certification readiness: Given the technical equivalence between ITSP.10.171 and NIST SP 800-171, a single deployment can support both Canadian CPCSC and U.S. CMMC certification efforts. Kiteworks’ FedRAMP Authorization and CMMC 2.0 compliance reporting further support cross-border defense procurement.

Defense-in-depth architecture: A hardened virtual appliance integrates firewall, web application firewall (WAF), and AI-driven intrusion detection capabilities. A deny-by-default network posture and zero-trust segmentation model address key boundary protection and system integrity requirements.

Unified secure data exchange platform: Kiteworks consolidates multiple communication and data transfer channels—including email, file sharing, managed file transfer, SFTP, web forms, APIs, and AI integrations—into a single control plane governed by centralized policies, logging, and security architecture.

A full CPCSC Solution Guide, including a detailed mapping of all 98 ITSP.10.171 Level 2 controls, is available here.

______

About Kiteworks

Kiteworks’ mission is to empower organizations to effectively manage risk in every send, share, receive, and use of private data. The Kiteworks platform provides customers with a secure data exchange that delivers data governance, compliance, and protection in a unified control plane. Kiteworks unifies, tracks, controls, and secures sensitive data moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all private data exchanges. Headquartered in Silicon Valley, Kiteworks protects over 100 million end-users and thousands of global enterprises and government agencies.

Media Contact

David Schutzman

PR Manager

[email protected]
