What is CPCSC?
CPCSC (Canadian Protected Computing Security Certification) is a cybersecurity compliance framework required for Canadian contractors and service providers who handle Protected B government information. It is Canada's equivalent of the US CMMC framework.
Quick Answer
CPCSC is based on ITSP.10.171 (IT Security Standard for Protecting Controlled Information) and requires implementation of security controls across physical, technical, and administrative domains. It ensures government contractors maintain adequate cybersecurity to protect classified Canadian government data.
Who Needs CPCSC?
Any organization that contracts with the Canadian federal government and handles Protected B information:
- IT service providers to federal departments
- Defense contractors handling classified information
- Cloud service providers hosting government data
- Consultants accessing government systems
- Subcontractors in the government supply chain
- Systems integrators and software developers
Canadian Information Classification
Protected A
Low sensitivity information. Disclosure could cause injury to individuals or organizations. Requires basic security controls. Examples: personnel evaluations, medical records.
Protected B
Medium sensitivity information. Most common classification for contractors. Requires comprehensive ITSP.10.171 controls. Examples: law enforcement investigations, contract details, procurement information, personnel files.
Protected C
High sensitivity information. Disclosure could cause serious harm to national security. Requires enhanced controls beyond standard CPCSC. Limited to critical national security programs.
CPCSC Requirements (Protected B)
Technical Controls
- Access control and authentication
- Encryption for data at rest and in transit
- Network security and segmentation
- Malware protection and security monitoring
- Vulnerability management and patching
- Audit logging and event monitoring
Administrative Controls
- Security policies and procedures
- Personnel security screening (reliability status or secret clearance)
- Security awareness training
- Incident response procedures
- Risk management program
- Vendor management
Physical Controls
- Physical access controls to Protected B areas
- Visitor management
- Equipment security and disposal
- Environmental controls
Timeline & Costs
Protected B Certification: 6-12 months, $80K-$400K total cost
Breakdown:
- Gap Assessment: $15K-$25K (4-6 weeks)
- Implementation: $40K-$300K (16-32 weeks)
- Assessment Fee: $15K-$50K (2-4 weeks)
- Annual Maintenance: 20-30% of implementation cost
CPCSC vs CMMC
Similarities:
- Both protect government controlled information
- Both require third-party assessment
- Similar technical control requirements
- Comparable costs and timelines
Key Differences:
- CPCSC is based on ITSP.10.171; CMMC is based on NIST SP 800-171
- CPCSC emphasizes personnel security screening more heavily
- CPCSC has fewer formal certification levels
- CMMC is more mature, with an established assessor ecosystem
Getting Started
Steps to achieve CPCSC compliance:
- Gap Assessment: Evaluate current controls against ITSP.10.171 requirements
- Scope Definition: Identify systems that process Protected B information
- Implementation Plan: Prioritize control implementation based on risk
- Technical Implementation: Deploy required security controls and tools
- Documentation: Create security plans, policies, and procedures
- Personnel Screening: Obtain reliability status for relevant staff
- Internal Testing: Validate controls before formal assessment
- Third-Party Assessment: Engage authorized CPCSC assessor
- Certification: Receive certification upon successful assessment
- Continuous Compliance: Maintain controls and re-certify as required
Need Help with CPCSC Compliance?
Pilotcore provides CPCSC gap assessments, implementation, and certification support for Canadian government contractors. Our team has experience with both CPCSC and CMMC frameworks.