
The CPCSC Assessment Tool That Works Where Specified Information Lives

A single HTML file that replaces cloud GRC platforms for Canada’s defence supply chain. 100% offline. Air-gap ready. Deploys in seconds. Purpose-built for ITSP.10.171 and SCC 3PAO assessment.

97 ITSP.10.171 controls • 375 determination statements • 17 security domains • 3 certification levels

Sources: DND CPCSC Programme • ITSP.10.171 • PSPC Defence Procurement

⚠ Spring 2026: CPCSC certification is now mandatory for new DND contracts. New RFPs require certification before your bid is read. Contact us today →

THE PROBLEM

Canada’s Defence Supply Chain Has a Compliance Crisis

CPCSC is now mandatory. Every DND supplier handling Specified Information must certify. The supply chain isn’t ready.

10,000+ DND suppliers

Canada’s defence supply chain includes thousands of companies — most are SMBs with limited compliance resources and no formal cybersecurity programme.

97 controls required

ITSP.10.171 mandates 97 security controls across 17 domains — with 375 individual determination statements to evaluate, document, and evidence.

Limited 3PAOs available

SCC-accredited third-party assessor organisations are still ramping up. The assessment backlog will grow as RFP enforcement begins.

Zero offline tools available

Every competitor is cloud-based — sending your Specified Information to someone else’s server. Air-gapped and restricted DND environments have no options.

BACKGROUND

What is CPCSC?

The Canadian Programme for Cyber Security Certification (CPCSC) is the Government of Canada’s mandatory cybersecurity framework for the defence supply chain — jointly administered by DND and PSPC, based on ITSP.10.171.

🏛 Regulatory Basis

  • Developed by the Canadian Centre for Cyber Security (CCCS)
  • Based on ITSP.10.171 — Canada’s adaptation of NIST SP 800-171
  • Mandated by DND / PSPC for defence supply chain suppliers
  • Applies to any organization handling Specified Information under DND contracts

⚖ Who Must Comply

  • Direct DND suppliers (Tier 1)
  • Subcontractors to DND primes (Tier 2 / Tier 3)
  • Manufacturers, R&D labs, testing facilities with DND contracts
  • IT/software companies supporting DND programmes
  • Cross-border operators with both U.S. DoD (CMMC) and Canadian DND obligations

📋 What Must Be Demonstrated

  • 97 security controls across 17 domains (ITSP.10.171)
  • 375 determination statements evaluated per control
  • Documented System Security Plan (SSP)
  • Evidence per control; POA&Ms for gaps
  • Level 2: triennial 3PAO assessment + annual affirmation

🔗 CPCSC & CMMC Relationship

  • CPCSC is structurally aligned with CMMC 2.0
  • Both derive from NIST SP 800-171 / ITSP.10.171
  • Cyber Risk Service is one of very few firms offering both CMMC + CPCSC advisory

CERTIFICATION TIERS

Three Certification Levels

CPCSC defines three progressive levels based on the sensitivity of Specified Information and the nature of the DND contract.

Level 1 — Basic Cyber Hygiene

ANNUAL SELF-ASSESSMENT

Assessment type: Annual self-assessment; annual affirmation to DND/PSPC

Who needs it: Suppliers handling low-sensitivity Specified Information

Controls: Subset of 97 — foundational hygiene requirements

Scoring: Binary MET / NOT MET per control

Tool support: Full L1 assessment mode with export

Level 2 — Advanced Cyber Hygiene

TRIENNIAL 3PAO + ANNUAL AFFIRMATION

Assessment type: SCC-accredited Third-Party Assessor Organisation (3PAO), every 3 years

Who needs it: Suppliers handling sensitive Specified Information

Controls: All 97 ITSP.10.171 controls — full weighted scoring

Scoring: Weighted compliance score; SPRS-style methodology

Tool support: Full L2 mode; OSCAL export for 3PAO portal

Level 3 — Expert Cyber Hygiene

GOVERNMENT-LED (DND) ASSESSMENT

Assessment type: Conducted directly by the Department of National Defence

Who needs it: Highest-risk DND contracts; critical programme suppliers

Controls: All 97 + enhanced controls from NIST SP 800-172

Scoring: Full government-administered assessment process

Tool support: Tool provides foundation; Cyber Risk Service provides advisory

THE SOLUTION

One File. Every Feature. Zero Infrastructure.

A single HTML file that does what entire GRC platforms charge $100K/year to do — without a single network request.

97 controls • 375 statements • 94 editable ODPs • 7 export formats • 6 crypto layers • 71 total features

⚡ 97 ITSP.10.171 Controls

Complete Level 1 and Level 2 assessment with all 17 security domains. Every control mapped to its official ITSP.10.171 requirement.

📊 Weighted SPRS-Style Scoring

Calculates your compliance score using weighted methodology — 1, 3, or 5 points per control by risk significance. N/A controls excluded automatically.

🛡️ Auto POA&M Enforcement

Kanban board + Gantt timeline for remediation tracking. Due-date alerts, cost estimator, and priority-sorted gap analysis built in.

📤 OSCAL 1.1.2 Export

Machine-readable JSON assessment results for direct SCC 3PAO handoff. Compatible with OSCAL-based GRC tools and assessment workflows.

🔒 AES-256-GCM Encryption

Six independent cryptographic layers with PBKDF2 750,000 iterations. FIDO2 WebAuthn passkeys. Your data never leaves your device.

🌐 100% Offline Operation

Zero network requests. No cloud. No CDN. No telemetry. Runs on air-gapped machines and restricted DND facilities. Single HTML file.

FEATURE DEEP DIVE

71 Features Across 8 Modules

Every module maps directly to ITSP.10.171 requirements and SCC 3PAO expectations.

📋 Assessment Core

  • 97 ITSP.10.171 native controls across all 17 security families
  • 375 Determination Statements — granular objectives per control
  • 94 Organizational-Defined Parameters (ODPs) — editable to your environment
  • Level 1 / Level 2 toggle — switch mode without losing data
  • Weighted scoring — 1, 3, or 5 points per control by risk significance
  • SPRS-style compliance score — adapted for CPCSC
  • 5 status options: Not Assessed / Met / Not Met / Partially Met / N/A
  • Dynamic maximum score — N/A controls excluded automatically
  • Demo mode — “Maple Defence Inc.” pre-loaded for training
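As an added example (not the tool's own code), the scoring rules listed above carried through in JavaScript: 1/3/5 weights, the five status values, a dynamic maximum that drops N/A controls, and a gap list sorted by weight. Treating Partially Met as earning no points and the placeholder control IDs are assumptions made for this illustration.

```javascript
// Added example, not the product's own code: weighted, SPRS-style compliance
// score as described on the page. Weights 1/3/5 and the five statuses come from
// the page; "Partially Met" earning zero points is an assumption for this demo.
const WEIGHTS = new Set([1, 3, 5]);
const STATUSES = new Set(["Not Assessed", "Met", "Not Met", "Partially Met", "N/A"]);

// controls: array of { id, weight, status }
function computeScore(controls) {
  let earned = 0;
  let maximum = 0;   // dynamic maximum: N/A controls contribute nothing
  let assessed = 0;  // controls with any status other than "Not Assessed"
  const gaps = [];
  for (const c of controls) {
    if (!WEIGHTS.has(c.weight)) throw new Error(`invalid weight for ${c.id}`);
    if (!STATUSES.has(c.status)) throw new Error(`invalid status for ${c.id}`);
    if (c.status === "N/A") continue;
    maximum += c.weight;
    if (c.status !== "Not Assessed") assessed += 1;
    if (c.status === "Met") {
      earned += c.weight;
    } else if (c.status === "Not Met" || c.status === "Partially Met") {
      gaps.push({ id: c.id, weight: c.weight, status: c.status });
    }
  }
  // Priority-sorted gap analysis: heaviest (highest-risk) controls first
  gaps.sort((a, b) => b.weight - a.weight || a.id.localeCompare(b.id));
  const percent = maximum === 0 ? 0 : Math.round((earned / maximum) * 1000) / 10;
  return { earned, maximum, percent, assessed, gaps };
}

// Constructed sample; IDs are placeholders, not real ITSP.10.171 control numbers
const SAMPLE_CONTROLS = [
  { id: "AC-01", weight: 5, status: "Met" },
  { id: "AC-02", weight: 3, status: "Partially Met" },
  { id: "AT-01", weight: 1, status: "Not Met" },
  { id: "CM-01", weight: 5, status: "N/A" },
  { id: "IA-01", weight: 3, status: "Not Assessed" },
];
```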

🔭 Scoping & Level Finder

  • CCSRA Worksheet (7 questions) — determines required certification level
  • Scoping Wizard (7-step guided workflow) — defines system boundary
  • Scoping Statement generator — exportable boundary documentation
  • System boundary mapping — environment of operation documentation
  • CCSRA Report export (.txt) — level determination output

🔒 Evidence Vault

  • Per-control evidence attachment — files, URLs, documentation
  • Evidence sufficiency scoring — structured checklist of required types
  • AES-256-GCM encryption at rest — evidence encrypted with device key
  • Evidence included in encrypted backup — full package preserved
  • Auto-populated evidence checklists — required types pre-listed

📄 SSP Builder

  • 10-section SSP structure — complete System Security Plan scaffolding
  • Narrative editor per section — free-text with formatting
  • SSP HTML export — single-file SSP document for 3PAO submission
  • Control implementation status integrated — auto-reflects assessment
  • Version history — maintain SSP versions across cycles

📊 CAP / POA&M Management

  • Kanban board — visual workflow (To Do / In Progress / Complete)
  • Gantt timeline view — project-style timeline with due dates
  • Due-date alerts — flags overdue and upcoming tasks
  • Cost estimator per item — budget remediation by control gap
  • Priority-sorted gap analysis — gaps ranked by weight and risk
  • POA&M PDF export — formatted plan for management and 3PAO
  • Risk Heatmap — visual heat map by domain and risk level

🤖 AI-Assisted Drafting

  • Claude Sonnet generates remediation narratives per control
  • Save / edit / regenerate — full control over AI content
  • 60–80% faster documentation drafting vs. manual writing
  • Structured remediation guidance for Not Met controls
  • AI Assisted Gap Narrative — one-click drafting per control

📤 3PAO Assessor Prep

  • SCC-3PAO Assessor Prep — evidence packages in assessor-ready format
  • Gap Analysis report — all gaps with weights and priorities
  • Client Comparison dashboard — scores across clients side by side
  • Assessor Prep export — structured handoff for SCC-accredited 3PAO
  • ISO 27001:2022 cross-reference — maps to ISO and SOC 2

👥 Multi-User RBAC

  • Admin role — full access: users, clients, all settings
  • Reviewer role — view findings, approve assessments, trigger exports
  • Assessor role — assess assigned domains only; scoped access
  • WebAuthn FIDO2 passkeys — Face ID, Touch ID, Windows Hello
  • PBKDF2-SHA-256 PIN hashing — 200,000 iterations
  • Approval workflow — Reviewer sign-off before 3PAO export
  • 500-entry rolling audit log — every action timestamped
  • Multi-client workspace — manage multiple organizations

HOW WE COMPARE

Why Offline Beats Cloud for Defence Compliance

Your CPCSC assessment handles Specified Information — data that should never leave your facility.

Data Location

  • CRS tool (offline): ✓ Stays on your device — always. No egress, no cloud sync, no telemetry.
  • Cloud SaaS tools: ✗ Data lives on vendor servers in unknown jurisdictions.

Breach Exposure

  • CRS tool (offline): ✓ Zero breach surface. No central target. Your gaps are known only to you.
  • Cloud SaaS tools: ✗ One vendor breach exposes every client’s security weaknesses.

Air-Gap / Restricted

  • CRS tool (offline): ✓ Fully compatible. No internet required. Runs on air-gapped machines.
  • Cloud SaaS tools: ✗ Cloud SaaS requires internet — excluded from restricted DND facilities.

Protected B

  • CRS tool (offline): ✓ Architecture-native data sovereignty. No controls required for data to stay local.
  • Cloud SaaS tools: ✗ Requires extensive TBS cloud authorizations and contractual controls.

ITAR Compatibility

  • CRS tool (offline): ✓ Operates entirely offline — no ITAR cloud transmission concerns.
  • Cloud SaaS tools: ✗ Data transmission may implicate ITAR restrictions.

Subscription Risk

  • CRS tool (offline): ✓ Licensed copy is yours. Vendor discontinuation doesn’t affect your data.
  • Cloud SaaS tools: ✗ Vendor discontinues = assessment history potentially lost.

Regulatory Risk

  • CRS tool (offline): ✓ Specified Information never leaves your facility by design.
  • Cloud SaaS tools: ✗ Organization remains liable for data on vendor servers.

SECURITY ARCHITECTURE

6 Cryptographic Layers

Six independent cryptographic protections ensure complete data sovereignty from assessment start to 3PAO submission.

  • Evidence at Rest — AES-256-GCM + device key. All evidence and assessment data encrypted in browser IndexedDB. (FIPS 197 / NIST 800-38D)
  • Encrypted Backups — AES-256-GCM + PBKDF2 (750K iterations). Full backup archives including evidence files (.enc). (NIST 800-132)
  • User Passwords — PBKDF2-SHA-256 + salt (200K iterations). All user credentials — no plaintext ever stored. (NIST 800-63B)
  • License Keys — AES-256-GCM + HMAC. Per-organization license key integrity and tamper detection. (FIPS 198)
  • Authentication — FIDO2 WebAuthn passkeys. Face ID, Touch ID, Windows Hello — passwordless sign-in. (FIDO2 / W3C WebAuthn)
  • Brute-Force Protection — 5-attempt lockout + 500-entry log. Account protection + full action accountability trail. (NIST 800-53 AC-7)

WHO IT’S FOR

Built for the Entire CPCSC Ecosystem

From individual consultants to restricted DND facilities — one tool serves every stakeholder in Canada’s defence supply chain.

🍁 DND Suppliers

Direct suppliers and subcontractors at every tier of the defence supply chain (10,000+ organizations)

🔍 SCC-Accredited 3PAOs

Third-party assessor organisations conducting CPCSC Level 2 certifications (growing assessor pool)

🛡️ Restricted Facilities

Air-gapped DND environments, Protected B facilities, and ITAR-restricted sites (offline-only option)

📋 Consultants & MSPs

Cybersecurity consultants and managed service providers serving the defence sector (multi-client workspace)

AIR-GAP READY

The Only Tool Built for Restricted DND Networks

Other CPCSC tools are cloud-based and prohibited in restricted environments. Ours works where Specified Information actually lives.

✓ Zero network requests — no cloud, no CDN, no external dependencies
✓ AES-256-GCM encrypted backups — military-grade data at rest
✓ Single HTML file — transfers via secure media or cross-domain solution
✓ System fonts only — no external font downloads required
✓ All data in browser storage — never transmitted, never leaves the device
✓ No fetch(), XHR, WebSocket, or any network API calls
✓ No CDN, no external stylesheets, no external scripts
✓ Compatible with Protected B, ITAR, and air-gapped DND environments

🛡️ Restricted Environment Ready

DND Secure Facilities • Protected B
Air-Gapped Networks • ITAR Environments
SIPR Equivalent • Intelligence Community

Premium tier includes deployment validation documentation and dedicated support.

OUTPUTS

7 Export Formats

Everything your SCC-accredited 3PAO needs — plus management reporting, OSCAL machine-readable data, and secure backup.

🖨 Print Report (PDF)

Executive summary + full assessment report for management

📋 POA&M Report (PDF)

Formatted remediation plan — all gaps, priorities, timelines, costs

⚙️ OSCAL JSON (v1.1.2)

Machine-readable assessment data for 3PAO portal submission

📄 SSP HTML

Complete System Security Plan — 3PAO-ready single-file document

🔐 Encrypted Backup (.enc)

Full assessment + evidence — AES-256-GCM + PBKDF2 (750K iter)

📝 CCSRA Report (.txt)

Level determination worksheet — level finder results and rationale

🗺 Scoping Statement (.txt)

System boundary documentation — environment and information scope

PROCESS

11-Step Assessment Workflow

From first login to 3PAO submission — a structured, tool-guided process.

  1. Create Admin account and accept EULA
  2. Create Client profile and set contract scope
  3. Run CCSRA Worksheet → determine required Level
  4. Run Scoping Wizard → define system boundary
  5. Select Assessment Mode (L1 / L2)
  6. Assess controls across all 17 domains
  7. Attach evidence + verify sufficiency per control
  8. Create POA&Ms for Not Met / Partially Met
  9. Build SSP using SSP Builder (10 sections)
  10. Run Gap Analysis + Assessor Prep package
  11. Export OSCAL + SSP + backup → submit to 3PAO

CONSULTING

Consulting Service — 4-Phase Program

End-to-end CPCSC advisory from gap assessment through 3PAO submission.

Phase 1 — Gap Assessment

  • Current posture vs. all 97 controls
  • 375 determination statements reviewed
  • CUI/Specified Information scope definition
  • Risk-prioritized remediation roadmap
  • Written Gap Assessment Report

Phase 2 — Remediation Support

  • System Security Plan (SSP) development
  • Policy library (15+ documents)
  • Technical control implementation support
  • Staff awareness training delivery
  • MFA, endpoint, segmentation guidance

Phase 3 — 3PAO Preparation

  • Full internal mock assessment (97 controls)
  • Evidence package development
  • Determination statement review
  • 3PAO selection and scheduling support
  • OSCAL export and portal submission prep

Phase 4 — Ongoing Retainer

  • Annual policy review and update cycle
  • Continuous monitoring advisory
  • Change management for system changes
  • Re-assessment readiness (triennial 3PAO)
  • Annual affirmation support

PRICING

Annual Subscriptions — All Tiers

From individual contractors to classified facilities. Updates, support, and new features included.

Starter

Contact us

per year • up to 3 clients

Small subcontractors getting started with CPCSC readiness

Professional

Contact us

per year • up to 15 clients

Mid-size defense contractors handling multiple contracts

Consultant (POPULAR)

Contact us

per year • unlimited clients

CCPs, RPs, and consultants serving multiple organizations

Enterprise

Contact us

per year • unlimited clients

3PAOs, prime contractors, and large assessment teams

Classified

Contact us

per year • air-gap certified

SCIFs, Top Secret facilities with deployment validation and SLA

Ready to See It in Action?

Cyber Risk Service