Protecting Controlled Information in Non-Government of Canada Systems and Organizations (ITSP.10.171)
By Canadian Centre for Cyber Security on Feb. 4, 2026, 8:54 a.m.
Security requirements for protecting Government of Canada Controlled Information in non-government systems, including access control, incident response, encryption, and supply chain risk management.
This document sets out security requirements for protecting Controlled Information when it is handled outside Government of Canada systems. It focuses on ensuring confidentiality while recognizing that many non-government organizations support federal programs and services.
The guidance applies to organizations that process, store, or transmit Controlled Information such as Protected A or Protected B data under contractual or partnership arrangements. It clarifies expectations for safeguarding information in environments that are not owned or directly operated by the federal government. The intent is to establish a consistent baseline of protection regardless of where the information resides. This helps reduce risk across extended delivery and supply chains.
The document adapts international best practice to the Canadian context. It is derived from established security frameworks, most directly NIST SP 800-171, whose scope and structure it mirrors, but tailors the requirements to reflect federal policy, terminology, and legal obligations. This approach supports interoperability with partners that already follow those frameworks while maintaining national standards, and gives organizations a clear reference point for meeting contractual security obligations.
At the core of the publication is a structured set of security requirements grouped into control families. These families address areas such as access control, incident response, system integrity, and risk management. Each family outlines expectations that organizations must meet to protect confidentiality. The structure supports consistent implementation across diverse environments.
Access control requirements limit access to Controlled Information to authorized users, processes, and systems. The document stresses managing identities, credentials, and privileges to reduce the risk of unauthorized disclosure, and reinforces least privilege as a foundational safeguard: each account or service is granted only the access its role requires. Properly scoped access controls contain the impact of a compromised account, because an attacker inherits only that account's limited privileges.
The guidance places strong emphasis on incident response and reporting. Organizations are expected to prepare for security incidents before they occur, including defining roles, procedures, and escalation paths. Timely detection and response are treated as critical to limiting harm. Clear expectations support coordination between organizations and federal partners during incidents.
System and communications protection requirements safeguard information both in transit and at rest. Encryption, secure configurations, and protection of network boundaries are highlighted as essential controls that reduce exposure to interception and unauthorized access. The document reinforces the need for layered defenses rather than reliance on a single control, so that the failure or bypass of one safeguard does not by itself expose Controlled Information.
Risk management is addressed as an ongoing responsibility rather than a one-time activity. Organizations are expected to assess risks associated with their systems, environments, and partners. This includes understanding how threats, vulnerabilities, and impacts may change over time. Continuous risk awareness supports informed security decisions.
The publication also addresses supply chain and third-party considerations. Organizations must account for risks introduced by vendors, service providers, and subcontractors. Responsibilities for protecting Controlled Information cannot be transferred entirely to third parties. Clear oversight and contractual safeguards are necessary to maintain security.
Operational practices such as configuration management, patching, and monitoring are treated as essential to maintaining confidentiality. The document notes that many compromises result from poor system hygiene, such as unpatched or misconfigured systems, rather than from advanced attacks; consistent maintenance reduces the likelihood of exploitation and keeps protections effective over time.
Accountability and documentation are recurring themes throughout the guidance. Organizations are expected to document how requirements are met and to demonstrate compliance when required. This supports transparency and trust between organizations and federal partners. Documentation also aids internal governance and improvement.
Organizations often have questions about how to apply these requirements in practice, how to scope controls appropriately, and how to balance security with operational needs. This guide is designed to address those questions in a structured and practical manner. It supports prioritization, consistency, and measurable implementation without unnecessary complexity.
This is a public document intended for broad distribution and citation. Document status: UNCLASSIFIED. Publisher: Canadian Centre for Cyber Security, Government of Canada. Intended audience: non-government organizations that handle Controlled Information on behalf of the Government of Canada.