StratoKey's CDP Platform sits between you and your SaaS applications. Before any CI reaches a SaaS system, the CDP Platform, which is deployed to your environment, intercepts and replaces the CI with a token. The token is what is transmitted to the SaaS application.
Meet CPCSC Compliance Requirements
Canada's new cybersecurity certification program requires defense contractors to protect Controlled Information (CI) across every system that it touches, including your SaaS applications.
StratoKey's CDP Platform tokenizes CI before it enters your cloud applications, keeping it under your control and out of scope for SaaS vendors, reducing your CPCSC compliance burden without disrupting your operations.
What is CPCSC?
The Canadian Program for Cyber Security Certification (CPCSC) is Canada's mandatory cybersecurity certification program for defence suppliers, built on ITSP.10.171 (Canada's version of NIST SP 800-171 Rev. 3).
Like the US CMMC program it mirrors, CPCSC requires prime contractors and subcontractors to implement and certify specific cybersecurity controls protecting CI across every system that processes, stores, or transmits it, including SaaS applications.
Requirements flow down through the supply chain. A Contract Cyber Security Risk Assessment (CCSRA) determines the certification level required for each participant based on what CI they handle and their associated risk profile.
CPCSC operates across three levels:
- Level 1: Annual self-assessment. Mandatory for new Department of National Defence (DND) contracts from April 2026.
- Level 2: External assessment by an accredited certification body, plus annual affirmation. Implementation timeline to be confirmed.
- Level 3: Assessment conducted by National Defence, plus annual affirmation. Phased into select contracts from April 2027.
StratoKey Can Help Reduce CPCSC Compliance Scope With Tokenization
- Your SaaS applications leave CPCSC scope entirely. Vendors receive tokens, not CI.
- Your CI never leaves your environment. Real data stays under your control, always.
- Your team keeps working the way they already do. StratoKey operates in the background, invisibly.
StratoKey is Your Complete Cloud Data Protection Platform to Help Meet A Wide Range of ITSP.10.171 Controls
The StratoKey CDP platform goes beyond tokenization and encryption of CI to provide features that help organizations meet a wider range of compliance requirements, not merely a small subset.
Tokenization
Secure Controlled Information (CI) with tokenization. CI remains securely encrypted (FIPS 140-3 validated) and stored in a vault, keeping sensitive data out of SaaS environments. Supports ITSP.10.171 03.13.08, 03.13.10, and 03.13.11 (cryptographic protection and transmission confidentiality).
Access Control
Enforces user identification, group policies, and advanced authentication to keep access to CI within your control. Supports ITSP.10.171 03.01.02 and 03.01.03 (access control enforcement and information flow enforcement).
Audit Controls
Logs every user interaction with secured CI, supporting audit and reporting requirements and enabling rapid incident response. Supports ITSP.10.171 03.03.01 and 03.03.02 (event logging and audit record review).
Monitoring & Policy Enforcement
Logs every user interaction with secured CI, supporting audit and reporting requirements and enabling rapid incident response. Supports ITSP.10.171 03.03.01 and 03.03.02 (event logging and audit record review).
Frequently Asked Questions About CPCSC
Does CPCSC apply to foreign companies bidding on Canadian defense contracts?
Yes. CPCSC applies to all suppliers handling Controlled Information under National Defence contracts, whether Canadian or foreign. The requirement flows down through the supply chain, meaning foreign subcontractors handling CI are also in scope. Foreign companies should also be aware that Canada's Controlled Goods Program (CGP) may apply separately, requiring registration with the Controlled Goods Directorate for any party that examines, possesses, or transfers controlled goods or related technical data.
What is the difference between CPCSC and CMMC? Can I use my CMMC certification?
CPCSC and CMMC are separate programs. Both are built on NIST SP 800-171, but they use different versions of the standard. CPCSC is based on Rev. 3 via ITSP.10.171 while CMMC is based on Rev. 2.
There is currently no formal recognition between CPCSC and CMMC certifications.
Does CPCSC apply to my SaaS applications?
Yes. CPCSC requires protection of Controlled Information across every system that processes, stores, or transmits it, including SaaS applications. If your team uses SaaS platforms to handle CI, those applications are in scope.
Your SaaS vendors are not responsible for your compliance, and your on-premise security controls do not follow your data into the cloud. This leaves a gap that many defense suppliers are not prepared for.
StratoKey solves this by tokenizing CI before it reaches your SaaS applications. Your vendors never receive real data, only tokens, which removes your SaaS stack from CPCSC scope entirely.
Is Your SaaS Stack Ready for CPCSC Compliance?
Level 1 CPCSC requirements apply to new National Defence contracts starting April 2026. If your team uses SaaS applications to handle CI, you need a plan before your next request for proposal (RFP) lands. StratoKey removes your SaaS applications from CPCSC scope entirely, so you can bid with confidence.


