Protecting specified information in non-Government of Canada systems and organisations (ITSP.10.171) – Canadian Centre for Cyber Security

Summary

This guidance (effective 2 April 2025) is the Canadian adaptation of NIST SP 800-171, tailored to the Canadian legal, policy and compliance environment. It sets out recommended security requirements for protecting the confidentiality of “specified information” when that information is processed, stored or transmitted in non-Government of Canada (non-GC) systems and organisations. The document is intended for use by GC departments and agencies when contracting or entering agreements with third parties, and for non-GC organisations that handle GC specified information.

ITSP.10.171 contains a subset of controls drawn from the Cyber Centre’s ITSP.10.033-01 medium impact profile (which aligns with NIST SP 800-53 Rev. 5). Requirements are organised into 17 families (access control; identification & authentication; incident response; media protection; supply chain risk management; etc.). Organisation-defined parameters (ODPs) are included to allow tailoring to specific contexts. The publication emphasises scoping (isolate components that handle specified information where possible), use of system security plans, plans of action and milestones (POAMs) for deficiencies, and contractual terms for external service providers. It is not a full privacy control catalogue; some privacy controls are covered only where they overlap confidentiality requirements. A companion assessment publication based on NIST SP 800-171A is planned; in the meantime, NIST SP 800-171A may be used as a reference.

Key Points

  • Canadian version of NIST SP 800-171 with no substantive technical changes — modifications reflect Canadian laws, policies and directives.
  • Applies to the non-GC system components that process, store or transmit specified information, and to the components that provide security protection for them (for example, boundary firewalls or authentication services), rather than to the organisation’s entire estate.
  • Organises requirements into 17 families that follow the NIST SP 800-171 structure: AC (access control), AT (awareness and training), AU (audit and accountability), CM (configuration management), IA (identification and authentication), IR (incident response), MA (maintenance), MP (media protection), PS (personnel security), PE (physical protection), RA (risk assessment), CA (security assessment and monitoring), SC (system and communications protection), SI (system and information integrity), PL (planning), SA (system and services acquisition) and SR (supply chain risk management).
  • Includes organisation-defined parameters (ODPs) so GC departments/agencies and providers can tailor values (e.g., inactivity timeouts, retention periods, authorised functions).
  • Designed to be used in contracts and service agreements — requires non-GC organisations and service providers to meet specified security requirements and monitoring obligations.
  • Encourages scoping and isolation of the components that process specified information, so that fewer components fall within the boundary the requirements apply to (logical or physical separation, network segmentation such as DMZs, or containerisation).
  • System security plans, POAMs and continuous monitoring are core compliance and risk-management mechanisms referenced throughout.
  • Supply chain risk management is integral — procurement, acquisition practices and supplier assessment requirements are emphasised.

Why should I read this?

Short answer: if your organisation handles Government of Canada data, this is the checklist you’ll be judged against. It’s written in plain terms and tells you what to put into contracts, system security plans, and operational procedures so you don’t get tripped up later. Read it to know where to scope systems, what parameters you must define, and what to demand from suppliers — saves time and keeps you out of compliance trouble.

Source

Source: https://cyber.gc.ca/en/guidance/protecting-specified-information-non-government-canada-systems-and-organizations-itsp10171