Supply chain integrity risk assessments: Evaluation criteria (ITSAP.10.071)

Summary

Published by the Canadian Centre for Cyber Security (April 2026), this ITSAP awareness note outlines the high-level criteria used by the Government of Canada (GC) when conducting supply chain integrity (SCI) risk assessments on ICT products and services. The guidance describes the factors assessed during SCI reviews — including geopolitical context, foreign ownership, control and influence (FOCI), business practices, cyber maturity, product vulnerability, exploitation history and product sensitivity — and explains how organisations should weigh these factors within their own risk management frameworks.

Key Points

  1. SCI risk assessments evaluate threats, vulnerabilities and potential impacts to confidentiality, integrity and availability of GC systems and data.
  2. Geopolitical context matters: supplier location, local laws (data residency, surveillance) and ties to military/intelligence bodies can increase risk.
  3. FOCI risks arise from foreign ownership, control or influence (ownership stakes, board/executive links, strategic partnerships).
  4. Business practices (sanctions exposure, legal violations, corruption, transparency) are indicators of reputational and security risk.
  5. Cyber maturity is judged by standards/certifications, incident response capability and data protection across the product lifecycle.
  6. Product risk is driven by vulnerability history, volume/severity of flaws and whether the product has been actively exploited by threat actors.
  7. Product sensitivity depends on functionality, deployment location in the network and the type/volume of data processed — core functions and internet-facing devices are higher risk.

Context and relevance

This document is a practical baseline for any organisation that buys, deploys or approves ICT products and services. It aligns supply chain risk assessment to broader risk-management processes and clarifies what the GC considers when approving technology for use in its infrastructure. As supply chain threats and nation-state activity rise, these criteria help procurement, security and risk teams make defensible, consistent decisions about suppliers and products.

Why should I read this?

Short version: if you’re involved in buying, approving or managing IT kit, read it. It’s a concise checklist of what the Canadian government looks at when judging supply-chain risk — geopolitical footprints, foreign ties, dodgy business practice flags, cyber hygiene, known vulnerabilities and how sensitive the product really is. Reading this saves you time and gives you a ready-made framework to shape supplier due diligence and procurement decisions.

Author note

Punchy takeaway: this is not just theoretical—treat it as a checklist to harden procurement and vendor risk reviews. If your organisation interfaces with Canadian systems or follows similar risk standards, the criteria here are essential reading.

Source

Source: https://cyber.gc.ca/en/guidance/supply-chain-integrity-risk-assessments-evaluation-criteria-itsap10071