Canada’s Program for Cyber Security Certification (CPCSC) is reshaping what it means to be a “trusted” defense supplier. If you handle Specified Information on your own systems, you are expected to move beyond loose VPN access and basic perimeter controls to something tighter, more verifiable, and more adaptable. That is exactly where Zero Trust Network Access (ZTNA) comes in.
CPCSC is built on ITSP.10.171, a standard that defines 97 controls across 17 families, closely aligned with NIST SP 800-171 Revision 3. Many of those controls focus on how users are identified, how access is granted, how sessions are monitored, and how systems are segmented and protected. ZTNA is designed to address those areas directly.
Where ZTNA Lines Up with CPCSC Requirements
At a high level, ZTNA helps Canadian defense suppliers meet CPCSC expectations in four big ways, all of which show up repeatedly across ITSP.10.171.
1. Stronger access control and identity enforcement
ZTNA replaces broad, network-level access with fine-grained, identity-driven access to specific resources. Users, devices, and processes must be identified and authenticated before any connection is allowed, which addresses core Access Control (AC) and Identification and Authentication (IA) controls.
2. Segmentation and reduced attack surface
Instead of exposing large chunks of network to anyone with a VPN client, ZTNA builds point-to-point connections only to authorized destinations and keeps everything else invisible. This supports System and Communications Protection (SC) requirements around boundary protection, public access protection, and network segmentation.
3. Continuous verification, not one-time checks
CPCSC emphasizes ongoing monitoring and the ability to respond when risk changes. ZTNA aligns with that by re-evaluating attributes (user, device, context) throughout a session, enforcing timeouts, and terminating connections when conditions change.
4. Rich audit trails for assessment and incident response
CPCSC assessments and incident response both depend on reliable logs. ZTNA generates detailed records for each connection attempt, policy decision, and session, which feed Audit and Accountability (AU), Security Assessment (CA), Incident Response (IR), and Continuous Monitoring controls.
How AppGate ZTNA Helps Meet CPCSC Control Families
Access Control (AC): From “on the network” to “only what you need”
AppGate ZTNA enforces a default-deny model for network access. Users don’t “join the network” in a broad sense; they receive entitlements to specific resources based on identity, role, device posture, and other attributes.
Key ways this supports CPCSC AC controls:
- Account management and enforcement: AppGate ZTNA integrates with identity providers (SAML, OIDC, LDAP, Active Directory) so account types, role assignments, and deprovisioning flow directly into access decisions.
- Information flow enforcement and separation of duties: Network segmentation and scoped entitlements control which users and devices can reach which systems, preventing cross-domain flows and conflicting privileges.
- Least privilege and remote access: Policies grant only the minimum set of destinations needed per role, with Single Packet Authorization (SPA) hiding everything else by default, and all remote access is strongly authenticated and logged.
- Session lock and termination: Inactivity timeouts, network-layer session locks, and auto-termination when conditions change (for example, posture or role) satisfy CPCSC’s session management requirements.
Identification & Authentication (IA): Proving “who” and “what” before access
For CPCSC, you must show that every user and device accessing Specified Information is uniquely identified and authenticated.
AppGate ZTNA supports IA by:
- Unique identification: Using identity provider records and device certificates or profiles to ensure each user and device is uniquely recognized.
- Authentication and MFA: Enforcing authentication through SAML, OIDC, RADIUS, or LDAP, and applying MFA for remote and privileged access (TOTP, SMS, push, hardware tokens, biometrics).
- Replay resistance and cryptographic proof: Combining SPA one-time tokens with mutual TLS (mTLS) sessions and signed, short-lived tokens to prevent credential replay and spoofing.
System & Communications Protection (SC): Cloaking, encryption, and segmentation
AppGate ZTNA directly targets SC controls by changing how systems are exposed and how data travels across networks.
Highlights:
- Boundary protection and public access protection: Gateways become enforced ingress/egress points, SPA cloaks protected resources from unauthenticated hosts, and only authenticated, authorized users can establish connections.
- Network segmentation: Software-defined network segmentation ensures each user/device session is a cryptographic tunnel only to approved resources, blocking lateral movement.
- Cryptographic protection and key management: All data in transit is encrypted with FIPS-validated mTLS; key management uses CCCS/FIPS-approved practices and organizational PKI, satisfying CPCSC’s cryptography-related controls.
Audit & Accountability (AU): Turning ZTNA events into CPCSC evidence
AppGate ZTNA logs every access attempt, successful or failed, and every policy and administrative action with full context: user identity, device, source IP, target resource, policy used, timestamp, and outcome.
This supports CPCSC AU requirements by:
- Event logging and user accountability: Ensuring all actions are attributable to a unique identity and discouraging shared accounts.
- Review, reporting, and protection: Forwarding logs to SIEM platforms, enabling dashboards and alerts, and protecting logs through role-based access controls and tamper-evident forwarding.
- Fail-secure logging behavior: If logging fails, AppGate ZTNA is designed to deny access instead of allowing unlogged sessions.
Configuration Management (CM): Baselines, changes, and device posture
CPCSC expects you to manage system baselines, control configuration changes, and enforce least functionality.
AppGate ZTNA contributes by:
- Baseline configurations via ZTNA Operator: Using a GitOps/Kubernetes model to define and version control controller, gateway, and client configurations, with alerts on drift.
- Change control and impact analysis: Capturing full configuration change history and offering policy simulation to understand the security impact before changes go live.
- Least functionality and authorized software: Only exposing necessary ports and services, and using Device Claim Scripts to detect prohibited or unauthorized software before granting access.
Incident Response (IR) and System & Information Integrity (SI): Containment and health
When something goes wrong, AppGate ZTNA becomes a containment tool and a source of incident detail.
IR and SI support include:
- Incident handling: Administrators or automated workflows can immediately revoke user or device access across all sessions and tighten policies in response to an incident or advisory.
- Monitoring and reporting: ZTNA logs feed incident reports and help satisfy obligations to PSPC and CCCS.
- Flaw remediation and malicious code protection: Device Claim Scripts can enforce patch levels, confirm AV/EDR status, and block access from devices that don’t meet integrity criteria.
- Fail-closed security functionality verification: AppGate ZTNA performs self-checks; if core functions such as authentication and encryption cannot be verified, it denies access.
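To make the behaviours described above concrete (default-deny entitlements, re-evaluation of user and device attributes during a session, deny when logging fails, deny when self-checks fail), here is an added illustrative policy decision point in Python. It is a constructed model written for this article, not AppGate's code; the role names, resource names, posture claims and patch baseline are hypothetical.

```python
"""Illustrative default-deny ZTNA policy decision point (constructed example, not
AppGate's code): role-scoped entitlements, posture re-checked on every decision,
fail-closed when the audit log cannot be written or self-checks fail."""
from dataclasses import dataclass

# Constructed role -> resource entitlements (hypothetical names and ports).
ENTITLEMENTS = {
    "engineer": {"gitlab.internal:443", "build.internal:8443"},
    "finance": {"erp.internal:443"},
}
MIN_PATCH_LEVEL = 20240301  # constructed posture baseline value

@dataclass
class Session:
    user: str
    role: str
    authenticated: bool
    mfa_verified: bool
    posture: dict  # device claims collected at connect time and again mid-session
    resource: str

class AuditSinkError(Exception):
    """Raised by the audit sink when a record cannot be persisted."""

def posture_ok(posture: dict) -> bool:
    """Device must run EDR, have disk encryption, and meet the patch baseline."""
    return (posture.get("edr_running") is True
            and posture.get("disk_encrypted") is True
            and posture.get("patch_level", 0) >= MIN_PATCH_LEVEL)

def decide(session: Session, audit_sink, core_functions_verified: bool = True) -> str:
    """Return 'allow' or 'deny'. Call again whenever user, device or context
    attributes change; an 'allow' that turns into 'deny' terminates the session."""
    checks = [  # every check must pass; the first failure becomes the logged reason
        (core_functions_verified, "self-check failed"),
        (session.authenticated and session.mfa_verified, "not authenticated with MFA"),
        (posture_ok(session.posture), "device posture below baseline"),
        (session.resource in ENTITLEMENTS.get(session.role, set()),
         "resource not in role entitlements"),
    ]
    failed = [why for ok, why in checks if not ok]
    verdict = "allow" if not failed else "deny"
    record = {"user": session.user, "role": session.role, "resource": session.resource,
              "verdict": verdict, "reason": failed[0] if failed else "entitlement matched"}
    try:
        audit_sink(record)  # the record is written before any connection is built
    except AuditSinkError:
        return "deny"  # fail secure: never allow an unlogged session
    return verdict
```

Any callable that accepts one record (for example `records.append` on a list, or a SIEM forwarder) can serve as the audit sink; a sink that raises `AuditSinkError` forces a deny.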
CPCSC Levels and ZTNA: What Changes As You Move Up
CPCSC Level 1 asks for a smaller set of controls across fewer families, but still expects you to control access, protect communications, and maintain basic integrity and media protections. ZTNA helps by tightening remote access, identity, and basic segmentation for those foundational requirements.
At Level 2, all 17 families and 97 controls are in scope, and a third-party assessor will look closely at how access is enforced, how logging works, and how monitoring and incident response are handled. AppGate ZTNA’s configuration exports, policies, Device Claim Scripts, and audit logs become primary evidence for many AC, IA, SC, AU, CM, IR, SI, and CA controls.
Level 3 adds more DND-defined controls and increases assessment rigor. While many of those additions are procedural or organizational, the same ZTNA behaviors (strict entitlements, segmentation, cryptographic protection, and detailed logging) remain part of the underlying technical story.
Why AppGate ZTNA Fits CPCSC’s Zero Trust Direction
CPCSC is built on ITSP.10.171, which in turn aligns with NIST SP 800-171 Rev. 3 and broader Zero Trust guidance.
AppGate ZTNA:
- Is explicitly designed around Zero Trust principles: default-deny, least privilege, verify explicitly, assume breach, and continuous validation.
- Holds certifications and validations like FIPS 140-3, NIAP Common Criteria, SOC 2 Type 2, and DISA Category Assurance List approval, supporting System & Services Acquisition (SA) requirements for choosing secure solutions.
- Has existing mapping to CMMC 2.0, with CPCSC coverage extended through the additional Planning (PL), System & Services Acquisition (SA), and Supply Chain Risk Management (SR) families.
For Canadian defense suppliers, the result is straightforward: ZTNA gives you a concrete way to tighten and prove access control, segmentation, and monitoring in line with CPCSC expectations, and AppGate ZTNA provides the specific configurations, scripts, and evidence that map directly to the controls in ITSP.10.171.
Download the CPCSC Controls Mapping Guide to see how AppGate ZTNA aligns with CPCSC control requirements and supports your certification efforts.