CPCSC requirements for AI tooling: What you need to know

Navigate CPCSC compliance for AI tools with practical guidance on data residency, security controls, and vendor selection requirements.

By Augure

The Canadian Centre for Cyber Security (CPCSC) has established specific requirements for AI tooling used by government departments and federally regulated entities under the Communications Security Establishment Act section 21. These requirements focus on three core areas: data residency and sovereignty per ITSG-33 control SC-7, security controls aligned with ITSG-33 baseline security standards, and comprehensive vendor assessment protocols following section 21.1 of the CSE Act. Organizations deploying AI tools must demonstrate compliance through documented security assessments, verified Canadian data residency, and thorough vendor vetting processes.


Understanding CPCSC's AI governance framework

The CPCSC operates under the Communications Security Establishment Act and provides mandatory cybersecurity direction for federal departments per section 15.1. Their AI guidance, detailed in publication ITSM.10.089, establishes baseline security requirements for artificial intelligence deployments processing Protected B information or higher.

The framework addresses AI-specific risks including data poisoning, model theft, and unauthorized inference attacks. Unlike general IT security guidance, these requirements recognize AI's unique attack surface and data sensitivity concerns under ITSG-33 security control families SI-3 and SI-4.

"Under the Communications Security Establishment Act section 21, federal departments must implement ITSG-33 security controls specifically adapted for AI systems. Traditional IT security frameworks fail to address model poisoning attacks, adversarial inputs, and the unique data residency challenges that AI workloads present to Canadian sovereignty."

Federal departments must complete SA-2 security assessments under ITSG-33 before deploying any AI tool that processes Protected B information or higher. This assessment follows ITSG-33 security control families AC (Access Control), SC (System and Communications Protection), and SI (System and Information Integrity), adapted for AI-specific threats.


Data residency and sovereignty requirements

CPCSC mandates under ITSG-33 control SC-7 that all data processed by AI tools remain within Canadian borders throughout the entire processing lifecycle. This includes training data, inference inputs, model weights, and any derived outputs or metadata processed under federal jurisdiction.

The requirement extends beyond simple geographic storage under section 21.1 of the CSE Act. Organizations must verify that:

  • All compute infrastructure operates within Canada per SC-7 network boundary protection
  • Data transit occurs exclusively through Canadian networks meeting SC-8 transmission confidentiality
  • Backup and disaster recovery systems maintain Canadian residency under CP-9 controls
  • Third-party processors and subcontractors comply with residency requirements per SA-9 external system services

Verification requires documented attestations from AI providers, including infrastructure location certificates and network topology diagrams meeting AC-2 account management requirements. Monthly compliance reports must confirm ongoing adherence to residency requirements under CA-2 security assessments.

The CLOUD Act (18 U.S.C. § 2703) creates additional complexity for US-owned AI providers. Even with Canadian data centers, US companies remain subject to US government data requests under section 2703(f) warrants, potentially compromising Canadian data sovereignty protected under the CSE Act.


Security control implementation

CPCSC requires AI tools to implement security controls from ITSG-33 families AC (Access Control), SC (System and Communications Protection), and SI (System and Information Integrity) per section 15.1 of the Communications Security Establishment Act. Each control must be tailored to address AI-specific vulnerabilities identified in ITSM.10.089.

Access Control (AC) Requirements:

  • Multi-factor authentication for all administrative access per AC-2 account management
  • Role-based permissions aligned with data classification levels under AC-3 access enforcement
  • Session monitoring and automated logout procedures meeting AC-12 session termination
  • Privileged access management with approval workflows per AC-6 least privilege

System Protection (SC) Requirements:

  • Encryption in transit using TLS 1.3 or equivalent meeting SC-8 transmission confidentiality
  • Encryption at rest using FIPS 140-2 Level 3 validated modules per SC-13 cryptographic protection
  • Network segmentation isolating AI workloads under SC-7 boundary protection
  • Intrusion detection systems monitoring AI-specific attack patterns per SI-4 information system monitoring

Information Integrity (SI) Requirements:

  • Model validation and testing procedures under SI-3 malicious code protection
  • Input sanitization preventing prompt injection attacks per SI-10 information input validation
  • Output monitoring detecting potential data leakage meeting SI-4 system monitoring
  • Incident response procedures for AI-specific security events per IR-4 incident handling

"ITSG-33 control SI-10 (Information Input Validation) requires specific adaptation for AI systems to prevent adversarial prompts and model manipulation. Federal departments must implement input sanitization that accounts for prompt injection attacks and adversarial examples—threats that don't exist in conventional applications but pose significant risks to AI model integrity."

Organizations must document security control implementation through detailed system security plans meeting SA-2 requirements. These plans require annual updates per CA-2 security assessments and immediate revision following any significant system changes under CM-3 configuration change control.


Vendor assessment and qualification

CPCSC mandates comprehensive vendor assessments for AI tool providers under section 21.1 of the Communications Security Establishment Act. The assessment process evaluates technical capabilities, security posture, and organizational trustworthiness through standardized criteria following SA-9 external system services controls.

Technical Assessment Requirements:

  • Security architecture documentation meeting SA-3 system security plan requirements
  • Penetration testing reports from qualified assessors per CA-8 penetration testing
  • Vulnerability management procedures and response times under RA-5 vulnerability scanning
  • Business continuity and disaster recovery capabilities meeting CP-2 contingency plan controls

Organizational Assessment Requirements:

  • Corporate ownership structure and foreign investment disclosure per section 21 CSE Act requirements
  • Personnel security screening procedures for staff with data access meeting PS-3 personnel screening
  • Supply chain security documentation for hardware and software components under SA-12 supply chain protection
  • Financial stability assessment and insurance coverage verification following SA-9 external services controls

Vendors must provide annual attestations confirming ongoing compliance with assessment criteria per CA-2 security assessments. Any changes to ownership, infrastructure, or security procedures trigger reassessment requirements under CM-3 configuration change control.

The assessment includes specific scrutiny of foreign ownership or control under section 21.1 of the CSE Act. Vendors with US corporate parents, investors, or board members face additional requirements documenting measures to prevent foreign government access to Canadian data under 18 U.S.C. § 2703 (CLOUD Act).


Compliance monitoring and reporting

CPCSC requires ongoing compliance monitoring through automated and manual processes following CA-7 continuous monitoring controls under ITSG-33. Organizations must establish monitoring capabilities detecting potential security incidents, compliance violations, and system anomalies per SI-4 information system monitoring requirements.

Automated Monitoring Requirements:

  • Real-time security event correlation and alerting meeting AU-6 audit review requirements
  • Data residency verification through network monitoring per SC-7 boundary protection
  • Access control compliance checking and violation reporting under AC-2 account management
  • System performance monitoring detecting potential attacks following SI-4 system monitoring

Manual Review Requirements:

  • Monthly vendor compliance attestation review per SA-9 external system services
  • Quarterly security control effectiveness assessments meeting CA-2 security assessment requirements
  • Annual comprehensive security assessments following CA-1 security assessment policy
  • Incident investigation and root cause analysis procedures per IR-4 incident handling

Compliance reporting follows standardized templates provided in CPCSC publication ITSM.50.062. Reports must document security control status, identified vulnerabilities, remediation activities, and ongoing risk assessments meeting PM-4 plan of action requirements.

"Under ITSG-33 control CA-7 (Continuous Monitoring), federal departments must implement real-time visibility into AI system behavior combined with quarterly CA-2 security assessments. This dual approach ensures both immediate threat detection and systematic evaluation of security control effectiveness for AI workloads processing Protected B information."

Non-compliance incidents must be reported to CPCSC within 24 hours of discovery per IR-6 incident reporting requirements. The reporting includes incident details, impact assessment, containment measures, and remediation timelines following IR-4 incident handling procedures.


Practical implementation considerations

Implementing CPCSC requirements for AI tooling requires coordinated effort across technical, legal, and compliance teams following section 15.1 of the Communications Security Establishment Act. Organizations should begin with a comprehensive gap analysis identifying current capabilities against ITSG-33 baseline controls.

Phase 1: Assessment and Planning

Start by documenting current AI tool usage and data flows per SA-3 system security plan requirements. Many organizations discover shadow IT AI deployments during this assessment phase. Catalog all AI tools, their data sources, processing locations, and user populations meeting CM-8 information system component inventory controls.

Phase 2: Vendor Evaluation

Evaluate existing AI vendors against CPCSC requirements under SA-9 external system services controls. Request compliance documentation, security certifications, and data residency attestations per section 21.1 CSE Act requirements. Be prepared for lengthy vendor qualification processes, particularly for international providers subject to foreign jurisdiction data access laws.

Phase 3: Technical Implementation

Deploy security controls and monitoring capabilities required by ITSG-33 baseline controls. This includes network segmentation per SC-7, encryption implementation meeting SC-13 requirements, and access control system deployment following AC-2 controls. Technical implementation often requires 3-6 months depending on organizational complexity.

Phase 4: Process Development

Establish ongoing compliance processes including monitoring per CA-7, reporting following ITSM.50.062 templates, and incident response procedures meeting IR-4 requirements. Train staff on new procedures and conduct regular compliance exercises to validate process effectiveness under CA-2 security assessments.

Organizations like Augure have built their AI platforms specifically to meet these Canadian compliance requirements, with infrastructure operating exclusively within Canadian borders and designed to satisfy ITSG-33 controls without US corporate exposure under the CLOUD Act.


Penalties and enforcement

CPCSC has enforcement authority over federal departments and agencies through section 24 of the Communications Security Establishment Act, enabling mandatory system shutdowns for non-compliance. Additional enforcement includes security clearance revocations under the Security of Information Act and formal ministerial direction per section 15.1 of the CSE Act.

For federally regulated private sector entities, CPCSC works with sector-specific regulators to enforce compliance under their respective statutory authorities. Financial institutions face additional oversight through OSFI under the Bank Act section 244, while telecommunications providers answer to the CRTC regarding AI tool compliance under the Telecommunications Act section 24.

The Privacy Commissioner of Canada can impose administrative monetary penalties up to C$25 million for privacy violations involving AI tools under PIPEDA section 11.1. Recent enforcement actions demonstrate increasing willingness to pursue maximum penalties for significant violations affecting personal information processing.

Criminal charges under Criminal Code sections 342.1 (unauthorized computer use) and 430 (mischief in relation to computer data) may apply in cases involving deliberate non-compliance or security incidents resulting from inadequate controls, with penalties up to 10 years imprisonment for section 342.1 offences.


Moving forward with compliant AI deployment

CPCSC requirements for AI tooling reflect the reality that artificial intelligence creates new security and sovereignty challenges requiring specialized approaches under the Communications Security Establishment Act. Organizations cannot simply apply traditional IT security frameworks to AI deployments and expect adequate protection under ITSG-33 baseline controls.

Successful compliance requires understanding both the technical requirements under ITSG-33 and the underlying policy objectives driving CPCSC guidance in ITSM.10.089. The focus on Canadian data residency per SC-7 controls, comprehensive vendor assessment following SA-9 requirements, and AI-specific security controls addresses legitimate national security and privacy concerns under federal jurisdiction.

Organizations evaluating AI tools should prioritize Canadian providers like Augure that have built compliance into their platform architecture rather than attempting to retrofit international solutions subject to foreign data access laws. This approach reduces ongoing compliance overhead while ensuring consistent adherence to Canadian regulatory requirements under the CSE Act.

For detailed guidance on implementing CPCSC-compliant AI tooling in your organization, visit augureai.ca to explore solutions designed specifically for Canadian regulatory requirements under federal jurisdiction.

About Augure

Augure is a sovereign AI platform for regulated Canadian organizations. Chat, knowledge base, and compliance tools — all running on Canadian infrastructure.