Regulatory Compliance

Canadian Cyber Centre Supply Chain Guidance

The CCCS's 2024-2025 supply chain guidance and the proposed Critical Cyber Systems Protection Act (Bill C-26, reintroduced as Bill C-8) reshape Canada's expectations for SBOMs, vendor assurance, and protection of critical cyber systems.

Shadab Khan
Security Engineer
5 min read

On October 30, 2024, the Canadian Centre for Cyber Security (CCCS), a unit of the Communications Security Establishment (CSE), published an updated edition of "Protecting Your Organization from Software Supply Chain Threats" (ITSAP.10.070), and the Cyber Centre's foundational "Top 10 IT Security Actions" guidance was refreshed in early 2025 with supply chain language aligned to the proposed Critical Cyber Systems Protection Act (CCSPA). The CCSPA is Part 2 of Bill C-26, An Act respecting cyber security. Bill C-26 passed the House of Commons in June 2024 but never received Royal Assent: the Senate returned it with amendments in December 2024, and it died on the Order Paper when Parliament was prorogued in January 2025. The government reintroduced the same framework as Bill C-8 in June 2025. For operators in Canada's federally regulated critical sectors (telecommunications, finance, energy, and transportation), the supply chain bar is rising quickly, and the obligations described below are the regime Parliament is being asked to enact rather than law already in force.

What Does the CCSPA Require?

The Critical Cyber Systems Protection Act would establish four core obligations for designated operators of critical cyber systems: establish and maintain a cyber security program, mitigate supply-chain and third-party risks, report cyber security incidents to the CSE within 72 hours, and comply with cyber security directions issued by the Governor in Council. Supply chain appears twice in the bill. Section 9 requires the cyber security program to identify and manage organizational cyber security risks, including those associated with the operator's supply chain and its use of third-party products and services; section 15 then requires the operator to take reasonable steps, including any steps prescribed by regulation, to mitigate the supply-chain and third-party risks it identifies. Schedule 1 lists six initial classes of vital services and systems: telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems within federal jurisdiction, banking systems, and clearing and settlement systems. An operator within one of those classes becomes a "designated operator" only when the Governor in Council names it by regulation.

When Does Bill C-26 Come Into Force?

Even once enacted, the CCSPA comes into force on a day or days fixed by order of the Governor in Council, and its obligations apply to an operator only after that operator is designated by regulation. Because Bill C-26 died on the Order Paper in January 2025, neither step has happened; the regulations designating operators and prescribing program content can only follow enactment of the successor bill, Bill C-8. The timeline that matters for planning is the one written into the Act itself: a designated operator must establish its cyber security program within 90 days after the day it becomes a designated operator. Penalty provisions apply from the moment the relevant sections are in force and the operator is designated, so the program, the supplier inventory and the incident reporting channel should exist before designation rather than be built in the 90 days after it.

How Does ITSAP.10.070 Shape Supply Chain Practice?

ITSAP.10.070 "Protecting Your Organization from Software Supply Chain Threats" is the CCCS's authoritative guidance on supply chain controls and maps to Canada's broader ITSG-33 control catalogue. The 2024 revision expanded the document's treatment of SBOMs, endorsing SPDX and CycloneDX and pointing to the CCCS's companion ITSM.10.189 "Developer Guidance" for secure-by-design expectations. The guidance prescribes five practices: map the supply chain, assess supplier security, require SBOMs, continuously monitor component vulnerabilities, and incorporate supply chain considerations into incident response. It explicitly calls out commercial software, open-source software, hardware, and cloud services as components of the supply chain.
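As an added example (not from the CCCS guidance, the Act, or any product named on this page), here is what the third and fourth ITSAP.10.070 practices, requiring SBOMs and continuously matching their components against advisories, reduce to at a build gate. The CycloneDX 1.5 document, the advisory feed, the package names and the VULN-A/VULN-B identifiers are all constructed for the example; a real pipeline would substitute the build's own BOM and a purl-indexed advisory feed.

```python
"""SBOM intake gate (added example): parse a CycloneDX 1.5 JSON BOM, match
components to an advisory feed by Package URL (purl), apply a build policy.
All sample data below is constructed; nothing is fetched from the network."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.5 BOM standing in for one emitted by a build.
# Package names are hypothetical.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "group": "com.example", "name": "widget-core",
         "version": "2.9.9", "purl": "pkg:maven/com.example/widget-core@2.9.9",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-utils", "version": "4.17.21",
         "purl": "pkg:npm/example-utils@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        # Binary vendor SDK with no purl: it cannot be matched to advisories,
        # which is itself a finding under "map the supply chain".
        {"type": "library", "name": "vendor-sdk", "version": "3.1.0",
         "licenses": [{"license": {"name": "Proprietary"}}]},
    ],
})

# Constructed advisory feed (hypothetical IDs): version-less purl plus the
# first fixed version; every lower version is affected.
SAMPLE_FEED = [
    {"id": "VULN-A", "purl": "pkg:maven/com.example/widget-core",
     "fixed": "2.9.10", "severity": "critical"},
    {"id": "VULN-B", "purl": "pkg:npm/example-utils",
     "fixed": "4.17.21", "severity": "high"},
]

LICENSE_ALLOW = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def parse_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Return (type/namespace/name, version). Qualifiers ('?..') and subpath
    ('#..') are dropped. The version follows the last '@'; an '@' inside an
    npm scope is percent-encoded (%40) in a valid purl, so rpartition is safe."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    if "@" in body:
        name, _, version = body.rpartition("@")
        return name, version or None
    return body, None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Dotted version to a comparable tuple; a non-numeric tail in a segment
    ('3-beta') is ignored, which suffices for fixed-version comparisons."""
    parts = []
    for seg in v.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a sorts below b, padding so that '1.2' equals '1.2.0'."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def match_vulns(bom_json: str, feed: List[dict]) -> List[dict]:
    """Index components by version-less purl and report feed entries whose
    fixed version is above the component version. A purl without a version
    is treated as affected because it can never be cleared."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported bomFormat")
    index: Dict[str, List[Tuple[dict, Optional[str]]]] = {}
    for comp in bom.get("components", []):
        if comp.get("purl"):
            name, version = parse_purl(comp["purl"])
            index.setdefault(name, []).append((comp, version))
    findings = []
    for vuln in feed:
        name, _ = parse_purl(vuln["purl"])
        for comp, version in index.get(name, []):
            if version is None or version_lt(version, vuln["fixed"]):
                findings.append({"vuln": vuln["id"], "severity": vuln["severity"],
                                 "purl": comp["purl"]})
    return findings


def evaluate_policy(bom_json: str, feed: List[dict],
                    allowed: set = LICENSE_ALLOW) -> dict:
    """Build gate: fail on unmonitorable components (no purl), licenses
    outside the allow-list, and any critical finding."""
    failures = []
    for comp in json.loads(bom_json).get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        if not comp.get("purl"):
            failures.append(f"{label}: no purl, cannot be matched to advisories")
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            ident = lic.get("id") or lic.get("name") or entry.get("expression") or "UNKNOWN"
            if ident not in allowed:
                failures.append(f"{label}: license {ident} not allowed")
    findings = match_vulns(bom_json, feed)
    failures += [f"{f['purl']}: {f['vuln']} is critical"
                 for f in findings if f["severity"] == "critical"]
    return {"pass": not failures, "failures": failures, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(evaluate_policy(SAMPLE_BOM, SAMPLE_FEED), indent=2))
```

The gate fails a component that has no purl on purpose: a component that cannot be matched to advisories cannot be continuously monitored, which is exactly the gap the "map the supply chain" practice is meant to close. The version comparison is deliberately simple; for ecosystems with their own ordering rules (Maven qualifiers, Python pre-releases) a real gate should use that ecosystem's comparator.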

How Does OSFI B-13 Intersect With Supply Chain Controls?

The Office of the Superintendent of Financial Institutions (OSFI) issued Guideline B-13 "Technology and Cyber Risk Management" in July 2022, effective January 1, 2024 for federally regulated financial institutions (FRFIs). B-13 is organized into three domains: Governance and Risk Management, Technology Operations and Resilience, and Cyber Security. The second and third domains together require FRFIs to maintain a current inventory of technology assets and to manage vulnerabilities and patches with remediation timelines driven by severity. Third-party technology and cyber risk, including software and components supplied by vendors, is addressed through the companion Guideline B-10 "Third-Party Risk Management" (effective May 1, 2024), which B-13 expects to be read alongside it; an open-source dependency embedded in a vendor product falls within the scope of both. B-13 moves OSFI's expectation beyond the 2013 Cyber Security Self-Assessment Guidance, from periodic self-assessment to documented, evidenced controls.

What About IT Security Guidelines ITSG-33 and Federal Procurement?

ITSG-33 "IT Security Risk Management: A Lifecycle Approach" is the Government of Canada's counterpart to NIST SP 800-53 and is used across federal departments. Its Annex 3A "Security Control Catalogue" carries the SA (System and Services Acquisition) family, including SA-12 Supply Chain Protection, SA-15 Development Process, Standards, and Tools, and SA-22 Unsupported System Components. The published catalogue text predates the SBOM term, so SBOM expectations reach federal buyers through ITSAP.10.070 and procurement criteria rather than through the control catalogue itself. Federal procurement vehicles, including Shared Services Canada's Cloud Framework Agreement and Public Services and Procurement Canada's Cyber Protection Supply Arrangement, are where suppliers should expect to be asked to demonstrate SBOM production and a vulnerability response process.

What Are the Penalties Under the CCSPA and Related Laws?

As introduced in Bill C-26 and carried into Bill C-8, the CCSPA proposes administrative monetary penalties of up to CAD 1 million per violation for individuals and up to CAD 15 million per violation for any other person, with each day of a continuing contravention counted as a separate violation. Contravening a cyber security direction or knowingly providing false or misleading information is also an offence, punishable on indictment by a fine and imprisonment of up to 5 years. For federally regulated financial institutions, OSFI can issue a Notice of Non-Compliance and pursue enforcement under the Office of the Superintendent of Financial Institutions Act. PIPEDA exposure runs in parallel, and Quebec's Law 25, fully in force since September 22, 2024, adds administrative monetary penalties of up to CAD 10 million or 2% of worldwide turnover, whichever is greater, with penal fines of up to CAD 25 million or 4% of worldwide turnover.

How Safeguard Helps

Safeguard delivers the SBOM-based supply chain evidence the CCCS ITSAP.10.070 guidance expects, with SPDX 2.3 and CycloneDX 1.5 support out of the box. Griffin AI reachability analysis and vulnerability prioritisation help designated operators meet the CCSPA's "reasonable steps" standard for supply-chain and third-party risk by focusing remediation on components that are actually exercised at runtime. TPRM workflows track supplier assurance for OSFI B-13 and B-10 and the CCCS top-10 supply chain items, and policy gates enforce build-time controls against critical CVEs, unsigned artifacts, and license violations. Compliance mapping spans ITSG-33, OSFI B-13, the CCSPA, and ISO 27001:2022 so operators can produce a consolidated evidence package for multiple Canadian regulators from a single platform.
