TL;DR: Canada’s CPCSC framework pushes defence suppliers beyond perimeter VPNs toward identity-driven, continuously verified access, and Appgate maps its ZTNA approach to AC, IA, SC, AU, CM, IR, and SI controls under ITSP.10.171. For practitioners, the shift is less about replacing remote access and more about producing audit-ready proof that access is explicit, segmented, monitored, and revocable.
NHIMG editorial — based on content published by Appgate: Canada’s Program for Cyber Security Certification and ZTNA control mapping
Questions worth separating out
Q: How should defence suppliers implement ZTNA for CPCSC compliance?
A: They should design ZTNA around explicit identity, device posture, and resource-level authorization rather than broad network trust.
Q: Why does CPCSC put so much weight on continuous verification?
A: Because a one-time login does not prove that access remained appropriate for the full session.
Q: What do teams get wrong when they keep VPN-style access for regulated systems?
A: They often assume that authenticated network entry is enough.
Practitioner guidance
- Map CPCSC access paths to named identities Inventory every remote access path to Specified Information and tie it to a specific user, device, role, and target resource.
- Rework segmentation around policy scopes Replace broad VPN reach with resource-level entitlements that only expose the systems required for each role.
- Treat session re-evaluation as a control requirement Set posture checks, timeout thresholds, and termination rules so access is revalidated during the session, not only at login.
What's in the full article
Appgate's full article covers the operational detail this post intentionally leaves for the source:
- Control-family-by-control-family CPCSC mapping across AC, IA, SC, AU, CM, IR, SI, and CA.
- Examples of how Device Claim Scripts, policy simulation, and configuration exports support assessment evidence.
- Specific authentication, session, and logging behaviours that map to CPCSC control expectations.
- The vendor's own certification and validation references for procurement and assurance review.
👉 Read Appgate's CPCSC and ZTNA control mapping guide →
CPCSC and ZTNA: what it means for identity control evidence?
Explore further
CPCSC turns access control into an evidence discipline, not just a connectivity design. Defence suppliers are no longer being asked whether users can connect. They are being asked whether every connection is explicit, scoped, logged, and defensible under assessment. That is a governance shift, not a tooling preference, and it forces IAM, PAM, and network teams to work from the same control narrative.
A few things that frame the scale:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who is accountable when access logs or policy decisions are missing during assessment?
A: Accountability sits with the organisation that claims the control, because the inability to reconstruct access decisions weakens audit and incident-response evidence. For CPCSC, missing logs mean missing proof that identity, access, and monitoring controls actually operated as designed.
👉 Read our full editorial: CPCSC makes zero trust access a control evidence problem