The Ultimate Guide to CSP Accreditation for Canadian Contractors (2026 Edition)

In the current landscape of federal procurement, security isn't just a "feature"—it is a prerequisite. If your business intends to provide services to the Government of Canada involving sensitive information, you must navigate the Contract Security Program (CSP), managed by Public Services and Procurement Canada (PSPC).

This guide breaks down the accreditation process, the different levels of screening, and how to ensure your cloud environment is ready for audit.

What is CSP Accreditation?

CSP Accreditation is a mandatory security screening process for private sector organizations. It ensures that any company handling "Protected" or "Classified" government assets meets strict personnel, physical, and IT security standards.

1. Do You Need FSC or DOS?

Before applying, you must identify which level of organizational screening your contract requires.

The "Protected B" Reality

In 2026, the vast majority of digital service contracts are classified as Protected B. This means your organization must not only screen your staff but also prove that your IT environment (like your Microsoft 365 tenant) can securely store and process this data.

2. The Step-by-Step Accreditation Process

You cannot simply "buy" a CSP clearance; it is a journey that begins with a government requirement.

Step 1: Secure a Sponsor

You cannot self-initiate a CSP application. You must be sponsored by:
• A government department (the "Contracting Authority").
• A prime contractor (if you are a subcontractor).

Step 2: Complete the Application for Registration (AFR)

Once sponsored, you must submit an AFR. This document asks for detailed information on:
• Legal Structure: Who owns your company? (Foreign ownership is heavily scrutinized.)
• Key Senior Officials (KSOs): Your CEO, President, and Board members must be identified and screened.

Step 3: Appoint Your Company Security Officer (CSO)

The CSO is the most important person in this process. They are your primary point of contact with PSPC and are responsible for ensuring your company remains compliant every day.

Step 4: Personnel Security Screening

Every employee working on the contract must undergo a Reliability Status check (for DOS) or a Security Clearance (for FSC). This involves:
• Criminal record checks and digital fingerprints.
• Credit checks.
• Background/Reference verifications.

3. The "IT Inspection" – Where Most Firms Fail

Holding a DOS or FSC clearance is only half the battle. If your contract requires you to store government data on your own systems, you need Document Safeguarding Capability (DSC) and Authority to Process (ATP).

To get this, an IT Security Inspector from the CSP will audit your systems. They will look for:

• Data Residency: Is your data stored on Canadian soil (e.g., Azure Toronto or Quebec City regions)?

• Encryption: Is data encrypted at rest and in transit?

• Access Controls: Do you use Multi-Factor Authentication (MFA) and "Least Privilege" access?

The 2026 Update: As of 2026, the Canadian Program for Cyber Security Certification (CPCSC) is being phased in. Defence suppliers are now required to meet specific "Levels" of cyber maturity (Level 1 self-assessment to Level 3 National Defence audit) to even qualify for bidding.

4. How to Speed Up Your Application

The average timeline for DOS is 4 months, and FSC can take 6+ months. To avoid delays:

1. Be Proactive with Documentation: Have your corporate articles of incorporation and ownership charts ready.

2. Pre-Configure Your Cloud: Don't wait for the inspector. Ensure your M365 environment is "PBMM-ready" before you apply.

3. Appoint an Experienced CSO: If your CSO is new to the process, consider professional training or consulting.

How Trusted Workspace Helps

Navigating the Contract Security Program is a full-time job. Trusted Workspace specializes in helping Canadian businesses build "Audit-Ready" environments.

We don't just tell you what the rules are; we deploy the PBMM-compliant infrastructure you need to pass your IT inspection on the first try.


Ready to get your CSP Accreditation?


Contact us today and book a Free Discovery and Compliance Strategy Session with our experts!

Let us review your current M365 setup and provide a roadmap to Protected B compliance.