In the current landscape of federal procurement, security isn't just a "feature" — it is a prerequisite. If your business intends to provide services to the Government of Canada involving sensitive information, you must navigate the Contract Security Program (CSP), managed by Public Services and Procurement Canada (PSPC).

This guide breaks down the accreditation process, the different levels of screening, and how to ensure your cloud environment is ready for audit.

If you’re a Canadian business leader working with government clients — or hoping to — you’ve probably heard the acronyms PBMM and ITSG-33 thrown around in security conversations. For many organizations, these frameworks feel technical, abstract, and difficult to translate into day to day business decisions.

The truth is simple: you don’t need to be a cybersecurity expert to understand how these standards impact your ability to win contracts, protect data, and operate confidently. This article breaks down PBMM and ITSG 33 in clear, practical terms — and explains what they mean for your organization.

Navigate our useful links and reference library to further your knowledge on key concepts and material.

Key references include:

• Public Services and Procurement Canada (PSPC): Security screening for government contracts

• The Contract Security Manual (CSM): Official Reference Guide
• Canadian Centre for Cyber Security (CCCS): Cloud Security Risk Management Approach
• CCCS - ITSG-33 Guidance: Security Control Catalogue
• Government of Canada PBMM Profile: Security Control Profile for Cloud-based Services