CPCSC Level 2 Control

Last updated June 25, 2026

03.05.04Identification and authentication

CPCSC Level 2 03.05.04: Replay-Resistant Authentication

Apply replay-resistant authentication to prove that users, devices, and authenticators are unique, protected, and trustworthy for CPCSC Level 2 readiness. This guide separates the official ITSP.10.171 control language from practical implementation, evidence, auditor questions, and related controls.

Open Level 2 Guide Browse Level 2 Controls

Formal Control Language

Official ITSP.10.171 wording for 03.05.04. Use the Cyber Centre publication and contract requirements as the source of truth for certification, assessment, or procurement submissions.

  • Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.

Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.

What This Means In Plain English

Replay-Resistant Authentication is part of the CPCSC Level 2 Identification and authentication family. This is about proving each user, device, and authenticator is unique, managed, protected, and strong enough for the sensitivity of the work.

For a founder, CISO, engineer, or compliance owner, the practical question is whether replay-resistant authentication is visible in real operating evidence: a setting, workflow, ticket, log, approval, review, or exception record that can survive an external assessment.

Level 2 is different from Level 1 because the evidence has to survive an external assessment. A policy statement helps, but the stronger answer is a record that shows who did the work, when it ran, what system setting or workflow enforced it, and how exceptions were handled.

How To Implement It

1

Define the in-scope systems, owners, users, vendors, and data flows affected by replay-resistant authentication.

2

Use unique accounts, MFA, password or authenticator standards, lifecycle controls, and technical settings that prevent shared or weak authentication paths.

3

Translate the formal requirement into one or two operating procedures: who performs it, how often, where it is recorded, and who approves exceptions.

4

Configure the relevant systems so the control is enforced by identity, endpoint, cloud, network, ticketing, monitoring, vendor, or documentation workflows rather than memory.

5

Keep evidence in a consistent folder, GRC system, ticket queue, or audit workspace so an assessor can trace the control from requirement to implementation to review.

Evidence Normally Gathered

Replay-Resistant Authentication: identity provider settings.

Replay-Resistant Authentication: MFA reports.

Replay-Resistant Authentication: password policy screenshots.

Replay-Resistant Authentication: authenticator inventory.

Replay-Resistant Authentication: account lifecycle tickets.

Replay-Resistant Authentication: device authentication settings.

Replay-Resistant Authentication: owner assignment and review cadence.

Replay-Resistant Authentication: exception, remediation, or POA&M records when the control is not fully implemented.

Common Auditor Questions

Where is replay-resistant authentication implemented in the in-scope environment?

Who owns replay-resistant authentication, and how do they know it is operating?

Show the evidence that proves replay-resistant authentication ran during the assessment period.

What happens when replay-resistant authentication fails, is bypassed, or has an exception?

How does this control connect to the system security plan, risk register, POA&M, and related CPCSC controls?

Sources

Source and attribution.

Formal control language is sourced from the Canadian Centre for Cyber Security ITSP.10.171 publication. CPCSC Level 2 assessment context references the Government of Canada CPCSC program overview and ITSP.10.171-01 assessment guidance.

CPCSC Program OverviewITSP.10.171ITSP.10.171-01Open Government Licence - Canada