Canadian Federal & Provincial Government
Automated Security Assessment & Authorization for Canadian government vendors. Navigate RFSA, SLSA, and TBIPS procurement with confidence, from initial authorization through continuous monitoring.
ITSG-33 is a completely different compliance world from HIPAA or SOC 2. Iron Fort is purpose-built for the SA&A process — not a generic GRC tool retrofitted for it.
Technology companies pursuing contracts with federal departments (TBS, DND, SSC, CRA, IRCC, etc.). Iron Fort maps your controls to the ITSG-33 security control catalogue (Annex 3A) and the security control profile selected from Annex 4A, and generates SA&A documentation packages.
Suppliers bidding on Ontario, BC, Alberta, or Quebec government technology procurement. Provincial SA&A requirements align closely with ITSG-33 — Iron Fort handles the mapping.
AWS, Azure, and GCP resellers or managed service providers seeking Government of Canada Protected A/B cloud authorization. Iron Fort supports the CSP SA&A process end-to-end.
Vendors bidding on DND or RCMP contracts requiring ITSG-33 Medium or High profiles. Iron Fort handles classification levels from Unclassified through Protected B.
Companies processing Government of Canada data — statistical, demographic, or program delivery data — requiring formal Authorization to Operate (ATO) under the SA&A lifecycle.
Vendors with existing authorizations approaching expiry or subject to continuous monitoring requirements under GC Security Control Profiles. Iron Fort automates the ongoing SA&A lifecycle.
Iron Fort supports the full GC data sensitivity spectrum, with control profiles tailored to each classification level. ITSG-33 names its profiles by confidentiality, integrity and availability level (for example PBMM: Protected B, Medium Integrity, Medium Availability); the Low/Medium/High labels below are this page's shorthand, and the control counts are approximate.
Unclassified: public-facing or low-sensitivity GC data. ITSG-33 Low profile. ~80 applicable controls.
Protected A: sensitive personal information (e.g., name + address). ITSG-33 Medium profile. ~200 controls.
Protected B: highly sensitive data (SIN, tax, health, biometric). ITSG-33 High profile. 330+ controls with enhanced requirements.
Classified: Confidential, Secret, and Top Secret information requires additional GC-specific processes outside the standard SA&A scope covered here.
Iron Fort covers the entire ITSG-33 Security Assessment & Authorization lifecycle — from initial scoping through Authority to Operate and continuous monitoring.
Automated mapping of your existing controls to the ITSG-33 control catalogue (Annex 3A) and the Annex 4A security control profile that matches your data classification level. Gap analysis with prioritized remediation roadmaps.
Auto-generate the complete SA&A documentation set: System Security Plan (SSP), Privacy Impact Assessment (PIA) inputs, Statement of Applicability (SOA), and Risk Acceptance documentation.
Structured evidence vault organized by ITSG-33 control families. Provides assessors (internal or third-party) with organized, accessible evidence — reducing assessment time significantly.
Generate security and privacy attestation packages formatted for ProServices, TBIPS, RFSA, and SLSA solicitations. Respond to GC security questionnaires faster with pre-mapped control evidence.
Ongoing monitoring of security controls post-ATO. Automated alerts for control drift, patch compliance gaps, and configuration deviations — satisfying ITSG-33 continuous monitoring requirements.
Maps your cloud environment to the 12 GC Cloud Guardrails published by TBS and to the CCCS Medium Cloud Control Profile (PBMM). Continuous validation of guardrail compliance for Protected B cloud environments.
SA&A documentation templates available in both English and French, meeting the bilingual requirements that federal departments place on submissions. AI-assisted translation review.
Running ITSG-33 alongside SOC 2 or ISO 27001? Iron Fort maps overlapping controls and collects shared evidence once — reducing the total compliance burden for multi-standard programs.
The ITSG-33 SA&A lifecycle has six phases — Iron Fort automates or accelerates each one.
Define system boundaries, identify data classification levels, assign SA&A roles (AO, SA&A Coordinator, System Owner). Iron Fort provides structured onboarding templates.
Document the system in SSP format: architecture diagrams, data flows, interconnections, user types, and operating environment. Auto-populated from infrastructure discovery.
Select and tailor the ITSG-33 control profile appropriate to your classification level. Document control implementation statements for all applicable controls.
Facilitate assessor review with a structured evidence vault. Iron Fort tracks assessment findings, generates Plans of Action & Milestones (PoA&M), and manages remediation workflows.
Compile the Authorization Package for the Authorizing Official (AO). Includes SSP, SAR, risk summary, and residual risk acceptance documentation — generated from Iron Fort evidence.
Ongoing control monitoring, annual security reviews, and change management impact assessments. Automated alerts keep your ATO current and renewal seamless.
"The SA&A process took us 14 months the first time — manually. With Iron Fort on our second Protected B contract, we completed the documentation package in 6 weeks. The assessor said it was the most thorough SSP they'd reviewed."
"We bid on three TBIPS solicitations in one year. Iron Fort's procurement package builder let us respond to all three GC security questionnaires in a day — same evidence, reformatted. We won two of the three."
"Continuous monitoring was the piece we kept failing on — we'd get authorized, then drift on controls and face re-assessment. Iron Fort's alerts catch drift immediately. We've maintained our ATO clean for two years now."
ITSG-33 ("IT Security Risk Management: A Lifecycle Approach") is the Canadian Centre for Cyber Security (CCCS) guidance that defines how federal government departments manage IT security risk over a system's lifecycle; its control catalogue and profiles are applied equally to supplier systems. Any technology vendor storing, processing, or transmitting Government of Canada information, regardless of sensitivity level, must have its system assessed against the applicable ITSG-33 security control profile as part of the department's Security Assessment & Authorization (SA&A) process. The Authority to Operate (ATO) is granted by the department's Authorizer on the strength of that assessment; without it the system cannot be placed into operation on GC networks, and the contract deliverable cannot be accepted.
These are Government of Canada procurement vehicle types: RFSA (Request for Supply Arrangement) is a pre-qualification mechanism that establishes a pool of qualified vendors; SLSA (Standing List of Qualified Security Assessment Service Providers) is specific to cybersecurity assessment firms; TBIPS (Task-Based Informatics Professional Services) is the main IT services procurement vehicle used across federal departments. Each has different security attestation requirements, and Iron Fort generates documentation packages tailored to each vehicle's specific security questionnaire format.
Yes. Iron Fort's assessor collaboration portal gives your third-party Security Assessment Service Provider (SASP) read-only access to your evidence vault, organized by ITSG-33 control family. This eliminates weeks of back-and-forth evidence requests, reduces assessment fieldwork time, and produces a cleaner Security Assessment Report (SAR). Iron Fort is assessment-firm agnostic: it works with any CCCS-approved or departmentally accepted SASP.
The 12 GC Cloud Guardrails (published by TBS and applied by SSC as cloud broker) are the mandatory minimum baseline for any cloud environment processing GC data. Iron Fort continuously validates your cloud environment against all 12, including MFA and protection of root/global administrator accounts (Guardrail 1), data location restrictions (Guardrail 5), network segmentation and separation (Guardrail 8), and logging and monitoring (Guardrail 11). Guardrail compliance status is updated daily and can be exported for ATO package updates or departmental reporting.
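To show what guardrail validation and post-ATO drift detection actually evaluate (the points raised in the continuous monitoring and cloud guardrail sections above), here is an added example that is not Iron Fort's code and not the TBS guardrail tooling. It runs a simplified reading of Guardrails 1, 5, 8 and 11 over a constructed cloud inventory (AWS-style region names, a flat dict of users, resources, security groups and audit-log settings, all assumed for illustration) and then diffs the findings against the snapshot taken at authorization, which is the "control drift" an alert should fire on.

```python
"""Guardrail checks and drift detection over a constructed inventory (example code)."""
import copy
from dataclasses import dataclass
from ipaddress import ip_network

# Assumptions, not from the page or from TBS: AWS-style region names and a
# deliberately narrow interpretation of each guardrail. Real validation applies
# the full guardrail criteria and the CCCS Medium profile controls behind them.
APPROVED_REGIONS = {"ca-central-1", "ca-west-1"}   # GR5: approved data locations
ADMIN_PORTS = {22, 3389}                           # GR8: SSH / RDP must not face the internet


@dataclass(frozen=True)
class Finding:
    guardrail: int
    resource: str
    detail: str


def check_privileged_mfa(inv):
    """GR1: root/global admin and other privileged accounts must have MFA."""
    return [Finding(1, u["name"], "privileged account without MFA")
            for u in inv["iam_users"] if u["privileged"] and not u["mfa_enabled"]]


def check_data_location(inv):
    """GR5: resources holding GC data must sit in an approved location."""
    return [Finding(5, r["id"], f"GC data in non-approved region {r['region']}")
            for r in inv["resources"]
            if r["holds_gc_data"] and r["region"] not in APPROVED_REGIONS]


def check_segmentation(inv):
    """GR8: no administrative port reachable from 0.0.0.0/0 or ::/0."""
    out = []
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            if ip_network(rule["cidr"]).prefixlen == 0 and rule["port"] in ADMIN_PORTS:
                out.append(Finding(8, sg["name"], f"port {rule['port']} open to {rule['cidr']}"))
    return out


def check_logging(inv):
    """GR11: audit logging enabled per region, with tamper-evident log storage."""
    out = []
    for region, cfg in inv["audit_logging"].items():
        if not cfg["enabled"]:
            out.append(Finding(11, region, "audit logging disabled"))
        elif not cfg["integrity_validation"]:
            out.append(Finding(11, region, "log integrity validation disabled"))
    return out


CHECKS = (check_privileged_mfa, check_data_location, check_segmentation, check_logging)


def evaluate(inv):
    """Run every check over one inventory snapshot; returns a set of findings."""
    return {f for check in CHECKS for f in check(inv)}


def drift(baseline_findings, current_findings):
    """Findings present now that were absent at authorization: the post-ATO drift to alert on."""
    return sorted(current_findings - baseline_findings, key=lambda f: (f.guardrail, f.resource))


# Constructed sample data: the environment as authorized (clean) and a later snapshot
# where an admin dropped MFA, a bucket appeared in us-east-1, SSH was opened to the
# internet and log integrity validation was switched off.
BASELINE = {
    "iam_users": [{"name": "root", "privileged": True, "mfa_enabled": True},
                  {"name": "ops-admin", "privileged": True, "mfa_enabled": True},
                  {"name": "analyst", "privileged": False, "mfa_enabled": False}],
    "resources": [{"id": "bucket-pb-records", "region": "ca-central-1", "holds_gc_data": True}],
    "security_groups": [{"name": "bastion", "ingress": [{"cidr": "10.20.0.0/16", "port": 22}]}],
    "audit_logging": {"ca-central-1": {"enabled": True, "integrity_validation": True}},
}
CURRENT = copy.deepcopy(BASELINE)
CURRENT["iam_users"][1]["mfa_enabled"] = False
CURRENT["resources"].append({"id": "bucket-scratch", "region": "us-east-1", "holds_gc_data": True})
CURRENT["security_groups"][0]["ingress"].append({"cidr": "0.0.0.0/0", "port": 22})
CURRENT["audit_logging"]["ca-central-1"]["integrity_validation"] = False

if __name__ == "__main__":
    for f in drift(evaluate(BASELINE), evaluate(CURRENT)):
        print(f"GR{f.guardrail:02d} {f.resource}: {f.detail}")
```

Findings are frozen dataclasses so that two runs producing the same (guardrail, resource, detail) tuple compare equal; drift is then a plain set difference against the findings captured at authorization, which keeps known, risk-accepted findings from re-alerting every day while anything new surfaces immediately. The non-privileged `analyst` account without MFA is intentionally not flagged, because Guardrail 1 targets privileged accounts; a stricter profile would widen that check.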
Yes. Iron Fort supports multi-system SA&A programs where different systems operate at different classification levels. Each system has its own scoped SA&A workspace with the appropriate ITSG-33 control profile. Shared controls (like identity management or logging infrastructure) are mapped once and credited to all applicable systems — reducing duplication across your government portfolio.
For a first-time Protected A authorization, Iron Fort customers typically complete documentation in 6–10 weeks (vs. 12–18 months manually). Protected B takes 10–16 weeks for documentation. Third-party assessment fieldwork adds 4–8 weeks depending on system complexity and assessor availability. Continuous monitoring and annual re-assessments are significantly faster after the initial authorization is in place.
Book a free 30-minute readiness assessment. We'll review your target GC contract, identify applicable ITSG-33 control profiles, and outline your path to Authorization to Operate.