The Canadian Centre for Cyber Security's Baseline Cyber Security Controls publication (ITSM.10.089) defines the minimum security controls for Canadian organizations. Referenced in federal procurement requirements, Bill C-8 CCSPA guidance, and increasingly in provincial government supplier requirements, CCCS baseline alignment is becoming a de facto Canadian cybersecurity standard.
The Canadian Centre for Cyber Security (CCCS), part of the Communications Security Establishment (CSE), is Canada's national authority on cybersecurity. Its Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089) provides a prioritized, practical set of security controls aligned to the Canadian threat landscape.
Unlike some international frameworks, the CCCS baseline is authored by the same federal body - the CSE - that receives mandatory incident reports under Bill C-8. CCCS guidance carries significant weight with Canadian regulators, and demonstrating alignment with the CCCS baseline strengthens compliance posture across multiple frameworks simultaneously, as it maps closely to CIS Controls IG1/IG2 and NIST CSF.
The CCCS baseline is organized around practical security domains that Lavawall® monitors continuously.
Documented incident response plan that covers detection, containment, eradication, recovery, and post-incident review. The CCCS baseline aligns with Bill C-8's 72-hour incident reporting requirements - having a plan is a prerequisite to meeting the reporting timeline.
Timely patching of all operating systems and applications, particularly internet-facing systems. This maps directly to Lavawall®'s cross-platform patch management capability - Windows, Mac, Linux, and 7,533+ applications monitored and patched automatically.
Anti-malware, host-based firewalls, and endpoint detection and response (EDR) enabled on all devices. Lavawall® monitors endpoint security status and configuration compliance continuously.
Regular, tested, offline backups. The CCCS baseline specifically addresses ransomware resilience - backups that cannot be encrypted by ransomware. Lavawall® monitors backup status and generates alerts when backup jobs fail.
MFA for all privileged accounts and all remote access. Lavawall® monitors MFA enrollment status across M365, Entra ID, AWS, and Google Workspace continuously - and alerts when accounts have MFA disabled or bypassed.
Password hygiene enforcement across the organization. Integration with password manager platforms and monitoring for weak credential indicators in M365 and directory services.
Principle of least privilege, user access reviews, and removal of dormant accounts. Lavawall® monitors account lifecycle and generates alerts for inactive privileged accounts and unusual access patterns.
Attack surface reduction through decommissioning unnecessary software, services, and network exposure. Lavawall® maintains application and service inventory and flags unauthorized or unexpected software.
Every CCCS baseline control domain maps directly to what Lavawall® monitors. Patch compliance, MFA status, backup health, endpoint security, account lifecycle, and application inventory are all continuously tracked. Achieving CCCS baseline compliance is often the fastest compliance win available - many organizations are closer than they think, and Lavawall® shows the exact gaps in 48 hours.
For organizations with basic IT capacity - Lavawall® directly addresses most CCCS baseline controls
CISSP/CISA gap assessment plus Lavawall® deployment - full CCCS baseline coverage
Complete CCCS baseline program for government suppliers and critical infrastructure
Lavawall® shows your CCCS baseline compliance score in 48 hours. ThreeShield turns the gaps into a prioritized remediation plan. Most organizations reach CCCS baseline compliance within 30-60 days.
Also covers CIS Controls v8.1 · NIST CSF 2.0 · Bill C-8 CCSPA