up:: The Mandates MOC
CCCS (Canada)
The Canadian Centre for Cyber Security (CCCS), often called the Cyber Centre, is Canada’s national authority for cyber security, and its post-quantum guidance sets a Government of Canada migration roadmap that anchors on two dates: complete the migration of high-priority systems by the end of 2031 and the remaining systems by the end of 2035. The approved algorithms come from the NIST suite, ML-KEM for key establishment and ML-DSA and SLH-DSA for signatures, as published in the CCCS algorithm standard ITSP.40.111.
The guidance comes as a family of publications rather than a single document: a roadmap (ITSM.40.001) that carries the dates, an approved-algorithms standard (ITSP.40.111) that carries the algorithm picks, and a preparation guide (ITSAP.00.017) that carries the inventory-first, agility-first advice. Together they place Canada firmly inside the international 2031-and-2035 consensus while keeping the language grounded in Canada’s own PROTECTED-information classifications.
The short version:
- The CCCS is Canada’s national cyber authority, part of the Communications Security Establishment (CSE), and its post-quantum guidance is the Canadian counterpart to the U.S. NIST and NSA guidance and to the UK’s NCSC.
- The migration roadmap for the Government of Canada (ITSM.40.001) sets an initial departmental plan by April 2026, annual progress reporting from April 2026, high-priority systems migrated by the end of 2031, and the remainder by the end of 2035.
- The approved algorithms live in ITSP.40.111, which endorses ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) at their full NIST parameter sets.
- Classical public-key schemes stay approved with a phase-out horizon: their standalone use, without a post-quantum pairing, is to end by the end of 2035, and key sizes step up before then.
- Canada’s 2031-and-2035 dates align closely with the U.S., EU, and UK horizons, so a plan built for a Canadian federal system maps cleanly onto the wider international timeline.
Think of the CCCS guidance as a staged renovation permit for the Government of Canada’s cryptography. One document draws the schedule with two inspection dates, the critical structures done by the first and the whole building by the second. A second document is the approved-materials list, naming exactly which post-quantum parts pass. A third is the survey handbook that says to inventory the whole property before touching anything, because you cannot sequence a renovation of systems you have not mapped.
What is the CCCS?
The CCCS is Canada’s single unified source of expert advice, guidance, services, and support on cyber security, operating as part of the Communications Security Establishment. It sets the cryptographic baseline that Government of Canada systems are built and assessed against, and it publishes the guidance that industry and provinces reference.
- Standing. The Cyber Centre is the public-facing authority within CSE, Canada’s signals-intelligence and cyber-defense agency. It issues the ITSP (technical), ITSM (management), and ITSAP (awareness) series that define Canada’s cryptographic and cyber-security expectations.
- What it does. It publishes approved-algorithm standards, migration roadmaps, and preparation guidance; advises federal departments; and supports critical infrastructure and the broader Canadian economy. On cryptography it maintains ITSP.40.111, the approved-algorithms standard that everything downstream references.
- How it compares. The CCCS plays the role that BSI plays for Germany, ANSSI for France, and the NCSC for the UK: a national technical authority that names which cryptographic mechanisms are fit for government use and layers a national migration timeline on top of the NIST algorithm standards.
Source: Canadian Centre for Cyber Security, “Preparing your organization for the quantum threat to cryptography (ITSAP.00.017),” February 2025, cyber.gc.ca.
What is Canada’s post-quantum migration roadmap?
Canada’s post-quantum roadmap for the Government of Canada is document ITSM.40.001, “Roadmap for the migration to post-quantum cryptography for the Government of Canada,” published by the Cyber Centre on June 23, 2025. It sets the dates that a Canadian federal migration program is measured against, and it scopes itself deliberately.
| Milestone | What the roadmap requires |
|---|---|
| April 2026 | Develop an initial departmental PQC migration plan |
| April 2026 onward (annual) | Report on PQC migration progress every year |
| End of 2031 | Complete PQC migration of high-priority systems |
| End of 2035 | Complete PQC migration of the remaining systems |
Source: Canadian Centre for Cyber Security, “Roadmap for the migration to post-quantum cryptography for the Government of Canada (ITSM.40.001),” June 23, 2025, cyber.gc.ca.
Two scope points change how the roadmap is read:
- It covers non-classified systems. The roadmap applies to non-classified IT systems, which in the Government of Canada means those handling UNCLASSIFIED, PROTECTED A, and PROTECTED B information, and it covers infrastructure managed internally and through third parties such as cloud providers. For classified systems, departments are directed to contact the Cyber Centre for tailored advice.
- The early dates carry the weight. The 2035 endpoint is the headline, but the April 2026 planning date and the annual reporting cadence are what actually start the program, because migration cannot be sequenced until each department has inventoried its cryptography and drafted a plan.
Which post-quantum algorithms does Canada approve?
Canada’s approved algorithms are set in ITSP.40.111, “Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information,” and the post-quantum additions are the NIST-standardized suite at their full parameter ranges. The edition in force when this note was verified is version 5, effective May 29, 2026.
| Function | Approved post-quantum algorithm | Parameter sets |
|---|---|---|
| Key establishment | ML-KEM | ML-KEM-512, ML-KEM-768, ML-KEM-1024 |
| Digital signatures | ML-DSA | ML-DSA-44, ML-DSA-65, ML-DSA-87 |
| Digital signatures, hash-based | SLH-DSA | all SHA2 and SHAKE variants at the 128, 192, and 256 levels (s and f) |
Source: Canadian Centre for Cyber Security, “Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111),” version 5, effective May 29, 2026, cyber.gc.ca.
The classical schemes stay approved with a defined runway rather than being cut immediately:
- RSA and finite-field Diffie-Hellman. Approved at a 2048-bit minimum, stepping up to 3072 bits by the end of 2030, with standalone use, meaning without a post-quantum key-establishment scheme alongside, to be phased out by the end of 2035.
- Elliptic-curve schemes. ECDH, ECDSA, and EdDSA remain approved on the standard curves, with curve P-224 phased out by the end of 2030, and standalone use of the elliptic-curve public-key schemes phased out by the end of 2035.
- The pairing model. ITSP.40.111 frames the phase-out as ending the use of classical public-key schemes “without a post-quantum” scheme, so running a classical algorithm alongside a post-quantum one through the transition is contemplated, which is a hybrid posture in substance even where the document does not use the label.
Source: Canadian Centre for Cyber Security, “Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111),” version 5, effective May 29, 2026, cyber.gc.ca, §5 and §6.
What does the CCCS recommend for preparing an organization?
For organizations broadly, the CCCS advice is inventory-first and agility-first, captured in ITSAP.00.017, “Preparing your organization for the quantum threat to cryptography,” published in February 2025. It reads the same way the U.S. and UK preparation guidance does: map the cryptography, then plan the migration.
- Build a cryptographic inventory. The foundational move is identifying which systems depend on cryptography and need to transition, the same discovery work every mandate front-loads, and a CBOM is the natural artifact for it.
- Become cryptographically agile. The guidance advises leveraging that inventory to reach cryptographic agility, the property that makes future algorithm changes straightforward, and it points to information sensitivity and lifespan as the way to prioritize.
- Manage the harvest-now-decrypt-later risk. ITSAP.00.017 names the harvest-now-decrypt-later threat directly: adversaries can store encrypted data now and decrypt it once a sufficiently powerful quantum computer exists, which is why long-retention data moves first.
Source: Canadian Centre for Cyber Security, “Preparing your organization for the quantum threat to cryptography (ITSAP.00.017),” February 2025, cyber.gc.ca.
How does Canada’s timeline align with the U.S. and other mandates?
Canada sits squarely inside the international 2031-and-2035 consensus and takes its algorithms from the same NIST source, so a plan built to Canadian federal expectations lines up with the U.S., UK, and EU horizons rather than diverging from them.
- The NIST algorithm base. The CCCS adopts ML-KEM, ML-DSA, and SLH-DSA wholesale in ITSP.40.111, with no separate Canadian algorithm suite, the same posture the UK NCSC takes.
- The 2035 endpoint. Canada’s end-of-2035 completion date lines up with the U.S. NSM-10 risk-mitigation goal of 2035, the NCSC 2035 completion date, and the EU roadmap’s end-of-2035 target, so the national timelines converge at the finish.
- The 2031 high-priority gate. Canada’s high-priority date of end-of-2031 is close kin to the NCSC’s 2031 priority-migration milestone, so the two national programs run nearly in step on the intermediate as well as the endpoint.
- The instrument. The roadmap is Canadian government guidance backed by a Treasury Board implementation notice rather than a standalone statute, so its force for federal systems is directive-driven, and for the wider economy it functions as the authoritative national reference the way NCSC guidance does in the UK.
Source: Canadian Centre for Cyber Security, “Roadmap for the migration to post-quantum cryptography for the Government of Canada (ITSM.40.001),” June 23, 2025, cyber.gc.ca.
How does the CCCS relate to the other mandates and standards?
The CCCS is Canada’s node in the international standards stack, drawing on the NIST algorithms and converging with the U.S., UK, and EU on timeline.
- NIST FIPS suite. The CCCS approves ML-KEM, ML-DSA, and SLH-DSA in ITSP.40.111, tracking the standards as they are finalized.
- UK NCSC. The closest peer on shape: advisory-but-authoritative national guidance with a 2031 priority milestone and a 2035 endpoint, and a NIST-algorithm base with no separate national suite.
- NSM-10 and NIST IR 8547 (U.S.). The reference timeline for the 2035 horizon and the algorithm-deprecation schedule Canada’s phase-out dates run parallel to.
- BSI and ANSSI. Fellow national authorities; Canada’s pairing model (classical alongside post-quantum through the transition) shares the practical instinct behind their hybrid recommendations.
- Crypto-agility. The design property ITSAP.00.017 elevates, the through-line connecting Canada’s guidance to the CRA and NCSC positions.
Common misconceptions
- “Canada’s deadline is 2035, so there is a decade.” The dates that start the program are earlier: an initial departmental plan by April 2026, annual reporting from April 2026, and high-priority systems migrated by the end of 2031. Long-retention data is on a faster clock still because of harvest-now-decrypt-later.
- “Canada has its own post-quantum algorithms.” It adopts the NIST suite. ITSP.40.111 approves ML-KEM, ML-DSA, and SLH-DSA at their full parameter sets rather than defining a Canadian set.
- “The roadmap covers all government systems.” ITSM.40.001 scopes itself to non-classified systems (UNCLASSIFIED, PROTECTED A, PROTECTED B). Classified systems are handled through direct Cyber Centre advice.
- “Classical RSA and ECC are banned now.” They stay approved with a runway: key sizes step up by the end of 2030, and standalone use without a post-quantum pairing is to end by the end of 2035.
- “Canada says nothing about hybrid.” ITSP.40.111 frames the classical phase-out as ending use without a post-quantum scheme, which contemplates running classical and post-quantum together through the transition, a hybrid posture in substance.
Questions people ask
What is the CCCS? It is the Canadian Centre for Cyber Security, Canada’s national cyber-security authority, part of the Communications Security Establishment, and it publishes the ITSP, ITSM, and ITSAP guidance that defines Canada’s cryptographic expectations, including the post-quantum roadmap and approved-algorithms standard.
What is Canada’s post-quantum deadline? For the Government of Canada, high-priority systems by the end of 2031 and the remaining systems by the end of 2035, per roadmap ITSM.40.001, with an initial departmental plan due April 2026 and annual progress reporting from then.
Which post-quantum algorithms does Canada approve? ML-KEM (FIPS 203) for key establishment and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for signatures, at their full NIST parameter sets, as set in ITSP.40.111. There is no separate Canadian algorithm suite.
Does the roadmap apply to classified systems? No. ITSM.40.001 covers non-classified systems handling UNCLASSIFIED, PROTECTED A, and PROTECTED B information. For classified systems, departments contact the Cyber Centre for tailored advice.
Does Canada recommend hybrid cryptography? In substance, yes. ITSP.40.111 phases out classical public-key schemes used “without a post-quantum” scheme, which contemplates running classical and post-quantum together through the transition, even though the guidance does not lean on the hybrid label the way ANSSI and BSI do.
How does Canada compare to the U.S. and UK? Closely. Canada takes its algorithms from the NIST suite, its 2035 endpoint aligns with the U.S. NSM-10 goal and the UK NCSC completion date, and its 2031 high-priority gate is close kin to the NCSC’s 2031 priority milestone.
What should an organization do first? Build a cryptographic inventory, per ITSAP.00.017. Prioritizing and planning both depend on seeing your own cryptography clearly, and a CBOM is the artifact that captures it. Long-retention and harvest-now-decrypt-later-exposed data moves first.
Everything here is the map, given freely. When your team needs the CCCS roadmap and ITSP.40.111 algorithm picks translated into a migration plan sequenced against your own Canadian and cross-border systems and their deadlines, that’s what an alignment briefing is for.
Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.