Build a Security Compliance Program Aligned to NPSNet Policy With ITSG-33

Agencies must comply with the NPSNet Secured Communication Policy but lack clear, actionable guidance to operationalize its expectations across diverse environments.
Fragmented systems, limited internal capacity, and unclear accountability hinder coordination across departments, vendors, and jurisdictions.
Teams face mounting pressure to modernize infrastructure and meet NCACR requirements without compromising security, timelines, or compliance integrity.

Our Advice

Critical Insight

Agencies that use ITSG-33 as a structured compliance foundation gain clarity, consistency, and auditability across their environments. With a strong NPSNet Policy compliance posture in place, they are better positioned to prepare and submit NCACR requests efficiently and confidently.
A standardized control framework is essential for eliminating interpretation gaps. It allows agencies to validate security controls and apply them across multiple NPSNet Policy obligations, simplifying compliance and reducing duplication.
Compliance risk under NPSNet Policy stems from delayed implementation, poor governance, and weak documentation. Security risk rises when policies are misapplied, and NCACR submissions are unclear or incomplete. Our approach helps agencies mitigate both by embedding secure, compliant practices across the environment.

Impact and Result

Agencies strengthen audit readiness for compliance management and streamline NCACR approval timelines through structured assessments, prioritized gap closure, and continuous compliance tracking.
Cross-functional collaboration improves through clearly defined roles, shared guidance, and centralized tools that promote accountability and transparency across departments and partners.
The compliance program empowers IT, operations, and leadership teams to proactively manage NCACR requirements, reduce delays, and sustain long-term alignment with NPSNet Policy compliance expectations.

Build a Security Compliance Program Aligned to NPSNet Policy With ITSG-33 Research & Tools

1. Build a Security Compliance Program Aligned to NPSNet Policy With ITSG-33 Deck – Empowers public sector agencies to align with NPSNet policy, streamline NCACR submissions, and operationalize security using ITSG-33

This storyboard helps public sector agencies bridge the gap between NPSNet policy expectations and operational implementation. By using ITSG-33 as a reference, the storyboard offers a compliance foundation, templates, and tools to help agencies demonstrate NCACR readiness while improving security program maturity.

2. Security Compliance Management and NCACR Readiness Tool – Helps agencies structure, track, and manage a security compliance program aligned to NPSNet Policy and prepare for NCACR readiness using ITSG-33.

This tool maps to Annex 3A of the Information Technology Security Guidance (ITSG-33) and serves as an example of how agencies can structure and document a compliance program while preparing for NCACR Readiness for the NPSNet Secured Communication Policy (which is not publicly available). It is intended to support alignment with NCACR readiness requirements and offers a structured approach for agencies to plan, assess, and document compliance against NPSNet compliance expectations. The tool provides a consistent, structured approach to meeting compliance and NCACR requirements while improving transparency, ownership, and preparedness across complex environments.

3. Security Compliance Process Template – A template that you can use to establish and document your security compliance management program.

Use this template to define:

Roles and responsibilities.
Compliance conformance levels.
Audit test scripts and evidence repositories.
Self-attestation forms.

Bridge the gap between policy and practice while accelerating NCACR readiness.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 4-phase advisory process. You'll receive 7 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Establish program

Call 1: Scope requirements, objectives, and your specific challenges.

Guided Implementation 2: Identify obligations

Call 1: Establish framework and roles.
Call 2: Identify operational environments.

Guided Implementation 3: Implement compliance strategy

Call 1: Identify compliance obligations and conformance levels.
Call 2: Map obligations into control framework.

Guided Implementation 4: Finalize NCACR readiness

Call 1: Review policies and compliance strategy.
Call 2: Conduct a gap analysis for NCACR readiness.

Author

Vidhi Trivedi

Contributors

Doug Ross, Chief Superintendent, Canadian Police Information Centre
Marco Novielli, Systems and Information Security Supervisor, Peel Regional Police
Aaron Sheard, Section Manager, Information Technology, Medicine Hat Police Services
Jennifer Mulligan, Acting Manager, NPSNet Connection Authorization Change/Request, Royal Canadian Mounted Police (RCMP)
Kimberly Huntley, Technical Advisor, Royal Canadian Mounted Police (RCMP)
Kirolos Mattar, Technical Advisor, Royal Canadian Mounted Police (RCMP)
Cole Cioran, Managing Partner, Global Services, Info-Tech Research Group
Hendra Hendrawan, Technical Counselor, Info-Tech Research Group
Nitin Varshney, Technical Counselor, Info-Tech Research Group

Search Code: 108442
Last Revised: October 7, 2025

TAGS:

ITSG-33 compliance, NCACR readiness, NPSNet policy, NPSNet Secured Communications Policy, CJIS Canada, RCMP, CPIC, public sector security, compliance tracking, gap analysis tool, security program, control framework, law enforcement IT, RCMP compliance, hybrid cloud security, Canadian police network