Share via


Canadian Centre for Cybersecurity (CCCS) Medium

CCCS Medium overview

The Government of Canada (GC) Protected B security level for sensitive government information and assets applies to information or assets that, if compromised, could cause serious injury to an individual, organization, or government. Based on the Information Technology Security Guidance (ITSG) 33 on IT security risk management published by the Canadian Centre for Cybersecurity (CCCS), GC developed the Guidance on the Security Categorization of Cloud-Based Services (ITSP.50.103) and the Government of Canada Security Control Profile for Cloud-based GC Services (GC Security Control Profile), which identifies the baseline security controls applicable to the processing of information having a security category of Protected B, medium integrity, and medium availability (PBMM). The original PBMM security control profile evolved into what is now the CCCS Medium Cloud Profile Recommendations.

The GC Security Control Profile was developed using the ITSG-33 and the US Federal Risk and Authorization Management Program (FedRAMP), both of which have a foundation in the National Institute of Standards and Technology (NIST)  Special Publication (SP) 800-53  security and privacy controls. GC has aligned the GC Security Control Profile with FedRAMP to maximize both the interoperability of cloud services and reusability of the authorization evidence produced by cloud service providers (CSPs).

The Treasury Board of Canada Secretariat (TBS) is responsible for GC enterprise governance, strategy, and policy for cloud services, including maintaining oversight and monitoring departmental compliance with the GC Cloud Guardrails as mandated under the Directive on Service and Digital. GC has evolved its Cloud Adoption Strategy, now advocating a cloud-smart principle in which cloud is the preferred option for new applications and will rationalize existing application portfolios to align to the most appropriate hosting model.

The Canadian Centre for Cybersecurity (CCCS) has established a Cloud Service Provider Security Assessment Process that reviews a CSP’s ability implement the CCCS Medium security controls (Note: the CCCS Medium control profile superseded the original Government of Canada Security Control Profile for Cloud-based GC Services). The resulting technical risk assessment report contains the results from the review process. Departmental Guidance on Cloud Security Assessment and Authorization (ITSP.50.105) is also available from CCCS.

Microsoft in-scope cloud platforms & services

The Canadian Centre for Cyber Security conducts assessments where the security controls and processes of cloud service providers are evaluated against the Government of Canada security requirements for information and services up to Protected B, medium integrity, medium availability (PBMM) according to the CCCS Medium security control profile. To date CCCS has formally assessed the following Microsoft online services:

  • Azure
  • Dynamics 365
  • Power Platform
  • Microsoft 365

Azure, Dynamics 365, Power Platform, and CCCS Medium

Microsoft was one of the first global cloud service providers to be qualified for Government of Canada secure cloud services when it entered into a framework agreement with the federal government in 2019. The framework agreement supports the Canadian Government’s ambitions to streamline government processes and is a key step on the road towards a true digital Government. Microsoft’s Azure CCCS Medium assessed services unleash new opportunities for public sector innovation, transformation, and service agility as public servants gain access to a range of sophisticated capabilities that support storage and processing of Protected B data. In addition, government agencies benefit from Microsoft’s thriving ecosystem of partners and developers who build innovative and secure solutions on Azure.

Microsoft has established two Canadian Azure cloud regions: Canada Central in Toronto and Canada East in Québec City each consisting of multiple hyperscale cloud datacenter sites. These regions add Canadian in-country data residency for storage of Customer Data at rest, failover, and disaster recovery  for applications and Customer Data for many Core Online Services. Additional datacenter infrastructure investments in the Canada Central Region have also enabled an Azure Availability Zone within the Canada Central region to help customers create even more resilient and highly available applications for mission-critical workloads.

For a complete listing of in-scope CCCS assessed cloud services across Azure, Dynamics 365 and Power Platform, please see the summary assessment reports in the Canada regional section of the Service Trust Portal.

Office 365 and CCCS Medium

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscriptions:

Applicability In-scope services
Commercial Advanced eDiscovery, Customer Lockbox, Defender Endpoint, Defender for Cloud Apps, Defender for M365, Defender of Identity, Exchange Online (EXO), Loki, Microsoft Information Protection, Microsoft Intune, Microsoft Planner, Microsoft Stream, Microsoft Teams, Office Forms, Office for the Web (Word, Excel, OneNote, PowerPoint), Office PODS (PowerPoint Online Document Service), Office Project, Office Services Infrastructure, Office Sway, OneNote Service, Phone System & Calling, Search Content Service, Sharepoint Online, SharePoint Syntex, Suite User Experience, ToDo, Viva Insights, Viva Learning, Viva Topics, Windows 365

Assessment reports

The summary CCCS assessment reports for Microsoft services are available to customers in the Canada regional section of the Service Trust Portal. The detailed security assessment reports for Microsoft services are available to Canadian government customers by contacting the CCCS at contact@cyber.gc.ca.

Frequently asked questions

Which Microsoft cloud services are available to the Government of Canada through the Shared Services Canada cloud contract?

One of the first global cloud providers to be awarded a Cloud Framework Agreement by the Government of Canada, Microsoft offers a range of commercial cloud services – including Azure, Dynamics 365, Power Platform, and Microsoft 365. The Shared Services Canada cloud broker catalog provides details on the Microsoft cloud services that are currently available to GC departments.

What level of US FedRAMP compliance do Microsoft’s cloud services conform to and how does this apply to Canadian cloud regions?

Microsoft Azure commercial (including Dynamics 365) maintain a FedRAMP High Provisional Authority to Operate (P-ATOs). Microsoft 365 commercial maintains a FedRAMP High equivalency. Azure regions outside the United States aren't formally authorized by the FedRAMP Joint Authorization Board (JAB) and aren't in the FedRAMP High P-ATO scope. However, Azure security controls and operational processes are consistent everywhere Azure runs. FedRAMP is based on the NIST SP 800-53 control baselines. All NIST SP 800-53 controls that support the Azure FedRAMP High P-ATO in the United States are also operational in other Azure regions outside the United States. Therefore, Azure customers outside the United States can count on the same control implementation details that pertain to the NIST SP 800-53 High control baseline. See Federal Risk and Authorization Management Program (FedRAMP) for more details. FedRAMP audit evidence is available in the Service Trust Portal.

Are there geographic restrictions on where Protected B data must be stored?

The Government of Canada has developed a flexible data residency (storage of data at rest) policy for the storage of Protected B data as per Section 4.4.3.14 of the Directive on Service and Digital. This is further clarified in Section 4.4 of the Guideline on Service and Digital. Canadian data residency needs to be identified and evaluated as a principal delivery option for storage of Protected B data in the cloud, however the departmental CIO (or in some cases the CIO of Canada), has the flexibility and is responsible for approving decisions to store data outside of Canada based on the following business criteria identified in Section 4.4.3 Considerations in implementing the requirement:

  • Reputation
  • Legal and contractual considerations
  • Trade agreements
  • Market availability
  • Business value
  • Technical capabilities

Microsoft security controls and processes are implemented consistently in all cloud regions globally. While controls within the CCCS Medium profile may reference the GC data residency policy, evaluation of location of data at rest doesn't factor into the risk rating of a CCCS cloud assessment report.

Section 4.4.2 (Why is this important?) also clarifies that encrypted data in transit is not restricted by the data residency requirement.

The following resources provide information about data residency for many common products and services:

What are Nonregional cloud services?

Azure nonregional services are services that have no dependency on a specific Azure region and don't currently provide customers with the ability to specify a deployment region. These services were architected and optimized to be always available as part of Azure's global cloud. An example of a nonregional service is Azure Active Directory. You can find a complete list at Azure Products by Region.

Where does data processing in the cloud take place?

Many Azure services enable you to specify the region where your Customer Data will be stored and processed. For more information, see Data Residency in Azure. SaaS online services such as Microsoft 365 typically process data closest to where the data is stored however processing of Customer Data might occur in cloud regions outside of Canada. The delivery of support services might also involve processing of data outside Canada.

Resources

Microsoft has developed several resources to assist customers when deploying cloud services suitable for running Protected B workloads including:

  • Azure Landing Zone for Canada Public Sector: a purpose-built reference implementation to guide government departments in their efforts to comply with CCCS Medium requirements that are the customer’s responsibility.
  • Canada Federal PBMM Azure Blueprint: a set of repeatable Azure resources and patterns that allow organizations to build new cloud environments with compliance to specific CCCS Medium controls and GC Cloud Guardrails.
  • Foundational Privacy Impact Assessments (PIAs): The Foundational PIAs are intended to better inform privacy leaders, practitioners, and risk managers, who might consider using this analysis as the core for their own PIA work during the adoption of Microsoft’s cloud-based service offerings.
  • Microsoft Purview Compliance Manager Protected B assessment template: Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager provides a built-in mechanism to continuously assess and track the implementation of many of the CCCS Medium customer controls within the Microsoft 365 environment. Find the Protected B template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.