Canada Protected B

Canada Protected B overview

The Government of Canada (GC) Protected B security level for sensitive government information and assets applies to information or assets that, if compromised, could cause serious injury to an individual, organization, or government. Based on the Information Technology Security Guidance (ITSG) 33 on IT security risk management published by the Canadian Centre for Cybersecurity (CCCS), GC developed the Guidance on the Security Categorization of Cloud-Based Services (ITSP.50.103) and the Government of Canada Security Control Profile for Cloud-based GC Services (GC Security Control Profile), which identifies the baseline security controls applicable to the processing of information having a security category of Protected B, medium integrity, and medium availability (PBMM).

The GC Security Control Profile was developed using the ITSG-33 and the US Federal Risk and Authorization Management Program (FedRAMP), both of which have a foundation in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security and privacy controls. GC has aligned the GC Security Control Profile with FedRAMP to maximize both the interoperability of cloud services and reusability of the authorization evidence produced by cloud service providers (CSPs).

The Treasury Board of Canada Secretariat (TBS) is responsible for GC enterprise governance, strategy, and policy for cloud services, including oversight and risk assessment of cloud service requests from GC departments. Similar to the US, Canada has adopted a cloud-first strategy in which cloud is the preferred option for delivering IT services and public cloud is the preferred option for cloud deployment. In November 2017, TBS issued the Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN), which allows for Protected B data to be hosted in the public cloud. In the SPIN, TBS clarified the role of existing third-party assurances that CSPs may already have in place. Specifically, GC departments can use independent third-party audits such as ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, FedRAMP, PCI DSS, CSA STAR, and SOC to establish third-party assurances when physical inspection and audit by departments is not feasible or practical.

Per TBS guidance, CSPs are expected to clearly document the security controls and features implemented within their cloud services to help GC understand the security controls within its scope of responsibility. To support this process, GC has developed a program to assess CSP security control implementation evidence centrally in collaboration with appropriate lead security agencies. For more information, see the CCCS Cloud Service Provider Information Technology Security Assessment Process (ITSM.50.100). The resulting technical risk assessments are intended to show whether CSP’s security processes and controls meet the GC public cloud security requirements for information and services up to PBMM. Departmental Guidance on Cloud Security Assessment and Authorization (ITSP.50.105) is also available from CCCS.

Under the cloud computing paradigm, the GC will depend on vendors for many aspects of security and privacy, and in doing so, will confer a level of trust onto the cloud service provider (CSP). To establish this trust, the GC requires an information system security risk management approach and procedures that are adapted to cloud computing. The GC Cloud Security Risk Management Approach and Procedures describes the authorities, approach, and procedures for managing security risks to GC services when they are hosted on cloud services provided by commercial service providers. When implementing a cloud-based GC service, the responsible GC consumer organization and the supporting CSP each have specific responsibilities according to the shared responsibility model in cloud computing.

The Security Playbook for Information System Solutions outlines a set of security tasks for consideration by federal departments and agencies when designing and implementing solutions for GC information systems in cloud environments.

Data residency policy for the storage of Protected B data is clarified in Section 4.4 of the Guideline on Service and Digital. Canadian data residency should be identified and evaluated as the principal delivery option for storage of Protected B data in the cloud. The departmental CIO has the option and is responsible for approving decisions to store data outside of Canada based on the business criteria identified in Section 4.4.3 Considerations in implementing the requirement.

Azure and Canada Protected B

Microsoft was one of the first global cloud service providers to be qualified for Government of Canada secure cloud services when it entered into a framework agreement with the federal government in 2019. At the time, Azure Core Services (as defined in the then-applicable Online Services Terms) were assessed by CCCS for their compliance with the GC Security Control Profile. This accomplishment enables the Government of Canada (GC) departments to securely store, manage, and process sensitive data and applications on Microsoft Azure.

The framework agreement supports the Canadian Government’s ambitions to streamline government processes and is a key step on the road towards a true digital Government. Using Microsoft Azure for PBMM services unleashes new opportunities for public sector innovation, transformation, and service agility as public servants gain access to a range of sophisticated Azure services. In addition, government agencies benefit from Microsoft’s thriving ecosystem of partners and developers who build innovative and secure solutions on Azure.

To support public and private sector organizations that are concerned about data residency, Microsoft has established two Canadian data center regions: Canada Central in Toronto and Canada East in Québec City. These data centers add in-country data residency, failover, and disaster recovery for applications and customer data in Azure Core Services. Moreover, Microsoft has launched Azure Availability Zones in the Canada Central region to help customers create resilient and highly available applications for mission-critical workloads. To improve connectivity to Azure and place cloud infrastructure close to customers when supporting latency-sensitive workloads, Microsoft also launched an Azure Edge Zone in Vancouver. This edge zone is an extension of Azure cloud services that will help Western Canadian healthcare and public sector customers address data residency requirements.

Microsoft provides the following tools and features to assist you with your compliance requirements:

  • Azure Policy regulatory compliance built-in initiative for Canada PBMM maps to Canada PBMM compliance domains and controls. Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each Canada PBMM control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.
  • Microsoft Canada has launched the Azure landing zone for Canadian public sector. The intent of this reference implementation is to help Canadian public sector and government organizations meet their ITSG-33 compliance requirements by using the NIST SP 800-53 and Canada PBMM regulatory policy sets. For more information on how to build a Protected B capable Azure landing zone, see Azure landing zones for Canadian public sector.
  • Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you manage your organization’s compliance requirements. It calculates a risk-based score measuring your progress toward completing recommended actions that help reduce risks around data protection based on key regulations and standards for data protection and general data governance. It also provides workflow capabilities and built-in control mapping to help you efficiently carry out improvement actions. Microsoft Purview Compliance Manager provides a set of templates for creating assessments, including a template for Canada Protected B.

Extra compliance resources are available from the Service Trust Portal (STP) Resources for Canada section.


  • Azure

Services in scope

Attestation documents

For instructions on how to access attestation documents, see Audit documentation.

  • CCCS performs ongoing technical security risk assessments of Azure, each with a defined scope of assessed Azure services. The resulting reports are available internally within GC based on individual requests from GC departments.
  • Azure foundational privacy impact assessment (PIA), is available from the Service Trust Portal (STP) Privacy and Data Protection section. The Azure PIA provides a third-party analysis of how Azure complies with the Canadian Privacy Act, PIPEDA, FIPPA (Ontario), PHIPA (Ontario), CSA Code (Private Sector), Québec Private Sector Law, and ISO/IEC 27018.