Government of Canada on AWS

Government of Canada awards Protected B (PBMM) contract to AWS

With over 6,500 government entities using AWS, we understand the requirements the Canadian government has in order to balance economy and agility with security, compliance, and reliability. In every instance, we have been among the first to solve government compliance challenges regarding the use of cloud computing. We have consistently helped our customers navigate procurement and policy issues related to the adoption of cloud computing. AWS provides commercial cloud capability for unclassified, and up to Protected B data, making it possible to execute missions with a common set of tools, a constant flow of the latest technology, and the flexibility to rapidly scale with the mission.

Alex Benay at 2019 AWS Public Sector Summit Ottawa

Protected B (PBMM) Workloads

Shared Services Canada (SSC) acting as the Cloud Broker for the Government of Canada, has established a contract with AWS for the provision of Commercially Available Public Cloud Services up to Protected B/Medium Integrity/Medium Availability (PBMM).

The “GC Cloud Framework” will be used by SSC to provide access to cloud services to its clients, including SSC itself, and the large number of government departments it serves.

  • Protected B on AWS FAQ

    What is the scope of the contract?

    Through Shared Services Canada (SSC) acting as the Cloud Broker for the Government of Canada, departments and agencies can access IaaS/PaaS services identified in the assessment in a direct, on-demand, pay-as-you-go basis and scale as workload requirements demand.

    What did AWS have to do to complete the security assessment to host Protected B data?

    To validate that we maintain a ubiquitous control environment that is operating effectively in our services and facilities across the globe, we seek third-party independent assessments, and demonstrate our compliance posture to help customers verify compliance with industry and government requirements, such as ISO 27001, ISO 27017 (cloud security), ISO 27018 (privacy), SOC 1, SOC 2 and SOC 3, and many others.

    The Canadian Centre for Cyber Security (CCCS) assessed AWS’s ability to address the requirements of the Government of Canada’s-selected technical security controls and enhancements, as outlined in ITSG-33 IT Security Risk Management: A Lifecycle Approach, Annex 3 – Security Control Catalogue.

    What did AWS need to add or change to meet the CCCS’s technical security control review requirements?

    AWS collaborated with CCCS to complete the Cloud Service Provider (CSP) Information Technology Security (ITS) Assessment Process, to ensure our AWS Canada (Central) Region was compliant with the requirements of the Government of Canada’s-selected security controls and enhancements, which has a similar approach to the United States Federal Risk and Authorization Management Program (FedRAMP). FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

    What does this mean for provincial and municipal governments?

    The PBMM security assessment gives customers of all sizes and across all industries, including local and provincial governments, confidence that AWS has passed a significant technical security control review, and is able to host sensitive government data.

    Can other public sector organizations use the Canadian Centre for Cyber Security requirements and assessment so they do not have to duplicate this work?

    We are committed to enabling global customers, including Canadian public sector customers, to adopt cloud computing with confidence, while maintaining compliance with applicable legislation and regulations. Customers can accelerate the adoption of secure cloud solutions, avoid unnecessary time and effort, and redirect staff to perform higher value tasks, by leveraging existing assessments, and using common standards for cloud security, such as SOC 2, ISO 27017, and ISO 27018 as the evidence they require to evaluate cloud security.

Unclassified Cloud Service Contract

In 2018, SSC established a supply arrangement (Unclassified Cloud Service Contract) for unclassified workloads. SSC has made commercial cloud computing services accessible and available to the Government of Canada. This streamlined procurement process supports the Government of Canada’s Cloud Adoption Strategy.

Shared Services Canada has awarded contracts to the following AWS Partners:

  • Unclassified Cloud Service Contract FAQ

    What is the SSC Unclassified Cloud Service Contract?

    The SSC Unclassified Cloud Service Contract is a multi-vendor procurement vehicle that allows Canadian federal organizations to procure cloud services for unclassified data workloads.

    What AWS services can I buy through the Contract?

    Through our Authorized Government Resellers, AWS cloud services are available to SSC and its partners. AWS offers a broad set of global compute, storage, database, analytics, application, and related cloud services. Learn more.

    These services are based in the AWS Canada (Central) Region, as well as in countries within the North Atlantic Treaty Organization (NATO), the European Union (EU), or from countries with which Canada has an international bilateral industrial security instrument.


How to buy cloud in government

Buying cloud computing services takes different skills and strategies than buying traditional IT. Are you ready to move to the cloud but looking for practical guidance? Our experts at AWS have helped many government IT leaders select the right acquisition approach for their agency.

Additional Legislation

Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the collection, use, and disclosure of personal information in the course of commercial activities in all Canadian provinces as supplemented by substantially similar provincial privacy laws in Alberta, British Columbia and Québec.

Learn more »


The CLOUD Act provides a limited mechanism for United States law enforcement to request data stored in the United States and overseas.

Learn more » 



Comprehensive security capabilities to satisfy the most demanding information security requirements.

Learn more »

Private, Isolated Resources

Choose the right level of isolation for your apps and integrate with existing resources.

Learn more » 


Rich controls, auditing, and broad security accreditations to enable compliance with FedRAMP, CJIS, HIPAA, FERPA, and more.

Learn more »


Build hybrid IT architectures that extend your on-premises infrastructure to the cloud with VMWare.

Learn more »