Canadian Centre for Cyber Security (CCCS) Assessment
The Canadian Centre for Cyber Security (CCCS) is Canada’s authoritative source of cyber security expert guidance for Canadian government, industry, and the general public. Public and commercial sector organizations across Canada rely on the CCCS Cloud Service Provider (CSP) Information Technology Security (ITS) Assessment Process in their decision to use Amazon Web Services (AWS).
CCCS’s assessment process determines if the Government of Canada (GC) ITS requirements for the CCCS Medium Cloud Security Profile (previously referred to as GC’s PROTECTED B/Medium Integrity/Medium Availability [PBMM] profile) are met as described in ITSG-33 (IT Security Risk Management: A Lifecycle Approach, Annex 3 – Security Control Catalogue). As of November 2023, 150 services and features in the Canada (Central) Region have been assessed by the CCCS, and meet the requirements for medium cloud security profile. Meeting the medium cloud security profile is required to host workloads that are classified up to and including medium categorization. In addition, CCCS’s ITS assessment process is a mandatory requirement for AWS to provide cloud services to Canadian federal government departments and agencies.
On a periodic basis, CCCS assesses new or previously unassessed services and re-assesses the AWS services that were previously assessed to verify that they continue to meet the GC requirements. CCCS prioritizes the assessment of new AWS services based on their availability in Canada, and customer demand for the AWS services.
What does this mean to me as a customer?
CCCS’s Cloud Service Provider (CSP) IT Security (ITS) assessment for AWS is relied on by public and commercial sector organizations across Canada in their decision to use the CSP services. The assessment process determines if the ITS requirements for CCCS Medium Profile (previously referred as “PBMM” profile) are met as described in ITSG-33. Meeting the medium cloud security profile is required to host workloads that are classified up to and including the medium categorization.
What type of assessments are offered by the CCCS?
The CCCS currently offers two levels of formal cloud assessments, either CCCS Low Profile (previously known as Protected A, Low, Low) or CCCS Medium (previously known as Protected B, Medium, Medium). AWS is currently assessed to process, transfer and store data up to the medium categorization of information and services.
What criteria and requirements are used for the CCCS Assessment?
The security control profile published by the Canadian Centre for Cyber Security (CCCS) for the medium categorization of information and services in public cloud is used as the baseline Information Technology Security requirements for this assessment.
Which regions are covered in the CCCS Assessment scope?
For a service to be assessed by the CCCS, it must be in the AWS Canada (Central) Region. However, the CCCS assessment applies to AWS services and/or features, regardless of the region. Customers must individually assess if utilization of an AWS service outside the Canadian Region meets their compliance requirements.
What services are covered by the CCCS Assessment?
As of November 2023, 150 AWS services in the Canada (Central) Region have been assessed by the CCCS, and meet the requirements for the medium cloud security profile. The AWS services that are in scope of the CCCS Assessment can be found within Services in Scope for CCCS Assessment page.
Can I get a copy of the CCCS Assessment Summary for AWS?