Canadian Centre for Cyber Security (CCCS) Medium Assessment
Overview
The Canadian Centre for Cyber Security (CCCS) is Canada’s authoritative source of cyber security expert guidance for Canadian government, industry, and the general public. Public and commercial sector organizations across Canada rely on the CCCS Cloud Service Provider (CSP) Information Technology Security (ITS) Assessment Process in their decision to use Amazon Web Services (AWS).
CCCS’s medium assessment process determines if the Government of Canada (GC) ITS requirements for the CCCS Medium Cloud Security Profile (previously referred to as GC’s PROTECTED B/Medium Integrity/Medium Availability [PBMM] profile) are met as described in ITSG-33 (IT Security Risk Management: A Lifecycle Approach, Annex 3 – Security Control Catalogue). As of November 2023, 150 services and features in the Canada (Central) and Canada West (Calgary) Regions have been assessed by the CCCS and meet the requirements for the medium cloud security profile. Meeting the medium cloud security profile is required to host workloads that are classified up to and including the medium categorization. In addition, CCCS’s ITS assessment process is a mandatory requirement for AWS to provide cloud services to Canadian federal government departments and agencies.
On a periodic basis, CCCS assesses new or previously unassessed services and re-assesses the AWS services that were previously assessed to verify that they continue to meet the GC requirements. CCCS prioritizes the medium assessment of new AWS services based on their availability in Canada, and customer demand for the AWS services.
CCCS’s Cloud Service Provider (CSP) IT Security (ITS) assessment for AWS is relied on by public and commercial sector organizations across Canada in their decision to use the CSP services. The assessment process determines if the ITS requirements for the CCCS Medium Profile (previously referred to as the “PBMM” profile) are met as described in ITSG-33. Meeting the medium cloud security profile is required to host workloads that are classified up to and including the medium categorization.
What types of assessments are offered by the CCCS?
The CCCS currently offers two levels of formal cloud assessments: CCCS Low Profile (previously known as Protected A, Low, Low) and CCCS Medium (previously known as Protected B, Medium, Medium). AWS is currently assessed to process, transfer and store data up to the medium categorization of information and services.
What criteria and requirements are used for the CCCS Medium Assessment?
The security control profile published by the Canadian Centre for Cyber Security (CCCS) for the medium categorization of information and services in public cloud is used as the baseline Information Technology Security requirements for this medium assessment.
Which regions are covered in the CCCS Medium Assessment scope?
For a service to be assessed by the CCCS, it must be in the Canadian regions [Canada (Central) and/or Canada West (Calgary)]. However, the CCCS medium assessment applies to AWS services and/or features, regardless of the region. Customers must individually assess if utilization of an AWS service outside the Canadian Region meets their compliance requirements.
What services are covered by the CCCS Medium Assessment?
As of November 2023, 150 AWS services in the Canadian regions [Canada (Central) and/or Canada West (Calgary)] have been assessed by the CCCS and meet the requirements for the medium cloud security profile. The AWS services that are in scope of the CCCS Medium Assessment are listed on the Services in Scope for CCCS Assessment page.
Are services/features available in Canada West (Calgary) region considered to meet the CCCS Medium bar?
All services previously assessed in the Canada (Central) region, and which are also available in the Canada West (Calgary) region, are considered assessed in both regions. These services are eligible for use up to the CCCS Medium (previously PBMM) level.
Can I get a copy of the CCCS Medium Assessment Summary for AWS?
We sell solutions to Canadian public sector customers that are built on AWS. How can you help us with our CCCS Medium Assessment?
The Global Security & Compliance Acceleration (ATO on AWS) team provides informal advisory services at no cost for compliance frameworks across healthcare, privacy, national security, financial sectors, and more. Our Global Security & Compliance Acceleration (ATO on AWS) Partners help you navigate, automate, and accelerate building compliant workloads on AWS and reduce time and cost. Please fill out our registration form and our team will help you connect with the right Partner for your specific consulting, deployment, and integration needs.
If you are not already registered as an AWS Partner, we offer a broad set of Partner programs to help you innovate, expand, and differentiate your offerings.
I am a Canadian customer whose project(s) needs to obtain an Authority to Operate (ATO) for my AWS hosted workload(s). Can AWS provide any assistance with the Authorization?
For more information on obtaining an Authority to Operate (ATO) with the CCCS Medium Cloud Security Profile, visit our Canada Public Sector page or contact your AWS account team who can outline the range of options from AWS and AWS Partners to support your needs.