Changes to the Policy on Service and Digital policy instrument – GC Cloud Guardrails
From: Chief Information Officer of the Government of Canada
To: Deputy Heads, Departmental Chief Information Officers, Designated Officials for Cyber Security, Chief Data Officers, Chief Security Officers
Subject: Changes to the Policy on Service and Digital policy instrument
Message:
Colleagues,
I would like to take this opportunity to thank you for your continued collaboration in establishing enterprise-wide, integrated approaches to the governance, planning and management of cyber security in the Government of Canada (GC).
To support your role in ensuring that “cyber security requirements and appropriate risk-based measures are applied continuously in an identify, protect, detect, respond, and recover approach to protect information systems and services,” the Office of the Chief Information Officer (OCIO) regularly updates its policy suite under the Policy on Service and Digital.
In 2019, the GC adopted a strategy to leverage cloud services and developed a mandatory operationalization framework – the Government of Canada Cloud Guardrails (GC Cloud Guardrails) were put in place to serve as a minimum set of security controls. In May 2022, the GC Cloud Guardrails were published under the Directive on Service and Digital – Appendix G: Standard on Enterprise Information Technology Service Common Configurations and became a mandatory standard.
In November 2022, the Office of the Auditor General’s (OAG) audit report recommended the GC clarify the process and roles/responsibilities for validating and monitoring GC Cloud Guardrails and extend these to Public Services and Procurement Canada-procured solutions. To support this important endeavour, I am pleased to announce that the updates to the GC Cloud Guardrails have been published under Appendix G: Standard on Enterprise Information Technology Service Common Configurations of the Directive on Service and Digital.
GC Cloud Guardrails updates are expected to be implemented for all cloud services without delay and within the first 30 business days of a department getting access to their cloud account. If a transition period to implement the updates is needed, I urge your officials to contact the TBS Cyber Security Division to set a path forward.
I encourage you to share these updates with other designated officials and colleagues across your organization. My team will continue working with departments and agencies to support the implementation of the Policy on Service and Digital. Compliance will be tracked in the next cyclical update of the Departmental Plan on Service and Digital.
Should you have any questions, please contact: ServiceDigital-ServicesNumerique@tbs-sct.gc.ca.
Stephen D. Burt (he/him, il)
A/Chief Information Officer of Canada
Treasury Board of Canada Secretariat / Government of Canada