Question Period Note: AG Report on Cybersecurity of Personal Information in the Cloud

About

Reference number:
PSPC-2022-QP-00066
Date received:
Nov 10, 2022
Organization:
Public Services and Procurement Canada
Name of Minister:
Jaczek, Helena (Hon.)
Title of Minister:
Minister of Public Services and Procurement

Issue/Question:

The Office of the Auditor General of Canada will be releasing to the Parliament of Canada an Independent Auditor’s Report on November 15, 2022. Shared Services Canada (SSC) is involved in addressing the Chapter on Cybersecurity of Personal Information in the Cloud. The President of the Treasury Board will be leading the Government’s response to the overall report in the House of Commons.

Suggested Response:

  • We welcome the results of the audit and the recommendations made by the Office of the Auditor General. This audit will help the government strengthen its operating framework for cloud services.
  • SSC, Public Services and Procurement Canada, and the Treasury Board Secretariat are proactively working to ensure the security of personal information.
  • SSC is working closely with the Treasury Board Secretariat to strengthen guardrail validation and enforcement and to ensure coordination with departments.
  • When it comes to cloud information hosting, this includes:
    • Enforcement of security requirements through contracting
    • A security guardrail validation and enforcement process
    • Validation of vendor security compliance

If pressed on environmental criteria for procuring cloud services:

  • SSC and Public Services and Procurement Canada will soon release a standard template for cloud contracts that includes sustainability terms for cloud providers
  • Going forward, SSC will include rated environmental criteria in new competitive solicitations under the Government of Canada Cloud Framework Agreement

If pressed on cloud:

  • SSC acts as a centre of excellence for cloud services across the government, providing technical expertise and tools to guide customers on cloud adoption
  • Security standards have been adopted to support secure and agile adoption of cloud hosting services as a tool for federal departments and agencies to improve services to Canadians
  • There are eight framework agreements in place with qualified service providers for secure cloud, and seven active supply arrangements for the purchase of client-focused Software as a Service applications

If pressed on security:

  • SSC is working with government organizations to ensure that infrastructure systems are robust and perform the services required of them, now and in the future, and are hosted in modern and secure environments
  • SSC is enabling departments to migrate applications to the cloud by providing surge secure cloud connectivity services

Background:

The objective of the audit was to determine whether the Government of Canada (GC), including the Treasury Board of Canada Secretariat (TBS), Communications Security Establishment (and its Canadian Centre for Cyber Security), Shared Services Canada (SSC), and Public Services and Procurement Canada (PSPC), had governance, guidance, and tools in place to prevent, detect, and respond to cybersecurity events that could affect the personal information of Canadians in the cloud. The audit also looked at whether the GC met its commitments to the environment and sustainable development in its procurement of cloud services.

For SSC, the audit focused on the department’s roles and responsibilities related to acquiring commercial cloud services and to validating and monitoring compliance with cloud security controls. PSPC was included based on its role in government-wide procurement and contract security.

The audit found that the GC did not include environmental criteria in its procurement of cloud services, as would be required to follow sustainable procurement practices and reduce greenhouse gas emissions.

The Auditor General issued five recommendations as part of her report, four of which impact SSC.

Recommendation 1

In consultation with SSC and PSPC, TBS should do the following:

  • Extend the requirement for guardrails to cloud service provider contracts that stem from supply arrangements established by Public Services and Procurement Canada
  • Clarify who is responsible for the initial validation and ongoing monitoring of cloud guardrail controls and what processes they should follow

Recommendation 2

In consultation with Communications Security Establishment Canada, SSC, PSPC, and departments, TBS should document and proactively communicate to any department that is using or contemplating cloud services the roles and responsibilities needed to design, implement, validate, monitor, coordinate and enforce the security controls needed to protect sensitive and personal information in the cloud. The Secretariat should review and update these documented roles and responsibilities at least every 12 months.

Recommendation 3

TBS, in consultation with SSC and other departments, should:

  • Develop and provide a costing model to help departments make informed decisions about moving to the cloud, and determine whether additional resources and funding are required
  • Help departments determine their long-term operational funding needs and support their access to funding so they can fulfill their evolving responsibilities for cloud operations, including securing sensitive information in the cloud

Recommendation 4

PSPC and SSC should include environmental criteria when procuring cloud services to support sustainability in procurement practices and contribute to achieving Canada’s net-zero goal.

Additional Information:

None