Question Period Note: GC Cyber Security Roles and Responsibilities

About

Reference number:
TBS-2025-QP-06-00030
Date received:
Jun 19, 2025
Organization:
Treasury Board of Canada Secretariat
Name of Minister:
Ali, Shafqat (Hon.)
Title of Minister:
President of the Treasury Board

Issue/Question:

What is the government doing to protect itself and the information of Canadians from cyber attacks?

Suggested Response:

• The Government of Canada, like all organizations, faces constant cyber threats.
• Canadians can rest assured that we have robust safeguards in place to protect their information, our systems and our ability to deliver secure and reliable digital services.
• Cyber security protections continuously monitor, detect and investigate potential threats so that active measures can be taken to neutralize them.
• As well, the Government of Canada’s GC Enterprise Cyber Security Strategy, published last year (May 2024), is helping to strengthen the government's ability to effectively combat cyber threats and remediate vulnerabilities.

Background:

The Government works continuously to enhance cyber security in its services by preventing attacks through implementation of protective security measures, identifying cyber threats and vulnerabilities, and by preparing for and responding to all kinds of cyber incidents to better protect Canada and Canadians.
Cyber security is a shared responsibility across government. Departments and agencies have a responsibility to ensure that cyber security is managed within their organization, including the cyber security of departmental programs and services. TBS, SSC, and the CSE are the primary stakeholders with responsibility for ensuring the government’s cyber security posture is effective and able to respond to evolving threats. CSE, in concert with Public Safety, also provides support on cyber security from a national perspective. TBS provides policy leadership, advice and guidance for all matters related to government security, establishes and oversees a whole-of-government approach to security, and provides strategic oversight of government cyber security event management to ensure effective coordination of major security events and support government-wide decision-making. The Chief Information Officer of Canada sets Information Technology security policy, defines cyber security requirements, and executes decisions on the management of cyber security risks on behalf of the Government of Canada (GC).
Over the past decade, the government has taken incremental steps to improve its cyber security posture by standardizing IT infrastructure and integrating cyber defense services, establishing the Canadian Centre for Cyber Security, and putting in place clear governance, policies, and tools to support cyber security.
In November 2024, TBS launched mandatory cyber security awareness training for all employees of the core public administration, which aims to establish a consistent level of cyber security foundational knowledge across departments.
Despite this progress, gaps still remain. The Government of Canada’s Enterprise Cyber Security Strategy aims to address these gaps and ensure the government is well positioned to address future cyber threats. It is a forward-looking plan that will serve as a framework to move the government even more from a defensive position to a proactive cyber security approach.
Budget 2024 provides $11.1 million over three years (no ongoing), starting in 2024-25, for TBS to implement a whole-of-government cyber security strategy. Specifically, funding supports key actions including:
• Establishing a centralized evaluation system with independent assessments and thorough reviews of departments' cybersecurity to identify and prioritize risks.
• Creating a federated integrated risk management platform to enable prioritization and data-driven reporting as a key part of a broader enterprise portfolio management system.
• Creating a government-wide vulnerability management program for a coordinated vulnerability disclosure process; it will focus on people, processes, policies, and technology.
• Forming a new Purple Team that conducts active, strategic oversight of policy compliance and cyber hygiene by emulating techniques used by threat actors against government systems to proactively test and audit any security gaps. This type of team does not currently exist in the government.
TBS is performing a policy review to identify options and recommendations on strengthening the Office of the Chief Information Officer’s authorities to enhance enterprise-wide cyber security. Currently, not all federal organizations, e.g., Crown corporations, are subject to Treasury Board cyber security requirements under the Policy on Government Security and the Policy on Service and Digital.
To improve cyber security external to the GC, in February 2025, Public Safety (PS) published the National Cyber Security Strategy (NCSS). The new NCSS focuses on whole-of-society engagement that includes partnerships with other levels of government, law enforcement, Indigenous communities, the private sector, academia, and civil society. The NCSS includes three Pillars:
• Working with partners to protect Canadians and Canadian businesses from cyber threats, for instance, through public-private partnerships to address national-level cyber security challenges, policy priorities, and cyber operations via the new Canadian Cyber Defence Collective.
• Making Canada a global cyber security leader through initiatives such as the Canadian Cyber Security Certification program which will enhance cyber security in the defence sector; and
• Detecting and disrupting cyber threat actors including strengthening partnerships with owners of critical energy infrastructure.
TBS and PS also have responsibilities related to cyber security event management. TBS maintains the GC Cyber Security Event Management Plan (GC CSEMP). The GC CSEMP is the whole-of-government incident response plan providing an operational framework which outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated, and timely fashion across the government. The plan is applicable to all departments subject to the Policy on Government Security. To ensure that the GC CSEMP is up-to-date and effective, the plan is tested regularly, reviewed on an annual basis, and updated if changes are warranted, for example, in light of lessons learned from cyber events. The latest version of GC CSEMP was published in October 2023. The most recent cyber simulation took place in May 2025 as part of the government’s executive level cyber simulation exercises designed to test how the GC responds to a significant cyber event impacting multiple GC departments.
PS maintains the Federal Cyber Incident Response Plan (FCIRP) which is the incident response plan for ensuring the effective GC coordination of cyber security events or incidents affecting non-GC systems.
In response to cyber incidents affecting the GC, in August 2024, TBS issued the Improving Cyber Security Health: Security Policy Implementation Notice to reinforce specific requirements under the Policy on Government Security and the Policy on Service and Digital. TBS is monitoring progress on departmental compliance within the 3-6-9 month requirements.

Cyber incidents have also impacted services contracted out by the government. Compromises within the supply chain have an impact on the GC, and introduce operational risks when third-party services are used. Managing cyber security risks in supply chains requires ensuring the integrity, security, quality and resilience of the supply chain and its products and services. TBS, SSC, and CSE are working together to strengthen supply chain risk management within the GC through updated supply chain integrity review processes integrated earlier within acquisitions that include robust security contract clauses, establishing a diversification strategy, and strengthening governance.

Additional Information:

None