Canadian Centre for Cyber Security (CCCS) Assessment

FAQs

• What does this mean to me as a customer?

  CCCS’s Cloud Service Provider (CSP) IT Security (ITS) assessment for AWS is relied on by public and commercial sector organizations across Canada in their decision to use the CSP services. The assessment process determines if the ITS requirements for CCCS Medium Profile (previously referred as “PBMM” profile) are met as described in ITSG-33. Meeting the medium cloud security profile is required to host workloads that are classified up to and including the medium categorization.
  

• What type of assessments are offered by the CCCS?

  The CCCS currently offers two levels of formal cloud assessments, either CCCS Low Profile (previously known as Protected A, Low, Low) or CCCS Medium (previously known as Protected B, Medium, Medium). AWS is currently assessed to process, transfer and store data up to the medium categorization of information and services.

• What criteria and requirements are used for the CCCS Assessment?

  The security control profile published by the Canadian Centre for Cyber Security (CCCS) for the medium categorization of information and services in public cloud is used as the baseline Information Technology Security requirements for this assessment.

• Which regions are covered in the CCCS Assessment scope?

  For a service to be assessed by the CCCS, it must be in the AWS Canada (Central) Region. However, the CCCS assessment applies to AWS services and/or features, regardless of the region. Customers must individually assess if utilization of an AWS service outside the Canadian Region meets their compliance requirements.

• What services are covered by the CCCS Assessment?

  As of November 2023, 150 AWS services in the Canada (Central) Region have been assessed by the CCCS, and meet the requirements for the medium cloud security profile. The AWS services that are in scope of the CCCS Assessment can be found within Services in Scope for CCCS Assessment page.
  

• Are services/features available in Canada West (Calgary) region considered to meet the CCCS Medium bar?

  All services previously assessed in the Canada (Central) region, and which are also available in the Canada West (Calgary) region, are considered assessed in both regions. These services are eligible for use up to the CCCS Medium (previously PBMM) level.
  

• Can I get a copy of the CCCS Assessment Summary for AWS?

  Yes. The summary report is available on AWS Artifact. AWS Artifact is a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact. 

• We sell solutions to Canadian public sector customers that are built on AWS, how can you help us with our CCCS Assessment?

  The Global Security & Compliance Acceleration (ATO on AWS) team provides informal advisory services at no cost for compliance frameworks across healthcare, privacy, national security, financial sectors, and more. Our Global Security & Compliance Acceleration (ATO on AWS) Partners help you navigate, automate, and accelerate building compliant workloads on AWS and reduce time and cost. Please fill out our registration form and our team will help you connect with the right Partner for your specific consulting, deployment, and integration needs.

  If you are not already registered as an AWS Partner, we offer a broad set of Partner programs to help you innovate, expand, and differentiate your offerings.
  

• I am a Canadian customer whose project(s) needs to obtain an Authority to Operate (ATO) for my AWS hosted workload(s). Can AWS provide any assistance with the Authorization?

  For more information on obtaining an Authority to Operate (ATO) with the CCCS Medium Cloud Security Profile, visit our Canada Public Sector page or contact your AWS account team who can outline the range of options from AWS and AWS Partners to support your needs.