A page for Government of Canada departments and partners to share information, strategies, and products for all communications regarding the "Cloud".
Cloud Communications Snapshot (6 Month View)
Frequently Asked Questions (FAQs)
Q: What is Cloud?
A: Cloud is a network of servers hosted over the Internet that is used to store, manage, and process data and applications in place of local servers or personal computers. Companies offering these services are called Cloud service providers and typically charge for services based on consumption.
Cloud computing has been around since the late 1990s and continues to be a proven option for hosting data and applications. Cloud services often offer greater flexibility, mobility and efficiency.
Q: What is the Cloud first policy requirement?
A: Cloud first is a policy requirement that can be found in section 6.2.6 of the Treasury Board of Canada Secretariat’s Policy on Management of Information Technology.
It is further elaborated in the Cloud Adoption Strategy where “Cloud first” is recommended as the preferred option for delivering IT services.
This means that Government of Canada departments will prioritize the use of Cloud to store, manage, and process data and applications whenever possible.
Q: What are the different Cloud option models?
A: The Treasury Board of Canada Secretariat offers Government of Canada Right Cloud Selection Guidance to help departments decide which Cloud model is right for them.
A commercially available offering procured and security-assessed for the use of all government organizations. In this deployment model, the government organizations will securely share tenancy with private companies, non-profits and individuals.
A Cloud offering tailored to the Government of Canada (GC). In this deployment model, the GC will be the only tenant residing on the Cloud. Private clouds include both off-premises and on-premises clouds managed by the GC or by a third party.
A traditional IT environment for hosting legacy applications that cannot be deployed to a Cloud environment.
Hybrid Cloud or IT environment
A combination of the above models. This model takes a pragmatic approach to integrating legacy technology with Cloud technology. 
Q: How many contracts are in place for providing unclassified Cloud?
A: The Government of Canada currently has twenty-six contracts in place for commercially available unclassified Cloud services. They are available through the Cloud Brokering Portal for on-demand consumption and are based on actual usage.
Q: What are the different Cloud service models Cloud service providers (CSP) offer?
A: Software as a Service (SaaS): The Cloud Service Provider hosts and manages software applications and the infrastructure that supports them. Clients can access these applications using devices through a web browser.
Platform as a Service (PaaS): An environment where the Cloud Service Provider gives users access to infrastructure, services and tools such as programming languages, libraries, where users can create or customize applications.
Infrastructure as a Service (IaaS): The Cloud Service Provider provides an underlying infrastructure that gives the consumer control over operating systems, storage, and applications. It may also give users limited control of some networking components.
Q: How does migration to the Cloud fit within the workload migration process?
A: Shared Services Canada is working with Government of Canada departments to migrate their data and applications from aging data centres to modern infrastructures like Cloud and enterprise data centres. With its increased performance, agility and elasticity, Cloud is the technology of choice to attain this goal.
Budget 2018 also refers to Cloud as an option for migrating from legacy, at risk, data centres:
“$110 million over six years, starting in 2018–19, to be accessed by Shared Services Canada’s partner departments and agencies to help them migrate their applications from older data centres into more secure modern data centres or cloud solutions.”
Q: Which Government of Canada (GC) departments have the mandate and authority to independently procure Cloud services?
A: Only Shared Services Canada (SSC) and Public Services and Procurement Canada (PSPC) have the delegated authority to procure cloud services.
Each department has a procurement mandate. For instance, SSC’s procurement vehicle supports the delivery of network services, compute and storage capabilities and applications related to workplace technologies for GC departments. PSPC’s vehicle will support Software-as-a-Service requirements, which correspond with the traditional procurement of software applications and associated support.
Roles and responsibilities
Q: From an enterprise perspective, who is responsible for what?
A: TBS: The Treasury Board of Canada Secretariat is responsible for enterprise strategies, policies, standards, governance and the coordination of supply and demand.
SSC: Shared Services Canada is responsible for Cloud service supply, readiness, enablement and standardization.
PSPC: As a common service procurement provider, PSPC responds to client department needs by developing procurement tools and procuring solutions on their behalf.
Departments: Each department is responsible for choosing and adopting Cloud services. They will lead change activities and analyze application portfolios for opportunities to take advantage of Cloud services.
The Treasury Board of Canada Secretariat also has a roles and responsibilities document.
Q: Who determines the prioritization of migration (departments) to the Cloud and how is it being managed?
A: The departmental chief information officers make the choice to use Cloud and set migration priorities, based on a number of criteria.
Cloud client information
Q: What are Shared Services Canada’s Cloud Brokering Services?
A: Government of Canada (GC) departments can review, purchase and provision public Cloud services through Shared Services Canada’s (SSC) Cloud Brokering Service (CBS).
As the Cloud broker, SSC is the liaison between qualified external Cloud service providers and GC departments, ensuring they receive the best possible Cloud solution to meet their needs.
Following a rigorous procurement process, the GC qualified twenty-six suppliers of commercial unclassified public Cloud services. These services are available to GC departments through the Cloud Brokering Portal.
Q: What steps must Government of Canada departments take to adopt Cloud?
A: Before adopting Cloud, departments must develop a Cloud strategy document and put a number of plans in place. These plans would touch on the following key steps towards Cloud readiness:
- Application Design
- Platform Configuration
- Network Connectivity
- Foundational Services
- Access Management
- Security Monitoring
- Configuration Management and Automation
- Financial Monitoring
- Security Assessment
- Human Resource Skills and Capacity
Q: How do Government of Canada departments know what should be destined for the Enterprise Data Centre vs. the various Cloud options?
A: Departments determine when Cloud or data centre services are appropriate. This responsibility is embedded in the Policy for the Management of IT. All data having national interest (i.e. PROTECTED C, CONFIDENTIAL, SECRET, TOP SECRET) cannot be deployed to public Cloud. Protected B and unclassified data are deemed appropriate for public Cloud deployment, but departments are ultimately responsible for determining if an Enterprise Data Centre or Cloud services best meets their business requirements.
The Treasury Board of Canada Secretariat has oversight of that decision, while Shared Services Canada and Public Services and Procurement Canada supply the Cloud services.
The Government of Canada’s Cloud First Policy requires departments to choose public Cloud service as their principal deployment model for IT.
Q: How much technical involvement will Shared Services Canada have once the Cloud services have been purchased?
A: The Cloud Adoption Strategy and supporting security guidance place the responsibility of Cloud operations with the Government of Canada departments. SSC will remain involved with networking, security and any other optional services that departments may want SSC to deliver. SSC is working with departments to identify these. In addition, SSC is responsible for providing secure network connectivity to address their responsibility for cloud service readiness.
Q: Is my data safe? Can data and applications be securely stored in the Cloud?
A: Yes, the data is safe in the cloud. The Government of Canada (GC) has put in place a cloud security risk management process which consists of a series of procedures that are implemented by a combination of Cloud Service Provider (CSP) and GC resources. This procedure remains a governmental responsibility and is directly linked to the management of IT security risks. In evaluating CSP solutions, the following exercises are conducted:
- Perform Security Categorization, i.e. what is the level of security required to protect the information
- Select appropriate Security Controls, Cloud Deployment and Service Model
- Assess Cloud Services, implement GC security controls and Authorize operations of the cloud based GC service
- Continuously monitor cloud based GC services and maintain authorization state.
CSPs are selected following a successful security assessment through Canadian Centre for Cyber Security’s Cloud Security Program.
Q: How is the security and confidentiality of data protected?
A: The Government of Canada (GC) has policies in place that enforce where data resides (residency) and how it is controlled (sovereignty). It has also adapted the existing GC risk management approach by incorporating existing risk management processes with cloud standards from:
- The US National Institute of Standards and Technology (NIST)
- The Canadian Centre for Cyber Security (Cyber Centre)
- The Treasury Board of Canada Secretariat (TBS)
The following list of standards were used to develop this new Cloud Security Risk Management approach:
- Cyber Centre information system security risk management guidance, ITSG-33
- NIST’s standards on information system security risk management, which are specified in the Special Publications 800 series
- The NIST cloud computing reference architecture, which is documented in Special Publication 500 292
- The NIST cloud computing security reference architecture, which is documented in Special Publication 500 299
- The Federal Risk and Authorization Management Program (FedRAMP)
- TBS’s Security Risk management approach and procedure
Operating within the cloud, it is still part of the Risk Management framework for the GC to determine the security requirements necessary to protect the information and services.
The GC has created Cloud Security Control Profiles based on the Cyber Centre’s IT Security Risk Management: A Lifecycle Approach (ITSG-33) guidelines to help with Departmental level activities to integrate into the organization’s security program to plan, manage, assess, and improve the management of IT security-related risks the organization faces in the Cloud.
These activities include the execution of information system security engineering, threat and risk assessment, security assessment, and authorization.
The GC takes into account industry benchmarks and certifications in establishing the requirements that the Cloud Service Providers must meet as part of the Security Requirements (e.g. SOC2 and ISO27000 series).
Q: What is Secure Cloud Enablement and Defence (SCED)?
A: The Secure Cloud Enablement and Defence (SCED) is the security services implemented by the Government of Canada (GC) to secure the network connectivity between the Cloud environment and the Government of Canada (GC). Protected B Cloud is an approved Cloud solution for use with GC data which has been identified at a Protected B security level.
Note: "Secure Cloud to Ground" (SC2G) is also used to refer to the same SSC initiative, eventual service offerings and underlying technologies. It may be that the term SC2G will supersede SCED.
Q: What are the timelines for SCED?
A: The pilot of Secure Cloud Enablement and Defence (SCED) architecture 1 is being finalized and assessed for Treasury Board of Canada Secretariat and Statistics Canada.
Q: Who is responsible for IM/IT security?
A: Cloud service providers are responsible for the security of the Cloud; the departments are responsible for Security in the Cloud; and Shared Services Canada provides security "to and from" the Cloud.
Cloud security is a shared responsibility between the Cloud service provider, SSC, the Canadian Centre for Cyber Security, and the departments. Security controls must be implemented appropriately to allow for the proper hosting of GC data and applications.
The combination of Treasury Board Secretariat of Canada Cloud directives and the Canadian Centre for Cyber Security Cloud Service Provider (CSP) Assessment Program methodology documentation provide advice and more information.
Q: What security certifications do the Cloud services hold?
A: At a minimum the Government of Canada (GC) has indicated that Cloud service providers require up-to-date industry benchmarks and certifications like SOC2 and ISO27000 series to demonstrate compliance to security requirements. Additional evidence or documentation may also be collected and reviewed as necessary.
Q: How many vendors have qualified for providing Protected B Cloud Services?
A: Two vendors have qualified at this time; AWS Canada and Microsoft Azure.
Q: What is the difference between Protected B Cloud and SCED?
A: The Secure Cloud Enablement and Defence (SCED) Project is designing a firewall to secure GC content. Its main focus is on protecting the network connectivity between the Cloud environment and the public Internet. Protected B Cloud is an approved Cloud solution for Protected B data. SCED may be a component, but is not limited to, of any one specific Protected B Cloud offering.
Q: Are there different types of Protected B (public vs. private)?
A: No, There are not different types of Protected B. Protected B is a GC standard data classification identifier that indicates a level of security required to protect sensitive data.
Q: What steps do Government of Canada departments need to follow to access Protected B Cloud services?
A: When the Protected B supply is in place, it will be available through the Cloud Brokering Portal.
Q: Does the Cloud Brokering Service function the same way for Protected B?
Q: Will Cloud lead to job loss?
A: No. The Government of Canada’s (GC) IT workforce is its most valuable asset when it comes to Cloud adoption. The GC’s ability to adopt Cloud services is directly proportional to the workforce’s ability to adopt modern Cloud skills. Preparing the workforce is a key theme of the GC Cloud Adoption Strategy. New opportunities are being created with emerging roles to manage and consume Cloud services.
Q: What training is available for employees interested in working on Cloud?
A: The Canada School of Public Service, under the Digital Academy, has created programs to increase IT professionals’ skills in Cloud and DevOps.
SSC is also assembling a guide book in relation to the various career paths & training opportunities in relation to SSC Cloud. This information will be made available by: []
Q: What is the new information technology (IT) occupational group?
A: The Treasury Board of Canada Secretariat (TBS) has approved the creation of a new IT group that replaces the Computer Systems (CS) group to better reflect modern professional IT work and the current IT environment.
There is no immediate impact on employees of the CS group. Additional information on the conversion to the IT standard will be shared closer to the effective date, which will be determined following the round of collective bargaining for the renewal of the CS collective agreement that expired December 21, 2018.
Q: Is the procurement of Protected B Cloud services related to the conversion to the IT occupational group?
A: No. Both initiatives are separate. SSC is leading the procurement of Protected B Cloud services and TBS is leading the conversion to the new IT occupational group.
Q: Will there be Protected A options in the future?
A: Yes. The contract addressing Protected A supply will be in place over the next year.
Q: Where can I get more information/documentation on Cloud?
A: The SSC Cloud Program office at: []
The Treasury Board of Canada Secretariat website at: https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/cloud-services.html
Anticipatory Media Lines
Protected B Public Cloud Services Procurement
In 2018, Government of Canada updated its Cloud Adoption Strategy to draw its vision and commitment to adopting Cloud-based solutions, in particular in the area of the public cloud deployment and software-as-a-service (SaaS).
In February 2018, the Government of Canada awarded twenty-six contracts for commercially available unclassified Cloud services. These contracts make these services available on demand through the Cloud Brokering Portal, with costs based on actual usage.
On September 7, 2018, Shared Services Canada (SSC) posted an Invitation to Qualify (ITQ) for Protected B Public Cloud Services on buysandsell.gc.ca. This new procurement process will expand the range of Cloud services available to help departments manage their data and application workloads. In August 2019, the Government of Canada signed the first two contracts Protected B Cloud services with AWS Canada and Microsoft Azure.
- The protection and privacy of Government of Canada data stored and processed in the Cloud is a top priority for the Government of Canada.
- The Government of Canada must be capable of delivering a range of digital services, at various security levels, to meet the needs of Canadians.
- Protected B Cloud services will respond to the increasing demand for options that enable departments to securely store data and applications in Canada.
- Choosing Protected B vendors will expand the range of cloud services available to departments so they can manage their data and applications.
If pressed on the cloud protected B procurement process
- Shared Services Canada posted the Invitation to Qualify on September 7, 2018. This was the first phase of the procurement process to find qualified suppliers with experience in delivering cloud services at various security levels.
- Public Services and Procurement Canada (PSPC) has developed a Supply Arrangement allowing vendors to qualify for the provision of SaaS solutions. Starting from June 17, PSPC is accepting and reviewing submissions and as vendors qualify, client departments can start consuming.
- The scope of each process aligns with the procurement mandates of each department. For instance:
- SSC’s procurement vehicle supports delivering of their core mandate of network services, compute and storage capabilities and applications related to workplace technologies for GC departments; and
- PSPC’s vehicle will support SaaS requirements, which correspond with the traditional procurement of software applications and associated support.
- Shared Services Canada and PSPC work with industry stakeholders to ensure open, fair and transparent procurement processes.
- As of August 8, 2019, Shared Services Canada has signed Cloud Framework Agreements with AWS Canada and Microsoft Azure.
- Building on lessons learned from procuring unclassified Cloud services, Shared Services Canada and PSPC are using a multi-phased procurement process that works with industry to define and develop service requirements.
- When the procurement process is complete, partner departments will have access to Protected B Cloud services through the Cloud Brokering Portal.
- PSPC’s RFSA is posted continuously to enable suppliers to qualify on an ongoing basis.
If pressed on security
- Shared Services Canada and PSPC work with security partners to ensure its service offerings meet specified Government of Canada security requirements to mitigate to the confidentiality, integrity and availability of data and business processes.
- Shared Services Canada monitors compliance to Government of Canada-specified security requirements to ensure they remain in place.
- Canadians can rest assured that their data is safe in the Cloud.
- The Government of Canada has policies in place that enforce where data resides (residency), how it is controlled (sovereignty).
- The Government of Canada will not award contracts unless all of the security requirements are met.
If pressed on networks
- Shared Services Canada is focusing on the network connectivity to increase reliability and capacity for access to cloud services.
- Media Relations Office, 613-670-1626
President (SSC) Speaking Points: Stratosphere - The Government of Canada's Conference on Cloud and DevOps
Background Information: The Event
- The Government of Canada has partnered with the Association of Public Sector Information Professionals (DPI), to host Stratosphere – a conference focused on Cloud and DevOps.
- This conference is an opportunity for participants to share their experiences and lessons learned with their peers, and for the GC IT community to learn about possible partnerships with industry.
SSC and TBS
- Shared Services Canada and the Treasury Board of Canada Secretariat are working together to bring Cloud services to the Government of Canada.
- The Treasury Board of Canada Secretariat is responsible for Government of Canada enterprise governance, strategy and policy for Cloud services. This includes oversight and risk assessment of Cloud service requests from departments.
- Under the leadership of TBS, the Government of Canada committed to a government-wide Cloud-First Adoption Strategy in which Cloud is the preferred option for delivering IT services to Canadians.
- This means that departments will use Cloud to store, manage, and process data and applications where possible.
- As part of our mandate on Cloud, SSC has 3 core roles: Broker, Provider, and Enabler.
- As a Cloud Broker, we offer the Cloud Brokering Service for public commercial unclassified supply to Government departments. We will soon be offering the supply for Protected B data.
- As a Cloud Provider, we plan to create additional private supply to complement the public commercial Cloud.
- As a Cloud Enabler, we enable the delivery of foundational services like connectivity and security to enable departments to consume Cloud supply.
- There are currently 26 contracts in place for commercially available unclassified Cloud services available to departments for on-demand consumption, subscription or pre-paid services.
Protected B Cloud Services
- On September 7, 2018, SSC posted an Invitation to Qualify (ITQ) for Protected B public Cloud services on buysandsell.gc.ca. A number of vendors were pre-qualified as a result.
- The procurement of Cloud for Protected B information responds to increasing demand from departments, enabling them to benefit from tools that are capable of securely storing data in Canada.
- As of June 17, the Government of Canada is ready to receive bids from ITQ qualified respondents for Protected B Cloud services.
- Upon receiving bids, the Government of Canada will evaluate them and begin contract negotiations with the qualified respondents.
- Following these final procurement steps, departments will be able to access Protected B Cloud services through the Government of Canada Cloud Brokering Service.
- We have a number of pilots and projects underway with select departments on migrating their workloads to the Cloud.
- Most recently, Statistics Canada and SSC successfully tested a small subset of users to a secure, fully integrated active directory in the Cloud. Statistics Canada’s active directory is forecasted to be live early this summer.
- With the news of this success travelling, we expect that the other pathfinder departments and other departments in general, will be approaching us to leverage lessons learned to follow suit.
- While SSC has provisioned early connectivity to Cloud Service Providers for some of the pathfinders via existing network connections, SSC is investigating optimal end state connectivity through pilot projects.
Enterprise Approach 3.0
- At SSC, we are focusing on putting the “Shared” in Shared Services to enable a digital government. This means embracing an enterprise approach to provide quicker turnarounds, enhance collaboration, increase reliability and reduce risk.
- Cloud computing is a big part of this new approach. The department is focusing on three key priorities:
- Solidifying the IT foundation by increasing network reliability and capacity, and strengthening security;
- Modernizing collaboration tools to enable, engage, and empower employees; and
- Adopting Cloud and enterprise data centers to improve reliability and reduce risk.
- Most of our data is currently stored in aging data centres across the country.
- We are working with our partners to move their content into the hosting solution that meets their needs and one that provides a secure, reliable environment for their applications and data.
- The objective is to have the majority of our data stored in our state-of-the-art EDCs, or in the Cloud, with consistent operating models.
- In terms of workplace tools, the current landscape largely consists of standalone or loosely integrated productivity, communication and collaboration tools such as Skype, and audio/videoconferencing used from desktop devices and/or standalone devices.
- The objective it to get to a point where Cloud-based services are used, leveraging industry standards and practices to interoperate with SSC end-state services and co-exist with legacy components during our transformation.
Stage Backgound Screen for Keynote Speech - Alex Benay
Stage Backgound Screen for Keynote Speech - Paul Glover