Guidance on using or providing cloud solutions for controlled goods data

This page provides updated guidance for both program registrants and cloud service providers on the safeguarding of controlled goods, including data (controlled goods data), using cloud solutions.

On this page

Safeguarding controlled goods

The purpose of Part 2 of the Defence Production Act (the Act) and the Controlled Goods Regulations (the Regulations) is to enhance Canada's defence and security by ensuring that private individuals and organizations do not unlawfully gain access to controlled goods.

Given their strategic importance, the examination, possession and/or transfer of controlled goods in Canada without registration, exemption or exclusion from the Controlled Goods Program (CGP) is prohibited. Through the registration and exemption, security assessment, and inspections processes, the CGP helps to ensure that controlled goods are not intercepted by high-risk individuals, criminal organizations or other dangerous persons.

By obtaining and maintaining CGP registration by respecting the registrants' obligations under the Regulations, cloud service providers gain permission to lawfully examine, possess and/or transfer controlled goods within Canada. In doing so, registered cloud service providers contribute to an integrated North American defence industrial base, strengthening Canada's defence trade controls with the United States (US).

This Guidance aims to provide confidence for registrants who use, or intend to use, cloud service providers for their controlled goods data so that cloud storage, if properly deployed by the registrant, can be done in a manner that conforms with the Controlled Goods Regulations and policies.

Guidance for program registrants

Program registrants may choose to store their controlled goods data using a cloud service provider's software, platforms or infrastructure. In doing so, however, registrants must keep in mind their legal obligations under the Act (subsection 45(2)) and the Regulations. They must also be mindful of the offence set out in subsection 37(2) of the Act for knowingly transferring a controlled good to, or permitting the examination of a controlled goods by, a person who is not registered or exempt from registration. A partial list of Controlled Goods Program registrants, including registered cloud service providers, is available online.

Program registrants are responsible for determining if cloud solutions are appropriate for their particular business activities, including those relating to the storage and processing of controlled goods data. For information on cloud service and deployment models, consult the Canadian Centre for Cyber Security (CCCS) online publication on models of cloud computing (ITSAP.50.111).

Program registrants should review the security controls of their own information systems and services regularly, and continuously monitor and manage security risks to their own information and information technology (IT) assets. For information on how to conduct cloud risk management, security assessment and authorization processes within both the public and private sector contexts, consult the online Guidance on Cloud Security Assessment and Authorization (ITSP.50.105). These assessments and processes help registrants to understand the overall effectiveness of their own security controls, as well as those implemented by a cloud service provider.

Selecting a cloud service provider

When selecting a registered cloud service provider, program registrants should learn about the security controls available to prevent unauthorized access to controlled goods data. Program registrants are responsible for choosing and implementing their own security controls and other measures to manage any residual risks.

Program registrants should also request to review any formal, independent, third-party certifications and security assessments to ensure that the cloud service provider is complying with industry standards, such as the International Organization for Standardization (ISO) and System and Organisation Controls (SOC).

The CCCS assesses cloud service providers under their Information Technology security assessment process (ITSM.50.100). The resulting list of current Government of Canada approved cloud service providers is available online. Please note that not all of the listed providers are also registered with the CGP. As well, other CGP registered cloud service providers that do not appear on this list may be used for storing controlled goods data.

Data residency

Program registrants should take note of any data residency options to ensure that their controlled goods data is stored on servers located in Canada. For data stored on servers located outside of Canada, Global Affairs Canada must be consulted for additional guidance on any applicable export licensing requirements.

Restricted access

Program registrants must employ a principle of least privilege by monitoring and restricting access to their cloud stored controlled goods data. Access may only be granted to employees who have been security assessed, as detailed in section 15 of the Regulations.

Program registrants should ensure that access to their cloud solution is obtained only through a secure connection using, for example, a virtual private network or transport layer security with user login profiles. Multi-factor authentication and password policies, with audit and logging capabilities, are also recommended.

For further measures to safeguard controlled goods data, small and medium-sized program registrants should consider consulting the CCCS publication on top measures to enhance cyber security for small and medium organizations (ITSAP.10.035).

Technical support

When seeking technical support, program registrants should inform their cloud service provider in writing if the program registrant is seeking support on data that is controlled as the cloud provider does not have visibility to the content and whether it is controlled. Program registrants should also:

Encryption

Program registrants should ensure that controlled goods data is encrypted when transmitted or stored at rest within a cloud service. For example, the US Federal Information Processing Standard encryption standard is used by federal departments and agencies to protect sensitive Government of Canada data in their cloud-based deployments. It is also used to protect end-to-end encrypted unclassified data controlled by the International Traffic in Arms Regulations in the US.

Record keeping

Program registrants must meet the record keeping obligations under section 10 of the Regulations. The records maintained must cover any controlled goods data uploaded, stored or processed in a cloud solution, including a description and date of the data received, transferred or disposed of, as required in section 10(a) of the Regulations.

Security plan

Program registrants must establish and implement a security plan under section 10(e) of the Regulations. This plan should detail:

More information about security plans.

Security breaches

Program registrants must report to the CGP any security breach involving their controlled goods data stored on a cloud solution, as required under section 10(h) of the Regulations. CGP-registered cloud service providers may report on security incidents relating to the cloud environment itself, but registrants are responsible for reporting and determining whether an incident affects their controlled goods data specifically.

Guidance for registered cloud service providers

It is an offence under section 37 of the Act for any person—unless the person is registered under section 38 or exempt from registration under section 39 or 39.1, to knowingly examine or possess a controlled good, or transfer a controlled good to another person.

Cloud service providers typically do not examine, possess, or control their users' content stored in the cloud, but they may provide services to registrants that require them to examine or possess the controlled data (example, as part of a partnered technological build) which then requires the cloud service provider to be registered. Unregistered cloud service providers may be at risk of contravening the Act due to the nature of their services, business practices and technical operations, such as technical support or maintenance if it involves examining the controlled data of its user (example: reviewing the user's controlled data in decrypted form). Cloud service providers may wish to seek legal and technical advice on how to mitigate their risks under section 37 of the Act.

Registration

Cloud service providers that choose to register with the CGP contribute to an integrated North American defence industrial base. CGP registration provides assurances to clients, as well as to the US. Government and defense industry, that controlled goods data is not diverted to unauthorized persons.

Registered cloud service providers should provide their clients with information describing their cloud solutions, including guidance on the security controls and features that can be used to safeguard controlled goods data. Providers should undergo third-party audits and compliance verifications, such as: ISO/International Electrotechnical Commissions (IEC) 27001, ISO/IEC 27017 or SOC 2 Type II.

Providers should be prepared to show these certifications and valid audit reports to prospective clients to demonstrate their compliance with industry standards.

Technical Support

When a program registrant has advised their registered cloud service provider in writing that a specific support incident implicates controlled goods data and access to the program registrant's controlled goods data is unavoidable, the registered cloud service provider should provide the program registrant with the option of technical support by employees that have been security assessed, as detailed in section 15 of the Regulations. When providing such technical support, the provider should:

Record keeping

If applicable, registered cloud service providers must also maintain records relevant to their own controlled goods data in accordance with the section 10(a) and (i) conditions of registration until the Act and Regulations are formally updated. Registered cloud service providers do not have the capacity to track and report on their client's controlled goods data stored and/or processed on the registered cloud service provider's cloud solutions, as required for the registrant of the controlled data under:

However, these providers may choose to keep records of those clients using, or intending to use, their cloud solutions to store and/or process controlled goods data. This can be done by asking prospective clients to disclose this intended use when they sign up for a cloud solution or otherwise establish the contractual obligations in the cloud service user agreement.

Security plan

Registered providers are required to establish and implement a security plan, as indicated in section 10(e) of the Regulations. At a minimum, the plan must address the various physical, technical and administrative security controls used to protect the physical assets related to their cloud solutions and those used to ensure the integrity of the cloud environment itself.

The cloud service provider's plan should acknowledge that data should be stored in Canada and include procedures for safeguarding controlled goods data in the event of emergency maintenance. The clients of cloud service providers are responsible for configuring their data storage location for the cloud services.

Security incidents

CGP-registered clients, and not registered cloud service providers, are required to report security breaches to the CGP, as required in section 10(h) of the Regulations.

Contact us

If you have any questions, please contact the Controlled Goods Program.

Date modified: