The Government of Canada follows guidance from the Treasury Board Secretariat on the use of Public Cloud offerings to conduct departmental business.
In many cases, departments are under the (correct) impression that they need to accredit their platforms to the PBMM (Protected B, Medium, Medium) Security Categorization level.
There is general confusion, however, when departments want to use Public Cloud offerings to store and manage source code. Departments typically consider the code "Protected B" when in fact it usually is not, given exceptions including those in the Access to Information Act that list the types of protected information.
We will document the above, with a suggested method of classifying source code at the Unclassified level, as there will be multiple cases to consider.
At present, the suggested categories are:
- Unclassified code
  - Code that is public/open for submissions
  - Code that is public/closed for submissions
  - Code that is fully private
- Protected B code. Some examples are:
  - Code that contains information protected under the Access to Information Act
  - Code that contains sensitive business logic
  - Code that is used for auditing financial transaction records