Government response to recommendations
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack
Recommendation (R1)
The government continue to strengthen its framework for defending government networks from cyber attack ensuring that its authorities and programs for cyber defence are modernized as technology and other relevant factors evolve, including to align them with the horizontal framework for cyber defence that has emerged over the last decade.
Response
Agreed. Public Safety, Communications Security Establishment, and Treasury Board of Canada Secretariat agree that the government continue to strengthen its framework for defending government networks from cyber attack, ensuring that its authorities and programs for cyber defence are modernized as technology and other relevant factors evolve.
Public Safety, in collaboration with Communications Security Establishment and Treasury Board of Canada Secretariat, will continue to work together to align with the horizontal framework for cyber security to ensure that an appropriate governance structure is in place to advance cyber security policy.
Responsible organizations: Public Safety, in consultation with Communications Security Establishment and Treasury Board of Canada Secretariat.
Recommendation (R2.1)
To the greatest extent possible, the government:
Apply Treasury Board policies relevant to cyber defence equally to departments and agencies.
Response
Agreed. The Treasury Board of Canada Secretariat will review the Treasury Board policy framework to ensure that cyber defence is applied equally to departments and agencies to the greatest extent possible. This includes alignment between the scope of the Policy on Government Security and the Policy on Service and Digital.
Responsible organization: Treasury Board of Canada Secretariat.
Recommendation (R2.2)
To the greatest extent possible, the government:
Extend Treasury Board policies relevant to cyber defence to all federal organizations, including small organizations, Crown Corporations and other federal organizations not currently subject to Treasury Board policies and directives related to cyber defence.
Response
Agreed. The Treasury Board of Canada Secretariat will undertake a review of the Treasury Board policy framework to explore and identify potential options to extend Treasury Board policies relevant to cyber defence to all federal organizations, including small organizations, Crown Corporations, and other federal organizations not currently subject to Treasury Board policies and directives related to cyber defence. This review will take into consideration the Financial Administration Act and the authorities under that Act, as well as any legal considerations.
Responsible organization: Treasury Board of Canada Secretariat.
Recommendation (R2.3)
To the greatest extent possible, the government:
Extend advanced cyber defence services, notably Enterprise Internet Service of Shared Services Canada and the cyber defense sensors of the Communication Security Establishment, to all federal organizations.
Response
Agreed. Treasury Board of Canada Secretariat, in consultation with Shared Services Canada and Communications Security Establishment agree that the government should extend advanced cyber defence services, notably the Enterprise Internet Service of Shared Services Canada and the cyber defense sensors of the Communication Security Establishment, to all federal organizations to the greatest extent possible.
Treasury Board of Canada Secretariat will continue to strengthen cyber defence measures as part of the updates to the Policy on Service and Digital, specifically through the mandatory procedures outlined under Appendix G: Standard on Enterprise IT Service Common Configurations of the Directive on Service and Digital which will be published in Early 2022.
Shared Services Canada, in consultation with Treasury Board of Canada Secretariat and Communications Security Establishment, and as part of a funded study, is evaluating the current posture of small departments and agencies (SDAs) that have not adopted the Enterprise Internet Service of Shared Services Canada. The goal of the evaluation is to produce a costed business case outlining the funding necessary to migrate SD As to the Enterprise Internet Service of Shared Services Canada, eliminate the use of non- Shared Services Canada managed internet services, and provision other enterprise services (including the cyber defense sensors of the Communication Security Establishment), which will help to improve the security posture of SDAs and reduce the threat exposure of the government's enterprise networks.
Communications Security Establishment, in consultation with Treasury Board of Canada Secretariat, will explore options to extend the cyber defense sensors of the Communications Security Establishment to all federal organizations.
Responsible organizations: Treasury Board of Canada Secretariat, in consultation with Shared Services Canada and Communications Security Establishment.