- Roadmap for the migration to post-quantum cryptography for the Government of Canada (ITSM.40.001) by Canadian Centre for Cyber Security on June 24, 2025 at 6:55 pm
<article data-history-node-id="6471" about="/en/guidance/roadmap-migration-post-quantum-cryptography-government-canada-itsm40001" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>June 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.40.001</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>June 2025 | Management series</strong></p> </div> <!--pdf download--> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.40.001-e.pdf">Roadmap for the migration to post-quantum cryptography for the Government of Canada – ITSM.40.001 (PDF, 634 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:cryptography-cryptographie@cyber.gc.ca">cryptography-cryptographie@cyber.gc.ca</a> | <span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>-</span>833<span>-</span>CYBER<span>-</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on June 23, 2025.</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: June 23, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#0">Overview</a></li> <li><a href="#1">1 Introduction</a></li> <li><a href="#2">2 Stakeholders and planning</a></li> <li><a href="#3">3 Execution phases</a> <ul><li><a href="#3.1">3.1 Preparation</a> <ul><li><a href="#3.1.1">3.1.1 Roles and responsibilities</a></li> <li><a href="#3.1.2">3.1.2 Financial planning</a></li> <li><a href="#3.1.3">3.1.3 Education strategy</a></li> <li><a href="#3.1.4">3.1.4 Procurement policies</a></li> <li><a href="#3.1.5">3.1.5 Plan approaches for identification</a></li> </ul></li> <li><a href="#3.2">3.2 Identification</a></li> <li><a href="#3.3">3.3 Transition</a></li> </ul></li> <li><a href="#4">4 Milestones and deliverables</a></li> <li><a href="#5">5 Governance and coordination</a> <ul><li><a href="#5.1">5.1 Relevant Government of Canada governance bodies</a></li> <li><a href="#5.2">5.2 Reporting on progress</a></li> <li><a href="#5.3">5.3 Additional resources and support</a></li> </ul></li> </ul></details></section><section><h2 class="text-info" id="0">Overview</h2> <p>Every organization managing information technology (IT) systems must migrate cyber security components to become quantum-safe. 
This will help protect against the cryptographic threat of a future quantum computer. The Cyber Centre recommends the adoption of standardized post-quantum cryptography (PQC) to mitigate this threat.</p> <p>This publication outlines the Cyber Centre’s recommended roadmap for the Government of Canada (GC) to migrate non-classified <abbr title="information technology">IT</abbr> systems<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> to use <abbr title="post-quantum cryptography">PQC</abbr>, including milestones, deliverables, and guidance for departmental planning and execution.</p> <p>Milestones and deliverables for federal departments and agencies are as follows:</p> <ul><li>April 2026: Develop an initial departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> <li>Beginning April 2026 and annually after: Report on <abbr title="post-quantum cryptography">PQC</abbr> migration progress</li> <li>End of 2031: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of high priority systems</li> <li>End of 2035: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of remaining systems</li> </ul></section><section><h2 class="text-info" id="1">1 Introduction</h2> <p>The Cyber Centre recommends organizations managing <abbr title="information technology">IT</abbr> systems migrate to use <abbr title="post-quantum cryptography">PQC</abbr> in order to replace public-key cryptography vulnerable to a future quantum computer<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup>. 
All instances of public-key cryptography must be migrated to secure <abbr title="Government of Canada">GC</abbr> <abbr title="information technology">IT</abbr> systems and Canadians’ data against this threat.</p> <p>The United States’ National Institute of Standards and Technology (NIST) has worked globally with cryptographic experts to standardize <abbr title="post-quantum cryptography">PQC</abbr> algorithms that can replace existing vulnerable public-key cryptography. Cyber Centre recommendations for <abbr title="post-quantum cryptography">PQC</abbr> algorithms are provided in <a href="https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP 40.111)</a>. As standards for network security protocols support <abbr title="post-quantum cryptography">PQC</abbr> algorithms, the Cyber Centre will update the <a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a> publication. Vendors are incorporating <abbr title="post-quantum cryptography">PQC</abbr> in their products to rapidly meet the needs of government and industry.</p> <p>The <abbr title="post-quantum cryptography">PQC</abbr> migration within the <abbr title="Government of Canada">GC</abbr> will require significant commitment and take several years. The Cyber Centre is working with Treasury Board of Canada Secretariat (TBS) and Shared Services Canada (SSC) to prepare necessary updates to <abbr title="Government of Canada">GC</abbr> guidance, support and policy. Departments will need to clearly understand their cryptography usage. <abbr title="information technology">IT</abbr> infrastructure, both hardware and software, and data will need to be analyzed across the entire enterprise. 
Starting the <abbr title="post-quantum cryptography">PQC</abbr> migration early is important to leverage existing <abbr title="information technology">IT</abbr> lifecycle budgets as much as possible.</p> <p>This publication is the Cyber Centre’s recommended roadmap for the migration of non-classified <abbr title="information technology">IT</abbr> systems within the <abbr title="Government of Canada">GC</abbr> to use <abbr title="post-quantum cryptography">PQC</abbr>. It outlines the stakeholders, execution phases, milestones and governance involved in this <abbr title="Government of Canada">GC</abbr>-wide cyber security activity. The intention is to provide key activities and timelines that will assist in coordination of departmental planning activities for migrating to <abbr title="post-quantum cryptography">PQC</abbr> across the <abbr title="Government of Canada">GC</abbr>. It is aimed at directors and managers of <abbr title="information technology">IT</abbr> systems in federal departments and agencies and decision makers accountable for the migration to <abbr title="post-quantum cryptography">PQC</abbr>.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="2">2 Stakeholders and planning</h2> <p>The Cyber Centre is the lead technical authority for information technology (IT) security in the <abbr title="Government of Canada">GC</abbr><sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup>. 
As part of Canada’s cryptologic agency, the Communications Security Establishment Canada, the Cyber Centre:</p> <ul><li>promotes awareness of the quantum computing threat to cryptography to <abbr title="Government of Canada">GC</abbr> departments</li> <li>provides guidance on cryptographic recommendations, such as the use of <abbr title="post-quantum cryptography">PQC</abbr></li> <li>provides recommendations on incorporating cryptography into a strong cyber security posture</li> </ul><p>The Cyber Centre will continue to provide relevant advice and guidance to support <abbr title="Government of Canada">GC</abbr> departments and agencies in the migration to <abbr title="post-quantum cryptography">PQC</abbr>.</p> <p><abbr title="Treasury Board of Canada Secretariat">TBS</abbr> is responsible for establishing and overseeing a whole-of-government approach to security management, including cyber security, through policy leadership, strategic direction, and oversight. In May 2024, <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> published the <a href="https://www.canada.ca/en/government/system/digital-government/online-security-privacy/enterprise-cyber-security-strategy.html">Government of Canada’s Enterprise Cyber Security Strategy</a> identifying a key action to transition <abbr title="Government of Canada">GC</abbr> systems to use standardized <abbr title="post-quantum cryptography">PQC</abbr> to protect <abbr title="Government of Canada">GC</abbr> information and assets from the quantum threat. 
<abbr title="Treasury Board of Canada Secretariat">TBS</abbr> will issue the necessary policy instruments to require responsible officials to establish a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan as well as report on progress under existing departmental reporting processes.</p> <p><abbr title="Shared Services Canada">SSC</abbr> manages <abbr title="information technology">IT</abbr> infrastructure and services on behalf of many of the departments and agencies across the <abbr title="Government of Canada">GC</abbr>. Due to its critical role in modernizing <abbr title="Government of Canada">GC</abbr> systems, <abbr title="Shared Services Canada">SSC</abbr> is already engaged in developing a plan for the migration to <abbr title="post-quantum cryptography">PQC</abbr> and is working directly with the Cyber Centre and <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> to advise on the feasibility of implementation.</p> <p>Federal departments and agencies in the <abbr title="Government of Canada">GC</abbr> are accountable for managing cyber security risks in their program areas. Departments and agencies will be responsible for maintaining software hosted on <abbr title="Shared Services Canada">SSC</abbr>-managed <abbr title="information technology">IT</abbr> infrastructure, and any <abbr title="information technology">IT</abbr> infrastructure that is managed separately from <abbr title="Shared Services Canada">SSC</abbr>, including contracted cloud services. Departments and agencies will be required to develop a tailored departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan that covers the migration of systems for which they are responsible to use <abbr title="post-quantum cryptography">PQC</abbr>. Departments and agencies will be responsible for executing that plan, as well as tracking and reporting on progress. 
This publication contains the initial considerations that can be used to develop a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan, but additional guidance and support will be provided by <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr> and the Cyber Centre.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="3">3 Execution phases</h2> <p>This roadmap outlines 3 recommended phases to implement the <abbr title="post-quantum cryptography">PQC</abbr> migration. These phases will likely overlap.</p> <h3 id="3.1">3.1 Preparation</h3> <p>During the preparation phase, departments and agencies will be responsible for developing a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan to migrate systems for which they are responsible to use <abbr title="post-quantum cryptography">PQC</abbr>. To develop this plan, we recommend establishing a committee and identifying a dedicated migration lead. The committee should consist of stakeholders throughout the organization and should include at least one member from senior management to ensure executive buy-in and support. In addition to technical areas responsible for managing <abbr title="information technology">IT</abbr> systems, we recommend the inclusion of stakeholders from non-technical areas such as finance, project management, procurement and asset management.</p> <p>The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan needs to be continually revised and expanded upon during the execution of the subsequent phases. 
The initial version of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan should establish the individuals responsible for the following:</p> <ul><li>execution of the plan</li> <li>financial planning</li> <li>education strategy to inform staff on the quantum threat and the progress of this migration within the organization</li> <li>procurement policies for new equipment</li> <li>approaches for the identification of vulnerable systems to build an inventory for transition</li> </ul><h4 id="3.1.1">3.1.1 Roles and responsibilities</h4> <p>The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must identify individuals responsible for various tasks in the execution of the plan. Ultimately, the Designated Official for Cyber Security (DOCS) is accountable for mitigating the quantum risk to cyber security. We recommend the <abbr title="Designated Official for Cyber Security">DOCS</abbr>, or a delegated executive official, be assigned the role of <abbr title="post-quantum cryptography">PQC</abbr> Migration Executive Lead to provide:</p> <ul><li>oversight</li> <li>accountability</li> <li>executive support for the execution of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> </ul><p>The coordination and cross-departmental engagement may be performed by a <abbr title="post-quantum cryptography">PQC</abbr> Migration Technical Lead. The Technical Lead would be responsible for facilitating coordination across the organization which may include service delivery, network management and <abbr title="information technology">IT</abbr> procurement, as well as other areas pertinent to the migration. 
The committee established to develop the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan may be repurposed for managing the execution of the plan.</p> <h4 id="3.1.2">3.1.2 Financial planning</h4> <p>Departments and agencies should expect that many existing <abbr title="information technology">IT</abbr> systems may need to be replaced, or new service contracts put into place to support <abbr title="post-quantum cryptography">PQC</abbr>. The execution of the <abbr title="post-quantum cryptography">PQC</abbr> migration will have staffing impacts that may require new hiring, external contractors, or the realignment of roles that could affect other projects or work activities. The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must have a cost estimate that includes resource allocation to complete the execution. The initial version of the plan will not be comprehensive in its cost estimation, but the financial estimates can be refined as the identification and transition phases proceed.</p> <p>The costs associated with this <abbr title="post-quantum cryptography">PQC</abbr> migration may be reduced by utilizing existing IT equipment lifecycles and system modernization plans. To do so, it is critical to perform the initial phases of this plan quickly to identify where these cost efficiencies can be leveraged. Delays resulting in rushed procurement will increase costs.</p> <h4 id="3.1.3">3.1.3 Education strategy</h4> <p>It is important that staff across the organization are aware of the quantum threat and the impact it may have on the systems they use or are responsible for. The <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> GCxchange platform will be leveraged to share artifacts with departments and agencies, including material produced by the Cyber Centre, such as presentations and publications for a variety of audiences. 
The Cyber Centre’s Learning Hub will provide course material to educate on the quantum threat to cryptography. Senior executives must be briefed to be aware of the impact the migration to <abbr title="post-quantum cryptography">PQC</abbr> will have on their operations.</p> <p>As the <abbr title="post-quantum cryptography">PQC</abbr> migration progresses, it’s important to keep senior executives informed of developments and progress, including any emerging challenges or roadblocks that teams may face.</p> <h4 id="3.1.4">3.1.4 Procurement policies</h4> <p>To maximize the lifetime of new systems, departments and agencies should ensure new procurements have requirements that support <abbr title="post-quantum cryptography">PQC</abbr>. The Cyber Centre strongly recommends that systems employ established cyber security standards. Following standards provides assurance of independent security review and promotes interoperability to avoid vendor lock-in. Some cyber security standards are still being revised to support <abbr title="post-quantum cryptography">PQC</abbr>. The Cyber Centre is updating Guidance for securely configuring network protocols (ITSP.40.062) as <abbr title="post-quantum cryptography">PQC</abbr> support is finalized in standards. It is expected that support for <abbr title="post-quantum cryptography">PQC</abbr> may not be currently available in some product categories.</p> <p>The Cyber Centre has recommended contract clauses for systems containing cryptographic modules. These are available upon request and will be made more widely available. 
In general, departments and agencies should consider the following best practices for procurements:</p> <ul><li>contracts have clauses to ensure that the vendor will include support for <abbr title="post-quantum cryptography">PQC</abbr> that is compliant with Cyber Centre recommendations in Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</li> <li>cryptographic modules have been certified by the <a href="https://www.cyber.gc.ca/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program</a></li> <li>support for <a href="https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">cryptographic agility</a> to allow for future configuration changes</li> </ul><p>The earlier <abbr title="post-quantum cryptography">PQC</abbr> is included in procurement clauses, the lower the costs departments will face during the migration.</p> <h4 id="3.1.5">3.1.5 Plan approaches for identification</h4> <p>The next phase in this roadmap is the identification of where cryptography is used in <abbr title="information technology">IT</abbr> systems. Sometimes called cryptographic discovery, this identification is necessary to create an inventory of systems that need to be transitioned. The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must include the approaches that will be undertaken to identify systems and build this inventory. More detail on identification is provided in the next section.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h3 id="3.2">3.2 Identification</h3> <p>Identifying where and how cryptography is used is a critical step in the process to migrate to <abbr title="post-quantum cryptography">PQC</abbr>. 
Systems using cryptography will include:</p> <ul><li>network services</li> <li>operating systems</li> <li>applications</li> <li>code development pipelines</li> <li>all physical <abbr title="information technology">IT</abbr> assets, such as <ul><li>server racks</li> <li>desktops</li> <li>laptops</li> <li>mobile telephones</li> <li>network appliances</li> <li>printers</li> <li>voice over Internet Protocol telephony</li> <li>hardware security modules</li> <li>smart cards</li> <li>hardware tokens</li> </ul></li> </ul><p>These may be hosted on premises, within contracted <abbr title="information technology">IT</abbr> platforms or at a cloud service provider, or be in employee possession. The scope is wide, thus making identification a challenging task.</p> <p>The information gathered in this phase will be used to create an inventory that should include the following information per system:</p> <ul><li>system components employing cryptography</li> <li>vendor and product version for each of the components</li> <li>security controls that rely upon the identified cryptography<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup></li> <li>applicable network security zones</li> <li>current cryptographic configurations</li> <li>hosting platform</li> <li>system dependencies</li> <li>relevant service contracts and expiry dates</li> <li>expected refresh year for the system or its components</li> <li>responsible departmental point of contact</li> <li>if the system should be prioritized for migration</li> </ul><p>Other technical information may be relevant to include in the inventory. The Cyber Centre will provide additional guidance to departments as experience grows within the <abbr title="Government of Canada">GC</abbr>.</p> <p>Departments must identify systems that are a high priority for migrating to <abbr title="post-quantum cryptography">PQC</abbr>. 
Systems protecting the confidentiality of information in transit over public network zones<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup> may be at risk earlier than expected due to the harvest now, decrypt later (HNDL) threat. An <abbr title="harvest now, decrypt later">HNDL</abbr> threat is when a threat actor intercepts encrypted information, stores it and then decrypts it in the future, when sufficiently powerful quantum computers exist. It is recommended that any systems susceptible to an <abbr title="harvest now, decrypt later">HNDL</abbr> threat be a high priority for migrating to <abbr title="post-quantum cryptography">PQC</abbr>. Other considerations include the information lifespan, support for cryptographic agility, and the impact of compromise. It may be valuable to complete a risk assessment for the quantum threat to ensure that systems are properly prioritized.</p> <p>Discovery of systems containing vulnerable cryptography should utilize multiple methodologies. Leveraging existing <abbr title="information technology">IT</abbr> service management (ITSM) processes within the organization may be an efficient way to produce an initial departmental inventory. Lifecycle and change management committees should have much of the information needed for an inventory system entry. However, in practice, ITSM maturity may vary across departments.</p> <p>Software tools and services will be necessary to complete cryptographic discovery. This may leverage existing cyber security services, such as security information and event management (SIEM) solutions, network monitoring and inspection, and endpoint detection and response (EDR) technologies. These services may require configuration changes, third-party plugins, or additional filters to identify the use of cryptography. Independent tools for cryptography discovery will employ technology for scanning networks, hosts, log files, or source code. 
The <a href="https://www.cse-cst.gc.ca/en/accountability/transparency/reports/communications-security-establishment-annual-report-2023-2024#9-1-1">Cyber Centre’s sensors program</a> is a tool expected to assist departments in identification. Additional guidance on cryptographic discovery tools and services will be provided to departments by the <abbr title="information technology">IT</abbr> Security Tripartite, which includes <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr>, and the Cyber Centre.</p> <p>Departments should not be overwhelmed by the goal of complete discovery: begin with an initial, incomplete inventory and define actions to iteratively improve the data.</p> <p>During the identification phase, departments should use the inventory to engage relevant <abbr title="information technology">IT</abbr> vendors and contractors to determine their plans to implement <abbr title="post-quantum cryptography">PQC</abbr> in their products and services. Understanding which system components will be eligible for upgrades versus replacement will assist in the next phase of developing a transition plan.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h3 id="3.3">3.3 Transition</h3> <p>The transition phase leverages the inventory created in the identification phase to plan and execute system upgrades, replacement, tunnelling, and/or isolation.</p> <p>In addition to the inventory data, the plan must consider departmental resources for identifying and assessing solutions, performing necessary procurements, testing, and deployment. 
The plan for each system will typically require multiple stages and should be integrated with existing <abbr title="information technology">IT</abbr> change management processes to ensure proper preparation including:</p> <ul><li>an impact assessment</li> <li>a rollback playbook</li> <li>a staging environment for testing changes</li> <li>monitoring to validate successful operation post-transition</li> </ul><p>For each system, technical teams must identify and assess solutions to incorporate <abbr title="post-quantum cryptography">PQC</abbr> or otherwise mitigate the quantum threat. The availability of <abbr title="post-quantum cryptography">PQC</abbr>-capable products may be limited in the early stages, but vendors are rapidly adopting <abbr title="post-quantum cryptography">PQC</abbr> as updates to protocol standards are completed. Solutions should meet all the procurement requirements established in the Preparation phase (<a href="#3.1.4">Procurement policies 3.1.4</a>).</p> <p>Many systems will need to maintain backwards compatibility to allow for continued operation with non-transitioned systems for a period of time. The first stage for a system transition may be to support the use of <abbr title="post-quantum cryptography">PQC</abbr>, followed by a second stage to disable the vulnerable, legacy cryptography.</p> <p>It may not be feasible to transition some legacy systems to use <abbr title="post-quantum cryptography">PQC</abbr> without a full system replacement. To meet migration milestones, it may be necessary to isolate such systems on the network or to tunnel traffic within a <abbr title="post-quantum cryptography">PQC</abbr>-protected encapsulation layer. 
Such decisions should be made during the transition phase planning.</p> <p>Early versions of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan may offer limited detail on the transition phase; however, this section should be expanded as identification efforts progress.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="4">4 Milestones and deliverables</h2> <p>Milestones and deliverables for federal departments and agencies are as follows:</p> <ul><li>April 2026: Develop an initial departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> <li>Beginning April 2026 and annually after: Report on <abbr title="post-quantum cryptography">PQC</abbr> migration progress</li> <li>End of 2031: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of high priority systems</li> <li>End of 2035: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of remaining systems</li> </ul><p>These milestones for the completion of migrations imply that quantum-vulnerable algorithms are disabled, isolated or tunnelled. That is, rather than just supporting <abbr title="post-quantum cryptography">PQC</abbr>, the quantum risk has been mitigated. 
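</p>
<p>The inventory fields in section 3.2, the staged transition in section 3.3 and the definition of a completed migration just above together describe a small data model with a few rules over it. The following Python is an added illustration of that model written for this page; it is not code or tooling from the Cyber Centre, TBS or SSC. The field names, the stage and zone values, the ten-year lifespan threshold used for non-HNDL prioritization and the four sample systems are assumptions constructed for the example; the inventory fields and the two rules (HNDL exposure is always high priority; a system counts as migrated only once legacy algorithms are disabled, isolated or tunnelled) follow the roadmap text.</p>

```python
"""PQC migration inventory: prioritization and milestone progress.

Added illustration only; not tooling from the Cyber Centre, TBS or SSC.
Field names, enum values, the lifespan threshold and the sample systems are
constructed assumptions; the inventory fields and the rules mirror
ITSM.40.001 sections 3.2, 3.3 and 4.
"""
from __future__ import annotations

from dataclasses import dataclass, fields
from enum import Enum


class Zone(Enum):
    PUBLIC = "public"          # traffic crosses a public network zone
    RESTRICTED = "restricted"  # internal or restricted zones only


class Stage(Enum):
    NOT_STARTED = "not started"
    PQC_SUPPORTED = "pqc supported"      # stage 1: PQC enabled, legacy still accepted
    LEGACY_DISABLED = "legacy disabled"  # stage 2: quantum-vulnerable algorithms off
    ISOLATED = "isolated"                # legacy system isolated on the network
    TUNNELLED = "tunnelled"              # legacy traffic inside a PQC-protected tunnel


@dataclass
class InventoryEntry:
    """One inventory record; the fields follow the list in section 3.2."""
    system: str
    component: str
    vendor_product_version: str
    security_controls: list[str]
    network_zone: Zone
    crypto_config: str
    hosting: str
    dependencies: list[str]           # empty list while unknown
    contract_expiry: str              # ISO date, or "" while unknown
    refresh_year: int | None          # None while unknown
    point_of_contact: str
    confidentiality_in_transit: bool  # protects confidentiality of data in transit?
    information_lifespan_years: int
    impact_of_compromise: str         # "low", "medium" or "high"
    stage: Stage = Stage.NOT_STARTED


LONG_LIFESPAN_YEARS = 10  # assumed threshold; the roadmap gives no number


def is_high_priority(e: InventoryEntry) -> bool:
    """HNDL exposure (confidentiality in transit over a public zone) is always
    high priority; otherwise long-lived, high-impact information is."""
    if e.confidentiality_in_transit and e.network_zone is Zone.PUBLIC:
        return True
    return (e.information_lifespan_years >= LONG_LIFESPAN_YEARS
            and e.impact_of_compromise == "high")


def is_migrated(e: InventoryEntry) -> bool:
    """Section 4: complete only when vulnerable algorithms are disabled,
    isolated or tunnelled; merely supporting PQC does not count."""
    return e.stage in (Stage.LEGACY_DISABLED, Stage.ISOLATED, Stage.TUNNELLED)


def unknown_fields(e: InventoryEntry) -> list[str]:
    """Names of fields still unknown or empty, so an incomplete entry can be
    recorded now and improved iteratively."""
    return [f.name for f in fields(e) if getattr(e, f.name) in ("", None, [])]


def progress_report(entries: list[InventoryEntry]) -> dict:
    """Counts suitable for the annual progress report, split by priority."""
    high = [e for e in entries if is_high_priority(e)]
    rest = [e for e in entries if not is_high_priority(e)]
    return {
        "high_priority_total": len(high),
        "high_priority_migrated": sum(is_migrated(e) for e in high),
        "remaining_total": len(rest),
        "remaining_migrated": sum(is_migrated(e) for e in rest),
        # stage-1 systems: PQC on, legacy still accepted, so not yet migrated
        "pqc_supported_not_migrated": [e.system for e in entries
                                       if e.stage is Stage.PQC_SUPPORTED],
        "entries_with_unknown_fields": [e.system for e in entries if unknown_fields(e)],
    }


# Constructed sample inventory (not real GC systems or products).
SAMPLE_INVENTORY = [
    InventoryEntry("Citizen portal VPN gateway", "remote access concentrator",
                   "ExampleVendor VPN 9.2", ["confidentiality in transit"],
                   Zone.PUBLIC, "IKEv2 hybrid: ECDH P-256 plus ML-KEM-768", "on-premises",
                   ["PKI"], "2027-03-31", 2027, "network ops",
                   True, 3, "high", Stage.PQC_SUPPORTED),
    InventoryEntry("HR records database", "TLS listener",
                   "ExampleDB 14", ["confidentiality at rest", "confidentiality in transit"],
                   Zone.RESTRICTED, "TLS 1.3, ML-KEM-768 only", "SSC data centre",
                   ["directory"], "2029-01-01", 2029, "HR systems",
                   True, 25, "high", Stage.LEGACY_DISABLED),
    InventoryEntry("Printer fleet", "IPP over TLS",
                   "ExamplePrint 5", ["integrity in transit"],
                   Zone.RESTRICTED, "TLS 1.2, RSA-2048", "on-premises",
                   [], "", None, "facilities",
                   False, 1, "low", Stage.TUNNELLED),
    InventoryEntry("Build pipeline signing", "code signing service",
                   "ExampleCI 3.1", ["software integrity"],
                   Zone.RESTRICTED, "RSA-3072 signatures", "cloud (contracted)",
                   ["HSM"], "2026-12-31", 2028, "dev platform",
                   False, 5, "high", Stage.NOT_STARTED),
]


if __name__ == "__main__":
    for key, value in progress_report(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

<p>The report keeps the distinction the roadmap draws: a system in stage 1 (PQC enabled, legacy still accepted for backwards compatibility) is listed separately rather than counted towards the 2031 or 2035 milestones, and entries with unknown fields are flagged so the inventory can be improved iteratively instead of waiting for complete discovery.</p>
<p>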
It will be critical for departments and agencies to create, revise and follow their departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan to migrate systems as early as possible to meet the milestone dates.</p> <p>More information on expectations for reporting progress is given in the next section.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="5">5 Governance and coordination</h2> <h3 id="5.1">5.1 Relevant Government of Canada governance bodies</h3> <p>Departments and agencies are accountable for managing cyber security risks in their program areas. However, <abbr title="Government of Canada">GC</abbr>-wide initiatives, such as this migration to <abbr title="post-quantum cryptography">PQC</abbr>, require a whole-of-government approach managed at the enterprise level in accordance with accountabilities outlined under the <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> policy instruments.</p> <p>The <abbr title="information technology">IT</abbr> Security Tripartite consists of the <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr>, and the Cyber Centre. The tripartite is a centralized body that provides advice, guidance, oversight, and direction on <abbr title="Government of Canada">GC</abbr>-wide cyber security initiatives such as the <abbr title="Government of Canada">GC</abbr> migration to <abbr title="post-quantum cryptography">PQC</abbr>. 
The tripartite supports departments and agencies under <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> authorities.</p> <p>The <abbr title="Government of Canada">GC</abbr> Enterprise Architecture Review Board (<abbr title="Government of Canada">GC</abbr> EARB) provides a governance mechanism to assess if proposed enterprise systems are aligned to the <abbr title="Government of Canada">GC</abbr> Enterprise Architecture Framework. The framework ensures business, information, application, technology, security, and privacy architecture domains meet the <a href="https://www.canada.ca/en/government/system/digital-government/policies-standards/service-digital-target-enterprise-architecture-white-paper.html">Service and Digital Target Enterprise Architecture</a>. Cyber security requirements, such as compliance to the Cyber Centre’s cryptographic recommendations, are part of the <abbr title="Government of Canada">GC</abbr> Target Enterprise Architecture which is aligned with overall <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> strategic direction and <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> policy instruments.</p> <p>The <abbr title="Government of Canada">GC</abbr> has interdepartmental Quantum Science and Technology (S&T) Coordination Committees at senior executive levels to synchronise efforts and maintain Canada’s leadership in quantum S&T. 
These committees oversee the federal government’s actions supporting <a href="https://ised-isde.canada.ca/site/national-quantum-strategy/en/canadas-national-quantum-strategy">Canada’s National Quantum Strategy</a> (NQS), including the <abbr title="National Quantum Strategy">NQS</abbr> roadmap on quantum communication and post-quantum cryptography.</p> <h3 id="5.2">5.2 Reporting on progress</h3> <p>Monitoring the progress of the <abbr title="Government of Canada">GC</abbr> migration to <abbr title="post-quantum cryptography">PQC</abbr> is essential for effective activity oversight and governance. This ensures accountability and the completion of milestones. <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> oversees compliance to its policy instruments in accordance with the Treasury Board <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=17151">Framework for Management of Compliance</a>. It also tracks progress on the departmental plan on service and digital which includes cyber security, as required under the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32603">Policy on Service and Digital</a>. Reporting on departmental progress and on the activities needed to complete the migration to <abbr title="post-quantum cryptography">PQC</abbr> will be requested and collected by <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> as part of the annual submissions for the departmental plan on service and digital.</p> <h3 id="5.3">5.3 Additional resources and support</h3> <p>The <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> GCxchange platform will be leveraged to share artifacts with federal departments and agencies to assist in the migration to <abbr title="post-quantum cryptography">PQC</abbr>. 
The Cyber Centre will continue to publish guidance and recommendations for organizations on the <a href="https://cyber.gc.ca/">Cyber Centre website</a>.</p> <p>Please use the Cyber Centre contact information at the top of this page to request more information on the quantum threat, <abbr title="post-quantum cryptography">PQC</abbr>, or this roadmap.</p> </section><!--FOOTNOTE SECTION EN--><aside class="wb-fnote" role="note"><h2 id="reference">References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>Non-classified <abbr title="information technology">IT</abbr> systems are those that do not contain, transfer, or otherwise handle classified information. In the Government of Canada, non-classified systems manage UNCLASSIFIED, PROTECTED A, and PROTECTED B information. For classified systems and systems handling PROTECTED C information, departments must contact the Cyber Centre to obtain advice on migrating commercial equipment.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>For more information on the quantum computing threat to cryptography, read the publication <a href="https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a>.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p><a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=16578">Treasury Board Secretariat of Canada’s Policy on Government Security</a></p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p><a href="https://www.cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33"><abbr title="information technology">IT</abbr> security risk management (ITSG-33): Annex 3A – Security control catalogue</a></p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p><a href="https://www.cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Baseline security requirements for network security zones (ITSP.80.022)</a></p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>
- Cyber threat bulletin: People’s Republic of China cyber threat activity: PRC cyber actors target telecommunications companies as part of a global cyberespionage campaign by Canadian Centre for Cyber Security on June 19, 2025 at 8:06 pm
The Canadian Centre for Cyber Security (Cyber Centre) and the United States’ Federal Bureau of Investigation (FBI) are warning Canadians of the threat posed by the People’s Republic of China (PRC)
- Cyber Centre advice on securing operational technology systems by Canadian Centre for Cyber Security on June 18, 2025 at 1:22 pm
<article data-history-node-id="6456" about="/en/news-events/cyber-centre-advice-securing-operational-technology-systems" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) is warning Canadian organizations to defend their operational technology (OT) and industrial control systems (ICS) from malicious cyber actors.</p> <p>The Cyber Centre is aware of ongoing attempts by non-state malicious cyber actors to discover and compromise poorly secured, internet-connected <abbr title="operational technology">OT</abbr> and <abbr title="industrial control systems">ICS</abbr> that provide critical services to Canadians. The motivations of malicious actors vary, including geopolitical reasons, financial gain, notoriety or a combination.</p> <p>Once they have compromised a system, these actors attempt to change device configurations and manipulate system settings. This can affect physical processes such as changing pressurization or disabling alarms and safety controls.</p> <p>This activity demonstrates reckless intent and complete disregard for real-world harm with the potential to impact the health and safety of Canadians. 
The Cyber Centre calls on all Canadian organizations that operate <abbr title="operational technology">OT</abbr> and <abbr title="industrial control systems">ICS</abbr> to protect their systems.</p> <p>Recent guidance from the United States’ Cybersecurity and Infrastructure Security Agency (CISA) addresses cyber threats to <abbr title="operational technology">OT</abbr> systems. The Cyber Centre strongly recommends critical infrastructure providers take the recommended steps to defend their <abbr title="operational technology">OT</abbr> assets:</p> <ul><li>Remove <abbr title="operational technology">OT</abbr> connections to the internet</li> <li>Change default passwords immediately</li> <li>Secure remote access to <abbr title="operational technology">OT</abbr> networks</li> <li>Segment <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> networks</li> <li>Practice and maintain the ability to operate <abbr title="operational technology">OT</abbr> systems manually</li> </ul><p>Read the full factsheet: <a href="https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology">Primary Mitigations to Reduce Cyber Threats to Operational Technology</a>.</p> <p>We encourage any Canadian organizations that believe they may have been targeted by cyber threat activity to contact the Cyber Centre by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> or by phone at <a href="tel:+18332923788">1-833-CYBER-88</a>.</p> <p>For more information, consult the following Cyber Centre guidance: <a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a> and <a href="https://www.cyber.gc.ca/en/cyber-security-readiness">Cyber Security Readiness</a>.</p> </div> </div> </div> </div> </div> </article>
- Chairs’ statement on G7 Cybersecurity Working Group meeting by Canadian Centre for Cyber Security on June 11, 2025 at 5:16 pm
<article data-history-node-id="6423" about="/en/news-events/chairs-statement-g7-cybersecurity-working-group-meeting" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>Canada, under the leadership of the Communications Security Establishment Canada (CSE) and Public Safety Canada, hosted the G7 Cybersecurity Working Group (Working Group) from May 12 to 13, 2025, in Ottawa, to discuss shared issues on cyber security and emerging technology.</p> <p>The Working Group was established in 2024 under Italy’s G7 leadership and is composed of the principals in national cyber security agencies or roles across the G7. 
The Working Group acts as a cyber security community of practice for the G7, and is built on shared values, shared interests and a shared vision for the future of cyberspace.</p> <p>The speed, scale and intensity of current challenges in cyberspace are unparalleled, and coordinated efforts among G7 like-minded nations are needed to meet these challenges, namely through the following objectives:</p> <ul><li>Enhancing cooperation on cyber security, through the exchange of views and information, sharing threat analysis and advancing strategies to address current and emerging challenges, including security for <abbr title="artificial intelligence">AI</abbr> and <abbr title="artificial intelligence">AI</abbr> for cyber security.</li> <li>Promoting dialogue on guidelines, standards and approaches that contribute to shaping the best practices for cyber security nationally and internationally.</li> <li>Fostering long-term resilience for new and emerging technologies that have an impact on cyber security such as quantum computing.</li> </ul><p>During the in-person Working Group meeting in Ottawa, representatives met to discuss a series of workstreams on which the group has agreed to collaborate during Canada’s 2025 G7 presidency. This included:</p> <ul><li>Reflecting the shared vision of the group through the preparation and group endorsement of a <a href="https://www.acn.gov.it/portale/en/w/una-visione-condivisa-del-g7-sull-inventario-dei-software-dell-ia">“Food for Thought” paper on a Software Bill of Materials for Artificial Intelligence (SBOM for AI)</a>. 
The paper reflects a mutual recognition of the fast-paced nature of this space and the need to consider similar initiatives underway in other fora to avoid duplication.</li> <li>Agreeing to advance an <a href="https://www.nisc.go.jp/news/20250613.html">initiative to address the cyber security of Internet of Things (IoT) products (Japanese and English only)</a>, taking into account both the technical and non-technical nature of cyber threats.</li> <li>Renewing a commitment to advocate for a well-planned transition to Post-Quantum Cryptography and to further explore joint technical cyber advisories to leverage the Working Group’s collective voices on cyber security matters.</li> <li>Agreeing to exchange ideas and lessons learned from policy levers for incentivising cyber security.</li> <li>Discussing the need to protect our respective critical infrastructure and improve the collective cyber resilience of essential services and systems. This work is vital to serving citizens, maintaining economic stability and national security. Through these discussions on safeguarding critical infrastructure, the Working Group seeks to mitigate risks, minimize disruptions, and enhance our ability to respond to and recover from cyber threats.</li> <li>Sharing ideas and best practices to build up the cyber security skill set, foster public-private partnerships, and continue to promote secure-by-design principles in various engagements. Developing these skills and engaging in collaboration are crucial to respond effectively to evolving threats, ensuring resilience, and fostering innovation. 
Further, adopting secure-by-design practices will reduce the attack surface and enhance overall cyber resilience.</li> </ul><p>The Working Group plans to continue these efforts throughout the rest of the Canadian G7 presidency in 2025, including having a second meeting in fall 2025 to review progress and finalize the work prior to transitioning the presidency of the Working Group to France for 2026.</p> <p>Sami Khoury, Principal and Co-Chair<br /> G7 Cybersecurity Working Group<br /> Communications Security Establishment Canada</p> <p>Colin MacSween, Co-Chair<br /> G7 Cybersecurity Working Group<br /> Public Safety Canada</p> </div> </div> </div> </div> </div> </article>
- Executive summary and joint guidance on security information and event management and security orchestration, automation and response by Canadian Centre for Cyber Security on May 27, 2025 at 6:47 pm
<article data-history-node-id="6366" about="/en/news-events/executive-summary-joint-guidance-security-information-event-management-security-orchestration-automation-response" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) and the following international partners in releasing updated cyber security guidance on security information and event management (SIEM) and security orchestration, automation and response (SOAR):</p> <ul><li>Czech Republic’s National Cyber and Information Security Agency (NÚKIB)</li> <li>Japan’s National Center of Incident Readiness and Strategy for Cyber Security (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC)</li> <li>New Zealand’s National Cyber Security Centre (NCSC-NZ)</li> <li>Republic of Korea’s National Intelligence Service (NIS)</li> <li>Singapore’s Cyber Security Agency (CSA)</li> <li>United Kingdom’s National Cyber Security Centre (NCSC-UK)</li> <li>United States’ Federal Bureau of Investigation (FBI)</li> <li>United States’ Cybersecurity and Infrastructure Security Agency (CISA)</li> <li>United States’ National Security Agency (NSA)</li> </ul><p><abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms offer many benefits to organizations. 
Both platforms can enhance an organization’s ability to detect and respond to cyber security risks by collating, analyzing and automating some aspects of an organization’s work. To function effectively, <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms rely on proper deployment and maintenance over time.</p> <p>This series of guidance includes 3 publications.</p> <h2>Executive guidance: Implementing security information and event management and security orchestration, automation and response platforms</h2> <p>This executive summary provides considerations for organizations that are looking to procure <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms. The executive summary:</p> <ul><li>defines <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms</li> <li>outlines the benefits and challenges associated with using <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms</li> <li>identifies best practices for implementing and maintaining <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms</li> </ul><p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/implementing-siem-and-soar-platforms/implementing-siem-and-soar-platforms-executive-guidance">Executive guidance: Implementing security information and event management and security orchestration, automation and response platforms</a>.</p> <h2>Guidance for practitioners: Implementing security information and 
event management and security orchestration, automation and response platforms and their implementation</h2> <p>This joint guidance provides high-level direction for cyber security practitioners on <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms. Cyber security practitioners in government and other organizations can leverage this guidance to implement <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms.</p> <p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/implementing-siem-and-soar-platforms/implementing-siem-and-soar-platforms-practitioner-guidance">Guidance for practitioners: Implementing security information and event management and security orchestration, automation and response platforms and their implementation</a>.</p> <h2>Guidance for practitioners: Priority logs for security information and event management ingestion</h2> <p>This joint guidance is intended for cyber security practitioners. It provides recommendations for logs that should be prioritized for ingestion by a <abbr title="security information and event management">SIEM</abbr> platform, as well as tips on querying the platform.</p> <p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/implementing-siem-and-soar-platforms/priority-logs-for-siem-ingestion-practitioner-guidance">Guidance for practitioners: Priority logs for security information and event management ingestion</a>.</p> </div> </div> </div> </div> </div> </article>
- Joint advisory on Russian cyber campaign targeting logistics providers and IT companies by Canadian Centre for Cyber Security on May 21, 2025 at 1:00 pm
<article data-history-node-id="6340" about="/en/news-events/joint-advisory-russian-cyber-campaign-targeting-logistics-providers-companies" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ National Security Agency (NSA) and multiple international partners in issuing the following joint advisory.</p> <p>The advisory concerns Russian state-sponsored cyber activity targeting Western logistics providers and <abbr title="information technology">IT</abbr> companies, particularly those involved in delivering foreign assistance to Ukraine.</p> <p>Known targets include government organizations and commercial entities in <abbr title="North Atlantic Treaty Organization">NATO</abbr> member states and Ukraine as well as international organizations. Target sectors include:</p> <ul><li>the defence industry</li> <li>transportation and transportation hubs, such as ports and airports</li> <li>the maritime sector</li> <li>air traffic management</li> <li><abbr title="information technology">IT</abbr> services</li> </ul><p>The espionage-oriented cyber campaign is attributed to a group (military unit 26165) within the Russian General Staff Main Intelligence Directorate (GRU). 
This unit is commonly known to the cyber security community as APT28, Fancy Bear, Forest Blizzard or Blue Delta.</p> <p>The campaign uses a mix of tactics, techniques and procedures (TTPs) previously used by unit 26165, including:</p> <ul><li>password spraying</li> <li>spearphishing</li> <li>modification of Microsoft Exchange mailbox permissions</li> </ul><p>The advisory warns executives and network defenders at logistics providers and technology companies to:</p> <ul><li>be aware of the increased threat</li> <li>adjust their cyber security posture with a presumption of targeting</li> <li>increase monitoring and threat-hunting for the <abbr title="tactics, techniques and procedures">TTPs</abbr> and indicators of compromise listed in this advisory</li> <li>take the recommended mitigation actions</li> </ul><p>Read the full joint advisory: <a href="https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF">Russian <abbr title="General Staff Main Intelligence Directorate">GRU</abbr> Targeting Western Logistics Entities and Technology Companies (PDF)</a>.</p> </div> </div> </div> </div> </div> </article>
- Security considerations for voice-activated digital assistants – ITSAP.70.013 by Canadian Centre for Cyber Security on May 12, 2025 at 12:42 pm
<article data-history-node-id="651" about="/en/guidance/security-considerations-voice-activated-digital-assistants-itsap70013" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.70.013</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2025 | Awareness series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <p>Voice-activated digital assistants are a type of smart device that can control other devices when prompted by a human voice. They can perform a variety of tasks, such as checking the weather, adjusting the thermostat and playing music. Voice-activated digital assistants can connect to the Internet, allowing them to communicate with other smart devices and form a vast network known as the Internet of Things (IoT). 
Although they can be convenient, it is important to consider the cyber security risks associated with voice-activated digital assistants before integrating them into your network.</p> <div class="row"> <h2 class="text-info">On this page</h2> <ul><li><a href="#voice-activated">How voice-activated digital assistants work</a></li> <li><a href="#risks-digital-assistants">Risks associated with digital assistants</a></li> <li><a href="#attack-methods">Attack methods</a></li> <li><a href="#selecting-vendor">Considerations for selecting a vendor</a></li> <li><a href="#securing-digital-assistant">Securing your digital assistant</a></li> <li><a href="#steps-address">Steps to address a compromise</a></li> </ul></div> <div class="row"> <h2 class="text-info" id="voice-activated">How voice-activated digital assistants work</h2> <p>Voice-activated digital assistants come in various forms, such as smart speakers, smartwatches and smartphone applications. These devices respond to human commands through voice recognition technology. They record and listen for commands or trigger words. Once triggered, the device captures the request and searches the Internet for a suitable response or carries out the requested action. These devices also listen and parse conversation for the purposes of targeted marketing.</p> <p>Voice-activated digital assistants use algorithms and machine learning to improve their performance over time. They create user profiles to identify individuals who issue commands, allowing for more personalized interactions. This involves saving voice recognition data and storing information about the resources and smart devices they use to fulfill your requests. For example, digital assistants may retain data such as websites visited and settings for controlling your home appliances or security cameras. 
Although digital assistants can create profiles to recognize voice commands from a particular individual, they will record and respond to any voice command they can interpret.</p> </div> <div class="row"> <h2 class="text-info" id="risks-digital-assistants">Risks associated with digital assistants</h2> <p>Voice-activated digital assistants are high-value targets for cyber threat actors who want to steal sensitive information. The interconnected nature of these devices means that a vulnerability in one digital assistant or a device connected to it can compromise the security of the entire network.</p> <p>Cyber threat actors can take advantage of these vulnerabilities in various ways, including:</p> <ul><li>accessing personal information, such as <ul><li>usernames</li> <li>passwords</li> <li>other sensitive account details</li> </ul></li> <li>learning whether you are at home or away</li> <li>tampering with other connected smart device controls to compromise security and integrity, such as <ul><li>adjusting temperature settings</li> <li>unlocking doors</li> <li>disabling alarms</li> </ul></li> </ul><p>There are also additional risks tied to some of the features of digital assistants.</p> </div> <div class="row"> <h2 class="text-info">Storing voice recognition recordings and transcripts</h2> <p>Devices can retain a voice-to-text transcription when the device sends a recorded voice command to a cloud-based resource. This data could contain confidential information, particularly if the voice service was triggered accidentally. Be aware of vendors’ privacy policies. Vendors often have terms that allow them to retain recordings or transcriptions for quality improvement or to share with partners.</p> </div> <div class="row"> <h2 class="text-info">Eavesdropping on sensitive conversations</h2> <p>Voice commands for activities like controlling lights or changing music have a minimal risk of capturing background conversation. 
However, there are other scenarios where captured background conversations can be risky. For example, connecting a voice assistant to a business platform to dictate the content of your emails could give it access to sensitive conversations. Threat actors can leverage this data to conduct dolphin attacks or make unauthorized purchases. You should turn on confirmation dialogs to minimize the risk of accidental or unauthorized transactions. This will prompt your device to repeat your command and confirm that you want to proceed. Modern devices that have on-device voice recognition can be safer.</p> </div> <div class="row"> <h2 class="text-info" id="attack-methods">Attack methods</h2> <p>Cyber threat actors could target your digital assistant through methods such as a "dolphin" attack or malware.</p> <h3>"Dolphin" attack</h3> <p>A "dolphin" attack broadcasts ultrasonic frequency sounds which are inaudible to the human ear but trigger the recording feature in digital assistants. These high-frequency sounds can be embedded into videos, websites or even physical devices enabling threat actors to target digital assistants within range. By emitting these sounds, threat actors can trigger the digital assistant to initiate actions, such as transferring files, making unauthorized purchases and stealing sensitive data.</p> <h3>Malware</h3> <p>Malware is a common method used by cybercriminals to compromise digital assistants. It infects these devices through disguised applications, malicious attachments and links. Malware is very hard to detect and diagnose on digital assistants. 
Once inside, threat actors can use malware to record your voice and use the recording for other malicious activities, such as bypassing voice recognition authentication on your other devices.</p> </div> </div> </div> <hr /><div class="row"> <h2 class="text-info" id="selecting-vendor">Considerations for selecting a vendor</h2> <p>When selecting a vendor for voice-activated digital assistants, ensure you understand the terms and conditions in your vendor’s end-user licence agreement. Consider the following questions when selecting a vendor:</p> <ul><li>Is there an option for a "tap to activate" mode?</li> <li>Is there an option to turn off the listening function to safeguard private events and conversations?</li> <li>What data is sent to their voice processing service?</li> <li>What information is returned in response to a service or application request?</li> <li>Who has access to raw voice or text data?</li> <li>How is retained data used and for how long?</li> <li>Is the data generated by the device encrypted?</li> <li>Where is data stored?</li> <li>Is data shared with any third parties?</li> </ul><p>Review vendors’ privacy policies and security practices. Research reviews and security ratings to determine whether the vendor’s databases have vulnerabilities or if their storage facilities have been breached. Consider products that offer local data storage options, as opposed to cloud-based storage. Storing data locally on the device can reduce the risk of exposure to cloud-based vulnerabilities and breaches.</p> <h2 class="text-info" id="securing-digital-assistant">Securing your digital assistant</h2> <p>When setting up your device or digital assistant, you should identify what potentially sensitive information it can access via your network. Consider isolating your digital assistant on a separate network, such as a guest network, to protect your main network should a compromise occur. 
You should also consider implementing the following best practices to secure your device.</p> <ul><li>Use a unique, strong password or passphrase for your digital assistant</li> <li>Set a PIN on your digital assistant to prevent unauthorized use of the voice assistant</li> <li>Use multi-factor authentication (MFA) to secure accounts and devices on your network</li> <li>Turn off your digital assistant when discussing personal or sensitive information in its vicinity</li> <li>Verify if your device allows you to turn off active listening features</li> <li>Review the microphone permissions granted to applications on your device</li> <li>Deactivate features that allow the digital assistant to perform security-sensitive operations, such as unlocking doors or controlling cameras</li> <li>Disconnect remote access functions on devices if they are not required</li> <li>Update and patch software and firmware frequently</li> <li>Use a virtual private network (VPN) on the network to which your digital assistant is connected</li> <li>Review permissions on your apps to determine whether or not they require access to your microphone and your conversations</li> <li>Delete your voice request history regularly to ensure that there is no memory bank of your voice profile and the content of your conversations</li> <li>Check your privacy settings and make sure you are not sharing more data than necessary</li> <li>Download apps from official stores only, and avoid third-party apps that may be more likely to contain malware</li> </ul></div> <div class="row"> <h2 class="text-info" id="steps-address">Steps to address a compromise</h2> <p>If you suspect malicious activity on your voice-activated digital assistant or other smart devices, you must act quickly to minimize the potential damage. 
You should take the following steps:</p> <ol><li>Power down the IoT device immediately</li> <li>Contact your mobile service provider to locate the point of intrusion and determine what data has been compromised</li> <li>Perform a factory reset immediately to remove any malicious software or configurations</li> <li>After resetting, update your device with the latest version and relevant security patches</li> <li>Consider both network-based and host-based monitoring solutions on your network</li> <li>Change the passphrases for all affected accounts and devices, ensuring they are strong and unique</li> </ol><p>Learn more about <a href="/en/incident-management">reporting cyber incidents to the Cyber Centre</a>.</p> <h2 class="text-info">Learn more</h2> <ul><li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/internet-things-iot-security-itsap00012">Internet of Things (IoT) security (ITSAP.00.012)</a></li> <li><a href="/en/guidance/virtual-private-networks-itsap80101">Virtual private network (ITSAP.80.101)</a></li> <li><a href="/en/protecting-your-information-and-data-when-using-applications-itsap40200">Protecting your information and data when using applications (ITSAP.40.200)</a></li> <li><a href="/en/guidance/have-you-been-hacked-itsap00015">Have you been hacked? (ITSAP.00.015)</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></li> </ul></div> </div> </div> </div> </div> </div> </article>
- Recommended contract clauses for security operations centre procurement (ITSM.00.500) by Canadian Centre for Cyber Security on May 1, 2025 at 11:53 am
<article data-history-node-id="6307" about="/en/guidance/recommended-contract-clauses-security-operations-centre-procurement-itsm00500" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.00.500</strong></p> </div> <!-- MOBILE STARTS HERE --> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Management series</strong></p> </div> <!-- pdf download --> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.00.500-en.pdf">Recommended contract clauses for security operations centre procurement - ITSM.00.500 (PDF, 552 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>-</span>833<span>-</span>CYBER<span>-</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on April 23, 2025</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: April 23, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#1">1 Introduction</a> <ul><li><a href="#1.1">1.1 Scope</a></li> <li><a href="#1-2">1.2 Guiding publications</a> <ul><li><a href="#1-2-1">1.2.1 Government of Canada resources</a></li> <li><a href="#1-2-2">1.2.2 Industry and other resources</a></li> <li><a href="#1-2-3">1.2.3 Recommended nomenclature</a></li> </ul></li> </ul></li> <li><a href="#2">2 Security operations centre provider selection process</a> <ul><li><a href="#2.1">2.1 Main services for consideration in a security operations centre</a> <ul><li><a href="#2-1-1">2.1.1 Security operations, monitoring and reporting</a></li> <li><a href="#2-1-2">2.1.2 Incident support</a></li> <li><a href="#2-1-3">2.1.3 Threat analysis and intelligence</a></li> <li><a href="#2-1-4">2.1.4 Documentation and standard operating procedures</a></li> <li><a href="#2-1-5">2.1.5 Additional capabilities: Advanced incident management support, forensics and malware analysis</a></li> <li><a href="#2-1-6">2.1.6 Security technologies maintenance and operation</a></li> </ul></li> </ul></li> </ul><p><a href="#3">3 Vendor readiness</a><br /><a href="#4">4 Terms and conditions</a><br /><a href="#5">5 Summary</a></p> </details><details 
class="mrgn-tp-md"><summary><h2 class="h3">Disclaimer</h2> </summary><p>The information provided in this document is provided "as-is", without warranty or representation of any kind, to be used at the users' discretion. The users of this information shall have no recourse against any of the authors for any loss, liability, damage or cost that may be suffered or incurred at any time arising from the use of information in this document.</p> </details></section><section><h2 class="text-info" id="overview">Overview</h2> <p>To effectively protect against cyber threats, it’s essential for your organization to have comprehensive visibility and control over its digital infrastructure and activities. Implementing a security operations centre (SOC) is one way to achieve this. To successfully deploy and manage a SOC, it’s critical to establish clear contract clauses and principles when contracting the SOC to a managed security provider (MSP) or managed security service provider (MSSP). This ensures mutual understanding and documentation of expectations.</p> <p>Key components of cyber security services must be outlined in these contracts. These include service-level agreements (SLAs), task orders, and governing standards, among others. Collectively, they form a prescriptive service framework, assuring clients that they will receive the expected services and solutions. This framework also guarantees the security of their data and identities.</p> <p>This publication details the specific services, deliverables and responsibilities expected from an MSP/MSSP, as well as those of the organization procuring these services. 
The recommendations should be interpreted in the context of both the functional and fiduciary aspects of service contracting with any managed service provider.</p> </section><section><h2 class="text-info" id="1">1 Introduction</h2> <p>As digital threats escalate, organizations increasingly rely on SOC services to monitor information security and manage digital risks effectively. While the specific functions of a SOC can vary, they typically involve centralized monitoring of the overall security posture through the collection of log data from network devices and systems. SOCs also rely on tools such as security information and event management (SIEM) systems, which interpret log data and correlate it with network incidents. Additionally, threat intelligence plays a crucial role in SOC operations by assessing events related to network systems.</p> <p>Given the complexity of building a mature SOC from the ground up, this publication aims to outline fundamental expectations for evaluating SOC contracts and identifying procurement risks. These considerations should be aligned with the main functional and fiduciary aspects of contracting, whether your organization is working with an MSP or an MSSP.</p> <p>While service providers may propose initial foundational service terms and conditions, management is responsible for ensuring that these terms address the organization’s business security needs and remain flexible for future adjustments. The terms and conditions in the service contract should be designed to yield the best business outcomes for your organization. 
It is crucial for your organization to take proactive steps to guarantee service provisions, including mechanisms for identifying, preventing, detecting, responding to and recovering from security risks.</p> <p>The clauses outlined in this publication are not legal advice but provide context for evaluating SOC services and understanding the terms and conditions from potential service providers.</p> </section> <section><h3 id="1.1">1.1 Scope</h3> <p>This publication provides practical advice and guidance on contracting SOC services from a cyber security perspective. It is relevant for both the consuming organizations and the service providers. While the examples presented here are not exhaustive or definitive best practices, they do offer valuable insights based on successful applications by government and industry partners.</p> <p>Please note that despite the TLP:CLEAR classification, standard copyright rules apply. 
The contents of this document are protected and should not be reproduced or distributed without proper authorization.</p> <h3 id="1-2">1.2 Guiding publications</h3> <p>In preparing this guidance, the Cyber Centre considered inputs from the following reference publications and frameworks.</p> <h4 id="1-2-1">1.2.1 Government of Canada resources</h4> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/best-practices-setting-security-operations-centre-soc-itsap00500">Best practices for setting up a security operations centre (SOC) (ITSAP.00.500)</a></li> <li><a href="https://buyandsell.gc.ca/cds/public/2018/12/18/53dc132a073954be5c139c9604d11d15/attachment_4.2_supply_chain_integrity_process.pdf">Supply chain integrity (SCI) process and assessment requirements (PDF)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations">Baseline cyber security controls for small and medium organizations</a></li> <li><a href="https://canadabuys.canada.ca/documents/pub/att/2022/03/15/601123b618f63d186d4988c1e06f4a4e/annex_a_-_schedule_1_-_security_obligations_-_en.pdf">Schedule 1 - Security obligations for Tier 2 Software as a Service (SaaS) (PDF)</a></li> <li><a href="https://buyandsell.gc.ca/cds/public/2022/03/15/7247efa8ea946aca0c70ea8726459006/annex_a_-_schedule_2_-_privacy_obligations_-_en.pdf">Schedule 2 - Privacy obligations (PDF)</a></li> </ul><h4 id="1-2-2">1.2.2 Industry and other resources</h4> <ul><li><a href="https://www.fedramp.gov/assets/resources/documents/agency_control_specific_contract_clauses.pdf">Federal Risk and Authorization Management Program (FedRAMP) Control-Specific Contract Clauses version 3.0 (PDF)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/171/a/final">Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/172/final">Enhanced Security Requirements for Protecting Controlled Unclassified 
Information (NIST SP 800-172): A Supplement to NIST Special Publication 800-171</a></li> <li><a href="https://www.ncsc.gov.uk/collection/building-a-security-operations-centre">Building a Security Operations Centre (SOC) (National Cyber Security Centre)</a></li> </ul><h4 id="1-2-3">1.2.3 Recommended nomenclature</h4> <p>This publication highlights key contractual terms pertinent to procuring SOC services, especially those that are cloud-based, from a cyber security perspective. These terms are relevant for both immediate needs and future requirements.</p> <p>Below is a summary of essential clauses to consider, based on the specific SOC services required by an organization:</p> <ul><li>When establishing service contracts, it is crucial to differentiate between mandatory and rated requirements. Mandatory requirements are those that the service provider must meet (related contract clauses stipulate "must have" or "shall provide"). Rated requirements, on the other hand, are more flexible, and use terms like "should", "may", or "consider". These suggest that the provider already possesses these capabilities.</li> <li>For services that are part of a future roadmap or are not yet available, look for terms such as "will" or "capable of achieving". These indicate a provider’s commitment to meeting future expectations.</li> </ul><p>It’s important to recognize that some services might require time for re-engineering to meet specific needs or may include updated features in future roadmaps. 
Therefore, organizations must balance immediate requirements with those that allow for development and evolution.</p> <h2 class="text-info" id="2">2 Security operations centre provider selection process</h2> <p>Many organizations may consider a SOC from an MSP or MSSP with different subscription models due to the resourcing and capabilities of an outsourced SOC. The SOC can be hosted in an MSP or MSSP environment, whereby your organization sends all the logs to the MSP or MSSP within its cloud tenancy. Or your organization can hire an MSP or MSSP service to operate SOC features within its tenancy, on your behalf.</p> <p>When selecting an MSP or MSSP provider, there are many considerations and decisions your organization should make internally on the approach and services it requires.</p> <ul><li>Service scope and offerings: Understand the range of services provided by the MSP/MSSP and determine if they offer both proactive threat hunting and reactive incident response capabilities</li> <li>Scalability and flexibility: Assess the provider’s ability to scale services up or down based on your organization’s changing needs and evaluate the flexibility of services in response to emerging threats or organizational growth</li> <li>Customization and integration: Ensure that the MSP/MSSP SOC service can be tailored to fit your organization’s specific environment, industry, and existing security infrastructure and check for compatibility with your current systems and tools</li> <li>Data management and protection: <ul><li>Inquire about the tools and technologies used for data collection and analysis</li> <li>Understand what data will be captured, how it will be used, and where it will be stored <ul><li>Understand where and with whom your data may be shared</li> <li>Clarify the approval or permissions 
process for sharing data</li> </ul></li> <li>Ensure robust measures are in place for protecting sensitive and confidential data</li> </ul></li> <li>Service level agreement (SLA): Examine the SLA for clear definitions of service expectations, deliverables, and response times and understand how the SLA will be measured, monitored, and enforced</li> <li>Compliance and security standards: Verify that the SOC provider follows industry-standard security practices and complies with relevant regulations to mitigate risks, including supply chain vulnerabilities</li> <li>Risk assessment and threat profiling: Perform a comprehensive cyber security risk assessment to identify specific threats and vulnerabilities relevant to your organization <ul><li>Government of Canada departments should refer to <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33">IT security risk management: A lifecycle approach (ITSG-33)</a></li> <li>Organizations outside the Government of Canada should consult the <a href="https://oasis-open.github.io/cti-documentation/stix/intro.html">Structured Threat Information eXpression (STIX) 2.1 framework</a></li> </ul></li> <li>Contractual clarity and responsibilities: Establish clear contractual terms, outlining the responsibilities of both your organization and the service provider as per the shared responsibility model</li> <li>Key considerations for choosing a SOC provider: Ensure there are provisions for regular reviews, updates, and adjustments to the services as needed</li> </ul><p>For more information, read <a href="/en/guidance/best-practices-setting-security-operations-centre-soc-itsap00500">Best practices for setting up a security operations centre (SOC) (ITSAP.00.500)</a>.</p> <p>Overall, as the organization requesting the services, you must do work upfront to decide on a SOC strategy and scope. This includes identifying which assets, such as systems and data, are sensitive and need to be monitored and protected. 
For more information on asset inventory and categorization, read <a href="/en/guidance/guidance-security-categorization-cloud-based-services-itsp50103">Guidance on the security categorization of cloud-based services (ITSP.50.103)</a>.</p> <h3 id="2.1">2.1 Main services for consideration in a security operations centre</h3> <p>Below are the key services for an effective SOC, accompanied by examples of contract clauses to help you draft the language and expectations in your service agreements.</p> <p>Consider the following essential services:</p> <ul><li><strong>Security operations, monitoring, and reporting:</strong> Continuous surveillance and analysis of security events, with timely reporting. Example clause: "Provider shall ensure 24/7 security monitoring and near-real time incident reporting."</li> <li><strong>Incident support:</strong> Rapid response and support for security incidents. Example clause: "Provider must offer near-real time incident response services."</li> <li><strong>Threat analysis and intelligence:</strong> Proactive identification and analysis of potential threats. Example clause: "Provider is required to deliver regular threat intelligence updates."</li> <li><strong>Documentation and standard operating procedures (SOPs):</strong> Maintenance of detailed security documentation and SOPs. Example clause: "Provider shall keep comprehensive, up-to-date security documentation and SOPs based on the shared responsibility model."</li> <li><strong>Additional capabilities: Advanced incident management support, forensics and malware analysis: </strong>Specialized support for complex incidents, including forensic analysis. Example clause: "Provider shall offer advanced incident management and forensic analysis capabilities."</li> <li><strong>Ongoing vulnerability assessments and security assurance scans: </strong>Regular assessments to identify and mitigate vulnerabilities. 
Example clause: "Provider must conduct periodic vulnerability assessments and provide reports."</li> <li><strong>Security technology maintenance and operation: </strong>Ensuring the effective operation and maintenance of security technologies. Example clause: "Provider must operate and maintain the infrastructure and technology supporting the service."</li> </ul><p>Your organization should also consider additional services that may be required upfront or that can be optionally included later, depending on evolving security needs. These could include compliance management, risk assessment, cloud security, and cyber security training initiatives.</p> <h4 id="2-1-1">2.1.1 Security operations, monitoring and reporting</h4> <p>Security operations, monitoring, and reporting are crucial for observing and analyzing data related to events, incidents, or breaches and the status of information systems or networks. The primary objective is to detect unusual or unauthorized activity and to gather security-relevant data to understand system behaviour. This process is essential for mitigating network vulnerabilities and identifying internal and external threats.</p> <h4>Role and functionality of log aggregation tool suites or capabilities such as SIEM tools</h4> <p>The SIEM system is a pivotal tool in this process. SIEM facilitates the centralization of data from various sources, including devices, applications, and endpoints. 
It enables:</p> <ul><li>real-time and historical event monitoring</li> <li>detailed analysis and correlation of information</li> <li>enhanced threat detection and response capabilities</li> </ul><h4>Key considerations for outsourcing</h4> <p>When considering outsourcing monitoring and reporting to an MSP/MSSP, it’s important to assess:</p> <ul><li>the depth and frequency of monitoring services</li> <li>data storage strategies, including data residency considerations and security measures</li> <li>the provider’s certifications, particularly in cyber security and compliance standards</li> <li>the ability of the provider to integrate its services with your existing security infrastructure, in the case where the provider is operating within the organization’s premises</li> </ul><h4>Recommended contract clauses</h4> <p>The Cyber Centre recommends that organizations include specific clauses related to monitoring, reporting, and availability when contracting a SOC to an MSP/MSSP. Below are examples of wording that your organization may wish to include in its contracts.</p> <h4 class="h5">Monitoring</h4> <p>The Contractor must:</p> <ul><li>provide continuous (24/7/year-round) monitoring of security events</li> <li>analyze security event data for incident investigation using system logs and other detection methods</li> <li>review and record audit logs for inappropriate or illegal activity to facilitate event reconstruction during security incidents</li> <li>investigate and accurately identify anomalies detected by security devices or reported by various stakeholders</li> </ul><h4 class="h5">Reporting</h4> <p>The Contractor shall:</p> <ul><li>deliver actionable notifications, escalations and daily summary reports based on threat intelligence and security event analysis</li> <li>document all investigative activities and incident reports to support the organization’s incident response framework</li> <li>provide comprehensive written reports of all security events, adhering to 
established procedures and reporting protocols</li> <li>provide the organization with the ability to contact the provider and open an investigation when suspicious activities occur</li> </ul><h4 class="h5">Availability</h4> <p>The Contractor shall ensure the continuous availability and operational integrity of all SOC systems and applications.</p> <h4>References</h4> <ul><li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085)</a></li> <li><a href="https://csrc.nist.gov/publications/detail/sp/800-137/final">Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST SP 800-137, Appendix D)</a></li> </ul><h4 id="2-1-2">2.1.2 Incident support</h4> <p>Incident support is a vital component of a SOC-as-a-service (MSP/MSSP) model. Your organization and the MSP/MSSP must collaborate to manage incidents effectively. It is crucial to have an organizational incident response plan, detailing how your organization will detect, respond to, and recover from incidents. This plan should clearly define the SOC’s role, including the extent of its involvement and the responsibilities of your organization’s internal team. The following two scenarios outline the key aspects of incident support, as well as sample contract clauses, for SOCs hosted in an MSP/MSSP environment (hosted outside of your organization’s tenancy) and for SOCs operating within an organization’s tenancy.</p> <p>In both scenarios, it is vital to establish a partnership based on transparency, trust and shared responsibility for security outcomes. The contractual agreement should be detailed and clear, with specific attention to incident response, data protection, compliance, and service levels. 
This ensures that both the organization and the MSP/MSSP have a common understanding of their respective roles and responsibilities in securing the organization’s digital assets.</p> <h4>Scenario 1: SOC hosted outside your organization’s tenancy</h4> <p>If your SOC is hosted outside your organization’s tenancy, consider the following key aspects related to incident support.</p> <ul><li><strong>Incident detection and notification</strong>: The MSP/MSSP must promptly identify and notify the organization of security incidents. The agreement should specify the timeframe for notification following incident detection</li> <li><strong>Incident analysis and response</strong>: The MSP/MSSP should provide detailed analysis of incidents, including potential impact, and execute agreed-upon response actions</li> <li><strong>Data protection and confidentiality</strong>: The MSP/MSSP must adhere to strict data protection and confidentiality standards, especially since sensitive organizational data will be stored and processed in their environment</li> <li><strong>Access control and audit trails</strong>: The MSP/MSSP must implement robust access control measures and maintain audit trails of all activities related to the SOC services</li> <li><strong>Compliance and regulatory requirements</strong>: The MSP/MSSP must comply with relevant regulatory and compliance requirements and provide necessary documentation and support for compliance audits</li> </ul><h5>Example contract clause for incident support</h5> <p>The Contractor shall:</p> <ul><li>notify the Client within the negotiated or agreed-upon expected timeframe when detecting any security incident, providing detailed information about the nature, scope, and impact of the incident</li> <li>implement and maintain comprehensive data protection measures, in compliance with applicable laws and regulations, to safeguard the Client’s data against unauthorized access, disclosure, alteration, or destruction</li> <li>upon detecting an 
incident, commit to a [insert specified] uptime SLA and commence remediation actions within [insert specified timeframe]</li> </ul><h4>Scenario 2: SOC operating within your organization’s tenancy</h4> <p>If your SOC is operating within your organization’s tenancy, consider the following key aspects related to incident support.</p> <ul><li><strong>Integration with existing infrastructure</strong>: The MSP/MSSP must seamlessly integrate its SOC services with the organization’s existing infrastructure, ensuring minimal disruption</li> <li><strong>Incident handling procedures</strong>: The MSP/MSSP must define clear procedures for incident escalation, response, and resolution, tailored to the organization’s policies and procedures</li> <li><strong>Training and awareness</strong>: The MSP/MSSP may be required to provide training, knowledge transfer or both to the organization’s staff on security awareness and incident response procedures</li> <li><strong>Performance monitoring and reporting</strong>: Regular performance reviews and reporting are essential to ensure the SOC services meet the organization’s security requirements</li> <li><strong>Continuous improvement</strong>: The contract should include provisions for continuous improvement of the SOC services, including regular updates to security tools and processes</li> </ul><h5>Example contract clause for incident support</h5> <p>The Contractor shall:</p> <ul><li>ensure that SOC services are fully compatible with the Client’s existing systems and infrastructure and shall be responsible for any modifications required for integration</li> <li>adhere to the Client’s incident response procedures and timelines, ensuring incidents are resolved in a manner that minimizes impact on the Client’s operations</li> <li>provide monthly performance reports detailing incident detection, response times, and resolution outcomes, including any recommendations for improving security posture</li> 
</ul><p>Refer to <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a> for more information.</p> <h4 id="2-1-3">2.1.3 Threat analysis and intelligence</h4> <p>Threat analysis and intelligence are critical components of a proactive cyber security portfolio. Accurate and timely intelligence empowers decision makers to make informed, data-driven decisions. The Cyber Centre, along with other resources, offers valuable insights through publications and active services, aiding organizations in their threat intelligence efforts. It’s essential for organizations to ensure their MSP/MSSP stays abreast of emerging and sophisticated cyber threats.</p> <h4>Key elements of threat intelligence</h4> <ul><li><strong>Continuous monitoring:</strong> keeping track of evolving cyber threats and trends</li> <li><strong>Technical analysis:</strong> analyzing incidents in detail to understand attack vectors and methodologies</li> <li><strong>Intelligence sharing:</strong> utilizing shared resources for a more comprehensive threat landscape view</li> </ul><h4>Example contract clauses for threat analysis and intelligence</h4> <p>The Contractor shall:</p> <ul><li>detect, monitor, analyze, and mitigate targeted, highly organized, or sophisticated cyber threats</li> <li>maintain situational awareness of current cyber security activities and risks</li> <li>utilize various intelligence sources to develop insights into cyber threats and conduct advanced technical analyses of incidents on the organization’s networks</li> <li>analyze consolidated threat data from multiple sources to provide early warnings of impending attacks against the organization’s networks</li> <li>report on technical network and host-based attack vectors, emerging cyber threats, new vulnerabilities, and current trends used by malicious actors</li> <li>develop and maintain databases to catalog and track ongoing threats, enhancing the organization’s 
defensive posture</li> <li>integrate intelligence findings into the organization’s broader cyber security strategies and incident response plans</li> </ul><p>Incorporating comprehensive threat analysis and intelligence into MSP/MSSP offerings is crucial for organizations to stay ahead of cyber threats. The MSP/MSSP’s role extends beyond mere monitoring; it involves deep analysis, continuous learning, and integration of intelligence into the organization’s overall cyber security framework.</p> <h4>References</h4> <ul><li><a href="https://csrc.nist.gov/publications/detail/sp/800-137/final">Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST SP 800-137, Appendix D)</a></li> <li><a href="/en/guidance/baseline-cyber-threat-assessment-cybercrime">Baseline cyber threat assessment: Cybercrime</a></li> <li><a href="/en/guidance/national-cyber-threat-assessments">National Cyber Threat Assessments</a></li> </ul><h4 id="2-1-4">2.1.4Ā Documentation and standard operating procedures</h4> <p>SOPs and comprehensive documentation are crucial in ensuring that all parties involved in the SOC are aligned on methods and practices. 
These documents serve as a reference point for consistent and effective operations within the SOC, aiding in training and providing operational clarity.</p> <h4>Key documentation elements</h4> <ul><li><strong>Security deployment diagrams:</strong> providing visual representations of security deployments for reference and to ensure understanding</li> <li><strong>Regular SOP updates:</strong> updating SOPs with operational changes to ensure ongoing relevance</li> <li><strong>Performance and incident reporting:</strong> providing insights into SOC activities, incident handling, and operational efficiency</li> </ul><h4>Example contract clauses for SOPs and documentation</h4> <p>The Contractor shall:</p> <ul><li>create and maintain diagrams for new or revised security deployments, covering all systems and applications related to the SOC</li> <li>develop and regularly update SOC SOPs, particularly following changes in SOC operations or technologies</li> <li>deliver regular written reports, including: <ul><li>daily, weekly, and monthly summaries of SOC activities</li> <li>performance metrics and status of security incidents</li> <li>actions accomplished and milestones reached during the reporting period</li> </ul></li> <li>submit comprehensive reports, encompassing: <ul><li>monthly status updates on progress and developments</li> <li>planned activities, identified problems/issues with proposed solutions</li> <li>anticipated delays and resources utilized during the period</li> </ul></li> </ul><p>It is essential to establish clear and detailed SOPs and documentation protocols to maintain operational excellence in a SOC environment. 
These documents not only guide daily operations, but also serve as critical tools for training, performance tracking, and strategic planning.</p> <h4 id="2-1-5">2.1.5 Additional capabilities: Advanced incident management support, forensics and malware analysis</h4> <p>In addition to standard incident management support, organizations often require or desire advanced capabilities such as forensics and malware analysis. These services are crucial for thoroughly investigating and resolving sophisticated cyber incidents, understanding attack vectors, and enhancing future security postures.</p> <h4>Key advanced support services</h4> <ul><li><strong>Forensics and malware analysis:</strong> in-depth investigation of incidents to understand the nature and impact of compromises</li> <li><strong>Reverse engineering and traffic analysis:</strong> detailed examination of malicious software and network traffic to uncover threat methodologies</li> </ul><h4>Example contract clauses for advanced incident management support</h4> <p>The Contractor must:</p> <ul><li>provide both on-site and remote computer security incident management, response, and recovery support as necessary</li> <li>conduct advanced technical analyses of potentially malicious activities using security event data from the SOC</li> <li>perform detailed endpoint/host-based forensics and memory analysis</li> <li>undertake triage and in-depth analysis of malware, including reverse engineering of Windows software, phishing emails, and other client-side exploits</li> <li>conduct digital forensics on media from compromised hosts to assess intrusion scope and nature</li> <li>reverse engineer the sequence of events in breaches or attacks for comprehensive understanding</li> <li>execute static and dynamic file analysis to identify malware characteristics, intent, and origin</li> <li>recommend countermeasures against malware and other malicious code exploiting the organization’s systems</li> <li>propose changes to 
policies and procedures based on investigative findings to strengthen malware incident response</li> <li>perform advanced network traffic analysis at the packet level to identify anomalies, trends, and patterns</li> </ul><p>Advanced incident management support, particularly in forensics and malware analysis, is a critical component of a robust MSP/MSSP offering. These services not only aid in resolving current security incidents but also play a key role in refining organizational policies and strengthening the overall cyber security framework.</p> <p>Refer to <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a> for more information.</p> <h4 id="2-1-6">2.1.6 Security technologies maintenance and operation</h4> <p>In an MSP/MSSP setup, managing key technologies, such as the SIEM system, intrusion detection and prevention systems (IDS/IPS), and data loss prevention (DLP) systems, is paramount. These technologies form the backbone of effective cyber security operations. 
Contracts should include specific clauses to ensure these tools are operated and maintained effectively, especially as the organization evolves and grows.</p> <h4>Key responsibilities for technology management</h4> <ul><li><strong>System maintenance and tuning:</strong> regularly updating and tuning security systems to ensure accuracy and efficiency</li> <li><strong>Operational effectiveness:</strong> ensuring continuous operation and optimal performance of all security technologies</li> <li><strong>Adaptability to change:</strong> ensuring flexibility to adapt tools and systems to the changing needs and scale of the organization</li> </ul><h4>Example contract clauses for technology management</h4> <p>The Contractor must:</p> <ul><li>effectively maintain the SIEM to aggregate and analyze data from various sources like network sensors, firewalls, antivirus systems, and vulnerability scanners</li> <li>handle administration, management, and configuration of all SOC tools, including SIEM, IDS/IPS, DLP, and other dedicated security systems</li> <li>develop and update security device signatures, performance reports, and relevant metrics to track system efficiency</li> <li>fine-tune the SIEM and IDS/IPS to minimize false positives and enhance detection accuracy</li> <li>continuously operate, manage, and update all security technologies, ensuring they are configured appropriately for optimal performance</li> <li>ensure that all relevant security feeds are logged and correlated effectively within the SOC’s SIEM system</li> <li>install, update, or modify network security components and tools as needed to maintain comprehensive coverage and optimal performance in line with organizational growth</li> <li>install or modify network security components, tools, and other systems as required to maintain optimal coverage and performance</li> </ul><p>Effective management of key technologies within an MSP/MSSP framework is essential for maintaining a robust cyber security posture. 
This includes not only the operational maintenance of these tools but also improving and adapting them to meet the evolving needs of the organization.</p> <h2 class="text-info" id="3">3 Vendor readiness</h2> <p>When contracting with an MSP for SOC services, it’s crucial to include specific clauses that ensure the vendor can provide services at the required scale and meet certain standards. These clauses help verify the provider’s experience, compliance with legal requirements, and readiness to handle your organization’s specific needs.</p> <h4>Key contract clauses for vendor readiness</h4> <ul><li><strong>Experience requirements:</strong> The contractor should have a minimum number of years of experience in providing SOC services and engagements of similar size, scale, and complexity</li> <li><strong>Compliance with Canadian laws:</strong> The contractor should have experience in delivering services within Canada and adhering to Canadian privacy and data laws</li> <li><strong>Audit and compliance rights:</strong> The organization reserves the right to perform SOC visits for audit, review, and compliance purposes</li> <li><strong>Business continuity planning:</strong> The contractor must have a robust business continuity plan (BCP) for its SOC to ensure service continuity</li> <li><strong>Certification requirements:</strong> The contractor must meet any industry or sector certification requirements, for example, SOC2 Type2, ISO 27001, CIS CSC, Cloud Security Alliance (CSA) Tier2, ISO 27017</li> <li><strong>Staff clearances and background checks:</strong> The contractor’s personnel should have necessary clearances and background checks (as required)</li> <li><strong>Cyber security controls framework alignment:</strong> Recognized cyber security controls frameworks must be implemented at SOC 
facilities (DRI Institute, NIST)</li> <li><strong>Liability and compensation:</strong> The contractor should provide clarification on shared responsibilities for breaches and details on the provider’s liability insurance coverage for compensation</li> </ul><p>Including these key clauses in your contract with an MSP for SOC services is essential to ensure that the provider is fully prepared and capable of meeting your organization’s specific requirements. These clauses cover a range of critical areas, from experience and legal compliance to business continuity and cyber security frameworks, ensuring a comprehensive approach to vendor readiness.</p> <h2 class="text-info" id="4">4 Terms and conditions</h2> <p>From a security perspective, contract elements must be prescriptive and conform to recognized frameworks and approaches for the MSP/MSSP to establish how it addresses and maintains the security posture as indicated by an organization. In many cases, relying on a given provider’s terms and conditions, as outlined in a contract or end user licensing agreement (EULA), can be considered acceptable. However, if organizations have specific needs or are bound by regulated authorities, negotiation may be required between legal teams using some of the example clauses provided in this document. If you are concerned about any specific areas, seek legal advice where possible.</p> <p>Organizations should carefully consider and, if necessary, consult with their legal counsel on the following areas when negotiating contracts with service providers:</p> <ul><li><strong>Trade secret protections</strong> <ul><li>Inquire how the service provider will separate or secure trade secrets (e.g., patented material, legal branding, etc.) within its system</li> <li>Ensure terms and conditions stipulate that the organization retains ownership and control over its trade secrets, even when placed with the service provider</li> </ul></li> <li><strong>Intellectual property</strong> <ul><li>Discuss measures for tagging, identifying, and securing intellectual property, which may not be officially registered like patents but is crucial to the organization’s operations</li> <li>Clarify in the contract that intellectual property remains the property of the organization, regardless of its placement with the service provider</li> </ul></li> <li><strong>Indemnification/limitation of liability: </strong>Define the level of liability and responsibility in the contract, considering complexities that may arise, especially when multiple service providers are involved</li> <li><strong>Support model considerations</strong> <ul><li>If your organization is subject to regulatory constraints on support locations or resource residency, discuss and agree on support models with the service provider</li> <li>Consider how the provider’s global support model, like a "follow the sun" approach, aligns with regulatory requirements</li> </ul></li> <li><strong>Data migration policies: </strong>Address potential future needs for data migration, including <ul><li>costs associated with data ingress and egress</li> <li>timeframes and processes for migration activities</li> <li>data retention policies post-migration</li> </ul></li> <li><strong>Conformity with security frameworks</strong>: Ensure that contract elements conform to established cyber security frameworks and best practices</li> <li><strong>EULA versus custom contracts</strong>: While standard terms outlined in an EULA might be acceptable for general purposes, they may not suffice for organizations with specific security needs or those under stringent regulatory requirements</li> <li><strong>Legal negotiations for custom needs</strong> <ul><li>For organizations with unique 
requirements or regulatory obligations, negotiations between legal teams are often necessary to tailor the contract appropriately <ul><li>The example clauses provided in this document can guide these negotiations</li> </ul></li> </ul></li> <li><strong>Seeking legal advice</strong> <ul><li>The organization should seek legal counsel, particularly if there are specific areas of concern or if the organization operates under regulated authorities</li> <li>Legal expertise can ensure that contracts are comprehensive, compliant, and tailored to the organization’s unique needs</li> </ul></li> </ul><p>When contracting with a service provider, especially in areas such as MSP/MSSP, organizations must ensure that specific legal and operational considerations are clearly addressed in the contract. This includes retaining ownership of intellectual property and trade secrets, clearly outlining liability terms, understanding support models in the context of regulatory constraints, and preparing for potential data migration. Organizations should consult legal counsel to ensure that these aspects are adequately covered to protect the organization’s interests.</p> <h2 class="text-info" id="5">5 Summary</h2> <p>A SOC combines people, processes, and technology to improve an organization’s resilience against cyber threats.</p> <p>Whether this is done by an in-house team in a dedicated room within an organization or whether it is fully or partially outsourced to a team of information security professionals, SOCs are a first line of defence that is critical for preventing, detecting, and recovering from cyber attacks.</p> <p>This is especially true given the increase in operational technology, mobile and cloud technology, and industrial control systems. 
Whether work is in-house, hybrid, or fully remote, your organization will require the same inputs and outputs to your SOC. The guidance included in this document should help your organization write contract clauses that ensure your providers are meeting your expectations. As indicated, this is not to be taken as legal advice.</p> <p>Overall, the key message is that your organization should work with its selected MSP/MSSP provider to ensure a common understanding, and to inquire about and establish what can be done to meet your organization’s specific needs.</p> </section></div> </div> </div> </div> </div> </article>
- Joint guidance on software security code of practice by Canadian Centre for Cyber Security on April 30, 2025 at 3:30 pm
<article data-history-node-id="6323" about="/en/news-events/joint-guidance-software-security-code-practice" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom’s National Cyber Security Centre (NCSC-UK) and Department for Science, Innovation and Technology (DSIT) in releasing a software security code of practice and accompanying guidance for software vendors.</p> <p>Software supply chain attacks and other software resilience incidents can be caused by weaknesses in software development and maintenance practices. This joint guidance aims to improve the security and resilience of software that organizations rely on.</p> <p>The joint guidance includes the 3 publications below.</p> <h2>Software security code of practice</h2> <p>The Software security code of practice outlines 14 principles that software vendors should implement to establish a consistent baseline of software security and resilience. 
These 14 principles are divided across 4 themes, which include:</p> <ul><li>secure design and development</li> <li>build environment security</li> <li>secure deployment and maintenance</li> <li>communication with customers</li> </ul><p>Read the <a href="https://www.gov.uk/government/publications/software-security-code-of-practice">Software security code of practice</a>.</p> <h2>Software security code of practice: Implementation guidance</h2> <p>The Software security code of practice: Implementation guidance helps organizations that develop and/or sell software understand how they can meet the principles in the Software security code of practice.</p> <p>Read the <a href="https://www.ncsc.gov.uk/collection/software-security-code-of-practice-implementation-guidance">Software security code of practice: Implementation guidance</a>.</p> <h2>Software security code of practice: Assurance principles and claims</h2> <p>The Software security code of practice: Assurance principles and claims guidance helps vendors measure how well they are meeting the themes and principles of the Software security code of practice and suggests remedial actions should they fall short.</p> <p>Read the <a href="https://www.ncsc.gov.uk/guidance/software-security-code-of-practice-assurance-principles-claims">Software security code of practice: Assurance principles and claims</a>.</p> </div> </div> </div> </div> </div> </article>
- Cyber Centre welcomes round 2 of NIST’s additional digital signature scheme standardization process by Canadian Centre for Cyber Security on April 29, 2025 at 7:40 pm
<article data-history-node-id="6222" about="/en/news-events/cyber-centre-welcomes-round-2-nists-additional-digital-signature-scheme-standardization-process" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>In October 2024, the National Institute of Standards and Technology (NIST) in the United States launched round 2 in its ongoing process to standardize additional post-quantum digital signature schemes. Digital signature schemes are used to authenticate data and remote systems to protect against unauthorized access and are an essential part of cyber security solutions. Post-quantum cryptography (PQC), including post-quantum digital signatures, is designed to remain secure even against the emerging threat posed by quantum computers.</p> <p>The first round of <abbr title="National Institute of Standards and Technology">NIST</abbr>’s additional digital signature scheme standardization process began in 2022, with the publication of 40 candidates. For this second round, <abbr title="National Institute of Standards and Technology">NIST</abbr> has reduced the number of candidates to 14. 
This allows researchers worldwide, including those within the Cyber Centre, to dedicate more time to examining the remaining schemes.</p> <h2>How this initiative contributes to the post-quantum cryptography migration</h2> <p><abbr title="National Institute of Standards and Technology">NIST</abbr> has already published standards for 2 post-quantum digital signature schemes, the <strong>Module-Lattice-Based Digital Signature Algorithm </strong>(ML-DSA) and the <strong>Stateless Hash-Based digital Signature Algorithm </strong>(SLH-DSA). Read our announcement of these <a href="/en/news-events/cyber-centre-celebrates-new-nist-post-quantum-standards">new <abbr title="National Institute of Standards and Technology">NIST</abbr> post-quantum standards</a> to learn more.</p> <p>We expect <abbr title="National Institute of Standards and Technology">NIST</abbr> to release a draft standard for a third digital signature scheme, the <strong>Fast-Fourier transform over NTRU-Lattice-Based Digital Signature Algorithm</strong> (FN-DSA) soon.</p> <p>With so many options already chosen for standardization, practitioners may wonder why <abbr title="National Institute of Standards and Technology">NIST</abbr> is considering the standardization of additional schemes. Both ML-DSA and FN-DSA are based on hard problems over structured lattices. The nearly 30-year history of lattice-based cryptography has given rise to a robust understanding of the security of lattice-based cryptographic schemes. Nonetheless, in order to diversify cryptographic primitives, <abbr title="National Institute of Standards and Technology">NIST</abbr> has indicated that they are primarily interested in additional schemes based on hard problems other than structured lattices.</p> <p>While ML-DSA is intended to replace non-post-quantum digital signing algorithms in nearly all applications, there may be niche cases requiring schemes with alternative performance characteristics. 
Although SLH-DSA and FN-DSA are expected to cover most of these situations, <abbr title="National Institute of Standards and Technology">NIST</abbr> is particularly interested in finding schemes with small signature sizes and fast verification to support the migration to <abbr title="Post-quantum cryptography">PQC</abbr> in all situations.</p> <h2>Signature schemes under consideration for standardization</h2> <p>Of the 14 remaining schemes:</p> <ul><li>5 are built using multi-party computation (MPC) in-the-head techniques</li> <li>4 are multivariate signatures</li> <li>2 are code-based</li> <li>1 is isogeny-based</li> <li>1 is symmetric-based</li> <li>1 is lattice-based</li> </ul><p>For a review of these categories, see the "Mathematical Families" section of the <a href="/en/news-events/cyber-centres-summary-review-final-candidates-nist-post-quantum-cryptography-standards">Cyber Centre’s summary review of final candidates for <abbr title="National Institute of Standards and Technology">NIST</abbr> Post-Quantum Cryptography standards</a>. Most of the approaches for building signature schemes have been previously considered in <abbr title="National Institute of Standards and Technology">NIST</abbr>’s standardization process.</p> <p>A notable development in the signature on-ramp has been the proliferation of signature schemes using MPC-in-the-head techniques. 
These signature schemes borrow ideas from multiparty computation to “prove” knowledge of some secret value.</p> <h2>How to prepare for the post-quantum transition</h2> <p>To ensure Canadian organizations are ready to make the transition to <abbr title="Post-quantum cryptography">PQC</abbr> once standardized algorithms are available, practitioners should review the Cyber Centre’s advice in the following publications:</p> <ul><li><a href="/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a></li> <li><a href="/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">Guidance on becoming cryptographically agile (ITSAP.40.018)</a></li> <li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a></li> <li><a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</a></li> </ul><p>Our guidance on securely configuring network protocols will be updated once these protocols support standardized <abbr title="Post-quantum cryptography">PQC</abbr> algorithms.</p> <p>The Cyber Centre advises consumers to procure and use cryptographic modules that are tested and validated under the <a href="https://cyber.gc.ca/en/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program</a> (CMVP) with algorithm certificates from the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program">Cryptographic Algorithm Validation Program</a> (CAVP). 
The Cyber Centre partners with <abbr title="National Institute of Standards and Technology">NIST</abbr> to manage both programs and we work jointly to update them to support the testing of new digital signature schemes that get standardized.</p> <p>The Cyber Centre also recommends that cyber security products be evaluated and certified to meet the <a href="/en/tools-services/common-criteria">Common Criteria</a> standard with a Security Target and Certification Report that includes the desired protocol security requirements. Once protocol standards are updated, Common Criteria Testing Laboratories will need to support testing and evaluation methods for protocols utilizing the new <abbr title="Post-quantum cryptography">PQC</abbr> algorithms.</p> <p>The Cyber Centre is working within the Government of Canada and with critical infrastructure to ensure a smooth and timely transition to <abbr title="Post-quantum cryptography">PQC</abbr>. Contact the Cyber Centre by email at <a href="mailto:cryptography-cryptographie@cyber.gc.ca">cryptography-cryptographie@cyber.gc.ca</a> or by phone at <a href="tel:18332923788">1-888-CYBER-88</a> if you have further questions.</p> </div> </div> </div> </div> </div> </article>
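The article above contrasts the lattice-based ML-DSA and FN-DSA with alternatives such as the hash-based SLH-DSA, and notes that NIST is looking for additional schemes with small signatures and fast verification. The following is an added example, not code from the Cyber Centre, from NIST, or from any of the candidate submissions, and it is not SLH-DSA itself: a minimal Lamport one-time signature in Python, the textbook hash-based construction that SLH-DSA and the other hash-based designs build on. Its `sizes()` function makes concrete why hash-based signatures are large (every digest bit costs a full hash output in the signature), and `revealed_preimages()` shows why a one-time key must never sign twice, which is the key-management problem that stateful and stateless hash-based schemes address in different ways. SHA-256, the 256-bit digest length, and the sample message are choices made for this example.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
N = HASH().digest_size   # 32 bytes per hash output and per preimage (example choice)
BITS = 8 * N             # 256 digest bits, one preimage pair per bit


def keygen(rng=os.urandom):
    """Create a Lamport one-time key pair.

    Private key: for each digest bit, two random N-byte preimages.
    Public key: the hash of every preimage, in the same layout.
    """
    sk = [(rng(N), rng(N)) for _ in range(BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def digest_bits(message: bytes) -> list:
    """Bits of HASH(message), most significant bit of each byte first."""
    d = HASH(message).digest()
    return [(d[i // 8] >> (7 - (i % 8))) & 1 for i in range(BITS)]


def sign(sk, message: bytes) -> bytes:
    """Reveal, for each digest bit, the preimage that matches the bit value.

    Every signature discloses half of the private key, so the same sk must
    never sign a second message (see revealed_preimages below).
    """
    return b"".join(sk[i][bit] for i, bit in enumerate(digest_bits(message)))


def verify(pk, message: bytes, signature: bytes) -> bool:
    """Check each revealed preimage against the published hash for that bit.

    Verification is BITS hash evaluations and no arithmetic, which is the
    fast-verification property of hash-based signatures.
    """
    if len(signature) != BITS * N:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        chunk = signature[i * N:(i + 1) * N]
        ok &= hmac.compare_digest(HASH(chunk).digest(), pk[i][bit])
    return ok


def sizes() -> dict:
    """Byte sizes that make hash-based signatures large: every signed bit
    costs N bytes in the signature and 2N bytes in the public key."""
    return {"public_key": 2 * BITS * N, "signature": BITS * N}


def revealed_preimages(messages) -> int:
    """Number of distinct private-key preimages exposed by signing all of
    `messages` with one key. One message reveals exactly BITS of the 2*BITS
    preimages; a second distinct message reveals more, and anyone holding
    both signatures can forge any message whose digest bits are all covered.
    """
    seen = set()
    for m in messages:
        seen.update(enumerate(digest_bits(m)))
    return len(seen)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"   # constructed sample input
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig), "sizes:", sizes())
    print("preimages revealed by two signatures:",
          revealed_preimages([msg, b"second message"]))
```

With 32-byte hashes the signature is 8192 bytes and the public key 16384 bytes, against tens of bytes for the classical schemes being replaced; production hash-based designs shrink these with Winternitz chaining and Merkle trees, at the cost of the state handling or the multi-layer structure the article alludes to.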
- People’s Republic of China activity targeting network edge routers: Observations and mitigation strategies by Canadian Centre for Cyber Security on April 16, 2025 at 7:18 pm
<article data-history-node-id="6282" about="/en/news-events/peoples-republic-china-activity-targeting-network-edge-routers-observations-mitigation-strategies" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/csa25-001-en.pdf">People’s Republic of China activity targeting network edge routers: Observations and mitigation strategies (PDF, 411 KB)</a></p> </div> <h2 class="text-info mrgn-tp-2">Foreword</h2> <p>This cyber security advisory is intended for IT professionals and managers within government and all sectors.</p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on April 15, 2025.</p> <section><h2 class="text-info">1 Background</h2> <p>A cyber security advisory is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional mitigation advice to recipients. 
The Canadian Centre for Cyber Security (Cyber Centre) is able to provide additional assistance regarding the content of this bulletin to recipients as requested.</p> <p>The Cyber Centre has observed increasing levels of People’s Republic of China threat actor activity, including activity associated with SALT TYPHOON, targeting network edge routers across critical infrastructure sectors. The Cyber Centre and our partners have recently observed repeated compromises of misconfigured and unpatched routing devices.</p> <p>The Cyber Centre is urging the Canadian cyber security community to bolster their awareness of threat actor activity targeting network edge routers and to leverage Cyber Centre guidance to protect their networks.</p> </section><section><h2 class="text-info">2 Security and edge devices</h2> <p>As we note in the National Cyber Threat Assessment 2025-2026<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup>, threat actors are exploiting vulnerabilities in security and network edge routing devices that sit at the perimeter of networks. The Cyber Centre is particularly highlighting that by compromising network edge routers, a threat actor can enter a network, monitor, modify, and exfiltrate network traffic flowing through the device, or possibly move deeper into the victim network.</p> <p>Given their outward facing presence on the Internet, edge routers are easily identifiable by threat actors. Threat actors often compromise network perimeter defenses by exploiting known vulnerabilities in edge devices. These security weaknesses are usually already identified, and patches are available to fix them. However, breaches occur because these patches are not consistently applied or implemented in a timely manner. 
We strongly recommend following our guidance in the Government of Canada’s Patch Management Guidance publication<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup>. In particular, all guidance, manuals and references provided with edge device equipment should be reviewed to ensure organizations’ adherence to the manufacturer’s security guidance. If that guidance is not clear or available, organizations should reach out to their vendors as needed for support.</p> <p>The Cyber Centre’s Security considerations for edge devices<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> also provides the following factors your organization should consider when evaluating the security of an edge device:</p> <ul><li>how it is made (the responsibility of the manufacturer)</li> <li>how it is configured (a shared responsibility between the manufacturer, through vendor hardening guides, and the organization)</li> <li>when the most recent software, firmware, operating system, and security updates and patches were applied</li> </ul></section><section><h2 class="text-info">3 Known avenues of exploitation and persistence</h2> <p>The following are examples of known patterns in threat actors’ exploitation of edge routers.</p> <h3>3.1 Exposed services to the Internet</h3> <p>Devices exposing services of any kind to the Internet will easily and rapidly be detected by adversarial actors through mass scanning campaigns and more targeted reconnaissance activity. 
Sensitive or administrative services, such as management protocols, are of particular interest to adversaries seeking to identify and exploit edge routers.</p> <h3>3.2 Poor configuration on device</h3> <p>The Cyber Centre has observed weak cryptography and unchanged default security settings that have led to the exploitation of those devices. It is important to review manufacturer guidance for hardening edge routers, and to continually review and audit for compliance. Default settings may also include insecure ports or protocols listening on untrusted interfaces. Even if a device is installed and configured properly at the beginning of its lifecycle, its configuration can become less secure over time as protocols and ciphers are deprecated and undocumented changes accumulate. If a router is compromised, inadequate network segmentation and the absence of access control lists (ACLs) make it easier for an adversary to move laterally within the network.</p> <h3>3.3 Modifying configuration files</h3> <p>Trusted partners have observed that compromised edge routers often have their configurations altered to establish persistence and enable lateral movement. This includes setting up traffic captures, creating new administrative accounts and configuring traffic forwarding. Any configurable allow lists should also be reviewed to ensure that no unauthorized additions have been made. These modifications are typically made using the devices’ own built-in functions rather than malware, so comparing the running configuration against an approved baseline is the practical way to detect them.</p> <h3>3.4 Exfiltrating configuration files</h3> <p>Trusted partners have observed that compromised edge routing devices within Canada have had their configuration files exfiltrated by threat actors. By exfiltrating configuration files, threat actors can extract additional sensitive information, perform tests, or identify further vulnerabilities to enable their access. 
Where configuration files contain credentials, especially credentials that are not cryptographically protected, threat actors can also use tactics such as offline password cracking to gain further access. Trusted partner reporting indicates that many of the exfiltrated configuration files contained deprecated hashing and password types, such as Type-4 and Type-7<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup>. Type-7 is a reversible obfuscation rather than a hash, and Type-4 is an unsalted, single-pass SHA-256 hash; both are recovered offline with little effort.</p> <h3>3.5 Unauthorized commands</h3> <p>Once an edge router has been compromised, threat actors run unauthorized commands to deepen their access or persistence on the host or network. Identifying successfully executed unauthorized commands is often a strong starting point for threat hunts and forensic investigations. Some common threat actor tactics include:</p> <ul><li>clearing logs and other records</li> <li>adding new threat actor-controlled accounts to the device</li> <li>brute forcing and abnormal logins</li> <li>making unapproved changes to configuration files</li> </ul><p>The Cyber Centre has observed threat actors modifying the configurations of edge routers. It is important to conduct regular reviews of these configurations to detect any unauthorized changes. Look out for signs of tampering, such as unrecognized IP addresses and newly added accounts, as well as any unusual packet capture settings that may have been introduced.</p> <h3>3.6 Weak credentials</h3> <p>The Cyber Centre has observed many cases where devices were compromised due to the use of default or easily guessable passwords.</p> <ul><li>Do not use easily guessed passwords, passphrases or PINs, such as "password", "let me in" or "1234", even with character substitutions like "p@ssword"</li> <li>Do not use common expressions, song titles or lyrics, movie titles, or quotes</li> <li>Do not use your personal details such as your birthday, hometown, or pet’s name</li> <li>Do not use the passwords assigned by the vendor when installing or enabling new hardware or software</li> <li>Do not use passwords found in known data breaches</li> <li>Do not reuse passwords across devices or deployments</li> </ul></section><section><h2 class="text-info" id="remediations">4 Remediations</h2> <p>The Cyber Centre has published guidance for enhancing the security posture of edge devices <span class="nowrap"><sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup><sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup><sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup><sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup><sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup><sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup></span>.</p> <p>In addition to reviewing and implementing the guidance above, the Cyber Centre recommends the following remediations:</p> <ul><li>disable unnecessary services, especially unencrypted ones such as Telnet, HTTP and SNMP v1/v2c</li> <li>disable any unauthenticated router management protocols or functions</li> <li>ensure that SNMP v3 is configured with both authentication and encryption (authPriv)</li> <li>restrict device management to administrators inside secured management networks, and never expose management interfaces directly to the Internet</li> <li>use phishing-resistant MFA for all 
administrative access, preferably using hardware-based PKI or FIDO authentication</li> <li>use modern encryption, such as AES-256, and TLS 1.3 with strong cipher suites for management and other communications</li> <li>use strong, non-default passwords</li> <li>apply secure authentication to protocols and services that support it</li> <li>upgrade deprecated hashing mechanisms and password types (on Cisco devices, replace Type-4 and Type-7 secrets with Type-8 or Type-9, as recommended in footnote 9)</li> <li>ensure that devices are running vendor-recommended firmware versions</li> <li>verify the integrity of software images by checking their hashes against the hashes the vendor publishes over an authenticated channel</li> <li>implement secure, centralized logging with the capacity to analyze large datasets</li> <li>encrypt logging traffic in transit to prevent tampering, store logs off the device (ideally off-site) since clearing local logs is a common attacker action, and integrate with SIEM tools for correlation and rapid incident identification</li> <li>establish baselines for normal network behaviour and use security appliances to alert on deviations</li> <li>investigate any configuration modifications to network devices made outside of the change management process</li> </ul></section><section><aside class="wb-fnote" role="note"><h2 class="text-info" id="references">5 References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p><a href="/en/news-events/joint-guidance-enhanced-visibility-hardening-communications-infrastructure">Joint guidance on enhanced visibility and hardening for communications infrastructure</a></p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 2</dt> <dd id="fn2"> <p><a href="/en/guidance/security-considerations-edge-devices-itsm80101">Security considerations for edge devices (ITSM.80.101)</a></p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 3</dt> <dd id="fn3"> <p><a 
href="https://www.canada.ca/en/government/system/digital-government/online-security-privacy/patch-management-guidance.html">Patch Management Guidance</a></p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 4</dt> <dd id="fn4"> <p><a href="/en/guidance/rethink-your-password-habits-protect-your-accounts-hackers-itsap30036">Rethink your password habits to protect your accounts from hackers (ITSAP.30.036)</a></p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 5</dt> <dd id="fn5"> <p><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 6</dt> <dd id="fn6"> <p><a href="/en/guidance/top-10-security-actions-no-5-segment-and-separate-information-itsm10092">Top 10 IT security actions: No.5 segment and separate information (ITSM.10.092)</a></p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote</span>6<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 7</dt> <dd id="fn7"> <p><a href="/en/guidance/routers-cyber-security-best-practices-itsap80019">Routers cyber security best practices (ITSAP.80.019)</a></p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote</span>7<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 8</dt> <dd id="fn8"> <p><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote</span>8<span class="wb-inv"> 
referrer</span></a></p> </dd> </dl><dl><dt>Footnote 9</dt> <dd id="fn9"> <p><a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2938313/nsa-publishes-best-practices-for-selecting-cisco-password-types/">NSA Publishes Best Practices for Selecting Cisco Password Types</a></p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote</span>9<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 10</dt> <dd id="fn10"> <p><a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a></p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote</span>10<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </article>
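<p>As an added example (not code from the Cyber Centre bulletin), the following Python script performs the configuration review described in sections 3.3 to 3.5 and the credential check from section 3.4: it diffs a running configuration against an approved baseline, classifies each unapproved line (new local account, ACL change, packet-capture or mirroring session, forwarding change), flags addresses outside the trusted management range, and audits password storage types, decoding any Type-7 value to show why an exfiltrated configuration holding Type-7 credentials is an immediate credential loss. The two configurations are constructed samples in Cisco IOS syntax, the Type-7 translation key is the publicly documented one, the trusted range 10.10.0.0/24 and the outside address 203.0.113.77 (a documentation range) are assumptions, and the password-type verdicts follow the NSA guidance cited in footnote 9.</p>

```python
import ipaddress
import re

# Fixed translation key behind Cisco Type-7 passwords. It is publicly documented,
# which is why Type-7 is reversible obfuscation rather than a hash.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Verdicts follow the NSA Cisco password-type guidance cited in footnote 9.
PW_VERDICT = {"0": "plaintext", "4": "deprecated: unsalted single-pass SHA-256",
              "5": "weak: salted MD5, migrate to Type-8/9", "7": "deprecated: reversible Type-7"}
PW_RE = re.compile(r"\b(password|secret)\s+(\d)\s+(\S+)")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def decode_type7(encoded: str) -> str:
    """Reverse a Type-7 string: two-digit key offset, then hex bytes XORed with XLAT."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(data))


def audit_passwords(config: str) -> list[tuple[str, str, str]]:
    """Flag every credential line that is not stored as Type-8 (PBKDF2) or Type-9 (scrypt)."""
    findings = []
    for line in config.splitlines():
        m = PW_RE.search(line)
        if not m or m.group(2) in ("8", "9"):
            continue
        detail = PW_VERDICT.get(m.group(2), "unknown password type")
        if m.group(2) == "7":
            detail += f"; decodes to {decode_type7(m.group(3))!r}"
        findings.append(("weak-credential", line.strip(), detail))
    return findings


def untrusted_ips(line: str, trusted: list[ipaddress.IPv4Network]) -> list[str]:
    """Dotted-quad addresses on the line that fall outside the trusted ranges."""
    out = []
    for ip in IP_RE.findall(line):
        if ip.startswith(("0.", "255.")):  # wildcard and subnet masks, not endpoints
            continue
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            continue
        if not any(addr in net for net in trusted):
            out.append(ip)
    return out


def audit_changes(baseline: str, running: str, trusted: list[ipaddress.IPv4Network]):
    """Classify lines present in the running config but absent from the approved baseline."""
    approved = {ln.strip() for ln in baseline.splitlines() if ln.strip()}
    findings = []
    for raw in running.splitlines():
        line = raw.strip()
        if not line or line in approved:
            continue
        if line.startswith("username "):
            cat = "new-account"
        elif line.startswith(("monitor session", "ip traffic-export", "capture ")):
            cat = "packet-capture"
        elif line.startswith(("ip route ", "interface Tunnel", "ip nat ")):
            cat = "forwarding"
        elif line.startswith(("permit ", "deny ", "access-list ")):
            cat = "acl-change"
        else:
            cat = "config-drift"
        findings.append((cat, line, "not in approved baseline"))
        bad = untrusted_ips(line, trusted)
        if bad:
            findings.append(("untrusted-ip", line, "outside trusted ranges: " + ", ".join(bad)))
    return findings


# Constructed sample configurations (not from any real device). The running config
# carries the tampering patterns of sections 3.3 to 3.5: a new privileged account
# stored as Type-7, an extra ACL permit for an outside address, and a SPAN session.
BASELINE = """\
hostname edge-rtr-1
username netops secret 9 $9$sample$sample
enable secret 9 $9$sample$sample
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
"""
RUNNING = """\
hostname edge-rtr-1
username netops secret 9 $9$sample$sample
username svc-backup privilege 15 password 7 094F471A1A0A
enable secret 9 $9$sample$sample
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
 permit host 203.0.113.77
monitor session 1 source interface GigabitEthernet0/0
monitor session 1 destination interface GigabitEthernet0/2
"""
TRUSTED = [ipaddress.IPv4Network("10.10.0.0/24")]  # assumed management range


def run_audit() -> list[tuple[str, str, str]]:
    """Change review plus credential audit for the sample pair."""
    return audit_changes(BASELINE, RUNNING, TRUSTED) + audit_passwords(RUNNING)


if __name__ == "__main__":
    for cat, line, detail in run_audit():
        print(f"[{cat}] {line} ({detail})")
```

<p>Run it as a script to print the findings; in practice the inputs are the output of <code>show running-config</code> and the last approved copy held in your change management system. Real configurations need vendor-specific parsing and a maintained allow list of management networks, which this sample only hints at.</p>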
- Security guidance for dark web leaks (ITSAP.00.115) by Canadian Centre for Cyber Security on April 16, 2025 at 1:30 pm
<article data-history-node-id="6225" about="/en/guidance/security-guidance-dark-web-leaks-itsap00115" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–DESKTOP STARTS HERE–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.115</strong></p> </div> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Awareness series</strong></p> </div> <p>Data breaches can be stressful. Finding out that your organization’s credentials were leaked to the dark web can make the situation worse. This publication provides actions to take if you discover the presence of your organization’s credentials on the dark web. 
The following actions will help your organization reduce the risk of information being leaked to the dark web.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#how">How the dark web works</a></li> <li><a href="#reduce">Reduce the risks of dark web leaks</a></li> <li><a href="#implement">Implement security measures</a></li> <li><a href="#what">What to do when your credentials have been exposed</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="how">How the dark web works</h2> <p>The dark web is a part of the Internet consisting of hidden sites that are not indexed, meaning that they are not visible to conventional search engines. Instead, the dark web can only be accessed through specific browsers that provide increased privacy and anonymity while browsing the Internet.</p> <p>Using the dark web is legal and it has legitimate uses, including stronger privacy protections and access to ad-free search engines. However, the same anonymity also shields users who host or spread content with malicious intent.</p> <p>Cyber threat actors may use the dark web to anonymously buy and sell illegal goods and services, including illegal content, firearms and personal data. Threat actors often target businesses to steal customer and employee data, as well as proprietary information. If your organization’s compromised data is found on the dark web following a data breach, it may result in substantial risks, including:</p> <ul><li>reputational damage</li> <li>financial losses</li> <li>legal consequences</li> </ul><h2 class="text-info" id="reduce">Reduce the risks of dark web leaks</h2> <p>Any access to the Internet can create vulnerabilities for your organization that may be exploited by threat actors. Promoting cyber security awareness in your organization is crucial for the safety of your network and systems. 
Among other benefits, it can significantly reduce the risk of stolen credentials.</p> <p>You should provide employees with adequate training on cyber safety and educate them on their role in protecting your organization’s network and information. Your employees should understand account security measures, such as:</p> <ul><li>the importance of maintaining safe password practices</li> <li>the benefits of multi-factor authentication (MFA)</li> <li>how to handle sensitive information</li> <li>safe Wi-Fi practices</li> </ul><h2 class="text-info" id="implement">Implement cyber security measures</h2> <p>Your organization can take the following actions to reduce the risk of stolen credentials:</p> <ul><li>Use firewalls, antivirus software, and intrusion detection and prevention systems to protect your network and systems</li> <li>Update and patch all software and systems regularly</li> <li>Encrypt sensitive data</li> <li>Implement strong access controls and the principle of least privilege</li> <li>Develop an incident response plan</li> </ul><p>For more information on these and other tips for how to increase your cyber security posture, consult our <a href="/en/guidance/cyber-security-hygiene-best-practices-your-organization-itsap10102">Cyber security hygiene best practices for your organization (ITSAP.10.102)</a>.</p> <h2 class="text-info" id="what">What to do when your credentials have been exposed</h2> <p>It could take your organization several months to find stolen information or credentials on the dark web. If you’re aware that your organization’s credentials have been leaked to the dark web, take the following actions to minimize the impact.</p> <h3>Contact your IT department</h3> <p>Your IT department will scan thoroughly for malware and other tools used by threat actors to evaluate the extent of the breach. They will also look for suspicious activity that may confirm whether the threat actors have maintained access to your network. 
For additional assistance, contact your relevant service providers.</p> <h3>Protect your assets</h3> <p>Ensure your antivirus software is up to date and perform thorough security scans on all devices. Isolate any compromised devices by:</p> <ul><li>disconnecting them from the Internet</li> <li>turning on airplane mode</li> <li>turning off networking and Bluetooth capabilities</li> <li>revoking access to any third-party applications or services connected to the compromised accounts</li> <li>reviewing and managing application permissions</li> </ul><h3>Change your passwords</h3> <p>Threat actors may use your passwords to gain unauthorized access to other accounts, especially those with administrative privileges. To prevent unauthorized access to your networks and information, all passwords should be changed, and old passwords should never be reused.</p> <p>A password manager can help you create and store complex passwords and passphrases. However, these tools present some risks to users’ information. We recommend researching different vendors to make an informed choice about which is right for you. You should also consult your IT department to create a recovery plan.</p> <h3>Turn on multi-factor authentication</h3> <p>MFA adds an extra layer of security to protect your accounts, networks and devices. It requires two or more different methods of authentication, such as:</p> <ul><li>passwords</li> <li>email</li> <li>text codes</li> <li>fingerprints</li> </ul><h3>Promote internal awareness in your organization</h3> <p>Your organization should ensure that employees are informed of compromised credentials. Employees should change their own credentials to prevent unauthorized access to networks and information.</p> <h3>Review your financial accounts</h3> <p>Carefully review any financial accounts linked to or logged in from your devices. 
Notify a credit bureau of any unauthorized use and ask them to remove fraudulent items from your credit report. Freeze any compromised accounts to prevent threat actors from opening new accounts or taking out loans.</p> <h3>Report the incident</h3> <p><em>The Privacy Act</em> governs the Government of Canada. However, private sector organizations are governed by the <em>Personal Information Protection and Electronic Documents Act</em> and are required to do the following in the event of a data breach:</p> <ul><li>Report any data breach involving personal information that poses a risk of significant harm to individuals to the Privacy Commissioner of Canada</li> <li>Notify individuals affected by the breach</li> <li>Retain records related to the breach</li> </ul><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/common-employee-it-security-challenges-itsap00005">Common employee IT security challenges (ITSAP.00.005)</a></li> <li><a href="/en/guidance/have-you-been-victim-cybercrime">Have you been a victim of cybercrime? 
(ITSAP.00.037)</a></li> <li><a href="/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105">Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)</a></li> <li><a href="/en/guidance/foundational-cyber-security-actions-small-organizations-itsap10300">Foundational cyber security actions for small organizations (ITSAP.10.300)</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></li> <li><a href="/en/guidance/password-managers-security-itsap30025">Password managers: Security tips (ITSAP.30.025)</a></li> <li><a href="/en/guidance/application-allow-list-itsap10095">Application allow list (ITSAP.10.095)</a></li> <li><a href="/en/guidance/protecting-your-organization-while-using-wi-fi-itsap80009">Protecting your organization while using Wi-Fi (ITSAP.80.009)</a></li> <li><a href="/en/guidance/wi-fi-security-itsp80002">Wi-Fi security (ITSP.80.002)</a></li> </ul></div> </div> </div> </div> </div> </article>
- Search engine optimization poisoning (ITSAP.00.013) by Canadian Centre for Cyber Security on April 15, 2025 at 5:07 pm
<article data-history-node-id="6227" about="/en/guidance/search-engine-optimization-poisoning-itsap00013" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–DESKTOP STARTS HERE–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.013</strong></p> </div> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Awareness series</strong></p> </div> <p>Search engines are the go-to tool for searching the Internet. Users often click on the first link in their results and trust the site is legitimate. Threat actors are aware of this user behaviour and try to exploit it.</p> <p>While the links at the top of your search results look legitimate, they can be spam or link to malicious sites. Threat actors can promote these malicious sites in your search engine using search engine optimization (SEO) poisoning. 
This publication will explain what <abbr title="search engine optimization">SEO</abbr> is and how you can protect yourself and your organization from potential compromises.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#search">Search engine optimization</a></li> <li><a href="#poisoning">Search engine optimization poisoning as an attack vector</a></li> <li><a href="#look">What to look out for</a></li> <li><a href="#yourself">How to protect yourself</a></li> <li><a href="#website">How to protect your website</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="search">Search engine optimization</h2> <p><abbr title="search engine optimization">SEO</abbr> is a series of techniques that marketers and website owners use to increase site traffic and the visibility of their product or service. <abbr title="search engine optimization">SEO</abbr> attempts to make a website seem more relevant to a search query so it will be ranked as a top result by search engines. <abbr title="search engine optimization">SEO</abbr> allows search engines to categorize your content to provide more tailored search results.</p> <p>The following <abbr title="search engine optimization">SEO</abbr> techniques can be used to influence search results in various ways.</p> <h3>Meta tags</h3> <p>Meta tags provide data on a webpage’s content and structure. These tags are helpful to both users and search engines. There are many different types of meta tags, such as those that indicate important page content and descriptive text for images.</p> <h3>Backlinks</h3> <p>Backlinks are links from other sites that direct users to your site. These can act as an endorsement of credibility. High-quality backlinks, from reputable sources, help rank your website higher in search engine results. 
However, beware of low-quality or toxic backlinks from disreputable sources, as they can:</p> <ul><li>harm your site’s reputation</li> <li>lower your ranking in search engine results</li> <li>associate your website with low-quality or unsolicited commercial (spam) content</li> </ul><h3>Keywords and keyphrases</h3> <p>These are popular search terms used in search engines. Associating commonly used and relevant keywords with your website will help users find your content.</p> <h3>Descriptive URLs</h3> <p>Search engines use your URLs to crawl and index sites. By ensuring your URLs are short, descriptive and on-topic, you will help search engines better understand your content.</p> <h3>Semantic HTML</h3> <p>Semantic HTML uses tags that convey the meaning of your website’s content, not just its appearance. It helps a search engine interpret your site’s content. Your HTML is the structure of your website; by giving sections meaning, you allow the website to be categorized by search engines.</p> <h3>Breadcrumbs</h3> <p>Breadcrumbs present a text path that shows the user where they are on the site. These breadcrumbs allow search engines to easily understand how your site is organized.</p> <h2 class="text-info" id="poisoning">Search engine optimization poisoning as an attack vector</h2> <p>An attack vector refers to a method that a threat actor uses to gain access to a system, network or application. <abbr title="search engine optimization">SEO</abbr> poisoning is an effective attack vector for threat actors. They can manipulate search results to target anyone using a search engine. <abbr title="search engine optimization">SEO</abbr> poisoning is effective because users broadly trust search engines and assume they display the most relevant, vetted and legitimate links first.</p> <p>Threat actors take advantage of these user assumptions and alter the weight or bias of the search results users see. Threat actors can use <abbr title="search engine optimization">SEO</abbr> poisoning to manipulate search results and rank their malicious sites higher than legitimate sites. For example, they may use popular and trending search terms to raise their ranking, misleading users into clicking on harmful links.</p> <p>Threat actors can also exploit vulnerabilities in established websites to hijack them and spread malicious content, whether through malicious downloads or by linking to other spam websites. This technique can also have the following negative impacts on the legitimate websites that are compromised or spoofed:</p> <ul><li>Lower search engine ranking</li> <li>Reduced site traffic</li> <li>Damage to brand integrity and reputation</li> </ul><p>Any links or files that you click on or download from malicious sites can jeopardize your computer. 
Accessing a webpage without the appropriate firewalls and plug-ins could put your system at risk, even if you just click on a link.</p> <p>Malicious sites and the code they serve can:</p> <ul><li>distribute malware or ransomware</li> <li>steal personal information with the intent to sell it or use it maliciously</li> <li>urge you to call a false helpline number to allow access to your device or to transfer funds</li> </ul><p>They can pose as any type of website, whether it be a news site, streaming site, retail store or technical help desk.</p> <p>Along with the above-mentioned <abbr title="search engine optimization">SEO</abbr> techniques, threat actors can also use the following actions to assist in <abbr title="search engine optimization">SEO</abbr> poisoning.</p> <h3>Script spoofing</h3> <p>Threat actors use script spoofing to trick users by impersonating legitimate websites or email addresses. They use look-alike URLs that swap in visually similar characters, including characters from other writing systems (scripts), or alter the domain name.</p> <h3>Keyword stuffing</h3> <p>Keyword stuffing occurs when threat actors fill webpages with keywords to increase their ranking. The keywords are repeated often and make the content of the site illogical. You may see many keywords combined with irrelevant words that will not make much sense when read. These are meant to be read by machines that recognize the keywords.</p> <h3>Typo squatting</h3> <p>Threat actors register domains that are similar to popular websites but with intentional typos or misspellings. They may design the website to look like the site the user intended to visit. This may further trick the user into spending more time on the malicious site and clicking on links.</p> <h3>Link farms</h3> <p>Link farms are groups of websites that all link to one another. The more links or backlinks you have from other sites, the higher your search engine ranking may be. Spam link farms manipulate search algorithms by generating large numbers of backlinks from automated link farms to inflate their ranking.</p> <h2 class="text-info" id="look">What to look out for</h2> <p>When searching the web or inputting a query into a search engine, always be aware that any link may contain malicious content. Use the following clues to avoid being compromised:</p> <ul><li>Check URLs for misspelled words</li> <li>Confirm the link’s content is related to the search query</li> <li>Be aware of unprofessional designs or cluttered webpages (if already on the website)</li> <li>Look out for fonts that seem out of place</li> <li>Use caution if links look too good to be true or are unrelated to the webpage</li> <li>Check to see if link extensions match the description</li> <li>Look for the padlock HTTPS symbol in the address bar, but proceed with caution: the padlock only means the connection is encrypted, and malicious sites obtain certificates too</li> </ul><h2 class="text-info" id="yourself">How to protect yourself</h2> <p>Use the following tips and techniques to proactively protect your computer from malicious websites.</p> <ul><li>Configure your browser, or a script-blocking extension, to block scripts by default <ul><li>Doing so helps prevent automatic execution of potentially malicious scripts</li> <li>This can help keep your personal data private and your system safe from malware</li> </ul></li> <li>Install firewalls on your device which can warn you and block malicious sites</li> <li>Keep browsers and anti-virus software up to date</li> <li>Avoid clicking on suspicious links</li> <li>Avoid providing personal information unless you’re certain the site is legitimate and secure</li> <li>Always double-check the URL before clicking</li> <li>Instead of searching and clicking on a link, type the known address into the address bar and confirm you have not made any typos before hitting enter</li> <li>Allow for file extensions to be shown and verify that the type of file being downloaded matches its advertised 
intent</li> </ul><h2 class="text-info" id="website">How to protect your website</h2> <p>If you are a website owner or administrator, consider the following actions to secure your online presence. Many of these can be done by an IT professional.</p> <ul><li>Employ secure coding practices <ul><li>Practices such as input validation and proper error handling can help prevent various attacks</li> <li>For an in-depth look, see <a href="https://csrc.nist.gov/pubs/ir/8397/final">Guidelines on Minimum Standards for Developer Verification of Software (NISTIR 8397)</a></li> </ul></li> <li>Update information on your site regularly</li> <li>Apply web application firewalls</li> <li>Use reputable content management systems and keep them, and their plug-ins, patched</li> <li>Perform regular security audits and review files, settings and website code</li> <li>Employ strong authentication methods for website administrators, such as multi-factor authentication</li> <li>Be aware of unexpected spikes and drops in website traffic, which may indicate that your site has been hacked</li> </ul><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> <li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="/en/guidance/security-considerations-when-developing-and-managing-your-website-itsap60005">Security considerations when developing and managing your website (ITSAP.60.005)</a></li> <li><a href="/en/guidance/how-shop-online-safely-itsap00071">How to shop online safely (ITSAP.00.071)</a></li> <li><a href="/en/guidance/website-defacement-itsap00060">Website defacement (ITSAP.00.060)</a></li> <li><a 
href="/en/guidance/domain-name-system-dns-tampering-itsap40021">Domain name system (DNS) tampering (ITSAP.40.021)</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/blogs/script-spoofing-protect-yourself">Script spoofing: What it is and how you can protect yourself</a></li> </ul></div> </div> </div> </div> </div> </article>
- Cyber Security Readiness by Canadian Centre for Cyber Security on April 11, 2025 at 12:39 pm
<article data-history-node-id="5758" about="/en/cyber-security-readiness" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>Canadian organizations are confronted with an evolving threat landscape as malicious cyber activities increase in scale and sophistication. Critical Infrastructure (CI) operators and owners are especially at risk. Cyber attacks on <abbr title="critical infrastructure">CI</abbr> can have devastating consequences on Canada’s economy, safety and national security.</p> <p>This page provides resources from the Cyber Centre to help Canadian organizations and critical infrastructure increase their cyber security readiness. This includes information on current cyber threats, steps to protect against them and ways to respond to and recover from incidents.</p> <h2>Cyber Security Readiness Goals</h2> <p>The Cross-Sector Cyber Security Readiness Goals (CRGs) provide Canadian organizations with 36 foundational, realistic and achievable goals to strengthen their cyber security. 
Each goal is linked to concrete recommended actions that, if taken, will elevate the cyber security posture of Canadian organizations and <abbr title="critical infrastructure">CI</abbr>.</p> <p class="mrgn-tp-md"><a class="btn btn-success btn-lg" href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Consult the Cross-Sector Cyber Security Readiness Goals Toolkit</a></p> <p>To accompany these goals, the Cyber Centre has published <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="f552f117-1c52-46d4-a56a-0d2181223d8f" href="/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals: Securing Our Most Critical Systems</a>, which provides an overview of the cyber threat landscape and explains how the <abbr title="Cross-Sector Cyber Security Readiness Goals">CRGs</abbr> came to be. This publication also highlights the <abbr title="Cross-Sector Cyber Security Readiness Goals">CRGs</abbr>’ alignment with international frameworks and other Government of Canada publications and tools.</p> <p>The <abbr title="Cross-Sector Cyber Security Readiness Goals">CRGs</abbr> are a tool for self-assessment that any organization can use to track their progress and improve their cyber security posture. 
They will be updated regularly to support organizations in effectively mitigating emerging cyber threats.</p> <h2>Additional resources</h2> <ul><li><a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a></li> <li><a href="/en/guidance/cyber-threat-bulletin-cyber-centre-reminds-canadian-critical-infrastructure-operators">Cyber threat bulletin: Cyber Centre reminds Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity</a></li> <li><a href="/en/guidance/cyber-threat-bulletin-cyber-centre-urges-canadian-critical-infrastructure-operators-raise">Cyber threat bulletin: Cyber Centre urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity</a></li> <li><a href="/en/guidance/national-cyber-threat-assessments">National Cyber Threat Assessments</a></li> <li><a href="/en/guidance/state-sponsored-espionage-and-threats-critical-infrastructure">State-sponsored espionage and threats to critical infrastructure</a></li> <li><a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33">IT security risk management: A lifecycle approach (ITSG-33)</a></li> </ul></div> </div> </div> </div> </div> </article>
- Joint guidance on BADBAZAAR and MOONSHINE by Canadian Centre for Cyber Security on April 9, 2025 at 1:09 pm
<article data-history-node-id="6252" about="/en/news-events/joint-guidance-badbazaar-moonshine" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom’s National Cyber Security Centre (NCSC-UK) and the following international partners in releasing 2 cyber security guidance publications on BADBAZAAR and MOONSHINE:</p> <ul><li>Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC)</li> <li>Germany’s Federal Intelligence Service (BND)</li> <li>Germany’s Federal Office for the Protection of the Constitution (BfV)</li> <li>New Zealand’s National Cyber Security Centre (NCSC-NZ)</li> <li>United States’ Federal Bureau of Investigation (FBI)</li> <li>United States’ National Security Agency (NSA)</li> </ul><p>The joint guidance provides new information and mitigation measures for those at high risk from 2 spyware variants: BADBAZAAR and MOONSHINE.</p> <h2>BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors</h2> <p>This publication raises awareness of the threat that malicious cyber actors pose to individuals connected to topics the People’s Republic of China (PRC) considers to be a threat to its domestic authority, ambitions and global reputation, including:</p> <ul><li>Taiwan</li> <li>Tibet</li> <li>Xinjiang Uyghur autonomous region</li> <li>democracy movements</li> <li>Falun Gong</li> </ul><p>The publication 
includes 2 case studies that detail the techniques employed by malicious cyber actors using BADBAZAAR and MOONSHINE to target data on mobile devices. The publication’s guidance also includes mitigation measures that individuals can use to help protect:</p> <ul><li>themselves</li> <li>their devices</li> <li>their data</li> </ul><p>Read the full joint guidance <a href="https://www.ncsc.gov.uk/files/NCSC-Advisory-BADBAZAAR-and-MOONSHINE-guidance.pdf">BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors (PDF)</a>.</p> <h2>BADBAZAAR and MOONSHINE: Technical analysis and mitigations</h2> <p>This joint guidance provides new and collated threat intelligence on the spyware variants BADBAZAAR and MOONSHINE. It includes advice for app store operators, developers and social media companies to help keep their users safe.</p> <p>Read the full joint guidance <a href="https://www.ncsc.gov.uk/files/NCSC-Advisory-BADBAZAAR-and-MOONSHINE-technical-analysis-and-mitigations.pdf">BADBAZAAR and MOONSHINE: Technical analysis and mitigations (PDF)</a>.</p> </div> </div> </div> </div> </div> </article>
- Private 5G networks (ITSAP.80.117) by Canadian Centre for Cyber Security on April 7, 2025 at 7:33 pm
<article data-history-node-id="6223" about="/en/guidance/private-5g-networks-itsap80117" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--DESKTOP STARTS HERE--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.80.117</strong></p> </div> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Awareness series</strong></p> </div> <!--pdf download--> <p>Private 5G (P5G) networks are dedicated, purpose-built networks designed for private use. They are a key driver of industrial development that integrates digital technologies, also known as Industry 4.0. 
They provide secure, high-performance wireless connectivity and support technologies, such as:</p> <ul><li>industrial robots</li> <li>automated guided vehicles (AGVs)</li> <li>smart grids</li> <li>autonomous (driverless) haulage systems (AHS)</li> <li>Internet of medical things (IoMT)</li> </ul><p>They are used in a range of industries and sectors, including:</p> <ul><li>logistics and warehousing</li> <li>transportation</li> <li>energy and utilities</li> <li>mining and oil</li> <li>healthcare</li> </ul><h2 class="text-info">On this page</h2> <ul><li><a href="#benefits">Benefits of using private 5G networks</a></li> <li><a href="#deployment">Deployment models</a></li> <li><a href="#risks">Risks and challenges of private 5G networks</a></li> <li><a href="#security">Security best practices for 5G networks</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="benefits">Benefits of using private 5G networks</h2> <p>There are several potential technical and business reasons your organization may consider deploying P5G networks rather than 4G/LTE, Wi-Fi, or other technologies, such as:</p> <ul><li>faster deployment times</li> <li>lower initial and operational costs</li> <li>stronger security mechanisms and improved control</li> <li>more flexibility</li> <li>better coverage and performance (lower network latency, higher transmission rates and more bandwidth)</li> </ul><h2 class="text-info" id="deployment">Deployment models</h2> <p>P5G networks can be deployed in complete isolation, integrated with public networks, or deployed as a virtual network slice depending on an organization’s requirements. Generally, there are four main deployment models.</p> <h3>Standalone</h3> <p>Standalone P5G networks are fully isolated and controlled by the organization, including the radio access network (RAN) and core functions. 
The organization deploys, owns and operates the network, while overseeing subscriber management, provisioning and authentication mechanisms. This deployment model can provide complete isolation from public networks, making it the most secure option. As such, we recommend this model for high-security applications and critical infrastructure. A standalone P5G network is also suitable for large organizations with resources and expertise that want complete control.</p> <h3>Shared RAN</h3> <p>Shared RAN P5G networks combine elements of private and public 5G networks. Organizations that adopt this model use the existing RAN infrastructure of a mobile network operator (MNO) while keeping control of core functions and user plane traffic. This model is ideal for large-scale deployments, such as utility meter connectivity, emergency services and mobile devices requiring seamless roaming. This model is suitable for organizations looking to balance control and cost.</p> <h3>Shared RAN and control plane</h3> <p>In this model, organizations use the MNO’s RAN infrastructure, control plane and core functions while retaining the user plane. This simplified model reduces network operations and management efforts, allowing organizations to focus on the functional and operational aspects of their business. The RAN and control sharing model is suitable for organizations looking to balance control and cost.</p> <h3>Network slicing</h3> <p>Network slicing allows organizations to create isolated virtual networks within a public 5G infrastructure. This means organizations can have their own dedicated "slice" of the 5G network. This model is suitable for organizations focused on developing multiple types of applications or on providing services with distinct performance requirements. For example, it could support low latency for robotics and high bandwidth for video streaming. 
Network slicing is a low-cost option with the quickest time to market.</p> <h2 class="text-info" id="risks">Risks and challenges of private 5G networks</h2> <p>P5G networks enhance security by reducing exposure to external cyber threats through additional layers of isolation. They also allow organizations to implement stronger and tailored security controls. However, even isolated networks remain vulnerable to determined actors looking to exploit misconfigurations or vulnerabilities in the P5G infrastructure.</p> <p>P5G can introduce new and complex technologies to organizations that may not have experience operating 5G networks or defending against mobile network threats. Organizations considering P5G must be aware that the following risks and challenges could invalidate some of its security benefits:</p> <ul><li>lack of technical personnel with adequate P5G knowledge during the planning, deployment and operational phases</li> <li>added complexity due to IT requirements to support the P5G deployment, such as cloud and virtualization infrastructure</li> <li>inadequate supply chain assurance activities performed before and after acquiring equipment, such as: <ul><li>failure to assess a supplier’s cyber maturity, including adherence to secure-by-design principles</li> <li>insufficient testing of P5G equipment using an industry-accepted security framework</li> </ul></li> <li>inadequate security controls at interconnection points between the private and public 5G domains</li> <li>insufficient isolation of P5G users, equipment, and end devices by type, vendor and security requirements</li> <li>inadequate separation and security controls between P5G and other IT domains within the organization (enterprise, management, Internet)</li> </ul><h2 class="text-info" id="security">Security best practices for private 5G networks</h2> <p>When deploying P5G, your organization should take steps to protect against some of the associated risks. 
To strengthen your organization’s security and align with the zero-trust model, we recommend the following cyber security best practices:</p> <ul><li><strong>Enforce strong access controls:</strong> <ul><li>Implement security policies that mandate strict role-based access control</li> <li>Use diverse identity management solutions</li> <li>Do not allow credentials to be reused between general IT and P5G networks</li> </ul></li> <li><strong>Segment the network:</strong> <ul><li>Divide your network into isolated segments</li> <li>Implement adequate network access controls between security zones</li> <li>Isolate users, equipment and end devices by type, vendor and security requirements</li> </ul></li> <li><strong>Perform regular security audits:</strong> <ul><li>Conduct periodic assessments of your network and equipment to identify and address vulnerabilities</li> </ul></li> <li><strong>Train employees:</strong> <ul><li>Provide continuous training to technical and front-end personnel on security best practices and the risks of social engineering attacks</li> </ul></li> <li><strong>Define an incident response plan:</strong> <ul><li>Develop a comprehensive incident response plan (IRP) to effectively address security incidents</li> <li>Include backup capabilities and procedures to operate safely on degraded capabilities until normal operations resume</li> <li>Retain the ability to take over operations and disable traffic to vendors, managed service providers and remote operators</li> </ul></li> <li><strong>Manage supply chain threats:</strong> <ul><li>Assess suppliers’ cyber maturity and product development processes</li> <li>Implement supply chain best practices for network equipment and end devices</li> <li>Avoid using end-of-life products</li> <li>Use products that have an active support contract with the manufacturer</li> </ul></li> <li><strong>Perform cyber defense activities:</strong> <ul><li>Implement robust monitoring to detect anomalies, identify potential 
threats and block unwanted traffic</li> </ul></li> <li><strong>Adopt cyber security best practices for 5G networks:</strong> <ul><li>Adhere to industry standards and participate in security initiatives to enhance your organization’s cyber maturity</li> </ul></li> <li><strong>Implement adequate physical security controls:</strong> <ul><li>Adhere to industry best practices for physical security of telecommunications and network equipment</li> </ul></li> </ul><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/top-10-it-security-actions">Top 10 IT security actions</a></li> <li><a href="/en/guidance/cyber-security-considerations-5g-networks-itsap80116">Cyber security considerations for 5G networks (ITSAP.80.116)</a></li> <li><a href="/en/guidance/supply-chain-security-small-and-medium-sized-organizations-itsap00070">Supply chain security for small and medium-sized organizations (ITSAP.00.070)</a></li> <li><a href="/en/guidance/contracting-clauses-telecommunications-equipment-and-services-tscg-01l">Contracting clauses for telecommunications equipment and services (TSCG-01L)</a></li> <li><a href="/en/guidance/cyber-centre-data-centre-virtualization-report-best-practices-data">Best practices for data centre virtualization (ITSP.70.010)</a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a></li> <li><a href="/en/guidance/social-engineering-itsap00166">Social engineering (ITSAP.00.166)</a></li> <li><a href="/en/guidance/zero-trust-security-model-itsap10008">Zero Trust security model (ITSAP.10.008)</a></li> </ul></div> </div> </div> </div> </div> </article>
- Cyber security advice for political candidates by Canadian Centre for Cyber Security on April 7, 2025 at 1:19 pm
<article data-history-node-id="745" about="/en/guidance/cyber-security-advice-political-candidates" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><section><div class="row"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-lg"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/cyber_security_advice_for_political_candidates.pdf">Cyber security advice for political candidates (PDF, 708 KB)</a></p> </div> <ul><li>Secure your accounts</li> <li>Secure your devices</li> <li>Secure your data and information</li> <li>Secure your online connections</li> <li>Secure staff and volunteers</li> <li>Secure your social media presence</li> </ul><section><h2 class="text-info">Why cyber security matters</h2> <p>Foreign cyber threat activity continues to target Canada’s democratic process.</p> <p>Threat actors target Canadian elections to influence decisions on key global issues or to exploit data and disrupt the democratic process.</p> <p>Foreign threat actors can launch cyber attacks to disrupt election infrastructure, influence voters and spread disinformation. 
They can target political candidates by:</p> <ul><li>hijacking accounts and online identities to spread false information</li> <li>disrupting campaign websites and infrastructure using distributed denial of service (DDoS) attacks</li> <li>hacking systems to leak sensitive (personal or campaign) data and embarrass, discredit or undermine a political candidate</li> <li>using ransomware attacks to disrupt campaign infrastructure and demand ransom payments</li> <li>creating content with artificial intelligence (AI), specifically generative <abbr title="artificial intelligence">AI</abbr>, to spread disinformation</li> </ul><p>The following guidance includes cyber security measures to best secure your data, devices and online presence, and what preventative measures you should take to protect your assets and information.</p> <h2 class="text-info">How to secure your campaign</h2> <p>Consider the following security measures to protect your campaign from cyber threats:</p> <section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/inline-images/icon-01.png" /><h3>Secure accounts</h3> <ul><li>use strong and unique passphrases or passwords</li> <li>avoid reusing passwords across accounts</li> <li>use multi-factor authentication (MFA) to add another line of defence against someone hijacking your account</li> <li>do not share access to accounts and systems unless necessary</li> <li>limit the use of “remember me” features on websites and mobile applications</li> <li>use a password manager to help create and secure credentials</li> <li>deactivate and remove accounts and profiles that are no longer in use</li> <li>regularly review your account security and recovery settings</li> </ul></div> </section><section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/inline-images/icon-02.png" /><h3>Secure devices</h3> <ul><li>install 
anti-virus, anti-malware and anti-phishing software on devices</li> <li>secure access to your mobile device with a passcode or other forms of strong authentication</li> <li>update your devices’ software, firmware and operating systems regularly</li> <li>enforce clear guidelines on handling campaign accounts and data on personal devices</li> <li>limit access to sensitive data on personal devices</li> <li>restart your devices regularly</li> </ul></div> </section><section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/inline-images/icon-03.png" /><h3>Secure data and information</h3> <ul><li>encrypt sensitive data by using device and verified application encryption</li> <li>transport information securely using an encrypted USB or a secure storage container</li> <li>back up information regularly</li> <li>keep backups stored and encrypted offline to better protect against ransomware</li> <li>limit access to accounts and information by practicing the principle of least privilege (for example, only authorized individuals can handle sensitive information)</li> <li>verify and validate messages and information before engaging and responding</li> </ul></div> </section><section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/inline-images/icon-11.png" /><h3>Secure online connections</h3> <ul><li>avoid connecting to public Wi-Fi where possible</li> <li>use cellular data or a secure Wi-Fi network to handle sensitive information</li> <li>change the default name and password of your router and Wi-Fi connection</li> <li>install Canadian Internet Registration Authority’s (CIRA) Canadian Shield protective domain name service (DNS) on your router and personal devices</li> <li>confirm firewalls are enabled by checking the status in your device or system settings or with your service provider</li> <li>use only trusted mobile app stores and 
avoid unverified third-party apps</li> </ul></div> </section><section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/icons/cccs-icon-colour-0563.png" /><h3>Secure staff and volunteers</h3> <ul><li>keep staff members informed about current potential cyber threats and vulnerabilities</li> <li>conduct awareness training to assist volunteers and new and existing staff to understand their roles and responsibilities</li> <li>consider background checks for campaign staff and volunteers</li> </ul></div> </section><section><div class="well"><img alt="" class="img-responsive pull-right col-md-2 col-sm-3 col-xs-3" src="/sites/default/files/cyber/inline-images/icon-05_0.png" /><h3>Secure your social media presence</h3> <ul><li>strengthen account settings to protect your personal information</li> <li>use fact-checking tools to validate sources before interacting with their content and platform</li> <li>review and sanitize content, images and videos to remove sensitive data before posting publicly</li> <li>restrict third-party app access to your social media profile</li> <li>educate your team on tips for spotting <abbr title="artificial intelligence">AI</abbr>, deepfakes and disinformation</li> <li>avoid opening files and links contained in unsolicited text messages or emails</li> <li>report any suspicious activity to your <abbr title="information technology">IT</abbr> security and security incident response team, if applicable</li> </ul></div> </section></section><div class="mrgn-bttm-md well"> <h2 class="mrgn-tp-sm h3">Related links:</h2> <ul><li><a href="/en/guidance/cyber-threats-elections">Cyber threats to elections</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with 
multi-factor authentication</a></li> <li><a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device</a></li> <li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks</a></li> <li><a href="/en/guidance/tips-backing-your-information-itsap40002">Tips for backing up your information</a></li> </ul></div> </div> </section></div> </div> </div> </div> </div> </article>
- Joint guidance on fast flux by Canadian Centre for Cyber Security on April 3, 2025 at 7:56 pm
Fast flux is a technique used by threat actors to obfuscate the locations of malicious servers. Threat actors do this by rapidly changing domain name system (DNS) records associated with a domain name. The use of fast flux poses a significant threat to national security. The fast flux technique allows threat actors to create resilient and highly available command and control infrastructure and conceal their malicious activities.
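One way a defender can look for the rapid record churn described above in their own resolver logs, as an added example that is not part of the joint guidance: group A-record answers per domain and flag those that combine many distinct addresses, addresses spread across unrelated networks, and very low TTLs. The log lines, the example.* domain names, the RFC 5737 documentation addresses and the thresholds are all constructed or assumed for this illustration.

```python
"""Spotting fast-flux style churn in DNS resolver logs.

Added example, not from the Cyber Centre's joint guidance. The log lines are
constructed (reserved example.* names, RFC 5737 documentation addresses) and
the thresholds are assumptions to be tuned against real resolver traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_network

# Constructed resolver log: "<timestamp> <qname> <rtype> <ttl> <rdata>".
SAMPLE_LOG = [
    # Suspected fast flux: many A records across networks, very low TTL.
    "2025-04-03T12:00:00Z login-verify.example.org A 30 192.0.2.10",
    "2025-04-03T12:01:00Z login-verify.example.org A 30 198.51.100.20",
    "2025-04-03T12:02:00Z login-verify.example.org A 30 203.0.113.30",
    "2025-04-03T12:03:00Z login-verify.example.org A 30 192.0.2.44",
    "2025-04-03T12:04:00Z login-verify.example.org A 30 198.51.100.77",
    "2025-04-03T12:05:00Z login-verify.example.org A 30 203.0.113.91",
    "2025-04-03T12:06:00Z login-verify.example.org A 30 192.0.2.120",
    "2025-04-03T12:06:30Z login-verify.example.org NS 86400 ns1.example.org",
    # Legitimate CDN: low TTL and several addresses, but one network.
    "2025-04-03T12:00:10Z cdn-static.example.com A 60 203.0.113.1",
    "2025-04-03T12:10:10Z cdn-static.example.com A 60 203.0.113.2",
    "2025-04-03T12:20:10Z cdn-static.example.com A 60 203.0.113.3",
    "2025-04-03T12:30:10Z cdn-static.example.com A 60 203.0.113.4",
    "2025-04-03T12:40:10Z cdn-static.example.com A 60 203.0.113.5",
    # Ordinary service: stable addresses with a long TTL.
    "2025-04-03T12:00:20Z updates.example.net A 3600 192.0.2.5",
    "2025-04-03T12:45:20Z updates.example.net A 3600 192.0.2.6",
]


@dataclass(frozen=True)
class DnsAnswer:
    ts: datetime
    qname: str
    ttl: int
    rdata: str


def parse_log(lines):
    """Keep A-record answers only; other record types are skipped."""
    answers = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A":
            continue
        ts_text, qname, _rtype, ttl, ip = parts
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
        answers.append(DnsAnswer(ts, qname.rstrip(".").lower(), int(ttl), ip))
    return answers


def summarize(answers):
    """Per-domain churn: distinct IPs, distinct /24s, median TTL, time span."""
    by_domain = defaultdict(list)
    for a in answers:
        by_domain[a.qname].append(a)
    stats = {}
    for qname, recs in by_domain.items():
        ips = {r.rdata for r in recs}
        # Flux hosts are typically compromised machines in unrelated networks,
        # so distinct /24 prefixes serve as a rough diversity measure.
        prefixes = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        ttls = sorted(r.ttl for r in recs)
        times = sorted(r.ts for r in recs)
        stats[qname] = {
            "unique_ips": len(ips),
            "unique_prefixes": len(prefixes),
            "median_ttl": ttls[len(ttls) // 2],
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return stats


def flag_fast_flux(stats, min_unique_ips=5, min_prefixes=3, max_ttl=300):
    """Return {domain: reasons} for domains meeting all three criteria.

    Requiring network diversity as well as low TTL keeps ordinary CDN
    round-robin (many addresses, one network) from being flagged.
    """
    flagged = {}
    for qname, s in stats.items():
        reasons = []
        if s["unique_ips"] >= min_unique_ips:
            reasons.append(f'{s["unique_ips"]} distinct A records')
        if s["unique_prefixes"] >= min_prefixes:
            reasons.append(f'{s["unique_prefixes"]} distinct /24 networks')
        if s["median_ttl"] <= max_ttl:
            reasons.append(f'median TTL {s["median_ttl"]}s')
        if len(reasons) == 3:
            flagged[qname] = reasons
    return flagged


def analyze(lines, **thresholds):
    """Raw log lines in, flagged domains with reasons out."""
    return flag_fast_flux(summarize(parse_log(lines)), **thresholds)


if __name__ == "__main__":
    for domain, reasons in analyze(SAMPLE_LOG).items():
        print(f"{domain}: {'; '.join(reasons)}")
```

Dropping the network-diversity threshold (min_prefixes=1) also flags the CDN domain, which is why low TTL alone is a poor signal.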
- Protecting controlled information in non-Government of Canada systems and organizations (ITSP.10.171) by Canadian Centre for Cyber Security on April 2, 2025 at 8:35 pm
<article data-history-node-id="6144" about="/en/guidance/protecting-controlled-information-non-government-canada-systems-and-organizations-itsp10171" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.10.171</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Practitioner series</strong></p> </div> <!--pdf download--> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsp.10.171-e_1.pdf">Protecting controlled information in non-Government of Canada systems and organizations – ITSP.10.171 (PDF, 2.5 MB)</a></p> </div> <h2 class="text-info">Foreword</h2> <p>This is an unclassified publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, email or phone our Contact Centre at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>, <a href="tel:+16139497048">(613) 949-7048</a> or <span class="nowrap"><a href="tel:+18332923788">1-833-CYBER-88</a></span>.</p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on April 2, 2025.</p> <h2 class="text-info">Revision history</h2> <ol><li><strong>First release:</strong> April 2, 2025</li> </ol><section><h2 class="text-info">Table of contents</h2> <ul class="list-unstyled lst-spcd"><li><a href="#1">1 Introduction</a> <ul class="lst-none"><li><a href="#1-1">1.1 Purpose</a></li> <li><a href="#1-2">1.2 Audience</a></li> <li><a href="#1-3">1.3 Publication organization</a></li> </ul></li> <li><a href="#2">2 Fundamentals</a> <ul class="lst-none"><li><a href="#2-1">2.1 Security requirements assumptions</a></li> <li><a href="#2-2">2.2 Security requirement development methodology</a></li> </ul></li> <li><a href="#3">3 Requirements</a> <ul class="lst-none"><li><a href="#3-1">3.1 Access control</a></li> <li><a href="#3-2">3.2 Awareness and training</a></li> <li><a href="#3-3">3.3 Audit and accountability</a></li> <li><a href="#3-4">3.4 Configuration management</a></li> <li><a href="#3-5">3.5 Identification and authentication</a></li> <li><a href="#3-6">3.6 Incident response</a></li> <li><a href="#3-7">3.7 Maintenance</a></li> <li><a href="#3-8">3.8 Media protection</a></li> <li><a href="#3-9">3.9 Personnel security</a></li> <li><a href="#3-10">3.10 Physical protection</a></li> <li><a href="#3-11">3.11 Risk assessment</a></li> <li><a href="#3-12">3.12 Security assessment and monitoring</a></li> <li><a href="#3-13">3.13 System and communications protection</a></li> <li><a href="#3-14">3.14 System and information integrity</a></li> <li><a href="#3-15">3.15 Planning</a></li> <li><a href="#3-16">3.16 System and services acquisition</a></li> <li><a href="#3-17">3.17 Supply chain risk 
management</a></li> </ul></li> <li><a href="#AA">Annex A Tailoring criteria</a></li> <li><a href="#AB">Annex B Organization-defined parameters</a></li> </ul></section><section><h2 class="text-info">Overview</h2> <p>Protecting Controlled Information (CI) is of paramount importance to Government of Canada (GC) departments and agencies and can directly impact the <abbr title="Government of Canada">GC</abbr>’s ability to successfully conduct its essential missions and functions. This publication provides <abbr title="Government of Canada">GC</abbr> departments and agencies with recommended security requirements for protecting the confidentiality of <abbr title="controlled information">CI</abbr> when the information resides in non-<abbr title="Government of Canada">GC</abbr> systems and organizations. These requirements apply to the components of non-<abbr title="Government of Canada">GC</abbr> systems that handle, process, store or transmit <abbr title="controlled information">CI</abbr>, or that provide protection for such components. The security requirements are intended for use by <abbr title="Government of Canada">GC</abbr> departments and agencies in contractual vehicles or other agreements established between those departments and agencies and non-<abbr title="Government of Canada">GC</abbr> organizations.</p> <p>This publication is a Canadian version of the National Institute of Standards and Technology <a href="https://csrc.nist.gov/pubs/sp/800/171/r3/final">NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations</a>. The Cyber Centre will produce a companion publication to use in conjunction with this publication, based on <a href="https://csrc.nist.gov/pubs/sp/800/171/a/r3/final">NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information</a>. That publication will provide a comprehensive set of procedures to assess the security requirements. 
In the interim, NIST SP 800-171A can be used as a reference.</p> <p><strong>Disclaimer:</strong> This publication is iterative, and the Canadian Program for Cyber Security Certification (CPCSC) program will continue to work with industry partners regarding the application and effectiveness of this new standard.</p> <h2 class="text-info">Acknowledgments</h2> <p>The Cyber Centre wishes to acknowledge and thank Dr. Ron Ross and Victoria Pillitteri from the Computer Security Division at <abbr title="National Institute of Standards and Technology">NIST</abbr> for allowing the Cyber Security Guidance (CSG) team to use their guidance and modify it to the Canadian context.</p> </section> <section><h2 class="text-info" id="1">1 Introduction</h2> <p>This publication is a Canadian version of <a href="https://csrc.nist.gov/pubs/sp/800/171/r3/final">NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations</a>. There are no substantial technical changes between this publication and NIST SP 800-171. The primary modifications arise from differences in laws, policies, directives, standards and guidelines. In other words, the changes reflect the distinct Canadian regulatory and compliance landscape; there are no changes to the underlying technical context.</p> <p>The controls are aligned with Security and privacy controls and assurance activities catalogue (ITSP.10.033), which is a version of <a href="https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final">NIST SP 800-53 Rev. 
5 Security and Privacy Controls for Information Systems and Organizations</a> adapted to the Canadian context.</p> <p><strong>Controlled information (CI)</strong> includes Protected A, Protected B, and controlled goods information that is not classified. Protected information, as well as the safeguarding and dissemination requirements for such information, is defined by the Treasury Board of Canada Secretariat <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32614"><abbr title="Treasury Board Secretariat">TBS</abbr> Directive on Security Management, Appendix J: Standard on Security Categorization</a> and is codified in the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=12510"><abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Privacy Protection</a>. We use the term “controlled information” in place of “controlled unclassified information” (CUI) which is used in the US document.</p> <p>GC departments and agencies are required to follow the policies and directives published by <abbr title="Treasury Board Secretariat">TBS</abbr> when using federal systems to handle, process, store, or transmit information<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <p>The responsibility of <abbr title="Government of Canada">GC</abbr> departments and agencies to protect <abbr title="controlled information">CI</abbr> remains the same when sharing <abbr title="controlled information">CI</abbr> with non-<abbr title="Government of Canada">GC</abbr> organizations. Therefore, a similar level of protection is needed when non-<abbr title="Government of Canada">GC</abbr> organizations using non-<abbr title="Government of Canada">GC</abbr> systems handle, process, store or transmit <abbr title="controlled information">CI</abbr>. 
To maintain a consistent level of protection, the security requirements for safeguarding <abbr title="controlled information">CI</abbr> in non-<abbr title="Government of Canada">GC</abbr> systems and organizations must comply with the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=16578"><abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Government Security</a>, <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32603"><abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Service and Digital</a>, and <abbr title="Treasury Board Secretariat">TBS</abbr> Policy on Privacy Protection.</p> <p>The cyber security controls and activities presented in this publication outline requirements for federal contracting.</p> <p>This publication does not contain the complete set of privacy-related controls and activities described in ITSP.10.033. Rather, it contains a subset of privacy-related controls that are shared with confidentiality-related controls.</p> <h3 class="h2 mrgn-tp-lg" id="1-1">1.1 Purpose</h3> <p>This publication provides <abbr title="Government of Canada">GC</abbr> departments and agencies with recommended security requirements for protecting the confidentiality of <abbr title="controlled information">CI</abbr> when this information resides in non-<abbr title="Government of Canada">GC</abbr> systems and organizations and where there are no specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the <abbr title="controlled information">CI</abbr> category, and that ITSP.10.171 may not be sufficient. 
The requirements do not apply to non-<abbr title="Government of Canada">GC</abbr> organizations that are collecting or maintaining information on behalf of a <abbr title="Government of Canada">GC</abbr> department or agency or using or operating a system on their behalf.</p> <p>The security requirements in this publication are only applicable to components<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> of non-<abbr title="Government of Canada">GC</abbr> systems that handle, process, store, or transmit <abbr title="controlled information">CI</abbr> or that provide protection for such components. The requirements are intended to be used by <abbr title="Government of Canada">GC</abbr> departments and agencies in contractual vehicles or other agreements established with non-<abbr title="Government of Canada">GC</abbr> organizations.</p> <p>It is important that non-<abbr title="Government of Canada">GC</abbr> organizations scope requirements appropriately when making protection-related investment decisions and managing security risks. By designating system components for handling, processing, storing or transmitting <abbr title="controlled information">CI</abbr>, non-<abbr title="Government of Canada">GC</abbr> organizations can limit the scope of the security requirements by isolating the system components in a separate security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains can use physical separation, logical separation, or a combination of both. 
This approach can provide adequate security for <abbr title="controlled information">CI</abbr> and avoid increasing the non-<abbr title="Government of Canada">GC</abbr> organization's security posture beyond what it requires for protecting its missions, operations and assets.</p> <h3 class="h2 mrgn-tp-lg" id="1-2">1.2 Audience</h3> <p>This publication is intended for various individuals and organizations in the public and private sectors, including:</p> <ul><li><abbr title="Government of Canada">GC</abbr> departments and agencies responsible for managing and protecting CI</li> <li>non-<abbr title="Government of Canada">GC</abbr> organizations responsible for protecting <abbr title="controlled information">CI</abbr></li> <li>individuals with system development lifecycle (SDLC) responsibilities</li> <li>individuals with acquisition or procurement responsibilities</li> <li>individuals with system, security, privacy or risk management and oversight responsibilities</li> <li>individuals with security or privacy assessment and monitoring responsibilities</li> </ul><h3 class="h2 mrgn-tp-lg" id="1-3">1.3 Publication organization</h3> <p>The remainder of this publication is organized as follows:</p> <ul><li><a href="#2">Section 2 Fundamentals</a> describes the assumptions and methodology used to develop the security requirements for protecting the confidentiality of <abbr title="controlled information">CI</abbr>, the format of the requirements, and the tailoring criteria applied to the Cyber Centre guidelines to obtain the requirements</li> <li><a href="#3">Section 3 Requirements</a> lists the security requirements for protecting the confidentiality of <abbr title="controlled information">CI</abbr> in non-<abbr title="Government of Canada">GC</abbr> systems and organizations</li> </ul><p>The following sections provide additional information to support the protection of <abbr title="controlled information">CI</abbr>:</p> <ul><li><a href="#AA">Annex A: Tailoring 
criteria</a></li> <li><a href="#AB">Annex B: Organization-defined parameters</a></li> </ul></section> <section><h2 class="text-info" id="2">2 Fundamentals</h2> <p>This section describes the assumptions and methodology used to develop the requirements to protect the confidentiality of <abbr title="controlled information">CI</abbr> in non-<abbr title="Government of Canada">GC</abbr> systems and organizations. It also includes the tailoring criteria applied to the controls in ITSP.10.033.</p> <h3 class="h2 mrgn-tp-lg" id="2-1">2.1 Security requirements assumptions</h3> <p>The security requirements in this publication are based on the following assumptions:</p> <ul><li><abbr title="Government of Canada">GC</abbr> information designated as <abbr title="controlled information">CI</abbr> has the same value regardless of whether such information resides in a <abbr title="Government of Canada">GC</abbr> or a non-<abbr title="Government of Canada">GC</abbr> system or organization</li> <li>statutory and regulatory requirements for the protection of <abbr title="controlled information">CI</abbr> are consistent in <abbr title="Government of Canada">GC</abbr> and non-<abbr title="Government of Canada">GC</abbr> systems and organizations</li> <li>safeguards implemented to protect <abbr title="controlled information">CI</abbr> are consistent in <abbr title="Government of Canada">GC</abbr> and non-<abbr title="Government of Canada">GC</abbr> systems and organizations</li> <li>the confidentiality impact value for <abbr title="controlled information">CI</abbr> is no less than low (Protected A), but will be medium (Protected B) for most large <abbr title="Government of Canada">GC</abbr> datasets</li> <li>non-<abbr 
title="Government of Canada">GC</abbr> organizations can directly implement a variety of potential security solutions or use external service providers to satisfy security requirements</li> </ul><h3 class="h2 mrgn-tp-lg" id="2-2">2.2 Security requirement development methodology</h3> <p>Starting with the ITSP.10.033 controls in the ITSP.10.033-01 Medium impact profile, the controls are tailored to eliminate selected controls or parts of controls that are:</p> <ul><li>primarily the responsibility of the <abbr title="Government of Canada">GC</abbr></li> <li>not directly related to protecting the confidentiality of <abbr title="controlled information">CI</abbr></li> <li>adequately addressed by other related controls</li> <li>not applicable</li> </ul><p>ITSP.10.171 security requirements represent a subset of the controls that are necessary to protect the confidentiality of <abbr title="controlled information">CI</abbr>. The security requirements are organized into 17 families, as illustrated in Table 1. Each family contains the requirements related to its general security topic. Certain families from ITSP.10.033 are not included because they do not directly contribute to confidentiality. For example, the Personal information handling and transparency (PT) family is not included because it is about handling personal information (PI), not about the confidentiality of the <abbr title="personal information">PI</abbr>. The Program management (PM) family is not included because it is not related to confidentiality. 
Finally, the Contingency planning (CP) family is not included because it addresses availability.</p> <p>The following are the security requirements families:</p> <ul><li>Access control</li> <li>Awareness and training</li> <li>Audit and accountability</li> <li>Configuration management</li> <li>Identification and authentication</li> <li>Incident response</li> <li>Maintenance</li> <li>Media protection</li> <li>Personnel security</li> <li>Physical protection</li> <li>Risk assessment</li> <li>Security assessment and monitoring</li> <li>System and communications protection</li> <li>System and information integrity</li> <li>Planning</li> <li>System and services acquisition</li> <li>Supply chain risk management</li> </ul><p>Organization-defined parameters (ODPs) are included in certain security requirements. <abbr title="organization-defined parameter">ODP</abbr>s provide flexibility through the use of assignment and selection operations to allow <abbr title="Government of Canada">GC</abbr> departments and agencies and non-<abbr title="Government of Canada">GC</abbr> organizations to specify values for the designated parameters in the requirements. Assignment and selection operations allow security requirements to be customized based on specific protection needs. The determination of <abbr title="organization-defined parameter">ODP</abbr> values can be guided and informed by laws, Orders in Council, directives, regulations, policies, standards, guidance, or mission and business needs. Once specified, <abbr title="organization-defined parameter">ODP</abbr> values become part of the requirement. When present in a control or activity statement, the square brackets indicate that there is an <abbr title="organization-defined parameter">ODP</abbr> that needs to be inserted by the reader in order for an organization to tailor the control to their context.</p> <p><abbr title="organization-defined parameter">ODP</abbr>s are an important part of specifying a security requirement. 
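</p>
<p>To show how the bracketed ODP notation can be handled mechanically, here is an added Python example (not part of this publication): it finds each [Assignment: ...] placeholder in a requirement statement, inserts the value the organization has chosen, and reports any placeholder still open. The sub-statements of 03.01.01 are quoted from Section 3, the parameter values are constructed, and the [Selection ...] syntax follows the NIST SP 800-53 convention, which this page does not show.</p>

```python
import re
from dataclasses import dataclass, field

# The bracket notation used in the requirement statements on this page:
#   [Assignment: organization-defined time period]
# Selection-type ODPs are written in the NIST SP 800-53 style, which this
# page does not show and is assumed here:
#   [Selection (one or more): option a; option b]
ODP_RE = re.compile(
    r"\[(?P<op>Assignment|Selection)(?P<qual>[^\]:]*):\s*(?P<body>[^\]]+)\]"
)


@dataclass
class Tailored:
    text: str                                        # statement with ODP values inserted
    unassigned: list = field(default_factory=list)   # descriptors still in brackets
    errors: list = field(default_factory=list)       # invalid selection choices


def tailor_statement(statement, values):
    """Insert ODP values into one requirement statement.

    `values` maps the descriptor after the colon (for example
    'organization-defined time period') to the chosen value; for a Selection
    ODP the value is one option, or a list of options, from the statement.
    Unassigned ODPs are left in place and reported: the requirement is
    incomplete until every ODP has a value.
    """
    out = Tailored(text="")

    def substitute(m):
        op, body = m.group("op"), m.group("body").strip()
        chosen = values.get(body)
        if chosen is None:
            out.unassigned.append(body)
            return m.group(0)                 # keep the placeholder visible
        if op == "Assignment":
            return f"[{chosen}]"
        options = [o.strip() for o in body.split(";")]
        picks = list(chosen) if isinstance(chosen, (list, tuple)) else [chosen]
        invalid = [p for p in picks if p not in options]
        single_only = "one or more" not in m.group("qual")
        if invalid or (single_only and len(picks) != 1):
            out.errors.append((body, picks))
            return m.group(0)
        return "[" + "; ".join(picks) + "]"

    out.text = ODP_RE.sub(substitute, statement)
    return out


def tailor_requirement(items, values_by_item):
    """Tailor every sub-statement of a requirement. Returns the per-item results
    and the (item, descriptor) pairs the organization still has to assign."""
    results = {item: tailor_statement(text, values_by_item.get(item, {}))
               for item, text in items.items()}
    open_odps = [(item, d) for item, r in results.items() for d in r.unassigned]
    return results, open_odps


# Sub-statements of 03.01.01 Account management that carry ODPs (quoted from Section 3).
REQ_03_01_01 = {
    "f.2": "the accounts have been inactive for [Assignment: organization-defined time period]",
    "g.1": "[Assignment: organization-defined time period] when accounts are no longer required",
    "g.2": "[Assignment: organization-defined time period] when users are terminated or transferred",
    "h": ("Require that users log out of the system after "
          "[Assignment: organization-defined time period] of expected inactivity "
          "or when [Assignment: organization-defined circumstances]"),
}

# Constructed parameter values, as a non-GC organization might record them.
# Item g.2 is deliberately left without a value to show how the gap is reported.
SAMPLE_VALUES = {
    "f.2": {"organization-defined time period": "90 days"},
    "g.1": {"organization-defined time period": "24 hours"},
    "h": {"organization-defined time period": "15 minutes",
          "organization-defined circumstances": "leaving the workstation unattended"},
}

if __name__ == "__main__":
    results, open_odps = tailor_requirement(REQ_03_01_01, SAMPLE_VALUES)
    for item, r in results.items():
        print(f"{item}: {r.text}")
    print("still to assign:", open_odps)
```

<p>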
<abbr title="organization-defined parameter">ODP</abbr>s provide both the flexibility and the specificity needed by organizations to clearly define their <abbr title="controlled information">CI</abbr> security requirements according to their particular missions, business functions, operational environments and risk tolerance. In addition, <abbr title="organization-defined parameter">ODP</abbr>s support consistent security assessments to determine if specified security requirements have been satisfied. If a <abbr title="Government of Canada">GC</abbr> department or agency, or a group of departments or agencies, does not specify a particular value or range of values for an <abbr title="organization-defined parameter">ODP</abbr>, non-<abbr title="Government of Canada">GC</abbr> organizations must assign the value or values to complete the security requirement.</p> <p>Each requirement includes a discussion section, derived from the control discussion sections in NIST SP 800-53. These sections provide additional information to facilitate the implementation and assessment of the requirements. They are informative, not normative. The discussion sections are not intended to extend the scope of a requirement or to influence the solutions that organizations may use to satisfy a requirement. Examples provided are notional, not exhaustive, and do not reflect all the potential options available to organizations. 
The “References” section provides the source controls or assurance activities from ITSP.10.033, and a list of relevant publications with additional information on the topic described in the requirement.</p> <p>Because this is the first iteration of the Canadian publication, controls that were withdrawn in NIST SP 800-171 Revision 3 have been labelled as “not allocated” to keep the same numbering for interoperability purposes.</p> <p>The structure and content of a typical security requirement is provided in the example below.</p> <p>The term “organization” is used in many security requirements, and its meaning depends on context. For example, in a security requirement with an <abbr title="organization-defined parameter">ODP</abbr>, an organization can refer to either the <abbr title="Government of Canada">GC</abbr> department or agency or to the non-<abbr title="Government of Canada">GC</abbr> organization establishing the parameter values for the requirement.</p> <p>Annex A describes the security control tailoring criteria used to develop the security requirements and the results of the tailoring process. It provides a list of controls and activities from ITSP.10.033 that support the requirements and the controls and activities that have been eliminated from the Medium impact profile in accordance with the tailoring criteria.</p> </section> <section><h2 class="text-info" id="3">3 Requirements</h2> <p>This section describes 17 families of security requirements for protecting the confidentiality of <abbr title="controlled information">CI</abbr> in non-<abbr title="Government of Canada">GC</abbr> systems and organizations. 
In this section, the term “system” refers to non-<abbr title="Government of Canada">GC</abbr> systems or system components that handle, process, store or transmit <abbr title="controlled information">CI</abbr>, or that provide protection for such systems or components. Not all security requirements mention <abbr title="controlled information">CI</abbr> explicitly. Requirements that do not mention <abbr title="controlled information">CI</abbr> explicitly are included because they directly affect the protection of <abbr title="controlled information">CI</abbr> during its processing, storage or transmission.</p> <p>There may be limitations to how some systems, including specialized systems (e.g., industrial/process control systems, medical devices, or computer numerical control machines) can apply certain security requirements. To accommodate such issues, the system security plan – as reflected in requirement <a href="#03-15-02">System security plan 03.15.02</a> – is used to describe any enduring exceptions to the security requirements. 
Plans of action and milestones are used to manage individual, isolated or temporary deficiencies, as reflected in requirement <a href="#03-12-02">Plan of action and milestones 03.12.02</a>.</p> <p>The security requirements in this section are only applicable to components of non-<abbr title="Government of Canada">GC</abbr> systems that process, store or transmit <abbr title="controlled information">CI</abbr> or that provide protection for such components.</p> <section><h3 class="h2 mrgn-tp-lg" id="3-1">3.1 Access control</h3> <p>The controls in the Access control family support the ability to permit or deny user access to resources within the system.</p> <details><summary><h4 id="03-01-01">03.01.01 Account management</h4> </summary><ol class="lst-upr-alph"><li>Define the types of system accounts allowed and prohibited.</li> <li>Create, enable, modify, disable, and remove system accounts in accordance with organizational policy, procedures, prerequisites, and criteria.</li> <li>Specify: <ol><li>authorized users of the system</li> <li>group and role membership</li> <li>access authorizations (i.e., privileges) for each account</li> </ol></li> <li>Authorize access to the system based on: <ol><li>a valid access authorization</li> <li>intended system usage</li> </ol></li> <li>Monitor the use of system accounts.</li> <li>Disable system accounts when: <ol><li>the accounts have expired</li> <li>the accounts have been inactive for [Assignment: organization-defined time period]</li> <li>the accounts are no longer associated with a user or individual</li> <li>the accounts are in violation of organizational policy</li> <li>significant risks associated with individuals are discovered</li> </ol></li> <li>Notify account managers and designated personnel or roles within: <ol><li>[Assignment: organization-defined time period] when accounts are no longer required</li> <li>[Assignment: organization-defined time period] when users are terminated or transferred</li> <li>[Assignment: organization-defined time period] when system usage or the need-to-know changes for an individual</li> </ol></li> <li>Require that users log out of the system after [Assignment: organization-defined time period] of expected inactivity or when [Assignment: organization-defined circumstances].</li> </ol><h5>Discussion</h5> <p>This requirement focuses on account management for systems and applications. 
The definition and enforcement of access authorizations other than those determined by account type (e.g., privileged access or non-privileged access) are addressed in <a href="#03-01-02">Access enforcement 03.01.02</a>. System account types include individual, group, temporary, system, guest, anonymous, emergency, developer, and service accounts. Users who require administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access. Types of accounts that organizations may prohibit due to increased risk include group, emergency, guest, anonymous, and temporary accounts.</p> <p>Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of both. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point of origin. In defining other account attributes, organizations consider system requirements (e.g., system upgrades, scheduled maintenance) and mission and business requirements (e.g., time zone differences, remote access to facilitate travel requirements).</p> <p>Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to the system to cause harm or that adversaries will cause harm through them. Close coordination among human resource managers, mission/business owners, system administrators, and legal staff is essential when disabling system accounts for high-risk individuals. Time periods for the notification of organizational personnel or roles may vary.</p> <p>Inactivity logout is behaviour- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. 
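</p>
<p>An added example (not from this publication) of applying the disabling conditions of 03.01.01 f. and the notification periods of 03.01.01 g. to an account inventory. The ODP values, account records and notification log are constructed; the prohibited account types follow the examples given in the discussion.</p>

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed organization-defined values for 03.01.01. Prohibited types follow
# the examples in the discussion; an organization records its own in policy.
POLICY = {
    "prohibited_types": {"guest", "anonymous", "temporary"},      # item a.
    "inactivity_period": timedelta(days=90),                      # ODP in f.2
    "notify_within": {                                            # ODPs in g.1 to g.3
        "no longer required": timedelta(days=2),
        "terminated or transferred": timedelta(days=1),
        "need-to-know changed": timedelta(days=5),
    },
}


@dataclass
class Account:
    name: str
    kind: str                  # individual, service, group, guest, ...
    owner: Optional[str]       # None once no person is responsible for it
    expires: Optional[date]
    last_used: Optional[date]  # None if never used
    policy_violation: bool = False
    high_risk: bool = False    # reliable evidence of intent or exposure to harm


def disable_reasons(acct, today, policy=POLICY):
    """Return the 03.01.01 conditions under which `acct` must be disabled;
    an empty list means it may stay enabled under this policy."""
    reasons = []
    if acct.kind in policy["prohibited_types"]:
        reasons.append("prohibited account type")                       # a.
    if acct.expires is not None and acct.expires < today:
        reasons.append("expired")                                       # f.1
    if acct.last_used is not None and today - acct.last_used > policy["inactivity_period"]:
        reasons.append("inactive beyond organization-defined period")   # f.2
    if acct.owner is None:
        reasons.append("no longer associated with a user")              # f.3
    if acct.policy_violation:
        reasons.append("violation of organizational policy")            # f.4
    if acct.high_risk:
        reasons.append("significant risk associated with individual")   # f.5
    return reasons


def review_accounts(accounts, today, policy=POLICY):
    """Accounts that need action, mapped to their reasons."""
    result = {}
    for acct in accounts:
        reasons = disable_reasons(acct, today, policy)
        if reasons:
            result[acct.name] = reasons
    return result


def overdue_notifications(events, today, policy=POLICY):
    """events: (account, event kind, event date, date notified or None).
    Returns the accounts whose managers were notified late, or not at all
    although the organization-defined period has elapsed (03.01.01 g.)."""
    late = []
    for account, kind, occurred, notified in events:
        reference = notified if notified is not None else today
        if reference - occurred > policy["notify_within"][kind]:
            late.append(account)
    return late


TODAY = date(2025, 6, 1)   # constructed reference date for the review

# Constructed inventory: one clean account and four that trip different conditions.
SAMPLE_ACCOUNTS = [
    Account("a.tremblay", "individual", "A. Tremblay", None, date(2025, 5, 28)),
    Account("contractor7", "individual", "Contractor 7", date(2025, 3, 31), date(2025, 3, 30)),
    Account("svc-backup", "service", None, None, date(2025, 5, 31)),
    Account("guest", "guest", "front desk", None, None),
    Account("j.lee", "individual", "J. Lee", None, date(2025, 1, 15), high_risk=True),
]

# Constructed notification log: (account, event kind, event date, date notified).
SAMPLE_EVENTS = [
    ("contractor7", "terminated or transferred", date(2025, 3, 31), date(2025, 3, 31)),
    ("m.khan", "terminated or transferred", date(2025, 5, 20), date(2025, 5, 26)),
    ("svc-backup", "no longer required", date(2025, 5, 29), None),
]

if __name__ == "__main__":
    for name, reasons in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"disable {name}: {', '.join(reasons)}")
    print("late notifications:", overdue_notifications(SAMPLE_EVENTS, TODAY))
```

<p>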
Automatic enforcement of inactivity logout is addressed by <a href="#03-01-10">Device lock 03.01.10</a>.</p> <h5>References</h5> <p>Source controls: AC-02, AC-02(03), AC-02(05), AC-02(13)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/managing-and-controlling-administrative-privileges-itsap10094">Cyber Centre Managing and controlling administrative privileges (ITSAP.10.094) </a></li> <li><a href="/en/guidance/how-protect-your-organization-insider-threats-itsap10003-0">Cyber Centre How to protect your organization from insider threats (ITSAP.10.003) </a></li> </ul></details><details><summary><h4 id="03-01-02">03.01.02 Access enforcement</h4> </summary><p>Enforce approved authorizations for logical access to <abbr title="controlled information">CI</abbr> and system resources in accordance with applicable access control policies.</p> <h5>Discussion</h5> <p>Access control policies control access between active entities or subjects (i.e., users or system processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, and domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the Internet. Access enforcement mechanisms can also be employed at the application and service levels to provide increased protection for <abbr title="controlled information">CI</abbr>. This recognizes that the system can host many applications and services in support of mission and business functions. 
Access control policies are defined in Policy and procedures 03.15.01.</p> <h5>References</h5> <p>Source control: AC-03<br /> Supporting publications: <a href="/en/guidance/managing-and-controlling-administrative-privileges-itsap10094">Cyber Centre Managing and controlling administrative privileges (ITSAP.10.094)</a></p> </details><details><summary><h4 id="03-01-03">03.01.03 Information flow enforcement</h4> </summary><p>Enforce approved authorizations for controlling the flow of <abbr title="controlled information">CI</abbr> within the system and between connected systems.</p> <h5>Discussion</h5> <p>Information flow control regulates where <abbr title="controlled information">CI</abbr> can transit within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include keeping <abbr title="controlled information">CI</abbr> from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting requests to the Internet that are not from the internal web proxy server, and limiting <abbr title="controlled information">CI</abbr> transfers between organizations based on data structures and content.</p> <p>Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of <abbr title="controlled information">CI</abbr> between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. 
Enforcement occurs in boundary protection devices (e.g., encrypted tunnels, routers, gateways, and firewalls) that use rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.</p> <p>Transferring <abbr title="controlled information">CI</abbr> between organizations may require an agreement that specifies how the information flow is enforced (see <a href="#03-12-05">Information exchange 03.12.05</a>). Transferring <abbr title="controlled information">CI</abbr> between systems that represent different security domains with different security policies introduces the risk that such transfers may violate one or more domain security policies. In such situations, information custodians provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. 
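</p>
<p>An added example (not from this publication) that evaluates constructed flow records against the flow control restrictions listed in this discussion: outside traffic claiming an internal source, CI leaving in the clear, Internet requests not originating from the web proxy, and CI transfers to another organization limited to the content types an exchange agreement covers. The address ranges, the proxy address and the agreement are constructed.</p>

```python
import ipaddress
from dataclasses import dataclass

# Constructed environment: the organization's address space, its web proxy and
# one partner organization's range (documentation prefixes, not real networks).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WEB_PROXY = ipaddress.ip_address("10.0.1.10")
PARTNER_NET = ipaddress.ip_network("192.0.2.0/24")
# Content types the exchange agreement with the partner (see 03.12.05) covers.
PARTNER_AGREEMENT = {"invoice-pdf"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    arrived_on: str       # interface the packet came in on: "external" or "internal"
    dst_port: int
    encrypted: bool       # protected on the wire (TLS, IPsec)
    carries_ci: bool      # labelled as controlled information
    content_type: str = ""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(flow):
    """Apply the flow control restrictions from the discussion, in order, and
    return (decision, reason) for one flow record."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # Outside traffic that claims an internal source address is spoofed.
    if flow.arrived_on == "external" and is_internal(src):
        return ("deny", "spoofed internal source")
    if is_internal(src) and not is_internal(dst):
        # CI must never leave the organization in the clear.
        if flow.carries_ci and not flow.encrypted:
            return ("deny", "CI transmitted in the clear")
        if dst in PARTNER_NET:
            # Transfers to another organization are limited to the content
            # types the exchange agreement covers.
            if flow.carries_ci and flow.content_type not in PARTNER_AGREEMENT:
                return ("deny", "content type not covered by exchange agreement")
            return ("allow", "partner transfer under agreement")
        # Requests to the Internet must originate from the web proxy.
        if src != WEB_PROXY:
            return ("deny", "Internet request not from web proxy")
        return ("allow", "proxied egress")
    return ("allow", "no flow control restriction applies")


def audit(flows):
    """Evaluate a batch of flow records and return the denied ones with reasons."""
    denied = []
    for flow in flows:
        decision, reason = evaluate(flow)
        if decision == "deny":
            denied.append((flow, reason))
    return denied


# Constructed flow records exercising each rule once.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.5.20", "external", 443, True, False),
    Flow("10.0.7.7", "10.0.5.20", "external", 445, False, True),
    Flow("10.0.1.10", "198.51.100.8", "internal", 443, True, False),
    Flow("10.0.9.4", "198.51.100.8", "internal", 80, False, True, "spreadsheet"),
    Flow("10.0.9.4", "198.51.100.8", "internal", 443, True, False),
    Flow("10.0.9.4", "192.0.2.30", "internal", 443, True, True, "invoice-pdf"),
    Flow("10.0.9.4", "192.0.2.30", "internal", 443, True, True, "hr-record"),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"deny {flow.src} -> {flow.dst}:{flow.dst_port}: {reason}")
```

<p>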
Enforcement includes prohibiting <abbr title="controlled information">CI</abbr> transfers between interconnected systems (i.e., allowing information access only), employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security attributes and security labels.</p> <h5>References</h5> <p>Source control: AC-04<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022) </a></li> <li><a href="/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> </ul></details><details><summary><h4 id="03-01-04">03.01.04 Separation of duties</h4> </summary><ol class="lst-upr-alph"><li>Identify the duties of individuals requiring separation.</li> <li>Define system access authorizations to support separation of duties.</li> </ol><h5>Discussion</h5> <p>Separation of duties addresses the potential for abuse of authorized privileges and reduces the risk of malicious activity without collusion. Separation of duties includes dividing mission functions and support functions among different individuals or roles, conducting system support functions with different individuals or roles (e.g., quality assurance, configuration management, system management, assessments, programming, and network security), and ensuring that personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of their systems and system components when developing policies on separation of duties. 
This requirement is enforced by <a href="#03-01-02">Access enforcement 03.01.02</a>.</p> <h5>References</h5> <p>Source control: AC-05<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/162/upd2/final">NIST SP 800-162 Guide to Attribute Based Access Control (ABAC) Definition and Considerations </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/178/final">NIST SP 800-178 A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) </a></li> </ul></details><details><summary><h4 id="03-01-05">03.01.05 Least privilege</h4> </summary><ol class="lst-upr-alph"><li>Allow only the authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks.</li> <li>Authorize access to [Assignment: organization-defined security functions] and [Assignment: organization-defined security-relevant information].</li> <li>Review the privileges assigned to roles or classes of users [Assignment: organization-defined frequency] to validate the need for such privileges.</li> <li>Reassign or remove privileges, as necessary.</li> </ol><h5>Discussion</h5> <p>Organizations employ the principle of least privilege for specific duties and authorized access for users and system processes. Least privilege is applied to the development, implementation, and operation of the system. Organizations consider creating additional processes, roles, and system accounts to achieve least privilege. Security functions include establishing system accounts and assigning privileges, installing software, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, establishing intrusion detection parameters, and managing audit information. 
Security-relevant information includes threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, security architecture, cryptographic key management information, access control lists, and audit information.</p> <h5>References</h5> <p>Source controls: AC-06, AC-06(01), AC-06(07), AU-09(04)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-06">03.01.06 Least privilege – privileged accounts</h4> </summary><ol class="lst-upr-alph"><li>Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].</li> <li>Require that users (or roles) with privileged accounts use non-privileged accounts when accessing non-security functions or non-security information.</li> <li>Require any administrative or superuser actions to be performed from a physical workstation which is dedicated to those specific tasks and isolated from all other functions and networks, especially any form of Internet access.</li> </ol><h5>Discussion</h5> <p>Privileged accounts refer to accounts that are granted elevated privileges to access resources (including security functions or security-relevant information) that are otherwise restricted for non-privileged accounts. These accounts are typically described as system administrator or super-user accounts. For example, a privileged account is often required in order to perform privileged functions such as executing commands that could modify system behaviour. Restricting privileged accounts to specific personnel or roles prevents non-privileged users from accessing security functions or security-relevant information. 
Requiring the use of non-privileged accounts when accessing non-security functions or non-security information limits exposure when operating from within privileged accounts.</p> <p>A dedicated administration workstation (DAW) typically consists of a user terminal with a very small selection of software designed for interfacing with the target system. For the purpose of this control, the workstation is the system from which the administration is performed, as opposed to the target system being administered.</p> <h5>References</h5> <p>Source controls: AC-06(02), AC-06(05), SI-400<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-07">03.01.07 Least privilege – privileged functions</h4> </summary><ol class="lst-upr-alph"><li>Prevent non-privileged users from executing privileged functions.</li> <li>Log the execution of privileged functions.</li> </ol><h5>Discussion</h5> <p>Privileged functions include establishing system accounts, performing system integrity checks, conducting patching operations, or administering cryptographic key management activities. Non-privileged users do not possess the authorizations to execute privileged functions. Bypassing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. This requirement represents a condition to be achieved by the definition of authorized privileges in <a href="#03-01-01">Account management 03.01.01</a> and privilege enforcement in <a href="#03-01-02">Access enforcement 03.01.02</a>.</p> <p>The misuse of privileged functions – whether intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts – is a serious and ongoing concern that can have significant adverse impacts on organizations. 
Logging the use of privileged functions is one way to detect such misuse and mitigate the risks from advanced persistent threats and insider threats.</p> <h5>References</h5> <p>Source controls: AC-06(09), AC-06(10)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-08">03.01.08 Unsuccessful logon attempts</h4> </summary><ol class="lst-upr-alph"><li>Limit the number of consecutive invalid logon attempts to [Assignment: organization-defined number] in [Assignment: organization-defined time period].</li> <li>Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action] when the maximum number of unsuccessful attempts is exceeded.</li> </ol><h5>Discussion</h5> <p>Due to the potential for denial of service, automatic system lockouts are, in most cases, temporary and automatically release after a predetermined period established by the organization (i.e., using a delay algorithm). Organizations may employ different delay algorithms for different system components based on the capabilities of the respective components. 
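</p>
<p>The delay algorithm described above, as an added example (not code from the publication): a small Python limiter that counts consecutive invalid attempts within a time window, applies a temporary lockout whose duration doubles after each lockout up to a cap so that the lock releases on its own instead of leaving the account in a denial-of-service state, and records a notification for the administrator. The limits (5 attempts in 15 minutes, a 30 second base delay capped at one hour) are constructed values standing in for the organization-defined assignments; the clock is injectable so the behaviour can be checked without waiting.</p>

```python
"""Limiting consecutive invalid logon attempts with a delay algorithm.

Added example, not code from the publication. The limits below are
constructed values filling the organization-defined assignments in
03.01.08; the clock is injectable so tests need not wait.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable
import time


@dataclass
class AccountState:
    failures: list[float] = field(default_factory=list)  # times of recent invalid attempts
    lockouts: int = 0            # lockouts since the last successful logon; drives backoff
    locked_until: float = 0.0    # lockout release time, 0.0 when never locked
    notifications: list[str] = field(default_factory=list)  # messages for the administrator


class LogonLimiter:
    def __init__(self, max_attempts: int = 5, window_s: float = 900.0,
                 base_delay_s: float = 30.0, max_delay_s: float = 3600.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.base_delay_s = base_delay_s
        self.max_delay_s = max_delay_s
        self.clock = clock
        self._accounts: dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def delay_for(self, state: AccountState) -> float:
        """Delay algorithm: exponential backoff, capped so a lockout always releases
        on its own rather than needing an administrator (limits denial of service)."""
        return min(self.base_delay_s * (2 ** state.lockouts), self.max_delay_s)

    def is_locked(self, account: str) -> bool:
        return self._state(account).locked_until > self.clock()

    def seconds_until_release(self, account: str) -> float:
        return max(0.0, self._state(account).locked_until - self.clock())

    def record_attempt(self, account: str, credential_valid: bool) -> str:
        """Apply one logon attempt; returns 'locked', 'rejected' or 'accepted'."""
        state = self._state(account)
        now = self.clock()
        if state.locked_until > now:
            return "locked"   # nothing, not even a valid credential, is accepted while locked
        if credential_valid:
            state.failures.clear()
            state.lockouts = 0
            return "accepted"
        # Only invalid attempts inside the window count as consecutive.
        state.failures = [t for t in state.failures if now - t <= self.window_s]
        state.failures.append(now)
        if len(state.failures) < self.max_attempts:
            return "rejected"
        delay = self.delay_for(state)
        state.locked_until = now + delay
        state.lockouts += 1
        state.failures.clear()
        state.notifications.append(
            f"{account}: locked for {delay:.0f}s after {self.max_attempts} invalid attempts")
        return "locked"

    def notifications(self, account: str) -> list[str]:
        return list(self._state(account).notifications)


def simulate(limiter: LogonLimiter, account: str, outcomes: list[bool]) -> list[str]:
    """Feed a sequence of attempt outcomes (True = valid credential) and collect the results."""
    return [limiter.record_attempt(account, ok) for ok in outcomes]


if __name__ == "__main__":
    limiter = LogonLimiter()
    print(simulate(limiter, "alice", [False] * 5 + [True]))  # the valid attempt is refused while locked
    print(limiter.notifications("alice"))
```

<p>A valid credential presented during a lockout is still refused, which is what makes the lockout meaningful against automated guessing; the backoff resets only after a successful logon, so repeated lockout cycles grow longer up to the cap, and the cap is what keeps the measure temporary as the discussion requires.</p>
<p>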
Responses to unsuccessful system logon attempts may be implemented at the system and application levels.</p> <p>Organization-defined actions that may be taken include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of a full lockout), allowing users to log on only from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles, such as location, time of day, IP address, device, or Media Access Control (MAC) address.</p> <h5>References</h5> <p>Source control: AC-07<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> </ul></details><details><summary><h4 id="03-01-09">03.01.09 System use notification</h4> </summary><p>Display a system use notification message with privacy and security notices consistent with applicable <abbr title="controlled information">CI</abbr> rules before granting access to the system.</p> <h5>Discussion</h5> <p>System use notifications can be implemented using warning or banner messages. The messages are displayed before individuals log in to the system. System use notifications are used for access via logon interfaces with human users and are not required when human interfaces do not exist. Organizations consider whether a secondary use notification is needed to access applications or other system resources after the initial network logon. Posters or other printed materials may be used in lieu of an automated system message. 
This requirement is related to <a href="#03-15-03">Rules of behaviour 03.15.03</a>.</p> <h5>References</h5> <p>Source control: AC-08<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-10">03.01.10 Device lock</h4> </summary><ol class="lst-upr-alph"><li>Prevent access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended].</li> <li>Retain the device lock until the user re-establishes access using established identification and authentication procedures.</li> <li>Conceal, via the device lock, information previously visible on the display with a publicly viewable image.</li> </ol><h5>Discussion</h5> <p>Device locks are temporary actions taken to prevent access to the system when users depart from the immediate vicinity of the system but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or application level. User-initiated device locking is behaviour- or policy-based and requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of the system (e.g., when organizations require users to log out at the end of workdays). 
Publicly viewable images can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colours, a clock, a battery life indicator, or a blank screen, with the caveat that <abbr title="controlled information">CI</abbr> is not displayed.</p> <h5>References</h5> <p>Source controls: AC-11, AC-11(01)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-11">03.01.11 Session termination</h4> </summary><p>Terminate a user session automatically after [Assignment: organization-defined conditions or trigger events requiring session disconnect].</p> <h5>Discussion</h5> <p>This requirement addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., disconnecting from the network) in <a href="#03-13-09">Network disconnect 03.13.09</a>. A logical session is initiated whenever a user (or processes acting on behalf of a user) accesses a system. Logical sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination ends all system processes associated with a user's logical session except those processes that are created by the user (i.e., session owner) to continue after the session is terminated. 
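</p>
<p>An added example (not from the publication) of the automatic termination this requirement describes, in Python: a policy evaluates each logical session against an inactivity timeout, a time-of-day window and an incident response list, terminates the session by ending its processes while keeping the ones the session owner deliberately detached, and reports which trigger fired. The timeout, the allowed hours, the user names and the process names are constructed for the example.</p>

```python
"""Automatic session termination on organization-defined triggers.

Added example, not code from the publication. The idle timeout, the
time-of-day window, the user names and the process names are constructed
to illustrate 03.01.11.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta


@dataclass
class Session:
    session_id: str
    user: str
    last_activity: datetime
    processes: set[str] = field(default_factory=set)  # processes belonging to this logical session
    detached: set[str] = field(default_factory=set)   # owner-created jobs meant to outlive the session
    active: bool = True
    end_reason: str | None = None


@dataclass
class TerminationPolicy:
    idle_timeout: timedelta = timedelta(minutes=15)
    allowed_start: time = time(6, 0)    # interactive use permitted from 06:00 ...
    allowed_end: time = time(22, 0)     # ... up to (not including) 22:00
    quarantined_users: set[str] = field(default_factory=set)  # incident response trigger

    def trigger(self, session: Session, now: datetime) -> str | None:
        """Return the first trigger that applies, or None if the session may continue."""
        if session.user in self.quarantined_users:
            return "incident-response"
        if now - session.last_activity >= self.idle_timeout:
            return "inactivity"
        if not (self.allowed_start <= now.time() < self.allowed_end):
            return "time-of-day"
        return None


def terminate(session: Session, reason: str) -> list[str]:
    """End the logical session: stop its processes except the ones the owner
    detached to continue after the session, and return what was stopped."""
    stopped = sorted(session.processes - session.detached)
    session.processes = set(session.detached)
    session.active = False
    session.end_reason = reason
    return stopped


def sweep(sessions: list[Session], policy: TerminationPolicy, now: datetime) -> dict[str, str]:
    """Evaluate every active session; map the ids of terminated sessions to their trigger."""
    terminated: dict[str, str] = {}
    for s in sessions:
        if not s.active:
            continue
        reason = policy.trigger(s, now)
        if reason is not None:
            terminate(s, reason)
            terminated[s.session_id] = reason
    return terminated


# Constructed sample data so the sweep can be exercised offline.
def same_day(hour: int, minute: int) -> datetime:
    return datetime(2025, 6, 23, hour, minute)


SAMPLE_NOW = same_day(10, 0)


def sample_sessions() -> list[Session]:
    return [
        Session("s1", "alice", SAMPLE_NOW - timedelta(minutes=20),
                {"shell", "editor", "batch-job"}, {"batch-job"}),
        Session("s2", "bob", SAMPLE_NOW - timedelta(minutes=1), {"shell"}),
        Session("s3", "mallory", SAMPLE_NOW, {"shell"}),
    ]


if __name__ == "__main__":
    policy = TerminationPolicy(quarantined_users={"mallory"})
    print(sweep(sample_sessions(), policy, SAMPLE_NOW))
```

<p>Ending the logical session leaves the detached job running, as the discussion allows for processes the session owner created to continue, and the recorded reason gives the audit trail the trigger that fired.</p>
<p>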
Conditions or trigger events that require automatic session termination can include organization-defined periods of user inactivity, time-of-day restrictions on system use, and targeted responses to certain types of incidents.</p> <h5>References</h5> <p>Source control: AC-12<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-01-12">03.01.12 Remote access</h4> </summary><ol class="lst-upr-alph"><li>Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access.</li> <li>Authorize each type of remote system access prior to establishing such connections.</li> <li>Route remote access to the system through authorized and managed access control points.</li> <li>Authorize remote execution of privileged commands and remote access to security-relevant information.</li> </ol><h5>Discussion</h5> <p>Remote access is access to systems (or processes acting on behalf of users) that communicate through external networks, such as the Internet. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. Routing remote access through managed access control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of <abbr title="controlled information">CI</abbr>.</p> <p>Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. 
Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions.</p> <h5>References</h5> <p>Source controls: AC-17, AC-17(03), AC-17(04)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/113/final">NIST SP 800-113 Guide to SSL <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User's Guide to Telework and Bring Your Own Device (BYOD) Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/121/r2/upd1/final">NIST SP 800-121 Guide to Bluetooth Security</a></li> </ul></details><h4 id="03-01-13">03.01.13 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-01-14">03.01.14 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-01-15">03.01.15 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-16">03.01.16 Wireless access</h4> </summary><ol class="lst-upr-alph"><li>Establish usage restrictions, configuration requirements, and connection requirements for each type of wireless access to the system</li> <li>Authorize each type of wireless access to the system prior to 
establishing such connections</li> <li>Disable, when not intended for use, wireless networking capabilities prior to issuance and deployment</li> <li>Protect wireless access to the system using authentication and encryption</li> </ol><h5>Discussion</h5> <p>Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. Establishing usage restrictions, configuration requirements, and connection requirements for wireless access to the system provides criteria to support access authorization decisions. These restrictions and requirements reduce susceptibility to unauthorized system access through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication. Organizations authenticate individuals and devices to protect wireless access to the system. Special attention is given to the variety of devices with potential wireless access to the system, including small form factor mobile devices (e.g., smart phones, tablets, smart watches). Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. 
Strong authentication of users and devices, strong encryption, and disabling wireless capabilities that are not needed for essential missions or business functions can reduce susceptibility to threats by adversaries involving wireless technologies.</p> <h5>References</h5> <p>Source controls: AC-18, AC-18(01), AC-18(03)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/security-requirements-wireless-local-area-networks-itsg-41">Cyber Centre Security Requirements for Wireless Local Area Networks (ITSG-41) </a></li> <li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/94/final">NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> </ul></details><h4 id="03-01-17">03.01.17 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-18">03.01.18 Access control for mobile devices</h4> </summary><ol class="lst-upr-alph"><li>Establish usage restrictions, configuration requirements, and connection requirements for mobile devices</li> <li>Authorize the connection of mobile devices to the system</li> <li>Implement full-device or container-based encryption to protect the confidentiality of <abbr title="controlled information">CI</abbr> on mobile devices</li> </ol><h5>Discussion</h5> <p>A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable, or removable data storage; and includes a self-contained power source. 
Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, smart watches, and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capabilities of mobile devices may be comparable to or a subset of notebook or desktop systems, depending on the nature and intended purpose of the device. The protection and control of mobile devices are behaviour- or policy-based and require users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which the organization provides physical or procedural controls to meet the requirements established for protecting <abbr title="controlled information">CI</abbr>.</p> <p>Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions, configuration requirements, and connection requirements for mobile devices include configuration management, device identification and authentication, implementing mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system and possibly other software integrity checks, and disabling unnecessary hardware. On mobile devices, secure containers provide software-based data isolation designed to segment enterprise applications and information from personal apps and data. Containers may present multiple user interfaces, one of the most common being a mobile application that acts as a portal to a suite of business productivity apps, such as email, contacts, and calendar. 
Organizations can employ full-device encryption or container-based encryption to protect the confidentiality of <abbr title="controlled information">CI</abbr> on mobile devices.</p> <h5>References</h5> <p>Source controls: AC-19, AC-19(05)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User's Guide to Telework and Bring Your Own Device (BYOD) Security </a></li> </ul></details><h4 id="03-01-19">03.01.19 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-20">03.01.20 Use of external systems</h4> </summary><ol class="lst-upr-alph"><li>Prohibit the use of external systems unless they are specifically authorized</li> <li>Establish the following terms, conditions, and security requirements to be satisfied on external systems prior to allowing use of or access to those systems by authorized individuals: [Assignment: organization-defined security requirements]</li> <li>Permit authorized individuals to use an external system to access the organization's system or to process, store, or transmit <abbr title="controlled information">CI</abbr> only after: <ol><li>verifying that the security requirements on the external system as specified in the organization's system security and privacy plans have been satisfied</li> <li>retaining approved system connection or processing agreements with the organizational entities hosting the external systems</li> </ol></li> <li>Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems</li> 
</ol><h5>Discussion</h5> <p>External systems are systems that are used by but are not part of the organization. These systems include personally owned systems, system components, or devices; privately owned computing and communication devices in commercial or public facilities; systems owned or controlled by non-federal organizations; and systems managed by contractors. Organizations have the option to prohibit the use of any type of external system or specified types of external systems (e.g., prohibit the use of external systems that are not organization-owned). Terms and conditions are consistent with the trust relationships established with the entities that own, operate, or maintain external systems and include descriptions of shared responsibilities.</p> <p>Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to the organizational system and over whom the organization has the authority to impose specific rules of behaviour regarding system access. Restrictions that organizations impose on authorized individuals may vary depending on the trust relationships between the organization and external entities. Organizations need assurance that the external systems satisfy the necessary security requirements so as not to compromise, damage, or harm the system. 
This requirement is related to <a href="#03-16-03">External system services 03.16.03</a>.</p> <h5>References</h5> <p>Source controls: AC-20, AC-20(01), AC-20(02)<br /> Supporting publications: None</p> </details><h4 id="03-01-21">03.01.21 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-01-22">03.01.22 Publicly accessible content</h4> </summary><ol class="lst-upr-alph"><li>Train authorized individuals to ensure that publicly accessible information does not contain <abbr title="controlled information">CI</abbr></li> <li>Review the content on publicly accessible systems for <abbr title="controlled information">CI</abbr> periodically and remove such information, if discovered</li> </ol><h5>Discussion</h5> <p>In accordance with applicable laws, Orders in Council, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to non-public information, including <abbr title="controlled information">CI</abbr>.</p> <h5>References</h5> <p>Source control: AC-22<br /> Supporting publications: None</p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-2">3.2 Awareness and training</h3> <p>The Awareness and training controls deal with the education of users with respect to the security of the system.</p> <details><summary><h4 id="03-02-01">03.02.01 Literacy training and awareness</h4> 
</summary><ol class="lst-upr-alph"><li>Provide security and privacy literacy training to system users: <ol><li>as part of initial training for new users and [Assignment: organization-defined frequency] thereafter</li> <li>when required by system changes or following [Assignment: organization-defined events]</li> <li>on recognizing and reporting indicators of insider threat, social engineering, and social mining</li> </ol></li> <li>Update security and privacy literacy training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]</li> </ol><h5>Discussion</h5> <p>Organizations provide basic and advanced levels of security and privacy literacy training to system users (including managers, senior executives, system administrators, and contractors) and measures to test the knowledge level of users. Organizations determine the content of literacy training based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and the actions required of users to maintain security and to respond to incidents. The content also addresses the need for operations security and the handling of <abbr title="controlled information">CI</abbr>.</p> <p>Security and privacy awareness techniques include displaying posters, offering supplies inscribed with security reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events using podcasts, videos, and webinars. Security and privacy literacy training is conducted at a frequency consistent with applicable laws, directives, regulations, and policies. Updating literacy training content on a regular basis ensures that the content remains relevant. 
Events that may precipitate an update to literacy training content include assessment or audit findings, security incidents or breaches, or changes in applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines.</p> <p>Potential indicators and possible precursors of insider threats include behaviours such as inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; sexual harassment or bullying of fellow employees; workplace violence; and other serious violations of the policies, procedures, rules, directives, or practices of organizations. Organizations may consider tailoring insider threat awareness topics to the role (e.g., training for managers may be focused on specific changes in the behaviour of team members, while training for employees may be focused on more general observations).</p> <p>Social engineering is an attempt to deceive an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, threadjacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. 
Security and privacy literacy training includes how to communicate employee and management concerns regarding potential indicators of insider threat and potential and actual instances of social engineering and data mining through appropriate organizational channels in accordance with established policies and procedures.</p> <h5>References</h5> <p>Source controls: AT-02, AT-02(02), AT-02(03)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/offer-tailored-cyber-security-training-your-employees-itsap10093">Cyber Centre Offer tailored cyber security training to your employees (ITSAP.10.093) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final">NIST SP 800-160-2 Developing Cyber-Resilient Systems: A Systems Security Engineering Approach </a></li> </ul></details><details><summary><h4 id="03-02-02">03.02.02 Role-based training</h4> </summary><ol class="lst-upr-alph"><li>Provide role-based security and privacy training to organizational personnel: <ol><li>before authorizing access to the system or <abbr title="controlled information">CI</abbr>, before performing assigned duties, and [Assignment: organization-defined frequency] thereafter</li> <li>when required by system changes or following [Assignment: organization-defined events]</li> </ol></li> <li>Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]</li> </ol><h5>Discussion</h5> <p>Organizations determine the content and frequency of security and privacy training based on the assigned duties, roles, and responsibilities of individuals and the security and privacy requirements of the systems to which personnel have authorized access. 
In addition, organizations provide system developers, enterprise architects, security architects, privacy officers, software developers, systems integrators, acquisition/procurement officials, system and network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and personnel with access to system-level software with security-related technical training specifically tailored for their assigned duties.</p> <p>Comprehensive role-based training addresses management, operational, and technical roles and responsibilities that cover physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security and privacy roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs.</p> <h5>References</h5> <p>Source control: AT-03<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/181/r1/final">NIST SP 800-181 Workforce Framework for Cybersecurity (NICE Framework) </a></li> </ul></details><h4 id="03-02-03">03.02.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section><section><h3 class="h2 mrgn-tp-lg" id="3-3">3.3 Audit and accountability</h3> <p>The Audit and accountability controls support the ability 
to collect, analyze, and store audit records associated with user operations performed within the system.</p> <details><summary><h4 id="03-03-01">03.03.01 Event logging</h4> </summary><ol class="lst-upr-alph"><li>Specify the following event types selected for logging within the system: [Assignment: organization-defined event types]</li> <li>Review and update the event types selected for logging [Assignment: organization-defined frequency]</li> </ol><h5>Discussion</h5> <p>An event is any observable occurrence in a system, including unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed. This includes events that are relevant to the security of systems, the privacy of individuals, and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, the execution of privileged functions, failed logons or accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the system monitoring and auditing that are appropriate for each of the security requirements. 
When defining event types, organizations consider the logging necessary to cover related events, such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures.</p> <p>Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access, both successful and unsuccessful, but only activate that capability under specific circumstances due to the potential burden on system performance. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types is necessary to ensure that the current set remains relevant.</p> <h5>References</h5> <p>Source control: AU-02<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Cyber Centre Network security logging and monitoring (ITSAP.80.085) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management </a></li> </ul></details><details><summary><h4 id="03-03-02">03.03.02 Audit record content</h4> </summary><ol class="lst-upr-alph"><li>Include the following content in audit records: <ol><li>what type of event occurred</li> <li>when the event occurred</li> <li>where the event occurred</li> <li>source of the event</li> <li>outcome of the event</li> <li>identity of individuals, subjects, objects, or entities associated with the event</li> </ol></li> <li>Provide additional information for audit records, as needed</li> </ol><h5>Discussion</h5> <p>Audit record content that may be necessary to support the auditing function includes time stamps, source and destination addresses, user or process identifiers, event descriptions, file names, and the access control or flow control rules that are invoked. 
Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records may include a full text recording of privileged commands or the individual identities of group account users.</p> <h5>References</h5> <p>Source controls: AU-03, AU-03(01)<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-03">03.03.03 Audit record generation</h4> </summary><ol class="lst-upr-alph"><li>Generate audit records for the selected event types and audit record content specified in <a href="#03-03-01">Event logging 03.03.01</a> and <a href="#03-03-02">Audit record content 03.03.02</a></li> <li>Retain audit records for a time period consistent with records retention policy</li> </ol><h5>Discussion</h5> <p>Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records, including the access control or flow control rules invoked and the individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. 
If records generated for the audit process contain personal information that is not required for the audit process, that personal information should be removed or redacted prior to retention.</p> <p>If audit records rely on personal information and that information is used to make an administrative decision, the minimum retention standard is at least two years following the last time the personal information was used for an administrative purpose unless the individual consents to its disposal.</p> <h5>References</h5> <p>Source controls: AU-11, AU-12<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management</a></p> </details><details><summary><h4 id="03-03-04">03.03.04 Response to audit logging process failures</h4> </summary><ol class="lst-upr-alph"><li>Alert organizational personnel or roles within [Assignment: organization-defined time period] in the event of an audit logging process failure</li> <li>Take the following additional actions: [Assignment: organization-defined additional actions]</li> </ol><h5>Discussion</h5> <p>Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Response actions include overwriting the oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type, location, and severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. 
Organizations may decide to take no additional actions after alerting designated roles or personnel.</p> <h5>References</h5> <p>Source control: AU-05<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-05">03.03.05 Audit record review, analysis, and reporting</h4> </summary><ol class="lst-upr-alph"><li>Review and analyze system audit records [Assignment: organization-defined frequency] for indications and potential impact of inappropriate or unusual activity</li> <li>Report findings to organizational personnel or roles</li> <li>Analyze and correlate audit records across different repositories to gain organization-wide situational awareness</li> </ol><h5>Discussion</h5> <p>Audit record review, analysis, and reporting cover information security- and privacy-related logging performed by organizations and can include logging that results from the monitoring of account usage, remote access, wireless connectivity, configuration settings, the use of maintenance tools and non-local maintenance, system component inventory, mobile device connection, equipment delivery and removal, physical access, temperature and humidity, communications at system interfaces, and the use of mobile code. Findings can be reported to organizational entities, such as the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The scope, frequency, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received. 
Correlating audit record review, analysis, and reporting processes helps to ensure that they collectively create a more complete view of events.</p> <h5>References</h5> <p>Source controls: AU-06, AU-06(03)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/86/final">NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/101/r1/final">NIST SP 800-101 Guidelines on Mobile Device Forensics </a></li> </ul></details><details><summary><h4 id="03-03-06">03.03.06 Audit record reduction and report generation</h4> </summary><ol class="lst-upr-alph"><li>Implement an audit record reduction and report generation capability that supports audit record review, analysis, reporting requirements, and after-the-fact investigations of incidents</li> <li>Preserve the original content and time ordering of audit records</li> </ol><h5>Discussion</h5> <p>Audit records are generated in <a href="#03-03-03">Audit record generation 03.03.03</a>. Audit record reduction and report generation occur after audit record generation. Audit record reduction is a process that manipulates collected audit information and organizes it in a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always come from the same system or organizational entities that conduct auditing activities. An audit record reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behaviour in audit records. The report generation capability provided by the system can help generate customizable reports. 
The time ordering of audit records can be a significant issue if the granularity of the time stamp in the record is insufficient.</p> <h5>References</h5> <p>Source control: AU-07<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-07">03.03.07 Time stamps</h4> </summary><ol class="lst-upr-alph"><li>Use internal system clocks to generate time stamps for audit records</li> <li>Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time (UTC), have a fixed local time offset from <abbr title="Coordinated Universal Time">UTC</abbr>, or include the local time offset as part of the time stamp</li> </ol><h5>Discussion</h5> <p>Time stamps generated by the system include the date and time. Time is commonly expressed in <abbr title="Coordinated Universal Time">UTC</abbr> or local time with an offset from <abbr title="Coordinated Universal Time">UTC</abbr>. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds or tens of milliseconds). Organizations may define different time granularities for system components. 
Time service can be critical to other security capabilities (e.g., access control, and identification and authentication), depending on the nature of the mechanisms used to support those capabilities.</p> <h5>References</h5> <p>Source control: AU-08<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-03-08">03.03.08 Protection of audit information</h4> </summary><ol class="lst-upr-alph"><li>Protect audit information and audit logging tools from unauthorized access, modification, and deletion</li> <li>Authorize access to management of audit logging functionality to only a subset of privileged users or roles</li> </ol><h5>Discussion</h5> <p>Audit information includes the information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personal information. Audit logging tools are programs and devices used to conduct audit and logging activities. The protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. The physical protection of audit information is addressed by media and physical protection requirements.</p> <p>Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. 
Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges.</p> <h5>References</h5> <p>Source controls: AU-09, AU-09(04)<br /> Supporting publications: None</p> </details><h4 id="03-03-09">03.03.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section> <section><h3 class="h2 mrgn-tp-lg" id="3-4">3.4 Configuration management</h3> <p>The Configuration management controls support the management and control of all components of the system such as hardware, software, and configuration items.</p> <details><summary><h4 id="03-04-01">03.04.01 Baseline configuration</h4> </summary><ol class="lst-upr-alph"><li>Develop and maintain under configuration 
control, a current baseline configuration of the system</li> <li>Review and update the baseline configuration of the system [Assignment: organization-defined frequency] and when system components are installed or modified</li> </ol><h5>Discussion</h5> <p>Baseline configurations for the system and system components include aspects of connectivity, operation, and communications. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for the system or configuration items within it. Baseline configurations serve as a basis for future builds, releases, or changes to the system and include information about system components, operational procedures, network topology, and the placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as the system changes over time. Baseline configurations of the system reflect the current enterprise architecture. If the system facilitates the collection or use of personal information, baseline configurations should include providing privacy notice to users.</p> <h5>References</h5> <p>Source control: CM-02<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-02">03.04.02 Configuration settings</h4> </summary><ol class="lst-upr-alph"><li>Establish, document, and implement the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements: [Assignment: organization-defined configuration settings].</li> <li>Identify, document, and approve any deviations from established configuration settings.</li> </ol><h5>Discussion</h5> 
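<p>As an added example for the two requirements just above (03.04.01 Baseline configuration and 03.04.02 Configuration settings), and not part of this catalogue or of any Cyber Centre tooling, the following Python script compares the settings collected from a system against its documented baseline, reports every deviation, and marks a deviation as approved only when it matches a documented, approved exception. A second check measures a set of settings against a constructed "most restrictive mode" benchmark, so the baseline itself can be confirmed to reflect that mode and drift on the live system can be sized against it. Every setting name, value, host and exception in the script is constructed sample data, not a real configuration.</p>

```python
"""Baseline drift and configuration-settings check: an added example for
03.04.01 (baseline configuration) and 03.04.02 (configuration settings).
Illustrative code, not the catalogue's tooling; every setting name, value
and exception below is constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Deviation:
    """One difference between the approved baseline and the live system."""
    key: str
    expected: Optional[str]  # None: setting is not part of the baseline
    actual: Optional[str]    # None: setting is absent on the live system
    approved: bool           # True only for a documented, approved exception


# Constructed sample: the documented, approved baseline for one host.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "ssh.MaxAuthTries": "3",
    "ftp.service": "disabled",
    "auditd.enabled": "yes",
}

# Constructed sample of a "most restrictive mode" benchmark, as a hardening
# guide would state it. "eq": value must match exactly; "max": a numeric
# value must not exceed the benchmark value.
BENCHMARK = {
    "ssh.PermitRootLogin": ("no", "eq"),
    "ssh.PasswordAuthentication": ("no", "eq"),
    "ssh.MaxAuthTries": ("3", "max"),
    "ftp.service": ("disabled", "eq"),
    "auditd.enabled": ("yes", "eq"),
}

# Constructed sample: deviations that were identified, documented and
# approved (03.04.02 b). Only the recorded value is approved.
APPROVED_EXCEPTIONS = {"ssh.MaxAuthTries": "6"}

# Constructed sample: settings collected from the live system.
CURRENT = {
    "ssh.PermitRootLogin": "yes",  # weaker than baseline, no exception
    "ssh.PasswordAuthentication": "no",
    "ssh.MaxAuthTries": "6",       # differs from baseline, matches exception
    "auditd.enabled": "yes",
    "telnet.service": "enabled",   # not in the baseline at all
    # "ftp.service" is missing although the baseline records it
}


def compare_to_baseline(baseline, current, approved_exceptions):
    """Return every deviation between baseline and current, sorted by key."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        expected, actual = baseline.get(key), current.get(key)
        if expected == actual:
            continue
        # Test membership first so an absent setting never looks approved.
        approved = key in approved_exceptions and approved_exceptions[key] == actual
        findings.append(Deviation(key, expected, actual, approved))
    return findings


def unapproved(findings):
    """Deviations that need remediation or a documented approval."""
    return [d for d in findings if not d.approved]


def weaker_than_benchmark(settings, benchmark):
    """Sorted keys whose value is less restrictive than the benchmark.
    Run on the baseline to confirm it reflects the most restrictive mode;
    run on live settings to size the drift."""
    weak = []
    for key, (bench_value, mode) in benchmark.items():
        value = settings.get(key)
        if value is None:  # unset: its restrictiveness cannot be shown
            weak.append(key)
        elif mode == "eq" and value != bench_value:
            weak.append(key)
        elif mode == "max" and int(value) > int(bench_value):
            weak.append(key)
    return sorted(weak)


def report(baseline=BASELINE, current=CURRENT, benchmark=BENCHMARK,
           approved_exceptions=APPROVED_EXCEPTIONS):
    """Summarize a review as a dict that can be logged or asserted on."""
    findings = compare_to_baseline(baseline, current, approved_exceptions)
    return {
        "deviations": len(findings),
        "unapproved": [d.key for d in unapproved(findings)],
        "baseline_below_benchmark": weaker_than_benchmark(baseline, benchmark),
        "current_below_benchmark": weaker_than_benchmark(current, benchmark),
    }
```

<p>Calling <code>report()</code> on the sample data yields four deviations, three of them unapproved (the root-login change, the missing FTP setting and the telnet service that the baseline never recorded), while the raised <code>MaxAuthTries</code> value is accepted because it matches the approved exception. Keying approval on the recorded value rather than on the setting name is deliberate: an approval for one relaxation should not silently cover any later change to the same setting. A setting the baseline records but the system no longer reports is treated as drift, since an absent setting cannot be shown to be in its restrictive state.</p>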
<p>Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system which affect the security and privacy posture or functionality of the system. Security-related configuration settings can be defined for systems (e.g., servers, workstations), input and output devices (e.g., scanners, copiers, printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications.</p> <p>Security parameters are those that impact the security state of the system, including the parameters required to satisfy other security requirements. Security parameters include registry settings; account, file, and directory permission settings (i.e., privileges); and settings for functions, ports, protocols, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including those required to satisfy other privacy controls. Privacy parameters include settings for access controls, personal information, data accuracy requirements, data manipulation capabilities, data processing preferences, and information handling and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for the system. The established settings become part of the system's configuration baseline.</p> <p>Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, and security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific <abbr title="information technology">IT</abbr> platforms/products and instructions for configuring those system components to meet operational requirements. 
Common secure configurations can be developed by a variety of organizations, including <abbr title="information technology">IT</abbr> product developers, manufacturers, vendors, consortia, academia, industry, federal departments and agencies, and other organizations in the public and private sectors.</p> <h5>References</h5> <p>Source control: CM-06<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/70/r4/final">NIST SP 800-70 National Checklist Program for <abbr title="information technology">IT</abbr> Products: Guidelines for Checklist Users and Developers </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/126/r3/final">NIST SP 800-126 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3 </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems</a></li> </ul></details><details><summary><h4 id="03-04-03">03.04.03 Configuration change control</h4> </summary><ol class="lst-upr-alph"><li>Define the types of changes to the system that are configuration-controlled.</li> <li>Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security impacts.</li> <li>Implement and document approved configuration-controlled changes to the system.</li> <li>Monitor and review activities associated with configuration-controlled changes to the system.</li> </ol><h5>Discussion</h5> <p>Configuration change control refers to tracking, reviewing, approving or disapproving, and logging changes to the system. 
Specifically, it involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the system, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for system components (e.g., operating systems, applications, firewalls, routers, mobile devices) and configuration items of the system, changes to configuration settings, unscheduled and unauthorized changes, and changes to remediate vulnerabilities. This requirement is related to <a href="#03-04-04">Impact analyses 03.04.04</a>.</p> <h5>References</h5> <p>Source control: CM-03<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-04">03.04.04 Impact analyses</h4> </summary><ol class="lst-upr-alph"><li>Analyze the security and privacy impacts of changes to the system prior to implementation.</li> <li>Verify that the security requirements for the system continue to be satisfied after the system changes have been implemented.</li> </ol><h5>Discussion</h5> <p>Organizational personnel with security or privacy responsibilities conduct impact analyses that include reviewing security and privacy plans, policies, and procedures to understand security and privacy requirements; reviewing system design documentation and operational procedures to understand how system changes might affect the security and privacy state of the system; reviewing the impacts of changes on supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals, and the ability to mitigate those risks. 
Impact analyses also include risk assessments to understand the impacts of changes and to determine whether additional security or privacy requirements are needed. Changes to the system may affect the safeguards and countermeasures previously implemented. This requirement is related to <a href="#03-04-03">Configuration change control 03.04.03</a>. Not all changes to the system are configuration controlled.</p> <h5>References</h5> <p>Source controls: CM-04, CM-04(02)<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems</a></p> </details><details><summary><h4 id="03-04-05">03.04.05 Access restrictions for change</h4> </summary><p>Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.</p> <h5>Discussion</h5> <p>Changes to the hardware, software, or firmware components of the system or the operational procedures related to the system can have potentially significant effects on the security of the system or individuals' privacy. Therefore, organizations permit only qualified and authorized individuals to access the system for the purpose of initiating changes. 
Access restrictions include physical and logical access controls, software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into the system), and change windows (i.e., changes occur only during specified times).</p> <h5>References</h5> <p>Source control: CM-05<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules </a></li> <li><a href="https://csrc.nist.gov/pubs/fips/186-5/final">NIST FIPS 186-5 Digital Signature Standard (DSS) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-06">03.04.06 Least functionality</h4> </summary><ol class="lst-upr-alph"><li>Configure the system to provide only mission-essential capabilities.</li> <li>Prohibit or restrict use of the following functions, ports, protocols, connections, and services: [Assignment: organization-defined functions, ports, protocols, connections, and services].</li> <li>Review the system [Assignment: organization-defined frequency] to identify unnecessary or nonsecure functions, ports, protocols, connections, and services.</li> <li>Disable or remove functions, ports, protocols, connections, and services that are unnecessary or nonsecure.</li> </ol><h5>Discussion</h5> <p>Systems can provide a variety of functions and services. Some functions and services that are routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. It may be convenient to provide multiple services from single system components. However, doing so increases risk over limiting the services provided by any one component. 
Where feasible, organizations limit functionality to a single function per component.</p> <p>Organizations review the functions and services provided by the system or system components to determine which functions and services are candidates for elimination. Organizations disable unused or unnecessary physical and logical ports and protocols to prevent the unauthorized connection of devices, transfer of information, and tunneling. Organizations can employ network scanning tools, intrusion detection and prevention systems, and endpoint protection systems (e.g., firewalls and host-based intrusion detection systems) to identify and prevent the use of prohibited functions, ports, protocols, system connections, and services. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of the types of protocols that organizations consider eliminating, restricting, or disabling.</p> <h5>References</h5> <p>Source controls: CM-07, CM-07(01)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/application-allow-list-itsap10095">Cyber Centre Application Allow Lists (ITSAP.10.095) </a></li> <li><a href="/en/top-top-10-it-security-action-items-no-10-implement-application-allow-lists-itsm10095">Cyber Centre Top 10 <abbr title="information technology">IT</abbr> security action items: No. 
10 Implement application allow lists (ITSM.10.095) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems </a></li> <li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> </ul></details><h4 id="03-04-07">03.04.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-04-08">03.04.08 Authorized software – allow by exception</h4> </summary><ol class="lst-upr-alph"><li>Identify software programs authorized to execute on the system.</li> <li>Implement a deny-all, allow-by-exception policy for the execution of software programs on the system.</li> <li>Review and update the list of authorized software programs [Assignment: organization-defined frequency].</li> </ol><h5>Discussion</h5> <p>If provided with the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved "app stores." The policies selected for governing user-installed software are organization-developed or provided by an external entity. Policy enforcement methods can include procedural methods and automated methods.</p> <p>Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection against attacks that bypass application-level authorized software, software programs may be decomposed into and monitored at different levels of detail. 
These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries.</p> <h5>References</h5> <p>Source control: CM-07(05)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/application-allow-list-itsap10095">Cyber Centre Application Allow Lists (ITSAP.10.095) </a></li> <li><a href="/en/top-top-10-it-security-action-items-no-10-implement-application-allow-lists-itsm10095">Cyber Centre Top 10 <abbr title="information technology">IT</abbr> security action items: No. 10 Implement application allow lists (ITSM.10.095) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems </a></li> </ul></details><h4 id="03-04-09">03.04.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-04-10">03.04.10 System component inventory</h4> </summary><ol class="lst-upr-alph"><li>Develop and document an inventory of system components.</li> <li>Review and update the system component inventory [Assignment: organization-defined frequency].</li> <li>Update the system component inventory as part of installations, removals, and system updates.</li> </ol><h5>Discussion</h5> <p>System components are discrete, identifiable assets (i.e., hardware, software, and firmware elements) that compose a system. Organizations may implement centralized system component inventories that include components from all systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. 
The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information – and for networked components – the machine names and network addresses for all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include component type, physical location, date of receipt, manufacturer, cost, model, serial number, and supplier information.</p> <h5>References</h5> <p>Source controls: CM-08, CM-08(01)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-04-11">03.04.11 Information location</h4> </summary><ol class="lst-upr-alph"><li>Identify and document the location of <abbr title="controlled information">CI</abbr> and the system components on which the information is processed and stored.</li> <li>Document changes to the system or system component location where <abbr title="controlled information">CI</abbr> is processed and stored.</li> </ol><h5>Discussion</h5> <p>Information location addresses the need to understand the specific system components where <abbr title="controlled information">CI</abbr> is being processed and stored and the users who have access to <abbr title="controlled information">CI</abbr> so that appropriate protection mechanisms can be provided, including information flow controls, access controls, and information management.</p> <h5>References</h5> <p>Source control: CM-12<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-04-12">03.04.12 System and component configuration for high-risk areas</h4> </summary><ol 
class="lst-upr-alph"><li>Issue systems or system components with the following configurations to individuals traveling to high-risk locations: [Assignment: organization-defined system configurations].</li> <li>Apply the following security requirements to the system or system components when the individuals return from travel: [Assignment: organization-defined security requirements].</li> </ol><h5>Discussion</h5> <p>When it is known that a system or a specific system component will be in a high-risk area, additional security requirements may be needed to counter the increased threat. Organizations can implement protective measures on systems or system components used by individuals departing on and returning from travel. Actions include determining locations of concern, defining the required configurations for the components, ensuring that the components are configured as intended before travel is initiated, and taking additional actions after travel is completed. For example, systems going into high-risk areas can be configured with sanitized hard drives, limited applications, and more stringent configuration settings. 
Actions applied to mobile devices upon return from travel include examining the device for signs of physical tampering and purging and reimaging the device storage.</p> <h5>References</h5> <p>Source control: CM-02(07)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-5">3.5 Identification and authentication</h3> <p>The Identification and authentication controls support the unique identification of users, processes acting on behalf of users and devices. 
They also support the authentication or verification of the identities of those users, processes or devices as a prerequisite to allowing access to organizational systems.</p> <details><summary><h4 id="03-05-01">03.05.01 User identification, authentication, and re-authentication</h4> </summary><ol class="lst-upr-alph"><li>Uniquely identify and authenticate system users and associate that unique identification with processes acting on behalf of those users.</li> <li>Re-authenticate users when [Assignment: organization-defined circumstances or situations requiring re-authentication].</li> </ol><h5>Discussion</h5> <p>System users include individuals (or system processes acting on behalf of individuals) who are authorized to access a system. Typically, individual identifiers are the usernames associated with the system accounts assigned to those individuals. Since system processes execute on behalf of groups and roles, organizations may require the unique identification of individuals in group accounts or accountability of individual activity. 
The unique identification and authentication of users applies to all system accesses. Organizations employ passwords, physical authenticators, biometrics, or some combination thereof to authenticate user identities. Organizations may re-authenticate individuals in certain situations, including when roles, authenticators, or credentials change; when the execution of privileged functions occurs; after a fixed time period; or periodically.</p> <h5>References</h5> <p>Source controls: IA-02, IA-11<br /> Supporting publications: <a href="https://www.cyber.gc.ca/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><details><summary><h4 id="03-05-02">03.05.02 Device identification and authentication</h4> </summary><p>Uniquely identify and authenticate [Assignment: organization-defined devices or types of devices] before establishing a system connection.</p> <h5>Discussion</h5> <p>Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers [IEEE] 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. 
Public Key Infrastructure (PKI) and certificate revocation checking for the certificates exchanged can also be included as part of device authentication.</p> <h5>References</h5> <p>Source control: IA-03<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031) </a></p> </details><details><summary><h4 id="03-05-03">03.05.03 Multi-factor authentication</h4> </summary><p>Implement strong multi-factor authentication (MFA) for access to privileged and non-privileged accounts.</p> <h5>Discussion</h5> <p>This requirement applies to user accounts. Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator, such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards. 
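</p> <p>The challenge-response authenticators mentioned above only deliver the replay resistance that 03.05.04 asks for if the verifier treats each challenge as single-use and time-limited. The Python below is an added illustration, not code from the Cyber Centre, NIST or any product: the server issues a random 256-bit nonce, the authenticator answers with HMAC-SHA256 over that nonce, and the server accepts the answer exactly once, rejecting a recorded response that is presented again, presented against a later challenge, or presented after the challenge has expired. The user name, shared secret, time-to-live and clock values are constructed for the demonstration; a deployment keeps the secret on the physical authenticator and in a protected server-side store.</p>

```python
"""Single-use challenge-response verification (added example, not catalogue code).

The user name, shared secret and clock values are constructed for the
demonstration. In a deployment the secret lives on the physical
authenticator and in a protected server-side store.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def authenticator_response(secret: bytes, challenge: bytes) -> str:
    """What the authenticator returns for a challenge: HMAC-SHA256 over the nonce."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


class ChallengeResponseVerifier:
    """Server side: hands out random nonces and accepts each one at most once."""

    def __init__(self, ttl_seconds: int = 60) -> None:
        self.ttl = ttl_seconds
        self._secrets: Dict[str, bytes] = {}                # user -> enrolled secret
        self._pending: Dict[str, Tuple[bytes, float]] = {}  # user -> (challenge, expiry)

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    def issue_challenge(self, user: str, now: Optional[float] = None) -> bytes:
        """Create a fresh 256-bit nonce; any earlier unanswered challenge is discarded."""
        if user not in self._secrets:
            raise KeyError("unknown user")
        now = time.time() if now is None else now
        challenge = secrets.token_bytes(32)
        self._pending[user] = (challenge, now + self.ttl)
        return challenge

    def verify(self, user: str, challenge: bytes, response: str,
               now: Optional[float] = None) -> bool:
        """Accept only the pending, unexpired nonce for this user, then retire it.

        The nonce is removed on every attempt, so a captured (challenge, response)
        pair cannot be replayed and a wrong answer forces a new challenge.
        """
        now = time.time() if now is None else now
        pending = self._pending.pop(user, None)
        if pending is None:
            return False
        expected_challenge, expiry = pending
        if now > expiry or not hmac.compare_digest(expected_challenge, challenge):
            return False
        expected = authenticator_response(self._secrets[user], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    """Walk through a normal login, a replay, a stale response, a bad secret and an expiry."""
    verifier = ChallengeResponseVerifier(ttl_seconds=60)
    secret = b"constructed-shared-secret"          # constructed; never hard-code in practice
    verifier.enroll("alice", secret)
    results = {}
    c1 = verifier.issue_challenge("alice", now=1000.0)
    r1 = authenticator_response(secret, c1)
    results["first_use_accepted"] = verifier.verify("alice", c1, r1, now=1001.0)
    results["replay_rejected"] = not verifier.verify("alice", c1, r1, now=1002.0)
    verifier.issue_challenge("alice", now=1000.0)   # new nonce outstanding
    results["old_pair_against_new_challenge_rejected"] = not verifier.verify(
        "alice", c1, r1, now=1001.0)
    c3 = verifier.issue_challenge("alice", now=1000.0)
    results["wrong_secret_rejected"] = not verifier.verify(
        "alice", c3, authenticator_response(b"wrong", c3), now=1001.0)
    c4 = verifier.issue_challenge("alice", now=1000.0)
    results["expired_rejected"] = not verifier.verify(
        "alice", c4, authenticator_response(secret, c4), now=1061.0)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

<p>Two design choices carry the replay resistance: the nonce is consumed on every verification attempt (so a failed or replayed attempt can never be retried against the same challenge), and the comparison of both the nonce and the response uses a constant-time compare. Time-synchronous one-time authenticators achieve the same property with a moving time window instead of a server-issued nonce, and need a record of already-accepted codes within that window.</p> <p>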
In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level to provide increased information security.</p> <h5>References</h5> <p>Source controls: IA-02(01), IA-02(02)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><details><summary><h4 id="03-05-04">03.05.04 Replay-resistant authentication</h4> </summary><p>Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts.</p> <h5>Discussion</h5> <p>Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges, such as time synchronous or challenge-response one-time authenticators.</p> <h5>References</h5> <p>Source control: IA-02(08)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><details><summary><h4 id="03-05-05">03.05.05 Identifier management</h4> </summary><ol class="lst-upr-alph"><li>Receive authorization from organizational personnel or roles to assign an individual, group, role, service, or device identifier.</li> <li>Select and assign an identifier that identifies an individual, group, role, service, or device.</li> <li>Prevent reuse of identifiers for [Assignment: organization-defined time period].</li> <li>Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].</li> </ol><h5>Discussion</h5> <p>Identifiers are provided for users, processes acting on 
behalf of users, and devices. Prohibiting the reuse of identifiers prevents the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.</p> <p>Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides information about the people with whom organizational personnel are communicating. For example, it is useful for an employee to know that one of the individuals on an email message is a contractor.</p> <h5>References</h5> <p>Source controls: IA-04, IA-04(04)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><h4 id="03-05-06">03.05.06 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-05-07">03.05.07 Password management</h4> </summary><ol class="lst-upr-alph"><li>Maintain a list of commonly used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised.</li> <li>Verify that passwords are not found on the list of commonly used, expected, or compromised passwords when users create or update passwords.</li> <li>Transmit passwords only over cryptographically protected channels.</li> <li>Store passwords in a cryptographically protected form.</li> <li>Select a new password upon first use after account recovery.</li> <li>Enforce the following composition and complexity rules for passwords: [Assignment: organization-defined composition and complexity rules].</li> </ol><h5>Discussion</h5> <p>Password-based authentication applies to passwords used in single-factor 
or multi-factor authentication. Long passwords or passphrases are preferable to shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish and enforce certain rules for password generation (e.g., minimum character length) under certain circumstances. For example, account recovery can occur when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof. Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity and reduces the susceptibility to authenticator compromises. 
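</p> <p>Items b, d and f of this requirement (screening against a compromised-password list including context-specific words, storing only a salted one-way hash, and a length rule) can be implemented concretely. The Python below is an added example, not the Cyber Centre's or NIST's code: the blocklist, the 15-character minimum, the scrypt work factors, and the sample user and service names are all constructed assumptions for the demonstration; a deployment loads the list from maintained breach corpora and dictionaries and keeps it current, as item a requires.</p>

```python
"""Password screening and salted one-way storage (added example, not catalogue code).

The blocklist, service name and user names are constructed samples; a
deployment loads the list from maintained breach corpora and dictionaries.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Constructed stand-in for the organization's list of commonly used or compromised passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
MIN_LENGTH = 15                                  # assumption: organization-defined length rule
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1     # assumed work factors for the one-way hash


def _normalize(value: str) -> str:
    """Lowercase and drop trailing digits/symbols so 'Password2024!' is screened as 'password'."""
    return re.sub(r"[\d\W_]+$", "", value.lower())


def _is_repetitive(pw: str) -> bool:
    return len(set(pw)) <= 2                      # e.g. 'aaaaaaaa' or 'abababab'


def _is_sequential(pw: str) -> bool:
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})                   # e.g. 'abcdefgh' or '987654321'


def check_password(password: str, username: str, service_name: str) -> Tuple[bool, str]:
    """Return (accepted, reason); the reasons mirror items b and f of 03.05.07."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if _normalize(password) in BLOCKLIST:
        return False, "on the commonly used or compromised list"
    lowered = password.lower()
    for context in (username, service_name):     # context-specific words and derivatives
        word = context.lower()
        if word and (word in lowered or word[::-1] in lowered):
            return False, f"contains the context-specific word {context!r}"
    if _is_repetitive(password):
        return False, "repetitive characters"
    if _is_sequential(password):
        return False, "sequential characters"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Item d: store a salted, memory-hard one-way hash rather than the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"), base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the stored string; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        n, r, p = int(n), int(r), int(p)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for candidate in ("Password2024!!!!", "alice-portal-2025-x", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, "alice", "portal"))
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

<p>The stored record carries its own algorithm name and work factors, so the parameters can be raised later and old records re-hashed at the user's next successful login without a format change. The blocklist comparison is done on the normalized form so that trivial derivatives of a listed word (case changes, appended year or punctuation) are caught, which is what the "derivatives thereof" wording in the discussion is about.</p> <p>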
Long passwords and passphrases can be used to increase the complexity of passwords.</p> <h5>References</h5> <p>Source control: IA-05(01)<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details><h4 id="03-05-08">03.05.08 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-05-09">03.05.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-05-10">03.05.10 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-05-11">03.05.11 Authentication feedback</h4> </summary><p>Obscure feedback of authentication information during the authentication process.</p> <h5>Discussion</h5> <p>Authentication feedback does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For example, for desktop or notebook computers with relatively large monitors, the threat may be significant (commonly referred to as shoulder surfing). For mobile devices with small displays, this threat may be less significant and is balanced against the increased likelihood of input errors due to small keyboards. Therefore, the means for obscuring the authentication feedback is selected accordingly. 
Obscuring feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a limited time before fully obscuring it.</p> <h5>References</h5> <p>Source control: IA-06<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-05-12">03.05.12 Authenticator management</h4> </summary><ol class="lst-upr-alph"><li>Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution.</li> <li>Establish initial authenticator content for any authenticators issued by the organization.</li> <li>Establish and implement administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators.</li> <li>Change default authenticators at first use.</li> <li>Change or refresh authenticators [Assignment: organization-defined frequency] or when the following events occur: [Assignment: organization-defined events].</li> <li>Protect authenticator content from unauthorized disclosure and modification.</li> </ol><h5>Discussion</h5> <p>Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. The initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, requirements for authenticator content contain specific characteristics. 
Authenticator management is supported by organization-defined settings and restrictions for various authenticator characteristics (e.g., password complexity and composition rules, validation time window for time synchronous one-time tokens, and the number of allowed rejections during the verification stage of biometric authentication).</p> <p>The requirement to protect individual authenticators may be implemented by <a href="#03-15-03">Rules of behaviour 03.15.03</a> for authenticators in the possession of individuals and by <a href="#03-01-01">Account management 03.01.01</a>, <a href="#03-01-01">Access enforcement 03.01.02</a>, <a href="#03-01-05">Least privilege 03.01.05</a>, and <a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a> for authenticators stored in organizational systems. This includes passwords stored in hashed or encrypted formats or files that contain encrypted or hashed passwords accessible with administrator privileges. Actions can be taken to protect authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators.</p> <p>Developers may deliver system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well-known, easily discoverable, and present a significant risk. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed. 
The use of long passwords or passphrases may obviate the need to periodically change authenticators.</p> <h5>References</h5> <p>Source control: IA-05<br /> Supporting publications: <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a></p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-6">3.6 Incident response</h3> <p>The Incident response controls support the establishment of an operational incident handling capability for organizational systems that includes adequate preparation, monitoring, detection, analysis, containment, recovery, and response. Incidents are monitored, documented, and reported to appropriate organizational officials and authorities.</p> <details><summary><h4 id="03-06-01">03.06.01 Incident handling</h4> </summary><p>Implement an incident-handling capability that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery.</p> <h5>Discussion</h5> <p>Incident-related information can be obtained from a variety of sources, including audit monitoring, network monitoring, physical access monitoring, user and administrator 
reports, and reported supply chain events. An effective incident handling capability involves coordination among many organizational entities, including mission and business owners, system owners, human resources offices, physical and personnel security offices, legal departments, operations personnel, and procurement offices.</p> <p>An incident that involves personal information is considered a privacy breach. A privacy breach results in the loss of control, compromise, unauthorized disclosure, unpermitted use, unlawful collection, improper retention or disposal, or a similar occurrence where a person other than an authorized user accesses or potentially accesses or an authorized user accesses or potentially accesses such information for other than authorized purposes.</p> <p>If the incident involves the breach of personal information, notification to the contract owner is mandatory.</p> <h5>References</h5> <p>Source control: IR-04<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Cyber Centre Developing your incident response plan (ITSAP.40.003)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/61/r2/final">NIST SP 800-61 Computer Security Incident Handling Guide </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details><details><summary><h4 id="03-06-02">03.06.02 Incident monitoring, reporting, and response assistance</h4> </summary><ol class="lst-upr-alph"><li>Track and document system security incidents.</li> <li>Report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period].</li> <li>Report incident information to [Assignment: organization-defined authorities].</li> <li>Provide an incident response support resource that offers advice and assistance to system users for the handling and 
reporting of incidents.</li> </ol><h5>Discussion</h5> <p>Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from many sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. <a href="#03-06-01">Incident handling 03.06.01</a> provides information on the types of incidents that are appropriate for monitoring. The types of incidents reported, the content and timeliness of the reports, and the reporting authorities reflect applicable laws, jurisprudence, Orders in Council, directives, regulations, policies, standards, and guidelines. Incident information informs risk assessments, the effectiveness of security and privacy assessments, the security requirements for acquisitions, and the selection criteria for technology products. 
Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensic services or consumer redress services, when required.</p> <h5>References</h5> <p>Source controls: IR-05, IR-06, IR-07<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/61/r2/final">NIST SP 800-61 Computer Security Incident Handling Guide</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/86/final">NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response</a></li> <li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Cyber Centre Developing your incident response plan (ITSAP.40.003)</a></li> </ul></details><details><summary><h4 id="03-06-03">03.06.03 Incident response testing</h4> </summary><p>Test the effectiveness of the incident response capability [Assignment: organization-defined frequency].</p> <h5>Discussion</h5> <p>Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations. Incident response testing can include a determination of the effects of incident response on organizational operations, organizational assets, and individuals. 
Qualitative and quantitative data can help determine the effectiveness of incident response processes.</p> <h5>References</h5> <p>Source control: IR-03<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/84/final">NIST SP 800-84 Guide to Test, Training, and Exercise Programs for <abbr title="information technology">IT</abbr> Plans and Capabilities</a></p> </details><details><summary><h4 id="03-06-04">03.06.04 Incident response training</h4> </summary><ol class="lst-upr-alph"><li>Provide incident response training to system users consistent with assigned roles and responsibilities: <ol><li>within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access</li> <li>when required by system changes</li> <li>[Assignment: organization-defined frequency] thereafter</li> </ol></li> <li>Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].</li> </ol><h5>Discussion</h5> <p>Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know whom to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of <a href="#03-02-02">Role-based training 03.02.02</a>. 
Events that may cause an update to incident response training content include incident response plan testing, response to an actual incident, audit or assessment findings, or changes in applicable laws, jurisprudence, Orders in Council, policies, directives, regulations, standards, and guidelines.</p> <h5>References</h5> <p>Source control: IR-02<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/86/final">NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/137/final">NIST SP 800-137 Information Security Continuous Monitoring (ISCM)</a></li> </ul></details><details><summary><h4 id="03-06-05">03.06.05 Incident response plan</h4> </summary><ol class="lst-upr-alph"><li>Develop an incident response plan that: <ol><li>provides the organization with a roadmap for implementing its incident response capability</li> <li>describes the structure and organization of the incident response capability</li> <li>provides a high-level approach for how the incident response capability fits into the overall organization</li> <li>defines reportable incidents</li> <li>addresses the sharing of incident information</li> <li>designates responsibilities to organizational entities, personnel, or roles</li> </ol></li> <li>Distribute copies of the incident response plan to designated incident response personnel (identified by name and/or by role) and organizational elements.</li> <li>Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.</li> <li>Protect the incident response plan from unauthorized disclosure.</li> </ol><h5>Discussion</h5> <p>It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. 
As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain.</p> <h5>References</h5> <p>Source control: IR-08<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Cyber Centre Developing your incident response plan (ITSAP.40.003) </a></li> <li><a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/dvlpng-ndnt-rspns-pln/index-en.aspx">Public Safety Canada Developing an Operational Technology and Information Technology Incident Response Plan </a></li> <li><a href="https://laws-lois.justice.gc.ca/eng/regulations/SOR-2018-64/index.html">Breach of Security Safeguards Regulations SOR/2018-64 </a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-7">3.7 Maintenance</h3> <p>The Maintenance controls support periodic and timely maintenance on organizational systems and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance to ensure its ongoing availability.</p> <h4 id="03-07-01">03.07.01 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards 
and Technology">NIST</abbr>.</p> <h4 id="03-07-02">03.07.02 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-07-03">03.07.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-07-04">03.07.04 Maintenance tools</h4> </summary><ol class="lst-upr-alph"><li>Approve, control, and monitor the use of system maintenance tools.</li> <li>Check media containing diagnostic and test programs for malicious code before the media are used in the system.</li> <li>Prevent the removal of system maintenance equipment containing <abbr title="controlled information">CI</abbr> by verifying that there is no <abbr title="controlled information">CI</abbr> on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility.</li> </ol><h5>Discussion</h5> <p>Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with the tools that are used for diagnostic and repair actions on the system. Maintenance tools can include hardware and software diagnostic and test equipment as well as packet sniffers. The tools may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Diagnostic and test programs are potential vehicles for transporting malicious code into the system, either intentionally or unintentionally. Examples of media inspection include checking the cryptographic hash or digital signatures of diagnostic and test programs and media.</p> <p>If organizations inspect media that contain diagnostic and test programs and determine that the media also contains malicious code, the incident is handled consistent with incident handling policies and procedures. 
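</p> <p>The media inspection described above, checking the cryptographic hash of each diagnostic and test program against a manifest before the media is used, as an added example in Python (not code from the Cyber Centre, NIST or any vendor). The manifest follows the common "digest, two spaces, relative path" line format that sha256sum emits; the media directory, the file contents and the manifest used by demo() are constructed in a temporary folder, and the outcome categories (ok, mismatch, missing, unlisted) are this example's own.</p>

```python
"""Hash-manifest check for diagnostic programs on maintenance media (added example).

The manifest follows the "<sha256 hex>  <relative path>" line format that
sha256sum produces; the media directory, files and manifest used by demo()
are constructed in a temporary folder.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Map relative path -> expected digest; blank lines and '#' comments are skipped."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()   # '*' marks binary mode in sha256sum output
    return expected


def verify_media(root: str, manifest_text: str) -> Dict[str, List[str]]:
    """Classify every file under root as ok, mismatch, missing or unlisted."""
    expected = parse_manifest(manifest_text)
    present = set()
    for dirpath, _, files in os.walk(root):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            present.add(rel.replace(os.sep, "/"))
    result: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, digest in sorted(expected.items()):
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_file(os.path.join(root, rel)) == digest:
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)
    result["unlisted"] = sorted(present - set(expected))   # files the manifest never vouched for
    return result


def media_is_clean(result: Dict[str, List[str]]) -> bool:
    """Policy: use the media only if every listed file matches and nothing extra is present."""
    return not (result["mismatch"] or result["missing"] or result["unlisted"])


def demo() -> Dict[str, List[str]]:
    """Constructed media with one intact tool, one altered, one missing and one unlisted file."""
    with tempfile.TemporaryDirectory() as media:
        os.makedirs(os.path.join(media, "tools"))
        files = {
            "tools/diag.bin": b"diagnostic program v1",       # matches the manifest
            "tools/memtest.bin": b"memtest build + changes",   # altered after the manifest was written
            "extra_tool.bin": b"not listed anywhere",          # present on media, absent from manifest
        }
        for rel, data in files.items():
            with open(os.path.join(media, rel), "wb") as f:
                f.write(data)
        manifest = "\n".join([
            "# constructed manifest supplied with the media",
            f"{hashlib.sha256(b'diagnostic program v1').hexdigest()}  tools/diag.bin",
            f"{hashlib.sha256(b'memtest build').hexdigest()}  tools/memtest.bin",
            f"{hashlib.sha256(b'loader').hexdigest()}  tools/loader.bin",   # listed, not on media
        ])
        return verify_media(media, manifest)


if __name__ == "__main__":
    outcome = demo()
    print(outcome, "clean:", media_is_clean(outcome))
```

<p>Reporting unlisted files is the part a plain <code>sha256sum -c</code> run does not give you, and it is the case that matters for media brought in by maintenance personnel. A hash manifest only proves integrity relative to whoever produced it: if the manifest travels on the same media as the programs, both can be replaced together, so the manifest itself should arrive through a separate trusted channel or carry a digital signature that is verified first, which is the "digital signatures" half of the inspection the discussion mentions.</p> <p>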
A periodic review of maintenance tools can result in the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools do not address the hardware and software components that support maintenance and are considered a part of the system.</p> <h5>References</h5> <p>Source controls: MA-03, MA-03(01), MA-03(02), MA-03(03)<br /> Supporting publications: <a href="https://www.cyber.gc.ca/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006)</a></p> </details><details><summary><h4 id="03-07-05">03.07.05 Non-local maintenance</h4> </summary><ol class="lst-upr-alph"><li>Approve and monitor non-local maintenance and diagnostic activities.</li> <li>Implement multi-factor authentication and replay resistance in the establishment of non-local maintenance and diagnostic sessions.</li> <li>Terminate session and network connections when non-local maintenance is completed.</li> </ol><h5>Discussion</h5> <p>Non-local maintenance and diagnostic activities are conducted by individuals who communicate through an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. 
Authentication techniques used to establish non-local maintenance and diagnostic sessions reflect the requirements in <a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a>.</p> <h5>References</h5> <p>Source control: MA-04<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">Cyber Centre User Authentication Guidance for Information Technology Systems (ITSP.30.031) </a></li> <li><a href="/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> <li><a href="/en/identity-credential-and-access-management-icam-itsap30018">Cyber Centre Identity, Credential, and Access Management (ICAM) (ITSAP.30.018) </a></li> </ul></details><details><summary><h4 id="03-07-06">03.07.06 Maintenance personnel</h4> </summary><ol class="lst-upr-alph"><li>Establish a process for maintenance personnel authorization.</li> <li>Maintain a list of authorized maintenance organizations or personnel.</li> <li>Verify that non-escorted personnel who perform maintenance on the system possess the required access authorizations.</li> <li>Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.</li> </ol><h5>Discussion</h5> <p>Maintenance personnel refers to individuals who perform hardware or software maintenance on the system, while <a href="#03-10-01">Physical access authorizations 03.10.01</a> addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the system. The technical competence of supervising individuals relates to the maintenance performed on the system, while having required access authorizations refers to maintenance on and near the system. 
Individuals who have not been previously identified as authorized maintenance personnel (e.g., manufacturers, consultants, systems integrators, and vendors) may require privileged access to the system, such as when they are required to conduct maintenance with little or no notice. Organizations may choose to issue temporary credentials to these individuals based on their risk assessments. Temporary credentials may be for one-time use or for very limited time periods.</p> <h5>References</h5> <p>Source control: MA-05<br /> Supporting publications: None</p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-8">3.8 Media protection</h3> <p>Physically control and securely store system media containing <abbr title="controlled information">CI</abbr>.</p> <details><summary><h4 id="03-08-01">03.08.01 Media storage</h4> </summary><p>Physically control and securely store system media containing <abbr title="controlled information">CI</abbr>.</p> <h5>Discussion</h5> <p>System media includes digital and non-digital media. 
Digital media includes diskettes, flash drives, magnetic tapes, external or removable solid state or magnetic drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, establishing procedures to allow individuals to check out and return media to libraries, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. Controlled areas provide physical and procedural controls to meet the requirements established for protecting information and systems. Sanitization techniques (e.g., cryptographically erasing, destroying, clearing, and purging) prevent the disclosure of <abbr title="controlled information">CI</abbr> to unauthorized individuals. The sanitization process removes <abbr title="controlled information">CI</abbr> from media such that the information cannot be retrieved or reconstructed.</p> <h5>References</h5> <p>Source control: MP-04<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices </a></li> <li><a href="/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> </ul></details><details><summary><h4 id="03-08-02">03.08.02 Media access</h4> </summary><p>Restrict access to <abbr title="controlled information">CI</abbr> on system media to authorized personnel or roles.</p> <h5>Discussion</h5> <p>System media includes digital and non-digital media. Access to <abbr title="controlled information">CI</abbr> on system media can be restricted by physically controlling such media. 
This includes conducting inventories, ensuring that procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for stored media. For digital media, access to <abbr title="controlled information">CI</abbr> can be restricted by using cryptographic means. Encrypting data in storage or at rest is addressed in <a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a>.</p> <h5>References</h5> <p>Source control: MP-02<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></p> </details><details><summary><h4 id="03-08-03">03.08.03 Media sanitization</h4> </summary><p>Sanitize system media containing <abbr title="controlled information">CI</abbr> prior to disposal, release out of organizational control, or release for reuse.</p> <h5>Discussion</h5> <p>Media sanitization applies to digital and non-digital media subject to disposal or reuse, whether or not the media are considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, mobile devices, network components, and non-digital media. The sanitization process removes <abbr title="controlled information">CI</abbr> from media such that the information cannot be retrieved or reconstructed. Sanitization techniques (e.g., cryptographically erasing, clearing, purging, and destroying) prevent the disclosure of <abbr title="controlled information">CI</abbr> to unauthorized individuals when such media is reused or released for disposal. 
Cyber Centre and <abbr title="Royal Canadian Mounted Police">RCMP</abbr> endorsed standards control the sanitization process for media containing <abbr title="controlled information">CI</abbr> and may require destruction when other methods cannot be applied to the media.</p> <h5>References</h5> <p>Source control: MP-06<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/it-media-sanitization-itsp40006">Cyber Centre <abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006) </a></li> <li><a href="https://www.rcmp-grc.gc.ca/physec-secmat/res-lim/pubs/seg/html/home_e.htm"><abbr title="Royal Canadian Mounted Police">RCMP</abbr> G1-001 Security Equipment Guide (restricted to <abbr title="Government of Canada">GC</abbr>)</a></li> </ul></details><details><summary><h4 id="03-08-04">03.08.04 Media marking</h4> </summary><p>Mark system media containing <abbr title="controlled information">CI</abbr> to indicate distribution limitations, handling caveats, and applicable <abbr title="controlled information">CI</abbr> markings.</p> <h5>Discussion</h5> <p>System media includes digital and non-digital media. Marking refers to the use or application of human-readable security attributes. Labeling refers to the use of security attributes for internal system data structures. Digital media includes diskettes, magnetic tapes, external or removable solid state or magnetic drives, flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. <abbr title="controlled information">CI</abbr> includes Protected A, Protected B and controlled goods information that is not classified. 
Protected information is defined by the <abbr title="Treasury Board Secretariat">TBS</abbr> <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32614">Directive on Security Management, Appendix J: Standard on Security Categorization</a> along with marking, safeguarding, and dissemination requirements for such information.</p> <h5>References</h5> <p>Source control: MP-03<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-08-05">03.08.05 Media transport</h4> </summary><ol class="lst-upr-alph"><li>Protect and control system media that contain <abbr title="controlled information">CI</abbr> during transport outside of controlled areas.</li> <li>Maintain accountability of system media that contain <abbr title="controlled information">CI</abbr> during transport outside of controlled areas.</li> <li>Document activities associated with the transport of system media that contain <abbr title="controlled information">CI</abbr>.</li> </ol><h5>Discussion</h5> <p>System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable solid state or magnetic drives, compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural measures to meet the requirements established for protecting <abbr title="controlled information">CI</abbr> and systems. Media protection during transport can include cryptography and/or locked containers. Activities associated with media transport include releasing media for transport, ensuring that media enter the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. 
Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking or obtaining records of transport activities as the media move through the transportation system to prevent and detect loss, destruction, or tampering. This requirement is related to <a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a> and <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source controls: MP-05, SC-28<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></p> </details><h4 id="03-08-06">03.08.06 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-08-07">03.08.07 Media use</h4> </summary><ol class="lst-upr-alph"><li>Restrict or prohibit the use of [Assignment: organization-defined types of system media].</li> <li>Prohibit the use of removable system media without an identifiable owner.</li> </ol><h5>Discussion</h5> <p>In contrast to requirement <a href="#03-08-01">Media storage 03.08.01</a>, which restricts user access to media, this requirement restricts or prohibits the use of certain types of media, such as external hard drives, flash drives, or smart displays. Organizations can use technical and non-technical measures (e.g., policies, procedures, and rules of behaviour) to control the use of system media. For example, organizations may control the use of portable storage devices by using physical cages on workstations to prohibit access to external ports or disabling or removing the ability to insert, read, or write to devices.</p> <p>Organizations may limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. 
Organizations may also control the use of portable storage devices based on the type of device – prohibiting the use of writeable, portable devices – and implement this restriction by disabling or removing the capability to write to such devices. Limits on the use of organization-controlled system media in external systems include restrictions on how the media may be used and under what conditions. Requiring identifiable owners (e.g., individuals, organizations, or projects) for removable system media reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the media (e.g., insertion of malicious code).</p> <h5>References</h5> <p>Source control: MP-07<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></p> </details><h4 id="03-08-08">03.08.08 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-08-09">03.08.09 System backup – cryptographic protection</h4> </summary><ol class="lst-upr-alph"><li>Protect the confidentiality of backup information.</li> <li>Implement cryptographic mechanisms to prevent the unauthorized disclosure of <abbr title="controlled information">CI</abbr> at backup storage locations.</li> </ol><h5>Discussion</h5> <p>The selection of cryptographic mechanisms is based on the need to protect the confidentiality of backup information. Hardware security module (HSM) devices safeguard and manage cryptographic keys and provide cryptographic processing. Cryptographic operations (e.g., encryption, decryption, and signature generation and verification) are typically hosted on the <abbr title="hardware security module">HSM</abbr> device, and many implementations provide hardware-accelerated mechanisms for cryptographic operations. 
This requirement is related to <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source controls: CP-09, CP-09(08)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final">NIST SP 800-34 Contingency Planning Guide for Federal Information Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/130/final">NIST SP 800-130 A Framework for Designing Cryptographic Key Management Systems</a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-9">3.9 Personnel security</h3> <p>The Personnel security controls support the procedures required to ensure that all personnel who have access to systems have the necessary authorizations as well as appropriate security screening levels. 
They ensure that organizational information and systems are protected during and after personnel actions such as terminations and transfers.</p> <details><summary><h4 id="03-09-01">03.09.01 Personnel screening</h4> </summary><ol class="lst-upr-alph"><li>Screen individuals prior to authorizing access to the system.</li> <li>Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening].</li> </ol><h5>Discussion</h5> <p>Personnel security screening activities involve the assessment of the conduct, integrity, judgment, loyalty, reliability, and stability of an individual (i.e., the individual's trustworthiness) prior to authorizing access to the system or when elevating system access. The screening and rescreening activities reflect applicable federal laws, Orders in Council, directives, policies, regulations, and criteria established for the level of access required for the assigned positions.</p> <h5>References</h5> <p>Source control: PS-03<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/181/r1/final">NIST SP 800-181 Workforce Framework for Cybersecurity (NICE Framework) </a></li> <li><a href="https://www.tpsgc-pwgsc.gc.ca/esc-src/msc-csm/index-eng.html">PSPC Contract Security Manual </a></li> </ul></details><details><summary><h4 id="03-09-02">03.09.02 Personnel termination and transfer</h4> </summary><ol class="lst-upr-alph"><li>When individual employment is terminated: <ol><li>disable system access within [Assignment: organization-defined time period]</li> <li>terminate or revoke authenticators and credentials associated with the individual</li> <li>retrieve security-related system property</li> </ol></li> <li>When individuals are reassigned or transferred to 
other positions in the organization: <ol><li>review and confirm the ongoing operational need for current logical and physical access authorizations to the system and facility</li> <li>modify access authorization to correspond with any changes in operational need</li> </ol></li> </ol><h5>Discussion</h5> <p>Security-related system property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that accountability is achieved for the organizational property. Security topics at exit interviews include reminding individuals of potential limitations on future employment and nondisclosure agreements. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment.</p> <p>The timely execution of termination actions is essential for individuals who have been terminated for cause. Organizations may consider disabling the accounts of individuals who are being terminated prior to the individuals being notified. This requirement applies to the reassignment or transfer of individuals when the personnel action is permanent or of such extended duration as to require protection. 
Protections that may be required for transfers or reassignments to other positions within organizations include returning old and issuing new identification cards, keys, and building passes; changing system access authorizations (i.e., privileges); closing system accounts and establishing new accounts; and providing access to official records to which individuals had access at previous work locations in previous system accounts.</p> <h5>References</h5> <p>Source controls: PS-04, PS-05<br /> Supporting publications: None</p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-10">3.10 Physical protection</h3> <p>The Physical protection controls support the control of physical access to systems, equipment, and the respective operating environments to authorized individuals. 
They facilitate the protection of the physical plant and support infrastructure for systems, the protection of systems against environmental hazards, and provide appropriate environmental controls in facilities containing systems.</p> <details><summary><h4 id="03-10-01">03.10.01 Physical access authorizations</h4> </summary><ol class="lst-upr-alph"><li>Develop, approve, and maintain a list of individuals with authorized access to the physical location where the system resides.</li> <li>Issue authorization credentials for physical access.</li> <li>Review the physical access list [Assignment: organization-defined frequency].</li> <li>Remove individuals from the physical access list when access is no longer required.</li> </ol><h5>Discussion</h5> <p>A facility can include one or more physical locations containing systems or system components that process, store, or transmit <abbr title="controlled information">CI</abbr>. Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include identification badges, identification cards, and smart cards. Organizations determine the strength of the authorization credentials consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. 
Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.</p> <h5>References</h5> <p>Source control: PE-02<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-10-02">03.10.02 Monitoring physical access</h4> </summary><ol class="lst-upr-alph"><li>Monitor physical access to the facility where the system resides to detect and respond to physical security incidents.</li> <li>Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events].</li> </ol><h5>Discussion</h5> <p>A facility can include one or more physical locations containing systems or system components that process, store, or transmit <abbr title="controlled information">CI</abbr>. Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls if the access logs are part of an automated system. Incident response capabilities include investigations of physical security incidents and responses to those incidents. 
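</p> <p>The review of physical access logs that this requirement calls for can be automated when the access control system exports badge events. The following is an added example, not code from the Cyber Centre or from this publication: it runs over a constructed badge log (assumed format: ISO timestamp, badge ID, area, ENTRY/EXIT) and flags the suspicious patterns named in this requirement, namely access outside of normal work hours, repeated access to areas not normally accessed, presence for an unusual length of time, and out-of-sequence access. The working hours, the presence threshold, the repeat threshold and the per-badge baseline of normally accessed areas are assumptions chosen for illustration and would be taken from the physical access list (03.10.01) in practice.</p>

```python
"""Physical access log review for the patterns named in 03.10.02:
after-hours access, repeated access to areas not normally accessed,
unusually long presence, and out-of-sequence access.

Added example, not part of the publication. Log format, working hours,
thresholds and the baseline are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample badge log (assumed format: timestamp,badge,area,event).
SAMPLE_LOG = """\
2025-06-02T08:05:00,B1001,SERVER-ROOM,ENTRY
2025-06-02T17:40:00,B1001,SERVER-ROOM,EXIT
2025-06-02T23:15:00,B1002,SERVER-ROOM,ENTRY
2025-06-03T00:30:00,B1002,SERVER-ROOM,EXIT
2025-06-03T09:00:00,B1003,SERVER-ROOM,EXIT
2025-06-03T09:10:00,B1001,SERVER-ROOM,ENTRY
2025-06-03T10:00:00,B1001,SERVER-ROOM,ENTRY
2025-06-04T08:00:00,B1004,SERVER-ROOM,ENTRY
2025-06-04T22:30:00,B1004,SERVER-ROOM,EXIT
2025-06-05T09:00:00,B1005,MEDIA-LIBRARY,ENTRY
2025-06-05T09:20:00,B1005,MEDIA-LIBRARY,EXIT
2025-06-05T14:00:00,B1005,MEDIA-LIBRARY,ENTRY
2025-06-05T14:15:00,B1005,MEDIA-LIBRARY,EXIT
"""

# Assumed baseline: the areas each badge normally accesses.
BASELINE = {
    "B1001": {"SERVER-ROOM"},
    "B1002": {"SERVER-ROOM"},
    "B1003": {"SERVER-ROOM"},
    "B1004": {"SERVER-ROOM"},
    "B1005": {"LOBBY"},
}

WORK_START, WORK_END = 7, 19          # assumed normal hours, 07:00 to 19:00
MAX_PRESENCE = timedelta(hours=12)    # assumed "unusual length of time"
REPEAT_THRESHOLD = 2                  # entries to a non-baseline area before flagging


def parse_log(text):
    """Parse the constructed log format into (timestamp, badge, area, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, area, event = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, area, event))
    events.sort(key=lambda e: e[0])
    return events


def review_access_log(text, baseline=BASELINE):
    """Return a list of (badge, area, finding) tuples for a reviewer to investigate."""
    findings = []
    inside = {}                   # (badge, area) -> entry time, for sequence/duration checks
    offbase = defaultdict(int)    # (badge, area) -> entries to an area outside the baseline
    for ts, badge, area, event in parse_log(text):
        # Access outside of normal work hours: weekend or outside assumed hours.
        if ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END):
            findings.append((badge, area, f"after-hours {event.lower()} at {ts.isoformat()}"))
        # Repeated access to an area the badge does not normally access.
        if event == "ENTRY" and area not in baseline.get(badge, set()):
            offbase[(badge, area)] += 1
            if offbase[(badge, area)] == REPEAT_THRESHOLD:
                findings.append((badge, area, "repeated access to area not normally accessed"))
        key = (badge, area)
        if event == "ENTRY":
            if key in inside:     # second entry with no exit in between
                findings.append((badge, area, "out-of-sequence: entry without prior exit"))
            inside[key] = ts
        elif event == "EXIT":
            if key not in inside:  # exit with no matching entry (e.g., tailgated in)
                findings.append((badge, area, "out-of-sequence: exit without prior entry"))
            elif ts - inside.pop(key) > MAX_PRESENCE:
                findings.append((badge, area, "presence longer than expected"))
    # Anyone still "inside" at the end of the review window never badged out.
    for (badge, area), ts in inside.items():
        findings.append((badge, area, f"no exit recorded after entry at {ts.isoformat()}"))
    return findings


if __name__ == "__main__":
    for badge, area, finding in review_access_log(SAMPLE_LOG):
        print(f"{badge} {area}: {finding}")
```

<p>The findings are indicators for a reviewer, not conclusions: an exit with no recorded entry may be a tailgating event or a faulty reader, and an after-hours entry may be authorized on-call work. Where the access logs are part of an automated system, the same checks can be fed into the audit logging and review controls so that the review happens at the organization-defined frequency rather than only after an incident.</p> <p>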
Incidents include security violations or suspicious physical access activities, such as access outside of normal work hours, repeated access to areas not normally accessed, access for unusual lengths of time, and out-of-sequence access.</p> <h5>References</h5> <p>Source control: PE-06<br /> Supporting publications: None</p> </details><h4 id="03-10-03">03.10.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-10-04">03.10.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-10-05">03.10.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-10-06">03.10.06 Alternate work site</h4> </summary><ol class="lst-upr-alph"><li>Determine alternate work sites allowed for use by employees.</li> <li>Employ the following security requirements at alternate work sites: [Assignment: organization-defined security requirements].</li> </ol><h5>Discussion</h5> <p>Alternate work sites include the private residences of employees or other facilities designated by the organization. Alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different security requirements for specific alternate work sites or types of sites, depending on the work-related activities conducted at the sites. 
Assessing the effectiveness of the requirements and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations.</p> <h5>References</h5> <p>Source control: PE-17<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003">Cyber Centre End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003) </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User's Guide to Telework and Bring Your Own Device (BYOD) Security</a></li> </ul></details><details><summary><h4 id="03-10-07">03.10.07 Physical access control</h4> </summary><ol class="lst-upr-alph"><li>Enforce physical access authorizations at entry and exit points to the facility where the system resides by: <ol><li>verifying individual physical access authorizations before granting access to the facility</li> <li>controlling ingress and egress with physical access control systems, devices or guards</li> </ol></li> <li>Maintain physical access audit logs for entry or exit points.</li> <li>Escort visitors and control visitor activity.</li> <li>Secure keys, combinations, and other physical access devices.</li> <li>Control physical access to output devices to prevent unauthorized individuals from obtaining access to <abbr title="controlled information">CI</abbr>.</li> </ol><h5>Discussion</h5> <p>This requirement addresses physical locations containing systems or system components that process, store, or transmit <abbr title="controlled information">CI</abbr>. Organizations determine the types of guards needed, including professional security staff or administrative staff. 
Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, Orders in Council, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include exterior access points, interior access points to systems that require supplemental access controls, or both. Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors.</p> <p>Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and only allowing access to authorized individuals, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, facsimile machines, audio devices, and copiers.</p> <h5>References</h5> <p>Source controls: PE-03, PE-05<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-10-08">03.10.08 Access control for transmission</h4> </summary><p>Control physical access to system distribution and transmission lines in organizational facilities.</p> <h5>Discussion</h5> <p>Safeguarding measures applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such measures may also be necessary to prevent eavesdropping or the modification of unencrypted transmissions. 
Safeguarding measures used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protecting cabling with conduit or cable trays, and wiretapping sensors.</p> <h5>References</h5> <p>Source control: PE-04<br /> Supporting publications: None</p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-11">3.11 Risk assessment</h3> <p>The Risk assessment controls deal with the periodic conduct of risk assessments, including privacy impact assessments, resulting from the operation of organizational systems and associated handling, storage, or transmission of data and information.</p> <details><summary><h4 id="03-11-01">03.11.01 Risk assessment</h4> </summary><ol class="lst-upr-alph"><li>Assess the risk (including supply chain risk) of unauthorized disclosure resulting from the handling, processing, storage, or transmission of <abbr title="controlled information">CI</abbr>.</li> <li>Update risk assessments [Assignment: organization-defined frequency].</li> </ol><h5>Discussion</h5> <p>Establishing the system boundary is a prerequisite to assessing the risk of unauthorized disclosure of <abbr title="controlled information">CI</abbr>. 
Risk assessments consider threats, vulnerabilities, likelihood, and adverse impacts to organizational operations and assets based on the operation and use of the system and the unauthorized disclosure of <abbr title="controlled information">CI</abbr>. Risk assessments also consider risks from external parties (e.g., contractors operating systems on behalf of the organization, service providers, individuals accessing systems, and outsourcing entities). Risk assessments can be conducted at the organization level, the mission or business process level, or the system level and at any phase in the system development life cycle. Risk assessments include supply chain-related risks associated with suppliers or contractors and the system, system component, or system service that they provide.</p> <h5>References</h5> <p>Source controls: RA-03, RA-03(01), SR-06<br /> Supporting publications:</p> <ul><li><a href="/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li><a href="/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber Centre Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="/en/guidance/supply-chain-security-small-and-medium-sized-organizations-itsap00070">Cyber Centre Supply chain security for small and medium-sized organizations (ITSAP.00.070)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/30/r1/final">NIST SP 800-30 Guide for Conducting Risk Assessments</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details><details><summary><h4 id="03-11-02">03.11.02 Vulnerability monitoring and scanning</h4> </summary><ol class="lst-upr-alph"><li>Monitor and scan for vulnerabilities in the system [Assignment: organization-defined frequency] and when new 
vulnerabilities affecting the system are identified.</li> <li>Remediate system vulnerabilities within [Assignment: organization-defined response times].</li> <li>Update system vulnerabilities to be scanned [Assignment: organization-defined frequency] and when new vulnerabilities are identified and reported.</li> </ol><h5>Discussion</h5> <p>Organizations determine the required vulnerability scanning for system components and ensure that potential sources of vulnerabilities (e.g., networked printers, scanners, and copiers) are not overlooked. Vulnerability analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, or binary analysis. Organizations can use these approaches in source code reviews and tools (e.g., static analysis tools, web-based application scanners, binary analyzers). Vulnerability scanning includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for improperly configured or incorrectly operating flow control mechanisms.</p> <p>To facilitate interoperability, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention. 
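</p> <p>Expressing findings by CVE identifier is what makes the remediation deadline in part b of this requirement enforceable across scanners: the same vulnerability reported on several hosts can be merged into one tracked item, and its CVSS base score can select the organization-defined response time. The following is an added example, not code from the Cyber Centre or from this publication. It triages a constructed set of scan findings (the CVE identifiers, host names and detection dates are placeholders), applies the standard CVSS v3.x severity ranges, and reports which items have exceeded an assumed response-time table; the table itself is an assumption that each organization replaces with its own values.</p>

```python
"""Triage of vulnerability scan findings against organization-defined
response times (03.11.02 b), keyed by CVE identifier so that output from
different scanners merges into one tracked item per vulnerability.

Added example, not part of the publication. CVE identifiers, hosts,
dates and the response-time table are constructed placeholders.
"""
from datetime import date, timedelta

# CVSS v3.x qualitative severity ratings (standard score ranges).
def cvss_severity(score):
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

# Assumed organization-defined response times, in days, per severity.
# "None" means no remediation deadline applies.
RESPONSE_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": None}

# Constructed scan output: (cve_id, host, cvss_base_score, first_detected).
# The CVE identifiers below are placeholders, not real entries.
SCAN_FINDINGS = [
    ("CVE-0000-00001", "web-01", 9.8, date(2025, 5, 1)),
    ("CVE-0000-00001", "web-02", 9.8, date(2025, 5, 20)),
    ("CVE-0000-00002", "print-01", 7.5, date(2025, 4, 1)),
    ("CVE-0000-00003", "ws-17", 5.3, date(2025, 6, 10)),
    ("CVE-0000-00004", "ws-17", 2.0, date(2025, 1, 1)),
]


def triage(findings, as_of, response_days=RESPONSE_DAYS):
    """Merge findings by CVE, derive the due date from the earliest detection
    and the highest reported score, and report how far overdue each item is."""
    by_cve = {}
    for cve, host, score, seen in findings:
        entry = by_cve.setdefault(cve, {"hosts": set(), "cvss": score, "first_seen": seen})
        entry["hosts"].add(host)
        entry["first_seen"] = min(entry["first_seen"], seen)   # clock starts at first detection
        entry["cvss"] = max(entry["cvss"], score)              # worst reported score governs
    report = []
    for cve, entry in by_cve.items():
        severity = cvss_severity(entry["cvss"])
        days = response_days[severity]
        if days is None:
            continue  # no deadline applies to informational findings
        due = entry["first_seen"] + timedelta(days=days)
        report.append({
            "cve": cve,
            "severity": severity,
            "hosts": sorted(entry["hosts"]),
            "due": due,
            "overdue_days": max(0, (as_of - due).days),
        })
    # Most overdue first, then by severity, so the reviewer sees the worst items at the top.
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    report.sort(key=lambda r: (-r["overdue_days"], rank[r["severity"]]))
    return report


if __name__ == "__main__":
    for item in triage(SCAN_FINDINGS, as_of=date(2025, 6, 23)):
        state = f"OVERDUE by {item['overdue_days']} days" if item["overdue_days"] else "within SLA"
        print(f"{item['cve']} {item['severity']:<8} due {item['due']} {state} hosts={item['hosts']}")
```

<p>Two design choices matter for the control. The response-time clock starts at the earliest detection on any host, not at the latest scan, so that a finding cannot be reset by rescanning; and the highest score reported for a CVE governs its band, so that an optimistic scanner does not lower the priority. The same merged record is the natural input to the plan of action and milestones entry described under Risk response 03.11.04 when remediation cannot be completed within the response time.</p> <p>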
Sources for vulnerability information also include the Common Weakness Enumeration (CWE) listing, the National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS).</p> <h5>References</h5> <p>Source controls: RA-05, RA-05(02)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/40/r4/final">NIST SP 800-40 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/53/a/r5/final">NIST SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/70/r4/final">NIST SP 800-70 National Checklist Program for <abbr title="information technology">IT</abbr> Products: Guidelines for Checklist Users and Developers</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/115/final">NIST SP 800-115 Technical Guide to Information Security Testing and Assessment</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/126/r3/final">NIST SP 800-126 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3</a></li> <li><a href="/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Cyber Centre Top 10 <abbr title="information technology">IT</abbr> security actions: No.2 patch operating systems and applications (ITSM.10.096)</a></li> </ul></details><h4 id="03-11-03">03.11.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-11-04">03.11.04 Risk response</h4> </summary><p>Respond to findings from security assessments, monitoring, and audits.</p> <h5>Discussion</h5> <p>This requirement addresses the need to determine an appropriate response to risk before generating a plan of action and milestones (POAM) entry. 
It may be possible to mitigate the risk immediately so that a <abbr title="plan of action and milestones">POAM</abbr> entry is not needed. However, a <abbr title="plan of action and milestones">POAM</abbr> entry is generated if the risk response is to mitigate the identified risk and the mitigation cannot be completed immediately.</p> <h5>References</h5> <p>Source control: RA-07<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-12">3.12 Security assessment and monitoring</h3> <p>The Security assessment and monitoring controls deal with the security assessment and monitoring of the system.</p> <details><summary><h4 id="03-12-01">03.12.01 Security assessment</h4> </summary><p>Assess the security and privacy requirements for the system and its environment of operation [Assignment: organization-defined frequency] to determine if the requirements have been satisfied.</p> <h5>Discussion</h5> <p>By assessing the security and 
privacy requirements, organizations determine whether the necessary safeguards and countermeasures are implemented correctly, operating as intended, and producing the desired outcome. Security assessments identify weaknesses and deficiencies in the system and provide the essential information needed to make risk-based decisions. Security and privacy assessment reports document assessment results in sufficient detail as deemed necessary by the organization to determine the accuracy and completeness of the reports. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.</p> <h5>References</h5> <p>Source control: CA-02<br /> Supporting publications:</p> <ul><li>Cyber Centre Security and privacy controls and assurance activities catalogue (ITSP.10.033)</li> <li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> <li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/115/final">NIST SP 800-115 Technical Guide to Information Security Testing and Assessment</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/53/a/r5/final">NIST SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations</a></li> </ul></details><details><summary><h4 id="03-12-02">03.12.02 Plan of action and milestones</h4> </summary><ol class="lst-upr-alph"><li>Develop a plan of action and milestones (POAMs) for the system to: <ol><li>document the planned remediation actions to correct weaknesses or deficiencies noted during security assessments</li> <li>reduce or eliminate known system vulnerabilities</li> </ol></li> <li>Update the existing <abbr 
title="plan of action and milestones">POAM</abbr>s based on the findings from: <ol><li>security assessments</li> <li>audits or reviews</li> <li>continuous monitoring activities</li> </ol></li> </ol><h5>Discussion</h5> <p><abbr title="plan of action and milestones">POAM</abbr>s are important documents in organizational security and privacy programs. Organizations use <abbr title="plan of action and milestones">POAM</abbr>s to describe how unsatisfied security requirements will be met and how planned mitigations will be implemented. Organizations can document system security plans and <abbr title="plan of action and milestones">POAM</abbr>s as separate or combined documents and in any format.</p> <h5>References</h5> <p>Source control: CA-05<br /> Supporting publications: Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</p> </details><details><summary><h4 id="03-12-03">03.12.03 Continuous monitoring</h4> </summary><p>Develop and implement a system-level continuous monitoring strategy that includes ongoing monitoring and security assessments.</p> <h5>Discussion</h5> <p>Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support risk management decisions. The terms "continuous" and "ongoing" imply that organizations assess and monitor their systems at a frequency that is sufficient to support risk-based decisions. 
Different types of security and privacy requirements may require different monitoring frequencies.</p> <h5>References</h5> <p>Source control: CA-07<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/115/final">NIST SP 800-115 Technical Guide to Information Security Testing and Assessment</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/137/final">NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/53/a/r5/final">NIST SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations</a></li> </ul></details><h4 id="03-12-04">03.12.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-12-05">03.12.05 Information exchange</h4> </summary><ol class="lst-upr-alph"><li>Approve and manage the exchange of <abbr title="controlled information">CI</abbr> between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; information sharing arrangements; service level agreements; user agreements; nondisclosure agreements].</li> <li>Document, as part of the exchange agreements, interface characteristics, security and privacy requirements, and responsibilities for each system.</li> <li>Review and update the exchange agreements [Assignment: organization-defined frequency].</li> </ol><h5>Discussion</h5> <p>Information exchange applies to information exchanges between two or more systems, both internal and external to the organization. 
Organizations consider the risks related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security requirements or policies. The types of agreements selected are based on factors such as the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual) and the level of access to the organizational system by users of the other system. The types of agreements can include information exchange security agreements, interconnection security agreements, memoranda of understanding or agreement, information sharing arrangements, service-level agreements, or other types of agreements.</p> <p>Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal departments and agencies and non-federal organizations (e.g., service providers, contractors, system developers, and system integrators). 
The types of information contained in exchange agreements include the interface characteristics, security and privacy requirements, controls, and responsibilities for each system.</p> <h5>References</h5> <p>Source control: CA-03<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022)</a></li> <li><a href="/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38">Cyber Centre Network security zoning – Design considerations for placement of services within zones (ITSG-38)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/47/r1/final">NIST SP 800-47 Managing the Security of Information Exchanges</a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-13">3.13 System and communications protection</h3> <p>The System and communications protection controls support the monitoring, control and protection of the systems themselves and of the communications between and within the systems.</p> <details><summary><h4 id="03-13-01">03.13.01 Boundary protection</h4> </summary><ol class="lst-upr-alph"><li>Monitor and control communications at the external managed interfaces to the system and key internal managed interfaces within the system.</li> <li>Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.</li> <li>Connect to external systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.</li> </ol><h5>Discussion</h5> <p>Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces and prohibiting both internal and external address spoofing for protocols crossing the boundary.</p> <h5>References</h5> <p>Source control: SC-07<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Cyber Centre Baseline Security Requirements for Network Security Zones (ITSP.80.022)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38">Cyber Centre Network security zoning – Design considerations for placement of services within zones (ITSG-38)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/189/final">NIST SP 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/41/r1/final">NIST SP 800-41 Guidelines on Firewalls and Firewall Policy</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/125/b/final">NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/207/final">NIST SP 800-207 Zero Trust Architecture</a></li> </ul></details><h4 id="03-13-02">03.13.02 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-13-03">03.13.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> 
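As an added illustration of 03.13.01 (this is example code, not part of the catalogue and not a Cyber Centre tool), the following Python models one managed interface between the external network, a DMZ and the internal network and applies the two rules the discussion names, external web traffic only to designated web servers and no address spoofing across the boundary, on top of a deny-by-default posture. All zone ranges, hosts and exception rules are constructed assumptions.

```python
"""Managed-interface policy check modelled on 03.13.01 Boundary protection.

Added example: not part of the catalogue and not a Cyber Centre tool.  One
boundary device sits between three zones (external, DMZ, internal).  Traffic
is denied by default and crosses the boundary only by listed exception.
All address ranges, hosts and exception rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

# Constructed zone address space; anything outside these ranges is external.
# 192.0.2.0/24 (TEST-NET-1) stands in for the DMZ in this example.
ZONE_NETS = {
    "dmz": IPv4Network("192.0.2.0/24"),
    "internal": IPv4Network("10.0.0.0/8"),
}

# The only DMZ hosts that external web traffic may reach (constructed).
DESIGNATED_WEB_SERVERS = {IPv4Address("192.0.2.10"), IPv4Address("192.0.2.11")}

# Allow-by-exception rules: (ingress zone, egress zone, protocol, dport,
# permitted destinations, or None for any host in the egress zone).
# There is deliberately no DMZ -> internal exception, so a compromised web
# server cannot initiate connections inward.  Return traffic for allowed
# connections is assumed to be handled by connection tracking (not modelled).
ALLOW_RULES = [
    ("external", "dmz", "tcp", 443, DESIGNATED_WEB_SERVERS),
    ("external", "dmz", "tcp", 80, DESIGNATED_WEB_SERVERS),
    ("internal", "dmz", "tcp", 443, DESIGNATED_WEB_SERVERS),
    ("internal", "external", "tcp", 443, None),  # outbound HTTPS
    ("internal", "external", "udp", 53, None),   # outbound DNS
]


@dataclass(frozen=True)
class Packet:
    ingress_zone: str  # zone whose interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Decision:
    action: str  # "allow" or "drop"
    reason: str


def zone_of(addr: str) -> str:
    """Return the zone that owns an address; unknown space is external."""
    ip = ip_address(addr)
    for name, net in ZONE_NETS.items():
        if ip in net:
            return name
    return "external"


def evaluate(pkt: Packet) -> Decision:
    """Apply the anti-spoofing check first, then the allow-by-exception list."""
    src_zone = zone_of(pkt.src)
    dst_zone = zone_of(pkt.dst)
    # Anti-spoofing: the source address must belong to the zone the packet
    # arrived from.  This rejects external packets claiming internal or DMZ
    # addresses and internal packets leaving with a foreign source address.
    if src_zone != pkt.ingress_zone:
        return Decision("drop", f"spoofed source {pkt.src}: {src_zone} address "
                                f"arrived on the {pkt.ingress_zone} interface")
    if dst_zone == pkt.ingress_zone:
        return Decision("drop", "destination is in the ingress zone; "
                                "traffic does not cross the managed interface")
    for zin, zout, proto, dport, dst_set in ALLOW_RULES:
        if (zin, zout, proto, dport) != (pkt.ingress_zone, dst_zone, pkt.proto, pkt.dport):
            continue
        if dst_set is None or ip_address(pkt.dst) in dst_set:
            return Decision("allow", f"exception {zin}->{zout} {proto}/{dport}")
    return Decision("drop", f"no exception for {pkt.ingress_zone}->{dst_zone} "
                            f"{pkt.proto}/{pkt.dport} to {pkt.dst}")


# Constructed sample traffic, one packet per case the discussion calls out.
SAMPLE_PACKETS = [
    ("external client to designated web server",
     Packet("external", "203.0.113.5", "192.0.2.10", "tcp", 443)),
    ("external client to non-designated DMZ host",
     Packet("external", "203.0.113.5", "192.0.2.50", "tcp", 443)),
    ("external packet spoofing an internal source",
     Packet("external", "10.1.1.1", "192.0.2.10", "tcp", 443)),
    ("internal admin SSH to web server (no exception listed)",
     Packet("internal", "10.1.2.3", "192.0.2.10", "tcp", 22)),
    ("DMZ web server initiating SMB inward",
     Packet("dmz", "192.0.2.10", "10.1.2.3", "tcp", 445)),
    ("internal host outbound HTTPS",
     Packet("internal", "10.1.2.3", "198.51.100.7", "tcp", 443)),
    ("internal packet leaving with an external source address",
     Packet("internal", "203.0.113.9", "198.51.100.7", "tcp", 443)),
]


def audit(samples) -> list:
    """Evaluate each (label, packet) pair and return the decisions in order."""
    return [evaluate(pkt) for _, pkt in samples]


if __name__ == "__main__":
    for (label, _), decision in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(f"{decision.action:5}  {label}: {decision.reason}")
```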
<details><summary><h4 id="03-13-04">03.13.04 Information in shared system resources</h4> </summary><p>Prevent unauthorized and unintended information transfer via shared system resources.</p> <h5>Discussion</h5> <p>Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, the control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted, covert channels (including storage and timing channels) in which shared system resources are manipulated to violate information flow restrictions, or components within systems for which there are only single users or roles.</p> <h5>References</h5> <p>Source control: SC-04<br /> Supporting publications: None</p> </details><h4 id="03-13-05">03.13.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-13-06">03.13.06 Network communications – deny by default – allow by exception</h4> </summary><p>Deny network communications traffic by default and allow network communications traffic by exception.</p> <h5>Discussion</h5> <p>This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. 
A deny-all, allow-by-exception network communications traffic policy ensures that only essential and approved connections are allowed.</p> <h5>References</h5> <p>Source control: SC-07(05)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/41/r1/final">NIST SP 800-41 Guidelines on Firewalls and Firewall Policy</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/189/final">NIST SP 800-189 Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation</a></li> </ul></details><h4 id="03-13-07">03.13.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-13-08">03.13.08 Transmission and storage confidentiality</h4> </summary><p>Implement cryptographic mechanisms to prevent the unauthorized disclosure of <abbr title="controlled information">CI</abbr> during transmission and while in storage.</p> <h5>Discussion</h5> <p>This requirement applies to internal and external networks and any system components that can transmit <abbr title="controlled information">CI</abbr>, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are susceptible to interception and modification. Encryption protects <abbr title="controlled information">CI</abbr> from unauthorized disclosure during transmission and while in storage. Cryptographic mechanisms that protect the confidentiality of <abbr title="controlled information">CI</abbr> during transmission include <abbr title="Transport Layer Security">TLS</abbr> and IPsec. 
Information in storage (i.e., information at rest) refers to the state of <abbr title="controlled information">CI</abbr> when it is not in process or in transit and resides on internal or external storage devices, storage area network devices, and databases. Protecting <abbr title="controlled information">CI</abbr> in storage does not focus on the type of storage device or the frequency of access to that device but rather on the state of the information. This requirement relates to <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source controls: SC-08, SC-08(01), SC-28, SC-28(01)<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cyber Centre Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information (ITSP.40.111)</a></li> <li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules</a></li> <li><a href="https://csrc.nist.gov/pubs/fips/197/final">NIST FIPS 197 Advanced Encryption Standard</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/46/r2/final">NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/52/r2/final">NIST SP 800-52 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final">NIST SP 800-56A Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/b/r2/final">NIST SP 800-56B Recommendation for Pair-Wise Key-Establishment Schemes Using Integer 
Factorization Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final">NIST SP 800-56C Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57-1 Recommendation for Key Management: Part 1 – General</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt2/r1/final">NIST SP 800-57-2 Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final">NIST SP 800-57-3 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/111/final">NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/113/final">NIST SP 800-113 Guide to SSL <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/114/r1/final">NIST SP 800-114 User's Guide to Telework and Bring Your Own Device (BYOD) Security</a></li> <li><a href="/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003">Cyber Centre End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/121/r2/upd1/final">NIST SP 800-121 Guide to Bluetooth Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/124/r2/final">NIST SP 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/177/r1/final">NIST SP 800-177 Trustworthy Email</a></li> </ul></details><details><summary><h4 id="03-13-09">03.13.09 Network disconnect</h4> </summary><p>Terminate 
network connections associated with communications sessions at the end of the sessions or after [Assignment: organization-defined time period] of inactivity.</p> <h5>Discussion</h5> <p>This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes deallocating <abbr title="Transmission Control Protocol/Internet Protocol">TCP/IP</abbr> addresses or port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single network connection. Time periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.</p> <h5>References</h5> <p>Source control: SC-10<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-13-10">03.13.10 Cryptographic key establishment and management</h4> </summary><p>Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].</p> <h5>Discussion</h5> <p>Cryptographic keys can be established and managed using either manual procedures or automated mechanisms supported by manual procedures. Organizations satisfy key establishment and management requirements in accordance with applicable federal laws, Orders in Council, policies, directives, regulations, and standards that specify appropriate options, levels, and parameters. 
This requirement is related to <a href="#03-13-11">Cryptographic protection 03.13.11</a>.</p> <h5>References</h5> <p>Source control: SC-12<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final">NIST SP 800-56A Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/b/r2/final">NIST SP 800-56B Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final">NIST SP 800-56C Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt1/r5/final">NIST SP 800-57-1 Recommendation for Key Management: Part 1 – General</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt2/r1/final">NIST SP 800-57-2 Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final">NIST SP 800-57-3 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance</a></li> </ul></details><details><summary><h4 id="03-13-11">03.13.11 Cryptographic protection</h4> </summary><p>Implement the following types of cryptography when used to protect the confidentiality of <abbr title="controlled information">CI</abbr>: [Assignment: organization-defined types of cryptography].</p> <h5>Discussion</h5> <p>Cryptography is implemented in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. 
Federal information processing standard (FIPS)-validated cryptography is recommended for the protection of <abbr title="controlled information">CI</abbr>.</p> <h5>References</h5> <p>Source control: SC-13<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/fips/140-3/final">NIST FIPS 140-3 Security Requirements for Cryptographic Modules</a></p> </details><details><summary><h4 id="03-13-12">03.13.12 Collaborative computing devices and applications</h4> </summary><ol class="lst-upr-alph"><li>Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed].</li> <li>Provide an explicit indication of use to users physically present at the devices.</li> </ol><h5>Discussion</h5> <p>Collaborative computing devices include white boards, microphones, and cameras. Notebook computers, smartphones, display monitors, and tablets containing cameras and microphones are considered part of collaborative computing devices when conferencing software is in use. Indication of use includes notifying users (e.g., a pop-up menu stating that recording is in progress, or that the microphone has been turned on) when collaborative computing devices are activated. Dedicated video conferencing systems, which typically rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded. 
Solutions to prevent device usage include webcam covers and buttons to disable microphones.</p> <h5>References</h5> <p>Source control: SC-15<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-13-13">03.13.13 Mobile code</h4> </summary><ol class="lst-upr-alph"><li>Define acceptable mobile code and mobile code technologies.</li> <li>Authorize, monitor, and control the use of mobile code.</li> </ol><h5>Discussion</h5> <p>Mobile code includes software programs or parts of programs that are obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient. Decisions regarding the use of mobile code are based on the potential for the code to cause damage to the system if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, VBScript, and WebGL. Usage restrictions and implementation guidelines apply to the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers, smart phones, and smart devices. 
Mobile code policies and procedures address the actions taken to prevent the development, acquisition, and use of unacceptable mobile code within the system, including requiring mobile code to be digitally signed by a trusted source.</p> <h5>References</h5> <p>Source control: SC-18<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/28/ver2/final">NIST SP 800-28 Guidelines on Active Content and Mobile Code</a></p> </details><h4 id="03-13-14">03.13.14 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-13-15">03.13.15 Session authenticity</h4> </summary><p>Protect the authenticity of communications sessions.</p> <h5>Discussion</h5> <p>Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of the communications sessions in the ongoing identities of other parties and the validity of the transmitted information. 
Authenticity protection includes protecting against adversary-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.</p> <h5>References</h5> <p>Source control: SC-23<br /> Supporting publications:</p> <ul><li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre Guidance on Securely Configuring Network Protocols (ITSP.40.062)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/52/r2/final">NIST SP 800-52 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/77/r1/final">NIST SP 800-77 Guide to IPsec <abbr title="virtual private network">VPN</abbr>s</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/95/final">NIST SP 800-95 Guide to Secure Web Services</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/113/final">NIST SP 800-113 Guide to SSL <abbr title="virtual private network">VPN</abbr>s</a></li> </ul></details><h4 id="03-13-16">03.13.16 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section><section><h3 class="h2 mrgn-tp-lg" id="3-14">3.14 System and information integrity</h3> <p>The System and information integrity controls support the protection of the integrity of the system components and the data that it processes. 
They allow an organization to identify, report and correct data and system flaws in a timely manner, to provide protection against malicious code, to monitor system security alerts and advisories, and to take appropriate actions in response.</p> <details><summary><h4 id="03-14-01">03.14.01 Flaw remediation</h4> </summary><ol class="lst-upr-alph"><li>Identify, report, and correct system flaws.</li> <li>Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.</li> </ol><h5>Discussion</h5> <p>Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities that result from those flaws, and report this information to designated personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address the flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. 
Organizations can take advantage of available resources (e.g., <abbr title="Common Weakness Enumeration">CWE</abbr> or <abbr title="Common Vulnerabilities and Exposures">CVE</abbr> databases) when remediating system flaws. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors, including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types.</p> <h5>References</h5> <p>Source control: SI-02<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/40/r4/final">NIST SP 800-40 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology </a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/128/upd1/final">NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems </a></li> </ul></details><details><summary><h4 id="03-14-02">03.14.02 Malicious code protection</h4> </summary><ol class="lst-upr-alph"><li>Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.</li> <li>Update malicious code protection mechanisms as new releases are available in accordance with configuration management policies and procedures.</li> <li>Configure malicious code protection mechanisms to: <ol><li>perform scans of the system [assignment: organization-defined frequency] and real-time scans of files from external sources at endpoints or system entry and exit points as the files are downloaded, opened, or executed</li> <li>block or quarantine malicious code, or take other mitigation actions in response to malicious code detection</li> </ol></li> </ol><h5>Discussion</h5> <p>Malicious code insertions occur through the exploitation of system vulnerabilities. 
Malicious code can be inserted into the system in a variety of ways, including email, the Internet, and portable storage devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats, contained in compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code may be present in commercial off-the-shelf software and custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions. Periodic scans of the system and real-time scans of files from external sources as files are downloaded, opened, or executed can detect malicious code. Malicious code protection mechanisms can also monitor systems for anomalous or unexpected behaviours and take appropriate actions.</p> <p>Malicious code protection mechanisms include signature- and non-signature-based technologies. Non-signature-based detection mechanisms include artificial intelligence (AI) techniques that use heuristics to detect, analyze, and describe the characteristics or behaviour of malicious code. They also provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Non-signature-based mechanisms include reputation-based technologies. Pervasive configuration management, anti-exploitation software, and software integrity controls may also be effective in preventing unauthorized code execution.</p> <p>If malicious code cannot be detected by detection methods or technologies, organizations can rely on secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that the software only performs intended functions. 
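</p>
<p>To make the two classes of mechanism concrete, here is an added Python example (not part of this catalogue) of a minimal entry-point scanner that combines a signature check with two non-signature heuristics and maps each result to one of the response actions named in requirement C: a hash match against a known sample is quarantined, a heuristic hit (an executable header inside a file that presents itself as a document, or high-entropy content outside a compressed format) is blocked pending review, and everything else is allowed. The signature database, the thresholds and the four sample files are constructed for illustration; the "known bad" sample is an arbitrary byte string, not real malicious code.</p>

```python
"""Entry-point scanner sketch: signature plus non-signature checks (added example).

Not part of the catalogue. Signatures, thresholds and the sample files
are constructed for illustration only.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field

# Constructed "known sample": an arbitrary byte string, not real malicious code.
SAMPLE_BAD = b"MZ\x90\x00" + b"constructed-sample-payload-not-real-malware"

# Signature-based detection: exact SHA-256 of known samples (constructed entry).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(SAMPLE_BAD).hexdigest(): "Example.Constructed.A",
}

# Extensions for which a PE ("MZ") header is expected.
PE_EXTENSIONS = {"exe", "dll", "sys", "scr"}
# Formats that are legitimately high-entropy (compressed or encoded) and must be
# unpacked before their contents can be judged.
COMPRESSED_EXTENSIONS = {"zip", "gz", "7z", "png", "jpg"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; 8.0 is the maximum possible


@dataclass
class Verdict:
    action: str                          # "allow", "block" or "quarantine"
    reasons: list = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; a value near 8.0 suggests packed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def scan(name: str, data: bytes) -> Verdict:
    """Scan one file as it arrives at an entry point (download, open or execute)."""
    # 1. Signature-based: a known sample is quarantined outright.
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return Verdict("quarantine", [f"signature match: {KNOWN_BAD_SHA256[digest]}"])

    # 2. Non-signature heuristics for content that has no signature yet.
    reasons = []
    ext = extension(name)
    if data.startswith(b"MZ") and ext not in PE_EXTENSIONS:
        reasons.append("executable header in a non-executable file type")
    if ext not in COMPRESSED_EXTENSIONS and shannon_entropy(data) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy content outside a compressed format")
    # Heuristic hits are blocked pending analyst review rather than deleted.
    return Verdict("block", reasons) if reasons else Verdict("allow")


# Constructed sample files as they might arrive at an entry point.
SAMPLE_FILES = {
    "report.txt": b"Quarterly report: revenue up 4 percent; see attached figures.",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.",
    "notes.txt": bytes(range(256)) * 4,   # every byte value equally often: entropy 8.0
    "tool.exe": SAMPLE_BAD,
}


def scan_all(files=SAMPLE_FILES) -> dict:
    """Scan every sample and return {name: Verdict}."""
    return {name: scan(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for fname, verdict in scan_all().items():
        print(f"{fname:12} {verdict.action:10} {'; '.join(verdict.reasons)}")
```

<p>The entropy rule shows why heuristics complement rather than replace signatures: legitimately compressed formats are excluded to limit false positives, so a real deployment would unpack archives and scan their contents, which is the case the discussion above raises for compressed or hidden files.</p>
<p>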
Organizations may determine that different actions are warranted in response to the detection of malicious code. For example, organizations can define actions to be taken in response to the detection of malicious code during scans, malicious downloads, or malicious activity when attempting to open or execute files.</p> <h5>References</h5> <p>Source control: SI-03<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/protect-your-organization-malware-itsap00057">Cyber Centre Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/spotting-malicious-email-messages-itsap00100">Cyber Centre Spotting malicious email messages (ITSAP.00.100)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/83/r1/final">NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/125/b/final">NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/177/r1/final">NIST SP 800-177 Trustworthy Email</a></li> </ul></details><details><summary><h4 id="03-14-03">03.14.03 Security alerts, advisories, and directives</h4> </summary><ol class="lst-upr-alph"><li>Receive system security alerts, advisories, and directives from external organizations on an ongoing basis.</li> <li>Generate and disseminate internal system security alerts, advisories, and directives, as necessary.</li> </ol><h5>Discussion</h5> <p>There are many publicly available sources of system security alerts and advisories. For example, the Canadian Centre for Cyber Security (Cyber Centre) generates security alerts and advisories to maintain situational awareness across the <abbr title="Government of Canada">GC</abbr> and in non-<abbr title="Government of Canada">GC</abbr> organizations. 
Software vendors, subscription services, and industry Information Sharing and Analysis Centres (ISACs) may also provide security alerts and advisories. Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and Canada should the directives not be implemented in a timely manner.</p> <h5>References</h5> <p>Source control: SI-05<br /> Supporting publications: <a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></p> </details><h4 id="03-14-04">03.14.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4 id="03-14-05">03.14.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-14-06">03.14.06 System monitoring</h4> </summary><ol class="lst-upr-alph"><li>Monitor the system to detect: <ol><li>attacks and indicators of potential attacks</li> <li>unauthorized connections</li> </ol></li> <li>Identify unauthorized use of the system.</li> <li>Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions.</li> </ol><h5>Discussion</h5> <p>System monitoring involves external and internal monitoring. Internal monitoring includes the observation of events that occur within the system. External monitoring includes the observation of events that occur at the system boundary. Organizations can monitor the system by observing audit record activities in real time or by observing other system aspects, such as access patterns, characteristics of access, and other actions. 
The monitoring objectives may guide the determination of which events to monitor.</p> <p>A system monitoring capability is achieved through a variety of tools and techniques (e.g., audit record monitoring software, intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and locations near server farms that support critical applications, with such devices employed at managed system interfaces. The granularity of the monitoring information collected is based on organizational monitoring objectives and the capability of the system to support such objectives.</p> <p>System connections can be network, remote, or local. A network connection is any connection with a device that communicates through a network (e.g., local area network, the Internet). A remote connection is any connection with a device that communicates through an external network (e.g., the Internet). Network, remote, and local connections can be either wired or wireless.</p> <p>Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in the system or malicious code propagating among system components, the unauthorized export of information, or signaling to external systems. Evidence of malicious code is used to identify a potentially compromised system. 
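</p>
<p>As an added illustration that is not part of this catalogue, the following Python example runs three detections for the traffic conditions just listed over a constructed set of connection records: regular-interval connections from an internal host to one external destination (signaling to external systems), a single very large outbound transfer (unauthorized export of information), and one internal host contacting many peers on the same port (malicious code propagating among system components). The flow log, the internal address range, the thresholds and the rule names are all constructed for illustration; the external addresses are taken from the documentation ranges reserved for examples.</p>

```python
"""Communications-traffic monitoring over constructed flow records (added example).

Not part of the catalogue. The flow log, thresholds and network ranges are
constructed for illustration.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed internal range
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024               # 100 MiB in a single flow
BEACON_MIN_CONNECTIONS = 4                              # repeats needed to call it regular
BEACON_MAX_JITTER = 0.10                                # intervals within 10% of the mean
FANOUT_MIN_TARGETS = 5                                  # distinct internal peers, one port

# Constructed flow records: "timestamp src dst dst_port bytes_out", one per line.
FLOW_LOG = """\
2025-06-10T09:00:00 10.0.1.5 203.0.113.10 443 512
2025-06-10T09:05:00 10.0.1.5 203.0.113.10 443 498
2025-06-10T09:10:00 10.0.1.5 203.0.113.10 443 505
2025-06-10T09:15:00 10.0.1.5 203.0.113.10 443 511
2025-06-10T09:02:13 10.0.1.7 198.51.100.20 443 750000000
2025-06-10T09:03:00 10.0.1.9 10.0.1.10 445 1200
2025-06-10T09:03:01 10.0.1.9 10.0.1.11 445 1200
2025-06-10T09:03:02 10.0.1.9 10.0.1.12 445 1200
2025-06-10T09:03:03 10.0.1.9 10.0.1.13 445 1200
2025-06-10T09:03:04 10.0.1.9 10.0.1.14 445 1200
2025-06-10T09:04:00 10.0.1.8 192.0.2.50 443 20480
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse the constructed log into (timestamp, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def detect(flows):
    """Return a list of (rule, subject_host, detail) findings."""
    findings = []
    by_pair = defaultdict(list)   # (internal src, external dst) -> timestamps
    fanout = defaultdict(set)     # (internal src, port) -> internal destinations
    for ts, src, dst, port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(ts)
            # Unauthorized export: one flow carrying far more than the baseline.
            if nbytes >= EXFIL_BYTES_THRESHOLD:
                findings.append(("unauthorized-export", src,
                                 f"{nbytes} bytes to {dst}:{port} in one flow"))
        elif is_internal(src) and is_internal(dst):
            fanout[(src, port)].add(dst)

    # Signaling to external systems: connections at a near-constant interval.
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < BEACON_MIN_CONNECTIONS:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean > 0 and max(abs(i - mean) for i in intervals) <= BEACON_MAX_JITTER * mean:
            findings.append(("external-signaling", src,
                             f"{len(stamps)} connections to {dst} every ~{int(mean)}s"))

    # Propagation among components: one host touching many peers on the same port.
    for (src, port), targets in fanout.items():
        if len(targets) >= FANOUT_MIN_TARGETS:
            findings.append(("internal-propagation", src,
                             f"{len(targets)} internal hosts contacted on port {port}"))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in detect(parse_flows(FLOW_LOG)):
        print(f"[{rule}] {subject}: {detail}")
```

<p>Each rule names the host that is the subject of the finding rather than issuing a verdict; in practice the output would feed an analyst queue or SIEM correlation, and the thresholds would be set from a baseline of the organization's own traffic so that the single ordinary external connection in the sample stays below them.</p>
<p>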
System monitoring requirements, including the need for types of system monitoring, may be referenced in other requirements.</p> <h5>References</h5> <p>Source controls: SI-04, SI-04(04)<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/61/r2/final">NIST SP 800-61 Computer Security Incident Handling Guide</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/83/r1/final">NIST SP 800-83 Guide to Malware Incident Prevention and Handling for Desktops and Laptops</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/92/final">NIST SP 800-92 Guide to Computer Security Log Management</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/94/final">NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/137/final">NIST SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/177/r1/final">NIST SP 800-177 Trustworthy Email</a></li> </ul></details><h4 id="03-14-07">03.14.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4 id="03-14-08">03.14.08 Information management and retention</h4> </summary><p>Manage and retain <abbr title="controlled information">CI</abbr> within the system and <abbr title="controlled information">CI</abbr> output from the system in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, guidelines, and operational requirements.</p> <h5>Discussion</h5> <p>Federal departments and agencies consider data retention requirements for non-federal organizations. Retaining <abbr title="controlled information">CI</abbr> on non-federal systems after contracts or agreements have concluded increases the attack surface for those systems and the risk of the information being compromised. 
Library and Archives Canada provides federal policy and guidance on records retention and schedules.</p> <h5>References</h5> <p>Source control: SI-12<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-14-09">03.14.09 Dedicated administration workstation</h4> </summary><ol class="lst-upr-alph"><li>Require any administrative or superuser actions to be performed from a physical workstation that is dedicated to those specific tasks and isolated from all other functions and networks, and especially from any form of internet access.</li> <li>Remote connection of a <abbr title="dedicated administration workstation">DAW</abbr> to a target network must use carrier private networks (e.g., virtual private LAN service (VPLS) or multiprotocol label switching (MPLS)) with <abbr title="virtual private network">VPN</abbr> encryption.</li> <li>Use a dedicated and hardened single-purpose physical workstation or thin client as the <abbr title="dedicated administration workstation">DAW</abbr>, one that is not shared between security realms.</li> </ol><h5>Discussion</h5> <p>A dedicated administration workstation (DAW) typically comprises a user terminal with a very small selection of software designed for interfacing with the target system. For the purpose of this control, workstation means the system from which you are performing the administration, as opposed to the target system of administration. The <abbr title="dedicated administration workstation">DAW</abbr> must be hardened for the role, to minimize the likelihood that a superuser's or administrator's endpoint may be compromised by any threat actor (which would logically lead to the compromise of the target system). Typical office productivity tools are not required on the <abbr title="dedicated administration workstation">DAW</abbr>. All non-essential applications and services are removed. 
<abbr title="dedicated administration workstation">DAW</abbr>s are not domain-joined, cannot download patches from the internet, and cannot update documentation in networked applications.</p> <p>Removing public Internet access from administrative workstations substantially reduces the risk of compromise. Internet-exposed <abbr title="virtual private network">VPN</abbr> gateways are not preferred for remote administration; private carriers provide better protection, but still require <abbr title="virtual private network">VPN</abbr> encryption within that network. The <abbr title="dedicated administration workstation">DAW</abbr> must not become a means of moving laterally between security realms.</p> <h5>References</h5> <p>Source controls: SI-400, SI-400(02), SI-400(05)<br /> Supporting publications: None</p> </details></section><section><h3 class="h2 mrgn-tp-lg" id="3-15">3.15 Planning</h3> <p>The Planning controls and assurance activities deal with the development, documentation, update, and implementation of security and privacy plans for organizational systems. 
Those plans describe the security and privacy controls and assurance activities in place or planned for the systems, and the rules of behaviour for individuals accessing the systems.</p> <details><summary><h4 id="03-15-01">03.15.01 Policy and procedures</h4> </summary><ol class="lst-upr-alph"><li>Develop, document, and disseminate to organizational personnel or roles the policies and procedures needed to satisfy the security requirements for the protection of <abbr title="controlled information">CI</abbr>.</li> <li>Review and update policies and procedures [Assignment: organization-defined frequency].</li> </ol><h5>Discussion</h5> <p>This requirement addresses policies and procedures for the protection of <abbr title="controlled information">CI</abbr>. Policies and procedures contribute to security assurance and should address each family of the <abbr title="controlled information">CI</abbr> security requirements. Policies can be included as part of the organizational security policy or be represented by separate policies that address each family of requirements. Procedures describe how policies are implemented and can be directed at the individual or role that is the object of the procedure. 
Procedures can be documented in system security plans or in one or more separate documents.</p> <h5>References</h5> <p>Source controls: AC-01, AT-01, AU-01, CA-01, CM-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PS-01, RA-01, SA-01, SC-01, SI-01, SR-01<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/12/r1/final">NIST SP 800-12 An Introduction to Information Security</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/100/upd1/final">NIST SP 800-100 Information Security Handbook</a></li> </ul></details><details><summary><h4 id="03-15-02">03.15.02 System security plan</h4> </summary><ol class="lst-upr-alph"><li>Develop a system security and privacy plan that: <ol><li>defines the constituent system components</li> <li>identifies the information types processed, stored, and transmitted by the system</li> <li>describes specific threats to the system that are of concern to the organization</li> <li>describes the operational environment for the system and any dependencies on or connections to other systems or system components</li> <li>provides an overview of the security requirements for the system</li> <li>describes the safeguards in place or planned for meeting the security requirements</li> <li>identifies individuals that fulfill system roles and responsibilities</li> <li>includes other relevant information necessary for the protection of CI</li> </ol></li> <li>Review and update the system security plan [Assignment: organization-defined frequency].</li> <li>Protect the system security plan from unauthorized disclosure.</li> </ol><h5>Discussion</h5> <p>System security and privacy plans provide key characteristics of the system that is processing, storing, and transmitting <abbr title="controlled information">CI</abbr> and how the system and information are protected. 
System security and privacy plans contain sufficient information to facilitate a design and implementation that are unambiguously compliant with the intent of the plans and the subsequent determinations of risk if the plan is implemented as intended. System security and privacy plans can be a collection of documents, including documents that already exist. Effective system security plans make use of references to policies, procedures, and additional documents (e.g., design specifications) where detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security information in other established management or operational areas related to enterprise architecture, the system development life cycle, systems engineering, and acquisition.</p> <h5>References</h5> <p>Source control: PL-02<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/18/r1/final">NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems</a></li> </ul></details><details><summary><h4 id="03-15-03">03.15.03 Rules of behaviour</h4> </summary><ol class="lst-upr-alph"><li>Establish rules that describe the responsibilities and expected behaviour for system usage and protecting <abbr title="controlled information">CI</abbr>.</li> <li>Provide rules to individuals who require access to the system.</li> <li>Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behaviour before authorizing access to <abbr title="controlled information">CI</abbr> and the system.</li> <li>Review and update the rules of behaviour [Assignment: organization-defined frequency].</li> </ol><h5>Discussion</h5> <p>Rules of behaviour represent a type of access agreement for system users. 
Organizations consider rules of behaviour for the handling of <abbr title="controlled information">CI</abbr> based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users.</p> <h5>References</h5> <p>Source control: PL-04<br /> Supporting publications:</p> <ul><li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/18/r1/final">NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems</a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-16">3.16 System and services acquisition</h3> <p>The System and services acquisition controls deal with the contracting of products and services required to support the implementation and operation of organizational systems. 
They ensure that sufficient resources are allocated for the protection of organizational systems, and they support system development lifecycle processes that incorporate security considerations.</p> <details><summary><h4 id="03-16-01">03.16.01 Security engineering principles</h4> </summary><p>Apply the following systems security engineering principles to the development or modification of the system and system components: [Assignment: organization-defined systems security engineering principles].</p> <h5>Discussion</h5> <p>Organizations apply systems security engineering principles to new development systems. For legacy systems, organizations apply systems security engineering principles to system modifications to the extent feasible, given the current state of hardware, software, and firmware components. The application of systems security engineering principles helps to develop trustworthy, secure, and resilient systems and reduce the susceptibility of organizations to disruptions, hazards, and threats. Examples include developing layered protections; establishing security policies, architectures, and controls as the foundation for system design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build trustworthy secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. 
Organizations that apply security engineering principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risks to acceptable levels; and make informed risk-management decisions.</p> <h5>References</h5> <p>Source control: SA-08<br /> Supporting publications:</p> <ul><li>Cyber Centre System lifecycle cyber security and privacy risk management activities (ITSP.10.037)</li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final">NIST SP 800-160-2 Developing Cyber-Resilient Systems: A Systems Security Engineering Approach</a></li> </ul></details><details><summary><h4 id="03-16-02">03.16.02 Unsupported system components</h4> </summary><ol class="lst-upr-alph"><li>Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer.</li> <li>Provide options for risk mitigation or alternative sources for continued support for unsupported components if components cannot be replaced.</li> </ol><h5>Discussion</h5> <p>Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. Components become unsupported when, for example, vendors no longer provide critical software patches or product updates, which can create opportunities for adversaries to exploit weaknesses or deficiencies in the installed components. 
Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities when newer technologies are unavailable or when the systems are so isolated that installing replacement components is not an option.</p> <p>Alternative sources of support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or obtain the services of external providers who provide ongoing support for unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated by prohibiting the connection of such components to public or uncontrolled networks or implementing other forms of isolation.</p> <h5>References</h5> <p>Source control: SA-22<br /> Supporting publications: None</p> </details><details><summary><h4 id="03-16-03">03.16.03 External system services</h4> </summary><ol class="lst-upr-alph"><li>Require the providers of external system services used for the processing, storage, or transmission of <abbr title="controlled information">CI</abbr> to comply with the following security requirements: [Assignment: organization-defined security requirements].</li> <li>Define and document user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers.</li> <li>Implement processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis.</li> </ol><h5>Discussion</h5> <p>External system services are provided by external service providers. 
Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with the organization charged with protecting <abbr title="controlled information">CI</abbr>. Service-level agreements define expectations of performance, describe measurable outcomes, and identify remedies, mitigations, and response requirements for instances of noncompliance. Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when there is a need to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols. This requirement is related to <a href="#03-01-20">Use of external systems 03.01.20</a>.</p> <h5>References</h5> <p>Source control: SA-09<br /> Supporting publications:</p> <ul><li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details></section><section><h3 class="h2 mrgn-tp-lg" id="3-17">3.17 Supply chain risk management</h3> <p>The Supply chain risk management controls support the mitigation of cyber security risks throughout all phases of the supply chain.</p> 
<details><summary><h4 id="03-17-01">03.17.01 Supply chain risk management plan</h4> </summary><ol class="lst-upr-alph"><li>Develop a plan for managing supply chain risks associated with the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, system components, or system services.</li> <li>Review and update the supply chain risk management plan [Assignment: organization-defined frequency].</li> <li>Protect the supply chain risk management plan from unauthorized disclosure.</li> </ol><h5>Discussion</h5> <p>Dependence on the products, systems, and services of external providers and the nature of the relationships with those providers present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, poor manufacturing and development practices in the supply chain, theft, and the insertion of malicious software, firmware, and hardware. Supply chain risks can be endemic or systemic within a system, component, or service. Managing supply chain risks is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders.</p> <p>Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing <abbr title="supply chain risk management">SCRM</abbr> plans to document response actions, and monitoring performance against the plans. 
The system-level <abbr title="supply chain risk management">SCRM</abbr> plan is implementation-specific and provides policy implementation, requirements, constraints, and implications. It can either be stand-alone or incorporated into system security and privacy plans. The <abbr title="supply chain risk management">SCRM</abbr> plan addresses the management, implementation, and monitoring of <abbr title="supply chain risk management">SCRM</abbr> controls and the development or sustainment of systems across the system development life cycle to support mission and business functions. Because supply chains can differ significantly across and within organizations, <abbr title="supply chain risk management">SCRM</abbr> plans are tailored to individual program, organizational, and operational contexts.</p> <h5>References</h5> <p>Source control: SR-02<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li>Cyber Centre Organizational cyber security and privacy risk management activities (ITSP.10.036)</li> <li><a href="https://www.cyber.gc.ca/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071">Cyber Centre Protecting your organization from software supply chain threats (ITSM.10.071)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber Centre Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/supply-chain-security-small-and-medium-sized-organizations-itsap00070">Cyber Centre Supply chain security for small and medium-sized organizations (ITSAP.00.070)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/160/v1/r1/final">NIST SP 800-160-1 Engineering Trustworthy Secure Systems</a></li> <li><a 
href="https://csrc.nist.gov/pubs/sp/800/181/r1/final">NIST SP 800-181 Workforce Framework for Cybersecurity (NICE Framework)</a></li> </ul></details><details><summary><h4 id="03-17-02">03.17.02 Acquisition strategies, tools, and methods</h4> </summary><p>Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and mitigate supply chain risks.</p> <h5>Discussion</h5> <p>The acquisition process provides an important vehicle for protecting the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind purchases, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, the insertion of counterfeits, the insertion of malicious software or backdoors, and poor development practices throughout the system life cycle.</p> <p>Organizations also consider providing incentives for suppliers to implement controls, promote transparency in their processes and security practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risks, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security requirements of the organization. 
Contracts may specify documentation protection requirements.</p> <h5>References</h5> <p>Source control: SR-05<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details><details><summary><h4 id="03-17-03">03.17.03 Supply chain requirements and processes</h4> </summary><ol class="lst-upr-alph"><li>Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes.</li> <li>Enforce the following security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined security requirements].</li> </ol><h5>Discussion</h5> <p>Supply chain elements include organizations, entities, or tools that are employed for the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, firmware, and systems development processes; shipping and handling procedures; physical security programs; personnel security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance, and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. 
Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to harm the organization and affect its ability to carry out its core missions or business functions.</p> <h5>References</h5> <p>Source control: SR-03<br /> Supporting publications:</p> <ul><li><a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">CSE-<abbr title="Royal Canadian Mounted Police">RCMP</abbr> Harmonized Threat and Risk Assessment Methodology (TRA-1)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/161/r1/final">NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations</a></li> </ul></details></section></section> <section><h2 class="text-info" id="AA">Annex A Tailoring criteria</h2> <section><h3>In this section</h3> <ul class="list-unstyled"><li><a href="#tab1">Table 1: Access control (AC)</a></li> <li><a href="#tab2">Table 2: Awareness and training (AT)</a></li> <li><a href="#tab3">Table 3: Audit and accountability (AU)</a></li> <li><a href="#tab4">Table 4: Assessment, authorization, and monitoring (CA)</a></li> <li><a href="#tab5">Table 5: Configuration management (CM)</a></li> <li><a href="#tab6">Table 6: Contingency planning (CP)</a></li> <li><a href="#tab7">Table 7: Identification and Authentication (IA)</a></li> <li><a href="#tab8">Table 8: Incident Response (IR)</a></li> <li><a href="#tab9">Table 9: Maintenance (MA)</a></li> <li><a href="#tab10">Table 10: Media protection (MP)</a></li> <li><a href="#tab11">Table 11: Physical and environmental protection (PE)</a></li> <li><a href="#tab12">Table 12: Planning (PL)</a></li> <li><a href="#tab13">Table 13: Program management 
(PM)</a></li> <li><a href="#tab14">Table 14: Personnel security (PS)</a></li> <li><a href="#tab15">Table 15: Personal information handling and transparency (PT)</a></li> <li><a href="#tab16">Table 16: Risk assessment (RA)</a></li> <li><a href="#tab17">Table 17: System and services acquisition (SA)</a></li> <li><a href="#tab18">Table 18: System and communications protection (SC)</a></li> <li><a href="#tab19">Table 19: System and information integrity (SI)</a></li> <li><a href="#tab20">Table 20: Supply chain risk management (SR)</a></li> </ul></section><p>This appendix describes the security control tailoring criteria used to develop the <abbr title="controlled information">CI</abbr> security requirements. Table 1 through Table 20 specify the tailoring actions applied to the controls in the ITSP.10.033-01 medium impact baseline to obtain the security requirements in section 3. The controls, assurance activities, and enhancements are hyperlinked to their corresponding entry in ITSP.10.033<!--when published-->.</p> <p>The security control tailoring criteria are the following:</p> <ul><li>NCO: the control is not directly related to protecting the confidentiality of <abbr title="controlled information">CI</abbr></li> <li><abbr title="Government of Canada">GC</abbr>: the control is primarily the responsibility of the Government of Canada</li> <li>ORC: the outcome of the control related to protecting the confidentiality of <abbr title="controlled information">CI</abbr> is adequately covered by other related controls</li> <li>N/A: the control is not applicable</li> <li><abbr title="controlled information">CI</abbr>: the control is directly related to protecting the confidentiality of <abbr title="controlled information">CI</abbr></li> </ul><div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab1"><caption>Table 1: Access control (AC)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th 
class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>AC-01</td> <td>Access control policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>AC-02</td> <td>Account management</td> <td>CI</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-02(01)</td> <td>Account management: Automated system account management</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(02)</td> <td>Account management: Automated temporary and emergency account management</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(03)</td> <td>Account management: Disable accounts</td> <td>CI</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-02(04)</td> <td>Account management: Automated audit actions</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(05)</td> <td>Account management: Inactivity logout</td> <td>CI</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-02(07)</td> <td>Account management: Privileged user accounts</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-02(13)</td> <td>Account management: Disable accounts for high-risk individuals</td> <td>CI</td> <td><a href="#03-01-01">Account management 03.01.01</a></td> </tr><tr><td>AC-03</td> <td>Access enforcement</td> <td>CI</td> <td><a href="#03-01-02">Access enforcement 03.01.02</a></td> </tr><tr><td>AC-03(02)</td> <td>Access enforcement: Dual authorization</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-03(04)</td> <td>Access enforcement: Discretionary access control</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-03(09)</td> <td>Access enforcement: Controlled release</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-04</td> <td>Information flow enforcement</td> <td>CI</td> <td><a href="#03-01-03">Information flow enforcement 
03.01.03</a></td> </tr><tr><td>AC-05</td> <td>Separation of duties</td> <td>CI</td> <td><a href="#03-01-04">Separation of duties 03.01.04</a></td> </tr><tr><td>AC-06</td> <td>Least privilege</td> <td>CI</td> <td><a href="#03-01-05">Least privilege 03.01.05</a></td> </tr><tr><td>AC-06(01)</td> <td>Least privilege: Authorize access to security functions</td> <td>CI</td> <td><a href="#03-01-05">Least privilege 03.01.05</a></td> </tr><tr><td>AC-06(02)</td> <td>Least privilege: Non-privileged access for non-security functions</td> <td>CI</td> <td><a href="#03-01-06">Least privilege – privileged accounts 03.01.06</a></td> </tr><tr><td>AC-06(05)</td> <td>Least privilege: Privileged accounts</td> <td>CI</td> <td><a href="#03-01-06">Least privilege – privileged accounts 03.01.06</a></td> </tr><tr><td>AC-06(07)</td> <td>Least privilege: Review of user privileges</td> <td>CI</td> <td><a href="#03-01-05">Least privilege 03.01.05</a></td> </tr><tr><td>AC-06(09)</td> <td>Least privilege: Log use of privileged functions</td> <td>CI</td> <td><a href="#03-01-07">Privileged accounts – privileged functions 03.01.07</a></td> </tr><tr><td>AC-06(10)</td> <td>Least privilege: Prohibit non-privileged users from executing privileged functions</td> <td>CI</td> <td><a href="#03-01-07">Privileged accounts – privileged functions 03.01.07</a></td> </tr><tr><td>AC-07</td> <td>Unsuccessful logon attempts</td> <td>CI</td> <td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a></td> </tr><tr><td>AC-08</td> <td>System use notification</td> <td>CI</td> <td><a href="#03-01-09">System use notification 03.01.09</a></td> </tr><tr><td>AC-11</td> <td>Device lock</td> <td>CI</td> <td><a href="#03-01-10">Device lock 03.01.10</a></td> </tr><tr><td>AC-11(01)</td> <td>Device lock: Pattern-hiding displays</td> <td>CI</td> <td><a href="#03-01-10">Device lock 03.01.10</a></td> </tr><tr><td>AC-12</td> <td>Session termination</td> <td>CI</td> <td><a href="#03-01-11">Session termination 03.01.11</a></td> 
</tr><tr><td>AC-14</td> <td>Permitted actions without identification or authentication</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-16</td> <td>Security and privacy attributes</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-16(02)</td> <td>Security and privacy attributes: Attribute value changes by authorized individuals</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-16(05)</td> <td>Security and privacy attributes: Attribute displays on objects to be output</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-17</td> <td>Remote access</td> <td>CI</td> <td><a href="#03-01-02">Access enforcement 03.01.02</a></td> </tr><tr><td>AC-17(01)</td> <td>Remote access: Monitoring and control</td> <td>NCO</td> <td>none</td> </tr><tr><td>AC-17(02)</td> <td>Remote access: Protection of confidentiality and integrity using encryption</td> <td>CI</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>AC-17(03)</td> <td>Remote access: Managed access control points</td> <td>CI</td> <td><a href="#03-01-12">Remote access 03.01.12</a></td> </tr><tr><td>AC-17(04)</td> <td>Remote access: Privileged commands and access</td> <td>CI</td> <td><a href="#03-01-12">Remote access 03.01.12</a></td> </tr><tr><td>AC-17(400)</td> <td>Remote access: Privileged accounts remote access</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-18</td> <td>Wireless access</td> <td>CI</td> <td><a href="#03-01-16">Wireless access 03.01.16</a></td> </tr><tr><td>AC-18(01)</td> <td>Wireless access: Authentication and encryption</td> <td>CI</td> <td><a href="#03-01-16">Wireless access 03.01.16</a></td> </tr><tr><td>AC-18(03)</td> <td>Wireless access: Disable wireless networking</td> <td>CI</td> <td><a href="#03-01-16">Wireless access 03.01.16</a></td> </tr><tr><td>AC-18(04)</td> <td>Wireless access: Restrict configurations by users</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-19</td> <td>Access control for mobile devices</td> <td>CI</td> <td><a href="#03-01-18">Access control 
for mobile devices 03.01.18</a></td> </tr><tr><td>AC-19(05)</td> <td>Access control for mobile devices: Full device or container-based encryption</td> <td>CI</td> <td><a href="#03-01-18">Access control for mobile devices 03.01.18</a></td> </tr><tr><td>AC-20</td> <td>Use of external systems</td> <td>CI</td> <td><a href="#03-01-20">Use of external systems 03.01.20</a></td> </tr><tr><td>AC-20(01)</td> <td>Use of external systems: Limits on authorized use</td> <td>CI</td> <td><a href="#03-01-20">Use of external systems 03.01.20</a></td> </tr><tr><td>AC-20(02)</td> <td>Use of external systems: Portable storage devices – restricted use</td> <td>CI</td> <td><a href="#03-01-20">Use of external systems 03.01.20</a></td> </tr><tr><td>AC-20(04)</td> <td>Use of external systems: Network accessible storage devices – restricted use</td> <td>ORC</td> <td>none</td> </tr><tr><td>AC-21</td> <td>Information sharing</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-21(400)</td> <td>Information sharing: Information sharing agreement</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-21(401)</td> <td>Information sharing: Information sharing arrangement</td> <td>GC</td> <td>none</td> </tr><tr><td>AC-22</td> <td>Publicly accessible content</td> <td>CI</td> <td><a href="#03-01-22">Publicly accessible content 03.01.22</a></td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab2"><caption>Table 2: Awareness and training (AT)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th 
class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>AT-01</td> <td>Awareness and training policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>AT-02</td> <td>Literacy training and awareness</td> <td>CI</td> <td><a href="#03-02-01">Literacy training and awareness 03.02.01</a></td> </tr><tr><td>AT-02(02)</td> <td>Literacy training and awareness: Insider threat</td> <td>CI</td> <td><a href="#03-02-01">Literacy training and awareness 03.02.01</a></td> </tr><tr><td>AT-02(03)</td> <td>Literacy training and awareness: Social engineering and mining</td> <td>CI</td> <td><a href="#03-02-01">Literacy training and awareness 03.02.01</a></td> </tr><tr><td>AT-03</td> <td>Role-based training</td> <td>CI</td> <td><a href="#03-02-02">Role-based training 03.02.02</a></td> </tr><tr><td>AT-04</td> <td>Training records</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab3"><caption>Table 3: Audit and accountability (AU)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>AU-01</td> <td>Audit and accountability policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>AU-02</td> <td>Event logging</td> <td>CI</td> <td><a href="#03-03-01">Event logging 03.03.01</a></td> </tr><tr><td>AU-03</td> <td>Content of 
audit records</td> <td>CI</td> <td><a href="#03-03-02">Audit record content 03.03.02</a></td> </tr><tr><td>AU-03(01)</td> <td>Additional audit information</td> <td>CI</td> <td><a href="#03-03-02">Audit record content 03.03.02</a></td> </tr><tr><td>AU-04</td> <td>Audit log storage capacity</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-04(01)</td> <td>Audit log storage capacity: Transfer to alternate storage</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-05</td> <td>Response to audit logging process failures</td> <td>CI</td> <td><a href="#03-03-04">Response to audit logging process failures 03.03.04</a></td> </tr><tr><td>AU-05(01)</td> <td>Response to audit logging process failures: Storage capacity warning</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-06</td> <td>Audit record review, analysis, and reporting</td> <td>CI</td> <td><a href="#03-03-05">Audit record review, analysis, and reporting 03.03.05</a></td> </tr><tr><td>AU-06(01)</td> <td>Audit record review, analysis, and reporting: Automated process integration</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-06(03)</td> <td>Audit record review, analysis, and reporting: Correlate audit record repositories</td> <td>CI</td> <td><a href="#03-03-05">Audit record review, analysis, and reporting 03.03.05</a></td> </tr><tr><td>AU-06(04)</td> <td>Audit record review, analysis, and reporting: Central review and analysis</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-07</td> <td>Audit record reduction and report generation</td> <td>CI</td> <td><a href="#03-03-06">Audit record reduction and report generation 03.03.06</a></td> </tr><tr><td>AU-07(01)</td> <td>Audit record reduction and report generation: Automatic processing</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-08</td> <td>Time stamps</td> <td>CI</td> <td><a href="#03-03-07">Time stamps 03.03.07</a></td> </tr><tr><td>AU-09</td> <td>Protection of audit information</td> <td>CI</td> <td><a href="#03-03-08">Protection of audit information 03.03.08</a></td> 
</tr><tr><td>AU-09(02)</td> <td>Protection of audit information: Store on separate physical system or component</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-09(04)</td> <td>Protection of audit information: Access by subset of privileged users</td> <td>CI</td> <td><a href="#03-03-08">Protection of audit information 03.03.08</a></td> </tr><tr><td>AU-09(06)</td> <td>Protection of audit information: Read-only access</td> <td>NCO</td> <td>none</td> </tr><tr><td>AU-11</td> <td>Audit record retention</td> <td>CI</td> <td><a href="#03-03-03">Audit record generation 03.03.03</a></td> </tr><tr><td>AU-12</td> <td>Audit record generation</td> <td>CI</td> <td><a href="#03-03-03">Audit record generation 03.03.03</a></td> </tr><tr><td>AU-12(01)</td> <td>Audit record generation: System-wide and time-correlated audit trail</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab4"><caption>Table 4: Assessment, authorization, and monitoring (CA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>CA-01</td> <td>Assessment, authorization, and monitoring policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>CA-02</td> <td>Control assessments</td> <td>CI</td> <td><a href="#03-12-01">Security assessment 03.12.01</a></td> </tr><tr><td>CA-02(01)</td> <td>Control assessments: Independent 
assessors</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-03</td> <td>Information exchange</td> <td>CI</td> <td><a href="#03-12-05">Information exchange 03.12.05</a></td> </tr><tr><td>CA-05</td> <td>Plan of action and milestones</td> <td>CI</td> <td><a href="#03-12-02">Plan of action and milestones 03.12.02</a></td> </tr><tr><td>CA-06</td> <td>Authorization</td> <td>GC</td> <td>none</td> </tr><tr><td>CA-07</td> <td>Continuous monitoring</td> <td>CI</td> <td><a href="#03-12-03">Continuous monitoring 03.12.03</a></td> </tr><tr><td>CA-07(01)</td> <td>Continuous monitoring: Independent assessment</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-07(04)</td> <td>Continuous monitoring: Risk monitoring</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-09</td> <td>Internal system connections</td> <td>NCO</td> <td>none</td> </tr><tr><td>CA-09(01)</td> <td>Internal system connections: Compliance checks</td> <td>ORC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab5"><caption>Table 5: Configuration management (CM)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>CM-01</td> <td>Configuration management policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>CM-02</td> <td>Baseline configuration</td> <td>CI</td> <td><a href="#03-04-01">Baseline configuration 03.04.01</a></td> 
</tr><tr><td>CM-02(02)</td> <td>Baseline configuration: Automation support for accuracy and currency</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-02(03)</td> <td>Baseline configuration: Retention of previous configurations</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-02(06)</td> <td>Baseline configuration: Development and test environments</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-02(07)</td> <td>Baseline configuration: Configure systems and components for high-risk areas</td> <td>CI</td> <td><a href="#03-04-12">System and component configuration for high-risk areas 03.04.12</a></td> </tr><tr><td>CM-03</td> <td>Configuration change control</td> <td>CI</td> <td><a href="#03-04-03">Configuration change control 03.04.03</a></td> </tr><tr><td>CM-03(02)</td> <td>Configuration change control: Testing, validation, and documentation of changes</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-03(04)</td> <td>Configuration change control: Security and privacy representatives</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-04</td> <td>Impact analyses</td> <td>CI</td> <td><a href="#03-04-04">Impact analyses 03.04.04</a></td> </tr><tr><td>CM-04(01)</td> <td>Impact analyses: Separate test environments</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-04(02)</td> <td>Impact analyses: Verification of controls</td> <td>CI</td> <td><a href="#03-04-04">Impact analyses 03.04.04</a></td> </tr><tr><td>CM-05</td> <td>Access restrictions for change</td> <td>CI</td> <td><a href="#03-04-05">Access restrictions for change 03.04.05</a></td> </tr><tr><td>CM-06</td> <td>Configuration settings</td> <td>CI</td> <td><a href="#03-04-02">Configuration settings 03.04.02</a></td> </tr><tr><td>CM-07</td> <td>Least functionality</td> <td>CI</td> <td><a href="#03-04-06">Least functionality 03.04.06</a></td> </tr><tr><td>CM-07(01)</td> <td>Least functionality: Periodic review</td> <td>CI</td> <td><a href="#03-04-06">Least functionality 03.04.06</a></td> </tr><tr><td>CM-07(02)</td> <td>Least 
functionality: Prevent program execution</td> <td>ORC</td> <td>none</td> </tr><tr><td>CM-07(05)</td> <td>Least functionality: Authorized software – allow by exception</td> <td>CI</td> <td><a href="#03-04-08">Authorized software – allow by exception 03.04.08</a></td> </tr><tr><td>CM-08</td> <td>System component inventory</td> <td>CI</td> <td><a href="#03-04-10">System component inventory 03.04.10</a></td> </tr><tr><td>CM-08(01)</td> <td>System component inventory: Updates during installation and removal</td> <td>CI</td> <td><a href="#03-04-10">System component inventory 03.04.10</a></td> </tr><tr><td>CM-08(03)</td> <td>System component inventory: Automated unauthorized component detection</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-08(04)</td> <td>System component inventory: Accountability information</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-08(06)</td> <td>System component inventory: Assessed configurations and approved deviations</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-09</td> <td>Configuration management plan</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-10</td> <td>Software usage restrictions</td> <td>NCO</td> <td>none</td> </tr><tr><td>CM-11</td> <td>User-installed software</td> <td>ORC</td> <td>none</td> </tr><tr><td>CM-11(02)</td> <td>User-installed software: Software installation with privileged status</td> <td>ORC</td> <td>none</td> </tr><tr><td>CM-12</td> <td>Information location</td> <td>CI</td> <td><a href="#03-04-11">Information location 03.04.11</a></td> </tr><tr><td>CM-12(01)</td> <td>Information location: Automated tools to support information location</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table 
class="table table-bordered" id="tab6"><caption>Table 6: Contingency planning (CP)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>CP-01</td> <td>Contingency planning policy and procedures</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02</td> <td>Contingency plan</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(01)</td> <td>Contingency plan: Coordinate with related plans</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(02)</td> <td>Contingency plan: Capacity planning</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(03)</td> <td>Contingency plan: Resume mission and business functions</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-02(08)</td> <td>Contingency plan: Identify critical assets</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-03</td> <td>Contingency training</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-04</td> <td>Contingency plan testing</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-04(01)</td> <td>Contingency plan testing: Coordinate related plans</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-06</td> <td>Alternate storage site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-06(01)</td> <td>Alternate storage site: Separation of primary site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-06(03)</td> <td>Alternate storage site: Accessibility</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07</td> <td>Alternate processing site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(01)</td> <td>Alternate processing site: Separation of primary site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(02)</td> <td>Alternate processing site: Accessibility</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(03)</td> <td>Alternate processing site: Priority of service</td> 
<td>NCO</td> <td>none</td> </tr><tr><td>CP-07(04)</td> <td>Alternate processing site: Preparation for use</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-07(06)</td> <td>Alternate processing site: Inability to return to primary site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08</td> <td>Telecommunications services</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(01)</td> <td>Telecommunications services: Priority of service provisions</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(02)</td> <td>Telecommunications services: Single points of failure</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(03)</td> <td>Telecommunications services: Separation of primary and alternate providers</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-08(05)</td> <td>Telecommunications services: Alternate telecommunication service testing</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09</td> <td>System backup</td> <td>CI</td> <td><a href="#03-08-09">System backup – cryptographic protection 03.08.09</a></td> </tr><tr><td>CP-09(01)</td> <td>System backup: Testing for reliability and integrity</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(03)</td> <td>System backup: Separate storage for critical information</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(05)</td> <td>System backup: Transfer to alternate storage site</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(07)</td> <td>System backup: Dual authorization for deletion or destruction</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-09(08)</td> <td>System backup: Cryptographic protection</td> <td>CI</td> <td><a href="#03-08-09">System backup – cryptographic protection 03.08.09</a></td> </tr><tr><td>CP-10</td> <td>System recovery and reconstitution</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-10(02)</td> <td>System recovery and reconstitution: Transaction recovery</td> <td>NCO</td> <td>none</td> </tr><tr><td>CP-10(04)</td> <td>System recovery and reconstitution: Restore within time period</td> <td>NCO</td> 
<td>none</td> </tr><tr><td>CP-10(06)</td> <td>System recovery and reconstitution: Component protection</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab7"><caption>Table 7: Identification and Authentication (IA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>IA-01</td> <td>Identification and authentication policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>IA-02</td> <td>Identification and authentication (organizational users)</td> <td>CI</td> <td><a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a></td> </tr><tr><td>IA-02(01)</td> <td>Identification and authentication (organizational users): Multi-factor authentication to privileged accounts</td> <td>CI</td> <td><a href="#03-05-03">Multi-factor authentication 03.05.03</a></td> </tr><tr><td>IA-02(02)</td> <td>Identification and authentication (organizational users): Multi-factor authentication to non-privileged accounts</td> <td>CI</td> <td><a href="#03-05-03">Multi-factor authentication 03.05.03</a></td> </tr><tr><td>IA-02(08)</td> <td>Identification and authentication (organizational users): Access to accounts – replay resistant</td> <td>CI</td> <td><a href="#03-05-04">Replay-resistant authentication 03.05.04</a></td> </tr><tr><td>IA-02(10)</td> <td>Identification and 
authentication (organizational users): Single sign-on</td> <td>NCO</td> <td>none</td> </tr><tr><td>IA-02(12)</td> <td>Identification and authentication (organizational users): Use of hardware token <abbr title="Government of Canada">GC</abbr>-issued <abbr title="Public Key Infrastructure">PKI</abbr>-based credentials</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-03</td> <td>Device identification and authentication</td> <td>CI</td> <td><a href="#03-05-02">Device identification and authentication 03.05.02</a></td> </tr><tr><td>IA-04</td> <td>Identifier management</td> <td>CI</td> <td><a href="#03-05-05">Identifier management 03.05.05</a></td> </tr><tr><td>IA-04(04)</td> <td>Identifier management: Identify user status</td> <td>CI</td> <td><a href="#03-05-05">Identifier management 03.05.05</a></td> </tr><tr><td>IA-05</td> <td>Authenticator management</td> <td>CI</td> <td><a href="#03-05-12">Authenticator management 03.05.12</a></td> </tr><tr><td>IA-05(01)</td> <td>Authenticator management: Password-based authentication</td> <td>CI</td> <td><a href="#03-05-07">Password management 03.05.07</a></td> </tr><tr><td>IA-05(02)</td> <td>Authenticator management: Public key-based authentication</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-05(06)</td> <td>Authenticator management: Protection of authenticators</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-05(07)</td> <td>Authenticator management: No embedded unencrypted static authenticators</td> <td>NCO</td> <td>none</td> </tr><tr><td>IA-05(08)</td> <td>Authenticator management: Multiple system accounts</td> <td>NCO</td> <td>none</td> </tr><tr><td>IA-05(09)</td> <td>Authenticator management: Federated credential management</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-05(13)</td> <td>Authenticator management: Expiration of cached authenticators</td> <td>ORC</td> <td>none</td> </tr><tr><td>IA-05(14)</td> <td>Authenticator management: Managing content of <abbr title="Public Key Infrastructure">PKI</abbr> trust stores</td> 
<td>GC</td> <td>none</td> </tr><tr><td>IA-06</td> <td>Authentication feedback</td> <td>CI</td> <td><a href="#03-05-11">Authentication feedback 03.05.11</a></td> </tr><tr><td>IA-07</td> <td>Cryptographic module authentication</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08</td> <td>Identification and authentication (non-organizational users)</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08(01)</td> <td>Identification and authentication (non-organizational users): Acceptance of <abbr title="Public Key Infrastructure">PKI</abbr>-based credentials from other agencies</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08(02)</td> <td>Identification and authentication (non-organizational users): Acceptance of external authenticators</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-08(04)</td> <td>Identification and authentication (non-organizational users): Use of defined profiles</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-11</td> <td>Re-authentication</td> <td>CI</td> <td><a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a></td> </tr><tr><td>IA-12</td> <td>Identity proofing</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(02)</td> <td>Identity proofing: Identity evidence</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(03)</td> <td>Identity proofing: Identity evidence validation and verification</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(04)</td> <td>Identity proofing: In-person validation and verification</td> <td>GC</td> <td>none</td> </tr><tr><td>IA-12(05)</td> <td>Identity proofing: Address confirmation</td> <td>GC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered"
id="tab8"><caption>Table 8: Incident Response (IR)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>IR-01</td> <td>Incident response policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>IR-02</td> <td>Incident response training</td> <td>CI</td> <td><a href="#03-06-04">Incident response training 03.06.04</a></td> </tr><tr><td>IR-03</td> <td>Incident response testing</td> <td>CI</td> <td><a href="#03-06-03">Incident response testing 03.06.03</a></td> </tr><tr><td>IR-03(02)</td> <td>Incident response testing: Coordinate with related plans</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-04</td> <td>Incident handling</td> <td>CI</td> <td><a href="#03-06-01">Incident handling 03.06.01</a></td> </tr><tr><td>IR-04(03)</td> <td>Incident handling: Continuity of operations</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-04(08)</td> <td>Incident handling: Correlation with external organizations</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-04(09)</td> <td>Incident handling: Dynamic response capability</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-05</td> <td>Incident monitoring</td> <td>CI</td> <td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a></td> </tr><tr><td>IR-06</td> <td>Incident reporting</td> <td>CI</td> <td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a></td> </tr><tr><td>IR-06(01)</td> <td>Incident reporting: Automated reporting</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-06(02)</td> <td>Incident reporting: Vulnerabilities related to incidents</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-06(03)</td> <td>Incident reporting: Supply
chain coordination</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-07</td> <td>Incident response assistance</td> <td>CI</td> <td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a></td> </tr><tr><td>IR-07(01)</td> <td>Incident response assistance: Automation support for availability of information and support</td> <td>NCO</td> <td>none</td> </tr><tr><td>IR-08</td> <td>Incident response plan</td> <td>CI</td> <td><a href="#03-06-05">Incident response plan 03.06.05</a></td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab9"><caption>Table 9: Maintenance (MA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>MA-01</td> <td>System maintenance policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>MA-02</td> <td>Controlled maintenance</td> <td>NCO</td> <td>none</td> </tr><tr><td>MA-03</td> <td>Maintenance tools</td> <td>CI</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-03(01)</td> <td>Maintenance tools: Inspect tools</td> <td>CI</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-03(02)</td> <td>Maintenance tools: Inspect media</td> <td>CI</td> <td><a href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-03(03)</td> <td>Maintenance tools: Prevent unauthorized removal</td> <td>CI</td> <td><a
href="#03-07-04">Maintenance tools 03.07.04</a></td> </tr><tr><td>MA-04</td> <td>Non-local maintenance</td> <td>CI</td> <td><a href="#03-07-05">Non-local maintenance 03.07.05</a></td> </tr><tr><td>MA-04(01)</td> <td>Non-local maintenance: Logging and review</td> <td>NCO</td> <td>none</td> </tr><tr><td>MA-04(03)</td> <td>Non-local maintenance: Comparable security and sanitization</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-04(04)</td> <td>Non-local maintenance: Authentication and separation of maintenance sessions</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-04(05)</td> <td>Non-local maintenance: Approvals and notifications</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-04(06)</td> <td>Non-local maintenance: Cryptographic protection</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-05</td> <td>Maintenance personnel</td> <td>CI</td> <td><a href="#03-07-06">Maintenance personnel 03.07.06</a></td> </tr><tr><td>MA-05(01)</td> <td>Maintenance personnel: Individuals without appropriate access</td> <td>ORC</td> <td>none</td> </tr><tr><td>MA-06</td> <td>Timely maintenance</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab10"><caption>Table 10: Media protection (MP)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>MP-01</td> <td>Media protection policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures
03.15.01</a></td> </tr><tr><td>MP-02</td> <td>Media access</td> <td>CI</td> <td><a href="#03-08-02">Media access 03.08.02</a></td> </tr><tr><td>MP-03</td> <td>Media marking</td> <td>CI</td> <td><a href="#03-08-04">Media marking 03.08.04</a></td> </tr><tr><td>MP-04</td> <td>Media storage</td> <td>CI</td> <td><a href="#03-08-01">Media storage 03.08.01</a></td> </tr><tr><td>MP-05</td> <td>Media transport</td> <td>CI</td> <td><a href="#03-08-05">Media transport 03.08.05</a></td> </tr><tr><td>MP-06</td> <td>Media sanitization</td> <td>CI</td> <td><a href="#03-08-03">Media sanitization 03.08.03</a></td> </tr><tr><td>MP-06(03)</td> <td>Media sanitization: Non-destructive techniques</td> <td>ORC</td> <td>none</td> </tr><tr><td>MP-06(08)</td> <td>Media sanitization: Remote purging or wiping of information</td> <td>ORC</td> <td>none</td> </tr><tr><td>MP-07</td> <td>Media use</td> <td>CI</td> <td><a href="#03-08-07">Media use 03.08.07</a></td> </tr><tr><td>MP-08</td> <td>Media downgrading</td> <td>ORC</td> <td>none</td> </tr><tr><td>MP-08(03)</td> <td>Media downgrading: Protected information</td> <td>ORC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab11"><caption>Table 11: Physical and environmental protection (PE)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PE-01</td> <td>Physical and environmental protection policy and procedures</td>
<td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>PE-02</td> <td>Physical access authorizations</td> <td>CI</td> <td><a href="#03-10-01">Physical access authorizations 03.10.01</a></td> </tr><tr><td>PE-02(400)</td> <td>Physical access authorizations: Identification cards requirements</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-03</td> <td>Physical access control</td> <td>CI</td> <td><a href="#03-10-07">Physical access control 03.10.07</a></td> </tr><tr><td>PE-03(400)</td> <td>Physical access control: Security inspections</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-04</td> <td>Access control for transmission</td> <td>CI</td> <td><a href="#03-10-08">Access control for transmission 03.10.08</a></td> </tr><tr><td>PE-05</td> <td>Access control for output devices</td> <td>CI</td> <td><a href="#03-10-07">Physical access control 03.10.07</a></td> </tr><tr><td>PE-06</td> <td>Monitoring physical access</td> <td>CI</td> <td><a href="#03-10-02">Monitoring physical access 03.10.02</a></td> </tr><tr><td>PE-06(01)</td> <td>Monitoring physical access: Intrusion alarms and surveillance equipment</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-08</td> <td>Visitor access records</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-09</td> <td>Power equipment and cabling</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-10</td> <td>Emergency shutoff</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-11</td> <td>Emergency power</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-12</td> <td>Emergency lighting</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13</td> <td>Fire protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13(01)</td> <td>Fire protection: Detection systems&nbsp;– automatic activation and notification</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13(04)</td> <td>Fire protection: Inspections</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-13(400)</td> <td>Fire protection: Emergency services</td> <td>NCO</td> <td>none</td>
</tr><tr><td>PE-14</td> <td>Environmental controls</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-15</td> <td>Water damage protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-16</td> <td>Delivery and removal</td> <td>NCO</td> <td>none</td> </tr><tr><td>PE-17</td> <td>Alternate work site</td> <td>CI</td> <td><a href="#03-10-06">Alternate work site 03.10.06</a></td> </tr><tr><td>PE-400</td> <td>Remote and telework environments</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-400(01)</td> <td>Remote and telework environments: Physical information and assets storage</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-400(02)</td> <td>Remote and telework environments: International remote/telework</td> <td>GC</td> <td>none</td> </tr><tr><td>PE-401</td> <td>Security operations centre</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab12"><caption>Table 12: Planning (PL)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PL-01</td> <td>Planning policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>PL-02</td> <td>System security and privacy plans</td> <td>CI</td> <td><a href="#03-15-02">System security plan 03.15.02</a></td> </tr><tr><td>PL-04</td> <td>Rules of behaviour</td> <td>CI</td> <td><a href="#03-15-03">Rules of behaviour 03.15.03</a></td> </tr><tr><td>PL-04(01)</td>
<td>Rules of behaviour: Social media and external site/application usage restrictions</td> <td>NCO</td> <td>none</td> </tr><tr><td>PL-08</td> <td>Security and privacy architectures</td> <td>NCO</td> <td>none</td> </tr><tr><td>PL-10</td> <td>Baseline selection</td> <td>GC</td> <td>none</td> </tr><tr><td>PL-11</td> <td>Baseline tailoring</td> <td>GC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab13"><caption>Table 13: Program management (PM)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PM-01</td> <td>Information security program plan</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-02</td> <td>Information security program leadership role</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-03</td> <td>Information security and privacy resources</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-04</td> <td>Plan of action and milestones process</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-05</td> <td>System and program inventory</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-05(01)</td> <td>System inventory: Inventory of personal information</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-06</td> <td>Measures of performance</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-07</td> <td>Enterprise architecture</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-07(01)</td> <td>Enterprise architecture: Offloading</td> <td>N/A</td> <td>none</td>
</tr><tr><td>PM-08</td> <td>Critical infrastructure plan</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-09</td> <td>Risk management strategy</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-10</td> <td>Authorization process</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-11</td> <td>Mission and business process definition</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-12</td> <td>Insider threat program</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-13</td> <td>Security and privacy workforce</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-14</td> <td>Testing, training, and monitoring</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-15</td> <td>Security and privacy groups and associations</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-16</td> <td>Threat awareness program</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-16(01)</td> <td>Threat awareness program: Automated means for sharing threat intelligence</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-17</td> <td>Protecting controlled information on outsourced external systems</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-18</td> <td>Privacy program plan</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-19</td> <td>Privacy program leadership role</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-20</td> <td>Communication of key privacy services</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-20(01)</td> <td>Communication of key privacy services: Privacy policies on websites, applications, and digital services</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-21</td> <td>Maintain a record of disclosures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-22</td> <td>Personal information quality management</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-23</td> <td>Data governance committee</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-24</td> <td>Data integrity board</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-25</td> <td>Minimization of personal information used in testing, training, and research</td> <td>N/A</td> 
<td>none</td> </tr><tr><td>PM-26</td> <td>Complaint management</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-27</td> <td>Privacy reporting</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-28</td> <td>Risk framing</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-29</td> <td>Risk management program leadership roles</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-30</td> <td>Supply chain risk management strategy</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-30(01)</td> <td>Supply chain risk management strategy: Suppliers of critical or mission-essential items</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-31</td> <td>Continuous monitoring strategy</td> <td>N/A</td> <td>none</td> </tr><tr><td>PM-32</td> <td>Purposing</td> <td>N/A</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab14"><caption>Table 14: Personnel security (PS)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PS-01</td> <td>Personnel security policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>PS-02</td> <td>Position security analysis</td> <td>GC</td> <td>none</td> </tr><tr><td>PS-03</td> <td>Personnel screening</td> <td>CI</td> <td><a href="#03-09-01">Personnel screening 03.09.01</a></td> </tr><tr><td>PS-04</td> <td>Personnel termination</td> <td>CI</td> <td><a href="#03-09-02">Personnel termination and transfer
03.09.02</a></td> </tr><tr><td>PS-05</td> <td>Personnel transfer</td> <td>CI</td> <td><a href="#03-09-02">Personnel termination and transfer 03.09.02</a></td> </tr><tr><td>PS-06</td> <td>Access agreements</td> <td>NCO</td> <td>none</td> </tr><tr><td>PS-07</td> <td>External personnel security</td> <td>NCO</td> <td>none</td> </tr><tr><td>PS-08</td> <td>Personnel sanctions</td> <td>NCO</td> <td>none</td> </tr><tr><td>PS-09</td> <td>Position descriptions</td> <td>GC</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab15"><caption>Table 15: Personal information handling and transparency (PT)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>PT-01</td> <td>Personal information handling and transparency policy and procedures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-02</td> <td>Authority to collect and use personal information</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-02(01)</td> <td>Authority to collect and use personal information: Data tagging</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-02(02)</td> <td>Authority to collect and use personal information: Automation</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-03</td> <td>Personal information handling uses and disclosures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-03(01)</td> <td>Personal information handling uses and disclosures: Data tagging</td> <td>N/A</td> <td>none</td>
</tr><tr><td>PT-03(02)</td> <td>Personal information handling uses and disclosures: Automation</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04</td> <td>Consent</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(01)</td> <td>Consent: Tailored consent Government of Canada</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(02)</td> <td>Consent: Timely consent</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(03)</td> <td>Consent: Revocation</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-04(400)</td> <td>Consent: Tailored consent private sector</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-05</td> <td>Privacy notice</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-05(01)</td> <td>Privacy notice: Timely privacy notice statements</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-05(02)</td> <td>Privacy notice: Privacy notice statements</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-06</td> <td>Personal information banks</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-06(01)</td> <td>Personal information banks: Consistent uses and disclosures</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-06(02)</td> <td>Personal information banks: Exempt banks</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07</td> <td>Particularly sensitive personal information</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07(01)</td> <td>Particularly sensitive personal information: Social insurance numbers</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07(02)</td> <td>Particularly sensitive personal information: <em>Canadian Charter of Rights and Freedoms</em></td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-07(400)</td> <td>Particularly sensitive personal information: Private sector</td> <td>N/A</td> <td>none</td> </tr><tr><td>PT-08</td> <td>Data matching requirements</td> <td>N/A</td> <td>none</td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab16"><caption>Table 16: Risk assessment (RA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>RA-01</td> <td>Risk assessment policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>RA-02</td> <td>Security categorization</td> <td>GC</td> <td>none</td> </tr><tr><td>RA-03</td> <td>Risk assessment</td> <td>CI</td> <td><a href="#03-11-01">Risk assessment 03.11.01</a></td> </tr><tr><td>RA-03(01)</td> <td>Risk assessment: Supply chain risk assessment</td> <td>CI</td> <td><a href="#03-11-01">Risk assessment 03.11.01</a></td> </tr><tr><td>RA-05</td> <td>Vulnerability monitoring and scanning</td> <td>CI</td> <td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a></td> </tr><tr><td>RA-05(02)</td> <td>Vulnerability monitoring and scanning: Update vulnerabilities to be scanned</td> <td>CI</td> <td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a></td> </tr><tr><td>RA-05(05)</td> <td>Vulnerability monitoring and scanning: Privileged access</td> <td>ORC</td> <td>none</td> </tr><tr><td>RA-05(11)</td> <td>Vulnerability monitoring and scanning: Public disclosure program</td> <td>NCO</td> <td>none</td> </tr><tr><td>RA-07</td> <td>Risk response</td> <td>CI</td> <td><a href="#03-11-04">Risk response 03.11.04</a></td> </tr><tr><td>RA-09</td> <td>Criticality analysis</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div>
<div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab17"><caption>Table 17: System and services acquisition (SA)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SA-01</td> <td>System and services acquisition policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SA-02</td> <td>Allocation of resources</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-03</td> <td>System development life cycle</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04</td> <td>Acquisition process</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04(01)</td> <td>Acquisition process: Functional properties of controls</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04(09)</td> <td>Acquisition process: Functions, ports, protocols, and services in use</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-04(10)</td> <td>Acquisition process: Use of approved digital credential products</td> <td>GC</td> <td>none</td> </tr><tr><td>SA-04(12)</td> <td>Acquisition process: Data ownership</td> <td>GC</td> <td>none</td> </tr><tr><td>SA-05</td> <td>System documentation</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-08</td> <td>Security and privacy engineering principles</td> <td>CI</td> <td><a href="#03-16-01">Security engineering principles 03.16.01</a></td> </tr><tr><td>SA-09</td> <td>External system services</td> <td>CI</td> <td><a href="#03-16-03">External system services 03.16.03</a></td> </tr><tr><td>SA-09(01)</td> <td>External system services: Risk
assessments and organizational approvals</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-09(02)</td> <td>External system services: Identification of functions, ports, protocols, and services</td> <td>ORC</td> <td>none</td> </tr><tr><td>SA-10</td> <td>Developer configuration management</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-10(01)</td> <td>Developer configuration management: Software and firmware integrity verification</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-11</td> <td>Developer testing and evaluation</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-15</td> <td>Development process, standards, and tools</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-15(03)</td> <td>Development process, standards, and tools: Criticality analysis</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-16</td> <td>Developer-provided training</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-17</td> <td>Developer security and privacy architecture and design</td> <td>NCO</td> <td>none</td> </tr><tr><td>SA-22</td> <td>Unsupported system components</td> <td>CI</td> <td><a href="#03-16-02">Unsupported system components 03.16.02</a></td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab18"><caption>Table 18: System and communications protection (SC)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control&nbsp;/&nbsp;activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SC-01</td> <td>System and communications protection policy and procedures</td>
<td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SC-02</td> <td>Separation of system and user functionality</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-04</td> <td>Information in shared system resources</td> <td>CI</td> <td><a href="#03-13-04">Information in shared system resources 03.13.04</a></td> </tr><tr><td>SC-05</td> <td>Denial-of-service protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-05(02)</td> <td>Denial-of-service protection: Capacity, bandwidth, and redundancy</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-05(03)</td> <td>Denial-of-service protection: Detection and monitoring</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-07</td> <td>Boundary protection</td> <td>CI</td> <td><a href="#03-13-01">Boundary protection 03.13.01</a></td> </tr><tr><td>SC-07(03)</td> <td>Boundary protection: Access points</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(04)</td> <td>Boundary protection: External telecommunications services</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(05)</td> <td>Boundary protection: Deny by default&nbsp;– allow by exception</td> <td>CI</td> <td><a href="#03-13-06">Network communications&nbsp;– deny by default&nbsp;– allow by exception 03.13.06</a></td> </tr><tr><td>SC-07(07)</td> <td>Boundary protection: Split tunneling for remote devices</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(08)</td> <td>Boundary protection: Route traffic to authenticated proxy servers</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(09)</td> <td>Boundary protection: Restrict threatening outgoing communications traffic</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-07(11)</td> <td>Boundary protection: Incoming communications traffic</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-07(12)</td> <td>Boundary protection: Host-based protection</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-07(13)</td> <td>Boundary protection: Isolation of security tools, mechanisms, and support components</td> <td>NCO</td>
<td>none</td> </tr><tr><td>SC-08</td> <td>Transmission confidentiality and integrity</td> <td>CI</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-08(01)</td> <td>Transmission confidentiality and integrity: Cryptographic protection</td> <td>CI</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-10</td> <td>Network disconnect</td> <td>CI</td> <td><a href="#03-13-09">Network disconnect 03.13.09</a></td> </tr><tr><td>SC-12</td> <td>Cryptographic key establishment and management</td> <td>CI</td> <td><a href="#03-13-10">Cryptographic key establishment and management 03.13.10</a></td> </tr><tr><td>SC-12(01)</td> <td>Cryptographic key establishment and management: Availability</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-13</td> <td>Cryptographic protection</td> <td>CI</td> <td><a href="#03-13-11">Cryptographic protection 03.13.11</a></td> </tr><tr><td>SC-15</td> <td>Collaborative computing devices and applications</td> <td>CI</td> <td><a href="#03-13-12">Collaborative computing devices and applications 03.13.12</a></td> </tr><tr><td>SC-15(03)</td> <td>Collaborative computing devices and applications: Disabling and removal in secure work areas</td> <td>GC</td> <td>none</td> </tr><tr><td>SC-17</td> <td>Public key infrastructure certificates</td> <td>GC</td> <td>none</td> </tr><tr><td>SC-18</td> <td>Mobile code</td> <td>CI</td> <td><a href="#03-13-13">Mobile code 03.13.13</a></td> </tr><tr><td>SC-18(01)</td> <td>Mobile code: Identify unacceptable code and take corrective actions</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(02)</td> <td>Mobile code: Acquisition, development, and use</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(03)</td> <td>Mobile code: Prevent downloading and execution</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(04)</td> <td>Mobile code: Prevent automatic execution</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-18(05)</td> 
<td>Mobile code: Allow execution only in confined environments</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-20</td> <td>Secure name/address resolution service (authoritative source)</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-21</td> <td>Secure name/address resolution service (recursive or caching resolver)</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-22</td> <td>Architecture and provisioning for name/address resolution service</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-23</td> <td>Session authenticity</td> <td>CI</td> <td><a href="#03-13-15">Session authenticity 03.13.15</a></td> </tr><tr><td>SC-23(01)</td> <td>Session authenticity: Invalidate session identifiers at logout</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-23(03)</td> <td>Session authenticity: Unique system-generated session identifiers</td> <td>ORC</td> <td>none</td> </tr><tr><td>SC-28</td> <td>Protection of information at rest</td> <td>CI</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-28(01)</td> <td>Protection of information at rest: Cryptographic protection</td> <td>CI</td> <td><a href="#03-13-08">Transmission and storage confidentiality 03.13.08</a></td> </tr><tr><td>SC-29</td> <td>Heterogeneity</td> <td>NCO</td> <td>none</td> </tr><tr><td>SC-39</td> <td>Process isolation</td> <td>NCO</td> <td>none</td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab19"><caption>Table 19: System and information integrity (SI)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th 
class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SI-01</td> <td>System and information integrity policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SI-02</td> <td>Flaw remediation</td> <td>CI</td> <td><a href="#03-14-01">Flaw remediation 03.14.01</a></td> </tr><tr><td>SI-02(02)</td> <td>Flaw remediation: Automated flaw remediation status</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-02(06)</td> <td>Flaw remediation: Removal of previous versions of software and firmware</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-03</td> <td>Malicious code protection</td> <td>CI</td> <td><a href="#03-14-02">Malicious code protection 03.14.02</a></td> </tr><tr><td>SI-03(04)</td> <td>Malicious code protection: Updates only by privileged users</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04</td> <td>System monitoring</td> <td>CI</td> <td><a href="#03-14-06">System monitoring 03.14.06</a></td> </tr><tr><td>SI-04(02)</td> <td>System monitoring: Automated tools and mechanisms for real-time analysis</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(04)</td> <td>System monitoring: Inbound and outbound communications traffic</td> <td>CI</td> <td><a href="#03-14-06">System monitoring 03.14.06</a></td> </tr><tr><td>SI-04(05)</td> <td>System monitoring: System-generated alerts</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(10)</td> <td>System monitoring: Visibility of encrypted communications</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(11)</td> <td>System monitoring: Analyze communications traffic anomalies</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(12)</td> <td>System monitoring: Automated organization-generated alerts</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(13)</td> <td>System monitoring: Analyze traffic and event patterns</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(14)</td> <td>System 
monitoring: Wireless intrusion detection</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-04(15)</td> <td>System monitoring: Wireless to wireline communications</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-05</td> <td>Security alerts, advisories, and directives</td> <td>CI</td> <td><a href="#03-14-03">Security alerts, advisories, and directives 03.14.03</a></td> </tr><tr><td>SI-07</td> <td>Software, firmware, and information integrity</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(01)</td> <td>Software, firmware, and information integrity: Integrity checks</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(02)</td> <td>Software, firmware, and information integrity: Automated notifications of integrity violations</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(03)</td> <td>Software, firmware, and information integrity: Centrally-managed integrity tools</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-07(07)</td> <td>Software, firmware, and information integrity: Integration of detection and response</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-08</td> <td>Spam protection</td> <td>ORC</td> <td>none</td> </tr><tr><td>SI-08(02)</td> <td>Spam protection: Automatic updates</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-10</td> <td>Information input validation</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-11</td> <td>Error handling</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-12</td> <td>Information management and retention</td> <td>CI</td> <td><a href="#03-14-08">Information management and retention 03.14.08</a></td> </tr><tr><td>SI-16</td> <td>Memory protection</td> <td>NCO</td> <td>none</td> </tr><tr><td>SI-400</td> <td>Dedicated administration workstation</td> <td>CI</td> <td><a href="#03-14-09">Dedicated administration workstation 03.14.09</a></td> </tr></tbody></table></div> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab20"><caption>Table 20: Supply chain risk management (SR)</caption> <thead><tr class="active"><th class="text-center" scope="col">Control / activity number</th> <th class="text-center" scope="col">ITSP.10.033-01 Medium impact baseline</th> <th class="text-center" scope="col">Tailoring criteria</th> <th class="text-center" scope="col">Security requirement</th> </tr></thead><tbody><tr><td>SR-01</td> <td>Supply chain risk management policy and procedures</td> <td>CI</td> <td><a href="#03-15-01">Policy and procedures 03.15.01</a></td> </tr><tr><td>SR-02</td> <td>Supply chain risk management plan</td> <td>CI</td> <td><a href="#03-17-01">Supply chain risk management plan 03.17.01</a></td> </tr><tr><td>SR-02(01)</td> <td>Supply chain risk management plan: Establish <abbr title="supply chain risk management">SCRM</abbr> team</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-03</td> <td>Supply chain controls and processes</td> <td>CI</td> <td><a href="#03-17-03">Supply chain requirements and processes 03.17.03</a></td> </tr><tr><td>SR-05</td> <td>Acquisition strategies, tools, and methods</td> <td>CI</td> <td><a href="#03-17-02">Acquisition strategies, tools, and methods 03.17.02</a></td> </tr><tr><td>SR-06</td> <td>Supplier assessments and reviews</td> <td>CI</td> <td><a href="#03-11-01">Risk assessment 03.11.01</a></td> </tr><tr><td>SR-08</td> <td>Notification agreements</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-10</td> <td>Inspection of systems or components</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-11</td> <td>Component authenticity</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-11(01)</td> <td>Component authenticity: Anti-counterfeit training</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-11(02)</td> <td>Component authenticity: Configuration control for component service and 
repair</td> <td>NCO</td> <td>none</td> </tr><tr><td>SR-12</td> <td>Component disposal</td> <td>ORC</td> <td>none</td> </tr></tbody></table></div> </section><section><h2 class="text-info" id="AB">Annex B Organization-defined parameters</h2> <p>This annex lists the organization-defined parameters (ODPs) that are included in the security requirements in Section 3. The <abbr title="organization-defined parameter">ODP</abbr>s are listed sequentially by requirement family, beginning with the first requirement containing an <abbr title="organization-defined parameter">ODP</abbr> in the Access Control (AC) family and ending with the last requirement containing an <abbr title="organization-defined parameter">ODP</abbr> in the Supply Chain Risk Management (SR) family.</p> <div class="table-responsive col-md-12"> <table class="table table-bordered" id="tab21"><caption>Table 21: Organization-defined parameters</caption> <thead><tr class="active"><th class="text-center" scope="col">Security requirement</th> <th class="text-center" scope="col">Organization-defined parameter</th> </tr></thead><tbody><tr><td><a href="#03-01-01">Account management 03.01.01</a>.F.02</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.G.01</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.G.02</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.G.03</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.H</td> <td>[Assignment: 
organization-defined time period]</td> </tr><tr><td><a href="#03-01-01">Account management 03.01.01</a>.H</td> <td>[Assignment: organization-defined circumstances]</td> </tr><tr><td><a href="#03-01-05">Least privilege 03.01.05</a>.B</td> <td>[Assignment: organization-defined security functions]</td> </tr><tr><td><a href="#03-01-05">Least privilege 03.01.05</a>.B</td> <td>[Assignment: organization-defined security-relevant information]</td> </tr><tr><td><a href="#03-01-05">Least privilege 03.01.05</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-01-06">Least privilege – privileged accounts 03.01.06</a>.A</td> <td>[Assignment: organization-defined personnel or roles]</td> </tr><tr><td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a>.A</td> <td>[Assignment: organization-defined number]</td> </tr><tr><td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a>.A</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-01-08">Unsuccessful logon attempts 03.01.08</a>.B</td> <td>[Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action]</td> </tr><tr><td><a href="#03-01-10">Device lock 03.01.10</a>.A</td> <td>[Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]</td> </tr><tr><td><a href="#03-01-11">Session termination 03.01.11</a></td> <td>[Assignment: organization-defined conditions or trigger events requiring session disconnect]</td> </tr><tr><td><a href="#03-01-20">Use of external systems 03.01.20</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-02-01">Literacy training and awareness 
03.02.01</a>.A.01</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-02-01">Literacy training and awareness 03.02.01</a>.A.02</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-02-01">Literacy training and awareness 03.02.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-02-01">Literacy training and awareness 03.02.01</a>.B</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.A.01</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.A.02</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-02-02">Role-based training 03.02.02</a>.B</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-03-01">Event logging 03.03.01</a>.A</td> <td>[Assignment: organization-defined event types]</td> </tr><tr><td><a href="#03-03-01">Event logging 03.03.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-03-04">Response to audit logging process failures 03.03.04</a>.A</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-03-04">Response to audit logging process failures 03.03.04</a>.B</td> <td>[Assignment: organization-defined additional actions]</td> </tr><tr><td><a href="#03-03-05">Audit record review, analysis, and reporting 03.03.05</a>.A</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-03-07">Time stamps 03.03.07</a>.B</td> <td>[Assignment: organization-defined granularity of time measurement]</td> </tr><tr><td><a href="#03-04-01">Baseline configuration 03.04.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a 
href="#03-04-02">Configuration settings 03.04.02</a>.A</td> <td>[Assignment: organization-defined configuration settings]</td> </tr><tr><td><a href="#03-04-06">Least functionality 03.04.06</a>.B</td> <td>[Assignment: organization-defined functions, ports, protocols, connections, and/or services]</td> </tr><tr><td><a href="#03-04-06">Least functionality 03.04.06</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-08">Authorized software – allow by exception 03.04.08</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-10">System component inventory 03.04.10</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-04-12">System and component configuration for high-risk areas 03.04.12</a>.A</td> <td>[Assignment: organization-defined system configurations]</td> </tr><tr><td><a href="#03-04-12">System and component configuration for high-risk areas 03.04.12</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-05-01">User identification, authentication, and re-authentication 03.05.01</a>.B</td> <td>[Assignment: organization-defined circumstances or situations requiring re-authentication]</td> </tr><tr><td><a href="#03-05-02">Device identification and authentication 03.05.02</a></td> <td>[Assignment: organization-defined devices or types of devices]</td> </tr><tr><td><a href="#03-05-05">Identifier management 03.05.05</a>.C</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-05-05">Identifier management 03.05.05</a>.D</td> <td>[Assignment: organization-defined characteristic identifying individual status]</td> </tr><tr><td><a href="#03-05-07">Password management 03.05.07</a>.A</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-05-07">Password management 03.05.07</a>.F</td> <td>[Assignment: organization-defined composition and complexity 
rules]</td> </tr><tr><td><a href="#03-05-12">Authenticator management 03.05.12</a>.E</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-05-12">Authenticator management 03.05.12</a>.E</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a>.B</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-06-02">Incident monitoring, reporting, and response assistance 03.06.02</a>.C</td> <td>[Assignment: organization-defined authorities]</td> </tr><tr><td><a href="#03-06-03">Incident response testing 03.06.03</a></td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.A.01</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.A.03</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-06-04">Incident response training 03.06.04</a>.B</td> <td>[Assignment: organization-defined events]</td> </tr><tr><td><a href="#03-08-07">Media use 03.08.07</a>.A</td> <td>[Assignment: organization-defined types of system media]</td> </tr><tr><td><a href="#03-09-01">Personnel screening 03.09.01</a>.B</td> <td>[Assignment: organization-defined conditions requiring rescreening]</td> </tr><tr><td><a href="#03-09-02">Personnel termination and transfer 03.09.02</a>.A.01</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-10-01">Physical access authorizations 03.10.01</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-10-02">Monitoring physical access 03.10.02</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a 
href="#03-10-02">Monitoring physical access 03.10.02</a>.B</td> <td>[Assignment: organization-defined events or potential indications of events]</td> </tr><tr><td><a href="#03-10-06">Alternate work site 03.10.06</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-11-01">Risk assessment 03.11.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a>.A</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a>.B</td> <td>[Assignment: organization-defined response times]</td> </tr><tr><td><a href="#03-11-02">Vulnerability monitoring and scanning 03.11.02</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-12-01">Security assessment 03.12.01</a></td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-12-05">Information exchange 03.12.05</a>.A</td> <td>[Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service-level agreements; user agreements; nondisclosure agreements; other types of agreements]</td> </tr><tr><td><a href="#03-12-05">Information exchange 03.12.05</a>.C</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-13-09">Network disconnect 03.13.09</a></td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-13-10">Cryptographic key establishment and management 03.13.10</a></td> <td>[Assignment: organization-defined requirements for key establishment and management]</td> </tr><tr><td><a href="#03-13-11">Cryptographic protection 03.13.11</a></td> <td>[Assignment: organization-defined types of cryptography]</td> </tr><tr><td><a href="#03-13-12">Collaborative computing devices and applications 03.13.12</a>.A</td> 
<td>[Assignment: organization-defined exceptions where remote activation is to be allowed]</td> </tr><tr><td><a href="#03-14-01">Flaw remediation 03.14.01</a>.B</td> <td>[Assignment: organization-defined time period]</td> </tr><tr><td><a href="#03-14-02">Malicious code protection 03.14.02</a>.C.01</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-15-01">Policy and procedures 03.15.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-15-02">System security plan 03.15.02</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-15-03">Rules of behaviour 03.15.03</a>.D</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-16-01">Security engineering principles 03.16.01</a></td> <td>[Assignment: organization-defined systems security engineering principles]</td> </tr><tr><td><a href="#03-16-03">External system services 03.16.03</a>.A</td> <td>[Assignment: organization-defined security requirements]</td> </tr><tr><td><a href="#03-17-01">Supply chain risk management plan 03.17.01</a>.B</td> <td>[Assignment: organization-defined frequency]</td> </tr><tr><td><a href="#03-17-03">Supply chain requirements and processes 03.17.03</a>.B</td> <td>[Assignment: organization-defined security requirements]</td> </tr></tbody></table></div> </section><aside class="wb-fnote" role="note"><h2 id="reference">Notes</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>System that is used or operated by a <abbr title="Government of Canada">GC</abbr> department or agency, by a contractor, or by another organization on behalf of a department or agency. 
The term system as used in this publication includes people, processes and technologies involved in the handling, processing, storage or transmission of <abbr title="controlled information">CI</abbr>. Systems can include operational technology (OT), information technology (IT), Internet of Things (IoT) devices, industrial IoT (IIoT) devices, specialized systems, cyber-physical systems, embedded systems, and sensors.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>Components include workstations, servers, notebook computers, smartphones, tablets, input and output devices, network components, operating systems, virtual machines, database management systems, and applications.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </div> </div> </article>
- Mobile device guidance for high profile travellers (ITSAP.00.088)by Canadian Centre for Cyber Security on April 1, 2025 at 5:02 pm
<article data-history-node-id="635" about="/en/guidance/mobile-device-guidance-high-profile-travellers-itsap-00088" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!-- DESKTOP STARTS HERE --> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>March 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.088</strong></p> </div> </div> <!-- MOBILE STARTS HERE --> <div class="hidden-lg hidden-md text-center"> <p><strong>March 2025 | Awareness series</strong></p> </div> <p>High-profile positions, such as politics or senior management, often require travel for work. These roles typically involve using mobile devices to access sensitive data while travelling for business. Mobile devices can be targeted by threat actors seeking information, including foreign intelligence services, criminal groups, or competitor organizations. If a device is compromised, it may lead to unauthorized access to an organization’s network and important data. It is advisable to assess the risks of using mobile devices in certain locations before embarking on business travel.</p> <h2 class="text-info">Threats to your mobile devices and information</h2> <p>Threat actors use different techniques to gain access to devices and sensitive information. 
The following are examples of common attack methods.</p> <ul><li><strong>Shoulder surfing:</strong> Using in-person techniques to physically view and steal your sensitive information.</li> <li><strong>Phishing:</strong> Sending fraudulent emails or texts that include malicious files, malicious links, or requests for personal information. <ul><li><strong>Spear-phishing:</strong> Attacking a select group of individuals or a single person and including details that are tailored to be more convincing, making the source appear more legitimate.</li> <li><strong>Whaling:</strong> Attacking a big “phish”, such as a CEO or executive, because of their level of authority and possible access to more sensitive information.</li> </ul></li> <li><strong>Network spoofing:</strong> Masquerading as a legitimate network.</li> <li><strong>Signal jamming:</strong> Interfering with, disrupting, or blocking communications signals and services.</li> <li><strong>Adversary-in-the-middle (AitM) attacks:</strong> Exploiting vulnerabilities to intercept and potentially manipulate communications in transit.</li> <li><strong>Ransomware:</strong> Using malicious software to encrypt files or lock systems and devices until the victim pays a sum of money.</li> </ul><p>For more information on these types of threats, refer to:</p> <ul><li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="/en/guidance/protecting-your-organization-while-using-wi-fi-itsap80009">Protecting your organization while using Wi-Fi (ITSAP.80.009)</a></li> <li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> </ul><h2 class="text-info">Travel devices</h2> <p>Your organization should identify and consider the risks for high-profile travellers and determine your level of tolerance. 
If the risk level is significant, you should consider issuing travel devices for high-profile travellers as a mitigation measure. Travel devices have limitations in user functionality and data storage.</p> <p>If travel devices are not available, your organization should ensure that travellers use corporately owned devices with the appropriate security controls installed. High-profile travellers should also complete awareness training to further mitigate risks.</p> <p>Your organization should advise against the use of personal devices for business use during travel. For more information on device security and travel, refer to <a href="https://www.cyber.gc.ca/en/guidance/device-security-travel-and-telework-abroad-itsap00188">Device security for travel and telework abroad (ITSAP.00.188)</a>.</p> <h3>High-risk travel</h3> <p>Travel is considered high risk if a traveller’s identity or occupation is well known or high profile. This is especially true if they are travelling to a widely known event or if the destination is considered high risk by <a href="https://travel.gc.ca/travelling/advisories">Global Affairs Canada (GAC) Travel advice and advisories by destination</a>.</p> <p>Your organization should consider all potential risks introduced by international travel and determine its level of tolerance. You and your organization should implement measures to mitigate those identified risks. 
If you are unsure of the risk of your travel, contact your IT security department.</p> <h3>Guide for high-profile business travellers</h3> <p>Consider the following tips before, during and after your travel abroad.</p> <h4>Before your trip</h4> <ul><li>Contact your IT security department to implement any additional security measures on your devices or ask for a corporate temporary travel device</li> <li>Enforce multi-factor authentication (MFA) to access devices and accounts</li> <li>Install anti-virus and spyware protection and a firewall <ul><li>Configure devices to run anti-virus software on storage devices, such as USB drives, upon insertion</li> </ul></li> <li>Run updates and install patches for operating systems and applications</li> <li>Back up devices for possible recovery upon return</li> <li>Remove unnecessary data and applications</li> <li>Install an approved virtual private network (VPN) application on your devices to securely transfer data</li> <li>Encrypt all sensitive information on your mobile device</li> <li>Limit administrative privileges in order to secure software settings and restrict downloadable applications</li> <li>Turn off Bluetooth, Wi-Fi, hotspot and location sharing when not strictly necessary or when not in use</li> </ul><h4>During your trip</h4> <ul><li>Encrypt sensitive information</li> <li>Avoid using personal accounts <ul><li>If necessary, secure accounts with MFA, inform IT of the use of your personal accounts and change passwords upon return</li> </ul></li> <li>Assume that communications transmitted over public servers can be intercepted</li> <li>Use your organization’s network and VPN to access and send sensitive information</li> <li>Be wary of devices and peripherals given to you by individuals outside of your organization</li> <li>Keep your devices in your possession and be aware of your surroundings at all times <ul><li>Encrypt your device</li> <li>Ensure your device is locked when not in use</li> <li>Maintain 
control of chargers, cables and peripherals</li> </ul></li> <li>Do not store or communicate information above the approved classification of the device</li> <li>Turn off devices before going through customs and security <ul><li>Inform IT if your device is inspected by security</li> </ul></li> <li>Communicate security concerns to your IT security department</li> </ul><h4>After your trip</h4> <ul><li>Use anti-virus software to scan devices for malicious activity before connecting to your home and work networks</li> <li>Change passphrases, passwords or PINs on your devices and accounts that you accessed while travelling</li> <li>Report suspected security concerns to your IT security department so they can complete the following steps: <ul><li>Compare the device's image with the pre-travel backup for signs of malicious activity</li> <li>Conduct forensic analysis and a factory reset if your device has been compromised</li> <li>Use a secure backup to restore the device before further use</li> </ul></li> </ul><p>If you notice suspicious activity on your device during or after travel, follow these security measures:</p> <ul><li>Disconnect your device from the Internet and from any other devices</li> <li>Use another device to contact your service provider and your IT team to begin the appropriate incident management processes</li> <li>Keep the device disconnected for the rest of your trip</li> <li>Examine the device in your organization's secure environment once you return from travelling</li> <li>Eliminate the threat from the device and use the latest secure backup to restore the device</li> <li>Replace the device's SIM card</li> </ul><h2 class="text-info">Learn more</h2> <ul><li><a href="/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a></li> <li><a href="/en/guidance/mobile-devices-and-business-travellers-itsap00087">Mobile devices and business travellers (ITSAP.00.087)</a></li> <li><a 
href="/en/guidance/securing-enterprise-mobility-itsm80001">Securing the enterprise for mobility (ITSM.80.001)</a></li> <li><a href="/en/guidance/security-considerations-mobile-device-deployments-itsap70002">Security considerations for mobile device deployments (ITSAP.70.002)</a></li> <li><a href="/en/guidance/using-encryption-keep-your-sensitive-data-secure-itsap40016">Using encryption to keep your sensitive data secure (ITSAP.40.016)</a></li> <li><a href="/en/guidance/virtual-private-networks-itsap80101">Virtual private networks (ITSAP.80.101)</a></li> </ul></div> </div> </div> </div> </div> </article>
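Added example, not from the Cyber Centre guide above: one way to carry out the post-travel step of comparing a device with its pre-travel backup. The Python script records a manifest of file hashes, permission bits and symlink targets before travel, then diffs the live device against it afterwards and reports added, removed and modified files (a changed setuid bit or a redirected symlink counts as a modification). The directory tree, file names and the simulated tampering are constructed for the example; in practice the baseline is stored with the backup, off the device, so a compromised device cannot rewrite it.

```python
"""Baseline-and-compare check for a travel device (added example, not from
the Cyber Centre publication).  Before travel, record a manifest of file
hashes and permission bits; after travel, compare the live tree against it
and report files that were added, removed or modified."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative to root) to its digest and mode bits.
    Symlinks are recorded by target rather than followed, so a link that is
    swapped to point elsewhere shows up as a modification."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            manifest[rel] = {"link": os.readlink(path)}
        elif path.is_file():
            manifest[rel] = {"sha256": file_digest(path),
                             "mode": oct(path.stat().st_mode & 0o7777)}
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return the added, removed and modified paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest: dict, dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, simulate what a tampered
    device might look like after travel, and diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "device"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ssh").write_bytes(b"original ssh client")
        (root / "bin" / "ssh").chmod(0o755)
        (root / "home").mkdir()
        (root / "home" / "notes.txt").write_text("itinerary")
        baseline_file = Path(tmp) / "baseline.json"   # kept off-device in practice
        save_manifest(build_manifest(root), baseline_file)

        # Simulated post-travel state: a binary replaced, a setuid bit added,
        # an unexpected file dropped in and a user file deleted.
        (root / "bin" / "ssh").write_bytes(b"trojaned ssh client")
        (root / "bin" / "ssh").chmod(0o4755)
        (root / "home" / ".cache_helper").write_bytes(b"\x7fELF")
        (root / "home" / "notes.txt").unlink()

        return compare_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running `demo()` reports `bin/ssh` as modified, `home/.cache_helper` as added and `home/notes.txt` as removed. A manifest diff only tells you what changed on disk; firmware, baseband and files the operating system hides from an unprivileged process are outside its reach, which is why the guide still calls for a factory reset and restore from backup when compromise is suspected.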
- Cyber threats to elections by Canadian Centre for Cyber Security on March 28, 2025 at 3:06 pm
Resources to learn more about cyber threats to elections and mitigate their impacts
- Using security information and event management tools to manage cyber security risks (ITSM.80.024) by Canadian Centre for Cyber Security on March 24, 2025 at 7:27 pm
<article data-history-node-id="6217" about="/en/guidance/using-security-information-event-management-tools-manage-cyber-security-risks-itsm80024" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 col-sm-12 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>March 2025</strong></p> </div> <div class="col-md-4 col-sm-12 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 col-sm-12 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.80.024</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm80024-e.pdf">Using security information and event management solutions to manage cyber security risks - ITSM.80.024 (PDF,&nbsp;500&nbsp;KB)</a></p> </div> <section><h2 class="mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre).</p> <p>For more information, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span>&nbsp;<a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>&nbsp;|<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1-833-CYBER-88</a></p> </section></div> </div> <section><h2>Effective date</h2> <p>This publication takes effect on March&nbsp;31, 2025.</p> </section><section><h2>Revision history</h2> <ol class="list-unstyled"><li><strong>First release:</strong> March&nbsp;31, 2025</li> </ol></section><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled mrgn-tp-md"><li><a href="#overview">Overview</a></li> <li><a href="#1">1 Introduction</a></li> <li><a href="#2">2 <abbr title="security information and event management">SIEM</abbr> capabilities</a> <ul><li><a href="#2.1">2.1 Next-gen solutions</a> <ul><li><a href="#2.1.1">2.1.1 User and entity behaviour analytics</a></li> <li><a href="#2.1.2">2.1.2 Security orchestration, automation and response</a></li> </ul></li> </ul></li> <li><a href="#3">3 Benefits of <abbr title="security information and event management">SIEM</abbr> solutions</a></li> <li><a href="#4">4 Cloud-based <abbr title="security information and event management">SIEM</abbr> solutions</a> <ul><li><a href="#4.1">4.1 Types of cloud offerings</a> <ul><li><a href="#4.1.1">4.1.1 Managed</a></li> <li><a href="#4.1.2">4.1.2 Unmanaged</a></li> </ul></li> <li><a href="#4.2">4.2 Benefits of cloud-based <abbr title="security information and event management">SIEM</abbr> solutions</a> <ul><li><a href="#4.2.1">4.2.1 Scalability and flexibility</a></li> <li><a href="#4.2.2">4.2.2 Reduced operational overhead</a></li> <li><a href="#4.2.3">4.2.3 Analytics</a></li> </ul></li> <li><a href="#4.3">4.3 Drawbacks of cloud-based <abbr title="security information and event management">SIEM</abbr> solutions</a> 
<ul><li><a href="#4.3.1">4.3.1 Data privacy concerns</a></li> <li><a href="#4.3.2">4.3.2 Vendor lock-in</a></li> <li><a href="#4.3.3">4.3.3 Cost</a></li> </ul></li> </ul></li> <li><a href="#5">5 Best practices for implementing a <abbr title="security information and event management">SIEM</abbr> solution</a> <ul><li><a href="#5.1">5.1 General best practices</a></li> <li><a href="#5.2">5.2 Quality log data</a> <ul><li><a href="#5.2.1">5.2.1 Choose appropriate log collection methods</a></li> <li><a href="#5.2.2">5.2.2 Review and update log dissectors</a></li> <li><a href="#5.2.3">5.2.3 Manage log storage appropriately</a></li> <li><a href="#5.2.4">5.2.4 Activate indexing of most-searched fields</a></li> <li><a href="#5.2.5">5.2.5 Normalize log data</a></li> <li><a href="#5.2.6">5.2.6 Adjust correlation rules and thresholds</a></li> </ul></li> </ul></li> <li><a href="#6">6 Zero trust architecture</a></li> <li><a href="#7">7 Summary</a></li> <li><a href="#reference">Reference</a></li> </ul></details></section><section><h2 id="overview">Overview</h2> <p>This publication provides large organizations and enterprises with advice and guidance on security information and event management (SIEM) solutions. <abbr title="security information and event management">SIEM</abbr> solutions are sets of tools and services that collect, aggregate and analyze large volumes of data from multiple sources in real time. <abbr title="security information and event management tools">SIEMs</abbr> are an important enterprise security solution to incorporate in a defence-in-depth approach to cyber security and risk management. Defence-in-depth uses multiple, overlapping layers of protection so that the failure of any single control does not expose your information. 
A <abbr title="security information and event management">SIEM</abbr> solution gives your organization better insight into vulnerabilities and suspicious activity, helps you contain and eliminate cyber security threats quickly, and supports continuous compliance with regulatory requirements. A <abbr title="security information and event management">SIEM</abbr> solution can help your organization manage cyber security risks and increase cyber resilience in a way that is proportionate to your organization's resources and the sensitivity of its assets.</p> <p>This publication will help your organization understand the:</p> <ul><li>functionality of <abbr title="security information and event management">SIEM</abbr> solutions</li> <li>importance of <abbr title="security information and event management">SIEM</abbr> solutions in cyber security</li> <li>best practices for using <abbr title="security information and event management">SIEM</abbr> solutions</li> </ul><p>Additionally, this publication provides information on cloud-based <abbr title="security information and event management">SIEM</abbr> solutions and how they fit into a zero trust architecture (ZTA). Cloud-based <abbr title="security information and event management">SIEM</abbr> technology and <abbr title="zero trust architecture">ZTA</abbr> both offer enhanced protection for your infrastructure and data in an ever-changing cyber threat landscape.</p> </section><section><h2 id="1">1 Introduction</h2> <p>Your organization's networks are the backbone infrastructure for your information technology (IT) systems, operational technology (OT) and industrial control systems (ICS). Therefore, it is important to secure your network infrastructure to protect your organization from breaches, intrusions and other cyber threats. 
Logging network activity and monitoring security events will help you to:</p> <ul><li>secure your network infrastructure</li> <li>identify indicators of compromise (IoCs)</li> <li>take corrective actions in a timely manner</li> <li>minimize the impact when a security incident occurs</li> </ul><p>A <abbr title="security information and event management">SIEM</abbr> solution consolidates monitoring and logging functions. The term <abbr title="security information and event management">SIEM</abbr> was first coined by Gartner<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> in 2005 to describe the combination of the following approaches:</p> <ul><li>security information management (SIM), which refers to activities related to collecting data such as log files from multiple sources into a central repository</li> <li>security event management (SEM), which refers to activities related to the real-time monitoring and analysis of specific security events that may be red flags</li> </ul><p>Traditionally, <abbr title="security information and event management">SIEM</abbr> solutions mostly offered protection for on-premises (on-prem) environments with limited data sources and capabilities. <abbr title="security information and event management">SIEM</abbr> solutions have evolved, with next-generation (next-gen) <abbr title="security information and event management tools">SIEMs</abbr> offering more capabilities to address advanced cyber threats and handle massive volumes of data. 
Many cloud-based <abbr title="security information and event management">SIEM</abbr> solutions that can protect assets both on-prem and in the cloud are now available.</p> </section><section><h2 id="2">2 <abbr title="security information and event management">SIEM</abbr> capabilities</h2> <p>A <abbr title="security information and event management">SIEM</abbr> solution is a set of tools and services that collect, aggregate and analyze large volumes of data from multiple sources in real time. Some basic <abbr title="security information and event management">SIEM</abbr> capabilities include:</p> <ul><li>aggregating data from many sources, such as users, network devices, applications, endpoints and cloud-deployed infrastructure</li> <li>monitoring and analyzing real-time and historical events</li> <li>normalizing or reformatting log data into a standard format to facilitate analysis</li> <li>correlating security events that have common attributes (e.g.,&nbsp;the same source address, user or time window)</li> <li>facilitating audit record correlation and analysis (e.g.,&nbsp;by correlating events with vulnerability scan results)</li> <li>detecting <abbr title="indicators of compromise">IoCs</abbr> ingested dynamically from threat feeds</li> <li>issuing notifications and alerts when real or potential threats are identified</li> <li>managing the triage of alerts</li> <li>archiving logs to facilitate the correlation of data over time for incident investigation and compliance requirements</li> <li>verifying the cryptographic integrity of logs to determine whether they have been tampered with</li> </ul><h3 id="2.1">2.1 Next-gen solutions</h3> <p>Next-gen <abbr title="security information and event management">SIEM</abbr> solutions incorporate the following technologies to detect complex threats 
and lateral movement, and to automate incident responses:</p> <h4 id="2.1.1">2.1.1 User and entity behaviour analytics</h4> <p>User and entity behaviour analytics (UEBA) uses algorithms and machine learning to detect anomalous patterns of behaviour by users and devices (e.g.,&nbsp;routers, servers and endpoints) on the network. <abbr title="user and entity behaviour analytics">UEBA</abbr> allows your organization to identify a wider range of cyber threats, such as brute-force attacks, distributed denial-of-service (DDoS) attacks and insider threats.</p> <h4 id="2.1.2">2.1.2 Security orchestration, automation and response</h4> <p>Security orchestration, automation and response (SOAR) helps coordinate and automate the responses to identified threats using automated playbooks or workflows. Some <abbr title="security orchestration, automation and response">SOAR</abbr> products also use artificial intelligence (AI) to learn behaviour patterns and anticipate similar threats before they occur.</p> </section><section><h2 id="3">3 Benefits of <abbr title="security information and event management">SIEM</abbr> solutions</h2> <p>A <abbr title="security information and event management">SIEM</abbr> solution can help manage your organization's cyber security risks by supporting threat detection, compliance and security incident management activities. 
<abbr title="security information and event management">SIEM</abbr> solutions allow your security team to:</p> <ul><li>manage the continuous supply of log data from many disparate sources <ul><li>helps reduce the cost of individual tools used by different groups within your organization</li> <li>centralizes log data into a single repository</li> </ul></li> <li>correlate and analyze large volumes of data to proactively identify potential threats as they leave traces across disparate log sources</li> <li>automate repetitive security tasks to reduce security analysts' workloads</li> <li>receive automated alerts and trigger response actions for specific use cases to speed up incident response</li> <li>obtain organization-wide real-time data to quickly identify and eliminate vulnerability blind spots across your network</li> <li>search historical log data for different network nodes and time periods to support root-cause analysis and discover incidents after a breach has occurred</li> <li>generate reports for auditors to demonstrate compliance with regulatory requirements and detect potential violations early so they can be addressed</li> <li>view management dashboards that display event data in informational charts to see patterns of unusual activity <ul><li>helps your organization prioritize resources to address the most critical threats first</li> </ul></li> </ul><p><abbr title="security information and event management">SIEM</abbr> solutions can help your organization automate the assessment and continuous monitoring of security controls. According to the <a href="https://csrc.nist.gov/pubs/sp/800/137/final">National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137</a>, <abbr title="security information and event management">SIEM</abbr> technologies can help organizations automate many specific security controls. 
These technical, operational and management security controls are described in the Cyber Centre's <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33"><abbr title="information technology">IT</abbr> Security Risk Management: A Lifecycle Approach (ITSG-33)</a>.</p> <ul><li>Technical security controls <ul><li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a31ac5">AC-5 Separation of Duties</a></li> <li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a33au2">AU-2 Auditable Events</a></li> <li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a33au6">AU-6 Audit Review, Analysis, and Reporting</a></li> <li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a33au7">AU-7 Audit Reduction and Report Generation</a></li> </ul></li> <li>Operational security controls <ul><li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a38ir5">IR-5 Incident Monitoring</a></li> <li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a311pe6">PE-6 Monitoring Physical Access</a></li> <li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a317si4">SI-4 Information System Monitoring</a></li> </ul></li> <li>Management security controls <ul><li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a34ca2">CA-2 Security Assessments</a></li> <li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a34ca7">CA-7 Continuous Monitoring</a></li> <li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a314ra3">RA-3 Risk Assessment</a></li> <li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33#a314ra5">RA-5 Vulnerability Scanning</a></li> </ul></li> </ul></section><section><h2 
id="4">4 Cloud-based <abbr title="security information and event management">SIEM</abbr> solutions</h2> <p>The shift to cloud-based <abbr title="security information and event management">SIEM</abbr> solutions is reshaping how organizations manage and interact with their security data. A <a href="https://www.gartner.com/en/articles/searching-for-a-siem-solution-here-are-7-things-it-likely-needs">2023 Gartner report</a> estimated that 90% of <abbr title="security information and event management">SIEM</abbr> solutions would offer capabilities delivered exclusively in the cloud by the end of that year. Unlike a traditional on-prem <abbr title="security information and event management">SIEM</abbr> solution, which requires dedicated hardware and software within an organization's own infrastructure, a cloud-based <abbr title="security information and event management">SIEM</abbr> solution is hosted on servers maintained by a third-party cloud service provider (CSP).</p> <p>Cloud-based <abbr title="security information and event management">SIEM</abbr> solutions allow your organization to offload most of the infrastructure management to the <abbr title="cloud service provider">CSP</abbr> and focus on using the system to meet your security objectives. In practice, this means that log data from your organization's network devices and systems is collected, transferred to the cloud and securely stored on the <abbr title="cloud service provider">CSP</abbr>'s servers.</p> <p>Your organization can then work with its data through a web-based interface or an application programming interface (API) provided by the <abbr title="cloud service provider">CSP</abbr>. This interface typically includes a suite of tools for data analysis, visualization and reporting. 
This allows your organization to perform sophisticated analytics to detect, investigate and respond to security incidents.</p> <p>Cloud-based <abbr title="security information and event management">SIEM</abbr> solutions often come equipped with machine learning and <abbr title="artificial intelligence">AI</abbr> capabilities to better detect anomalies and potential threats. This happens in real time and at scale, providing organizations with a powerful, flexible and efficient tool for managing their cyber security posture.</p> <h3 id="4.1">4.1 Types of cloud offerings</h3> <p>There are two types of offerings for cloud-based <abbr title="security information and event management">SIEM</abbr> solutions: managed and unmanaged.</p> <h4 id="4.1.1">4.1.1 Managed</h4> <p>This is closer to a "<abbr title="security information and event management">SIEM</abbr>-as-a-service" model, where the <abbr title="security information and event management">SIEM</abbr> solution vendor is accountable for the cloud infrastructure and its maintenance. The vendor also provides the customer with real-time incident monitoring and threat detection services. The customer usually has less control over the <abbr title="security information and event management">SIEM</abbr> solution's lifecycle management, since this is the vendor's responsibility. Although managed solutions can be more expensive, they relieve the customer of the burden of implementing and maintaining the <abbr title="security information and event management">SIEM</abbr> solution.</p> <h4 id="4.1.2">4.1.2 Unmanaged</h4> <p>The customer is responsible for creating, maintaining, troubleshooting and managing the lifecycle of all the <abbr title="security information and event management">SIEM</abbr> solution's components. 
A third party may provide additional assistance, but the customer is generally responsible for the <abbr title="security information and event management">SIEM</abbr> solution's availability and stability. Unmanaged solutions may be suitable for organizations with highly sensitive assets that need full control over their <abbr title="security information and event management">SIEM</abbr> solution.</p> <h3 id="4.2">4.2 Benefits of cloud-based <abbr title="security information and event management">SIEM</abbr> solutions</h3> <p>Cloud-based <abbr title="security information and event management">SIEM</abbr> solutions can provide several benefits to your organization.</p> <h4 id="4.2.1">4.2.1 Scalability and flexibility</h4> <p>As your organization grows or experiences fluctuations in demand, cloud-based solutions can scale to meet your needs. Usage-based pricing also means that you pay only for what you use, which can be cost-effective for many organizations.</p> <h4 id="4.2.2">4.2.2 Reduced operational overhead</h4> <p>With an on-prem <abbr title="security information and event management">SIEM</abbr> solution, your organization is responsible for the upkeep of the hardware and software, which can be resource intensive. Cloud-based <abbr title="security information and event management">SIEM</abbr> solutions shift much of this responsibility to the <abbr title="cloud service provider">CSP</abbr>, allowing your security team to focus on strategic tasks rather than maintenance.</p> <h4 id="4.2.3">4.2.3 Analytics</h4> <p>Cloud-based <abbr title="security information and event management">SIEM</abbr> solutions often include ready-made (commercial off-the-shelf) analytics content that is specific to the <abbr title="cloud service provider">CSP</abbr>. These analytics are designed to work optimally within the provider's infrastructure, potentially offering superior threat detection and data analysis capabilities. 
Having these analytics can enhance your organization's cyber defence capabilities by harnessing the provider's specialized knowledge and resources.</p> <h3 id="4.3">4.3 Drawbacks of cloud-based <abbr title="security information and event management">SIEM</abbr> solutions</h3> <p>Although cloud-based <abbr title="security information and event management">SIEM</abbr> solutions can offer many benefits to your organization, you should be aware of the potential drawbacks.</p> <h4 id="4.3.1">4.3.1 Data privacy concerns</h4> <p>When you use a cloud-based <abbr title="security information and event management">SIEM</abbr> solution, your data resides on the <abbr title="cloud service provider">CSP</abbr>'s servers. Before moving to a cloud-based solution, ensure you fully understand and are comfortable with your provider's data handling and storage practices, including where your log data is stored and who can access it.</p> <h4 id="4.3.2">4.3.2 Vendor lock-in</h4> <p>Moving to a cloud-based <abbr title="security information and event management">SIEM</abbr> can lead to vendor lock-in, where it becomes difficult or expensive to switch to another provider or to revert to an on-prem solution. Many cloud services rely on the <abbr title="cloud service provider">CSP</abbr>'s proprietary data formats and tooling, which can make migrating data challenging. Before choosing a cloud-based <abbr title="security information and event management">SIEM</abbr> solution, ensure you understand the terms of service, including what switching providers would entail and how you would export your data.</p> <h4 id="4.3.3">4.3.3 Cost</h4> <p>Cloud-based <abbr title="security information and event management">SIEM</abbr> solutions can provide cost savings, especially in terms of maintenance and infrastructure, but they can also increase costs. 
This is particularly true if your organization's data volume is high, since many <abbr title="cloud service provider">CSP</abbr>s charge based on the amount of data ingested or processed.</p> </section><section><h2 id="5">5 Best practices for implementing a <abbr title="security information and event management">SIEM</abbr> solution</h2> <p>Secure deployment and operation of <abbr title="security information and event management">SIEM</abbr> solutions is vital. A <abbr title="security information and event management">SIEM</abbr> solution should be treated as a high-value system, like administrative and access control systems: it holds sensitive data from across the organization and has broad access to it. Because of its role in monitoring and detecting security incidents, take extra care to obtain assurance for both the product and the vendor. To limit the impact of a zero-day vulnerability in any one product, the Cyber Centre recommends designing your <abbr title="security information and event management">SIEM</abbr> architecture around solutions from multiple vendors rather than locking into a single vendor. This approach enhances your overall security posture by mitigating the risks associated with vendor-specific vulnerabilities.</p> <p>An improperly implemented <abbr title="security information and event management">SIEM</abbr> solution can produce a high number of false positives, flag more "abnormal" events and generate additional, unhelpful alerts. This can put a strain on your cyber security team's resources. 
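</p> <p>As an added example (not part of this publication), the following Python script shows the core of what section 2 describes: correlating related events inside a time window, matching source addresses against a threat feed of IoCs, and keeping a hash chain over stored records so that tampering is detectable. It also shows why the correlation threshold matters for the false-positive problem described above: with a threshold of two failed logins, a user who mistypes a password twice is flagged; with three, only the constructed attacker is. The event schema, addresses, feed and events are all constructed for the example.</p>

```python
"""Toy correlation engine for the SIEM capabilities in section 2 (added
example, not from the Cyber Centre publication).  It correlates related
events inside a time window, matches source addresses against a threat feed
of IoCs, keeps a hash chain over stored records so tampering is detectable,
and shows how the correlation threshold changes the false-positive rate.
The schema, addresses, feed and events are all constructed for the example."""
import hashlib
import json
from collections import defaultdict

# Constructed threat feed: source addresses reported as hostile.
THREAT_FEED = {"203.0.113.7"}

# Constructed, already-normalized login events (ts in seconds).  alice mistypes
# her password twice and then succeeds; 203.0.113.7 sprays several accounts.
EVENTS = [
    {"ts": 0,    "src_ip": "198.51.100.10", "user": "alice", "outcome": "failure"},
    {"ts": 20,   "src_ip": "198.51.100.10", "user": "alice", "outcome": "failure"},
    {"ts": 45,   "src_ip": "198.51.100.10", "user": "alice", "outcome": "success"},
    {"ts": 100,  "src_ip": "203.0.113.7",   "user": "root",  "outcome": "failure"},
    {"ts": 101,  "src_ip": "203.0.113.7",   "user": "admin", "outcome": "failure"},
    {"ts": 102,  "src_ip": "203.0.113.7",   "user": "svc",   "outcome": "failure"},
    {"ts": 103,  "src_ip": "203.0.113.7",   "user": "bob",   "outcome": "failure"},
    {"ts": 110,  "src_ip": "203.0.113.7",   "user": "bob",   "outcome": "success"},
    {"ts": 9000, "src_ip": "198.51.100.10", "user": "alice", "outcome": "failure"},
]


def match_iocs(events, feed):
    """Flag every event whose source address appears in the threat feed."""
    return [{"rule": "ioc_match", "src_ip": e["src_ip"], "ts": e["ts"]}
            for e in events if e["src_ip"] in feed]


def brute_force(events, threshold, window):
    """Alert once when a source reaches `threshold` failed logins inside a
    sliding `window` (seconds), and escalate if that source then succeeds."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        src = e["src_ip"]
        # Drop failures that have aged out of the window for this source.
        recent[src] = [t for t in recent[src] if e["ts"] - t <= window]
        if e["outcome"] == "failure":
            recent[src].append(e["ts"])
            if len(recent[src]) == threshold:
                alerts.append({"rule": "brute_force_attempt", "src_ip": src, "ts": e["ts"]})
        elif e["outcome"] == "success" and len(recent[src]) >= threshold:
            alerts.append({"rule": "brute_force_success", "src_ip": src,
                           "user": e["user"], "ts": e["ts"]})
            recent[src] = []
    return alerts


def run_rules(events, feed=THREAT_FEED, threshold=3, window=300):
    """Run every rule over one event set.  threshold and window are the
    tunables that decide whether alice's two typos become an alert."""
    return match_iocs(events, feed) + brute_force(events, threshold, window)


def chain_records(events):
    """Append-only store where each record's hash covers the previous hash,
    so editing or deleting an earlier record breaks every later link."""
    records, prev = [], "0" * 64
    for e in events:
        digest = hashlib.sha256((prev + json.dumps(e, sort_keys=True)).encode()).hexdigest()
        records.append({"event": e, "prev": prev, "hash": digest})
        prev = digest
    return records


def verify_chain(records):
    """Return the index of the first record that fails verification, or -1."""
    prev = "0" * 64
    for i, r in enumerate(records):
        expected = hashlib.sha256((prev + json.dumps(r["event"], sort_keys=True)).encode()).hexdigest()
        if r["prev"] != prev or r["hash"] != expected:
            return i
        prev = r["hash"]
    return -1


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
    print("chain ok" if verify_chain(chain_records(EVENTS)) == -1 else "chain broken")
```

<p><code>run_rules(EVENTS)</code> produces five IoC matches and two brute-force alerts for the constructed attacker; <code>brute_force(EVENTS, 2, 300)</code> adds two more for alice, which is exactly the kind of unhelpful alert a badly tuned rule generates. <code>verify_chain(chain_records(EVENTS))</code> returns -1 for an untouched chain and the index of the first bad record after any event is edited or deleted; a real deployment would also anchor the latest hash somewhere the SIEM cannot rewrite.</p> <p>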
By implementing the following best practices, your organization can get the most benefit from your <abbr title="security information and event management">SIEM</abbr> solution.</p> <h3 id="5.1">5.1 General best practices</h3> <ul><li>Define use cases for monitoring, alerting and auditing <ul><li>From those use cases, identify the log sources to be ingested and analyzed</li> </ul></li> <li>Consider conducting a proof of concept (POC) to assess whether the <abbr title="security information and event management">SIEM</abbr> solution is suitable for your environment <ul><li>Set up the <abbr title="proof of concept">POC</abbr> in a test environment that is based on well-defined user scenarios and is a representative subset of your infrastructure and data</li> </ul></li> <li>Identify your most critical resources, such as data and devices, and set up the <abbr title="security information and event management">SIEM</abbr> solution to monitor them</li> <li>Configure log source monitoring and alerts so that you are notified of log collection problems (e.g.,&nbsp;a source that stops sending or whose logs can no longer be parsed)</li> <li>Assess how much data you need to collect to get a comprehensive view of your network</li> <li>At a minimum, you should collect log data on: <ul><li>authentication and authorization transactions (successful and failed attempts)</li> <li>modifications to user privileges, including changes to user accounts (including creation and deletion), modifications to group memberships and authentication mechanisms (passwords and multi-factor configuration), and the addition or removal of privileged access</li> <li>application errors</li> <li>opt-in processes, such as acceptance of terms and conditions</li> <li>actions performed by all users with administrative privileges</li> <li>registration of new devices to infrastructure, including any "bring your own device" (BYOD) mobile phones and personal devices</li> </ul></li> <li>Prevent your <abbr title="security information and event management">SIEM</abbr> solution from collecting sensitive data such as: <ul><li>financial 
information (e.g.,&nbsp;bank records or credit card data)</li> <li>personally identifiable information (e.g.,&nbsp;government-issued identification numbers)</li> <li>passwords and encryption keys</li> </ul></li> <li>Understand your business compliance requirements and configure the <abbr title="security information and event management">SIEM</abbr> solution accordingly</li> <li>Conduct regular reviews and tests of your <abbr title="security information and event management">SIEM</abbr> solution to ensure that it is configured correctly for the security controls and policies you have implemented</li> <li>Establish an incident response plan so that your organization is prepared to handle a security incident properly when one occurs <ul><li>Consult our publication <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a> for more information</li> </ul></li> <li>Synchronize all network devices to a central time source so that recorded audit logs share the same clock and events from different devices can be ordered and correlated <ul><li>Set up a minimum of 3 time servers to facilitate maintenance and troubleshooting</li> </ul></li> <li>Subscribe to external threat feeds, create alerts based on the data they share and regularly update your detection logic to identify new threats <ul><li>The Cyber Centre provides <abbr title="indicators of compromise">IoCs</abbr> to organizations, including partners in Canadian critical infrastructure, through an automated system called AVENTAIL, which can be integrated directly into your <abbr title="security information and event management">SIEM</abbr></li> </ul></li> </ul><h3 id="5.2">5.2 Quality log data</h3> <p>To ensure that your organization gets the most useful insights into the activities within your network, make sure that high-quality log data is fed into your <abbr title="security information and event management">SIEM</abbr> tool.</p> <h4 id="5.2.1">5.2.1 Choose appropriate log collection methods</h4> <p><abbr 
title="security information and event management">SIEM</abbr> solutions can collect and store security logs from multiple sources. Determine which log collection method is appropriate for your organization's needs.</p> <ul><li>Log stream: Devices generate logs and send them via a continuous stream to the <abbr title="security information and event management">SIEM</abbr> solution's log collector. This provides the <abbr title="security information and event management">SIEM</abbr> solution with live information.</li> <li>Log push: A device gathers logs autonomously and pushes (uploads) the logs, either continuously or at regular intervals, to the <abbr title="security information and event management">SIEM</abbr> solution's log collector. The log collector is configured to accept the logs in a specified format and protocol (syslog, FTP, etc.).</li> <li>Log pull: Unlike a log push, this method has the <abbr title="security information and event management">SIEM</abbr> solution's log collector initiate the connection and request the logs. This method is often used to gather operating system-level logs by using a software agent.</li> </ul><h4 id="5.2.2">5.2.2 Review and update log dissectors</h4> <p>Different systems generate logs in different formats. Some log formats have a well-defined structure and are easy for a <abbr title="security information and event management">SIEM</abbr> solution to ingest, while other log formats are less consistent and more challenging for a <abbr title="security information and event management">SIEM</abbr> solution to dissect and ingest.
Ensure the <abbr title="security information and event management">SIEM</abbr> solution you select can understand the logs it will receive.</p> <p>Log formats can also change over time (e.g., after software updates), which can result in the <abbr title="security information and event management">SIEM</abbr> being unable to dissect and index logs from a particular source. Review the log dissectors regularly and update them as needed.</p> <h4 id="5.2.3">5.2.3 Manage log storage appropriately</h4> <p>Log data received by the <abbr title="security information and event management">SIEM</abbr> solution is stored according to the configured retention policies. Logs can be sent to storage for archiving or can be sent to the <abbr title="security information and event management">SIEM</abbr> solution's correlation engine, where they will be analyzed and correlated against other logs. This correlation can provide meaningful information for your <abbr title="information technology">IT</abbr> team.</p> <p>Depending on which <abbr title="security information and event management">SIEM</abbr> solution you choose, logs can be stored either as they were received or in a compressed format. Since searching compressed logs takes more time, some <abbr title="security information and event management">SIEM</abbr> solutions retain recent logs in an uncompressed format. After a predefined amount of time, the logs are compressed to reduce storage usage.</p> <p><abbr title="security information and event management">SIEM</abbr> solutions can receive thousands of logs every second, so keeping uncompressed logs for an extended period can result in high storage costs. If the <abbr title="security information and event management">SIEM</abbr> solution stores logs in the cloud, storage costs could also increase significantly.</p> <p>Removing logs after they are no longer of value will help with both storage costs and performance.
Logs that exceed the retention policy can be discarded or stored in lower-cost solutions.</p> <h5 id="5.2.3.1">5.2.3.1 Log data retention</h5> <p>Log retention policies can help keep storage needs under control. When developing your organization's log retention policy, carefully consider how long to retain security logs. As a general guideline, we recommend retaining your organization's important logs for <strong>at least 6 months</strong>. For more critical logs, consider a retention period of 13 months.</p> <p>Your retention period will depend on your:</p> <ul><li>organization's industry standards</li> <li>regulations and laws</li> <li>specific cyber security concerns unique to your business environment</li> <li>storage costs and availability</li> </ul><p>Many compromises are discovered long after the breach occurred. According to IBM's publication <a href="https://www.ibm.com/reports/data-breach">Cost of a Data Breach Report 2023</a>, the mean time to identify a breach was 204 days. If your organization experiences a breach, your logs are crucial evidence that will help you identify and investigate the incident. Take care in developing your log retention policy and periodically review it to see if adjustments are necessary and whether your logs are being retained for the appropriate amount of time.</p> <h4 id="5.2.4">5.2.4 Activate indexing of most-searched fields</h4> <p>Logs from different source types contain different information and use different formats. <abbr title="security information and event management">SIEM</abbr> solutions use log dissectors to understand log formats and the information that logs contain. This can include the log itself, date and time information, and the location of the username or machine name in the log stream.
These fields can be indexed, which will result in faster search results.</p> <p>Indexing logs makes searching faster, but requires additional storage and central processing unit (CPU) resources, which can affect the performance of the <abbr title="security information and event management">SIEM</abbr> solution. We recommend only indexing fields that are searched often.</p> <p>The <abbr title="security information and event management">SIEM</abbr> solution should be able to provide information on searches, including which fields are searched and if those fields are indexed. Using this information, the <abbr title="security information and event management">SIEM</abbr> administrator can activate or deactivate indexing based on how often the fields are searched.</p> <h4 id="5.2.5">5.2.5 Normalize log data</h4> <p>Normalizing logs is important for correlating events and investigating incidents. A <abbr title="security information and event management">SIEM</abbr> solution may ingest logs in different formats. For example, your network might have devices in different time zones, some logs may use the 12-hour format while others use the 24-hour format, or your Active Directory (AD) logs may contain usernames while cloud logs show a person's email address as their username.</p> <p>The <abbr title="security information and event management">SIEM</abbr> solution should be able to normalize as many fields as possible to limit the number of search strings pointing to the same user or resource. During an incident investigation, searching for events that occurred within a particular period should return logs from all devices, regardless of the time zone to which the <abbr title="security information and event management">SIEM</abbr> solution has been configured.</p> <h4 id="5.2.6">5.2.6 Adjust correlation rules and thresholds</h4> <p>Event correlation refers to analyzing events against business contexts and drawing connections between them based on a set of predefined rules.
These rules allow your <abbr title="security information and event management">SIEM</abbr> solution to determine which suspicious activities should be treated as potential security threats. To accurately detect incidents, the <abbr title="security information and event management">SIEM</abbr> solution's correlation engine must be configured properly. Adjust the correlation rules and set thresholds based on your organization's specific use cases or business needs. You can start with the <abbr title="security information and event management">SIEM</abbr> solution's default configuration rules and deactivate and activate parameters according to what you want correlated.</p> </section> <section><h2 id="6">6 Zero trust architecture</h2> <p>The term "zero trust" (ZT) represents a security framework for protecting infrastructure and data. <abbr title="zero trust">ZT</abbr>'s central tenet is that no subject (application, user or device) in an information system is trusted by default. Trust must be assessed and verified every time a subject requests access to a new resource. The degree of access provided is dynamically adjusted based on the level of trust established with the subject. <abbr title="zero trust">ZT</abbr> involves adopting a new security mindset by always assuming a breach and focusing on protecting resources (e.g., services and data). A zero trust architecture (ZTA) is an enterprise approach to designing systems in which security is based on <abbr title="zero trust">ZT</abbr> principles.
To learn more about <abbr title="zero trust architecture">ZTA</abbr>, refer to our publication <a href="/en/guidance/zero-trust-approach-security-architecture-itsm10008">A zero trust approach to security architecture (ITSM.10.008)</a>.</p> <p><a href="https://csrc.nist.gov/pubs/sp/1800/35/2prd">NIST SP 1800-35B Implementing a Zero Trust Architecture</a> describes example solutions for implementing <abbr title="zero trust architecture">ZTA</abbr>. The solutions assume that <abbr title="security information and event management">SIEM</abbr> technology is one of an organization's baseline cyber security functions, on top of which capabilities are gradually added as the organization evolves toward a <abbr title="zero trust architecture">ZTA</abbr>. <abbr title="security information and event management">SIEM</abbr> solutions support <abbr title="zero trust architecture">ZTA</abbr> implementation since the data they collect could feed into the <abbr title="zero trust architecture">ZTA</abbr> policy engine to help with dynamic access decisions.</p> </section> <section><h2 id="7">7 Summary</h2> <p>Large organizations and enterprises are facing an ever-evolving cyber threat landscape. To mitigate attacks by advanced threat actors, your organization should invest in security tools that provide real-time insights about activities in your network. Cyber security tools like <abbr title="security information and event management">SIEM</abbr> solutions can provide you with a single interface to get these insights. A <abbr title="security information and event management">SIEM</abbr> solution can help your organization to detect, analyze and respond to cyber security threats before they disrupt your business operations.
As with any significant <abbr title="information technology">IT</abbr> decision, you should weigh all the information presented in this publication against your organization's specific needs and circumstances to determine if a <abbr title="security information and event management">SIEM</abbr> solution is the best fit for you.</p> </section></div> </div> </div> </div> </div> </article>
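The normalization step of section 5.2.5 and the threshold-based correlation rule of section 5.2.6, as an added example that is not part of the Cyber Centre publication: three constructed log sources (a hypothetical VPN gateway logging 12-hour local time, an Active Directory domain controller logging account names, and a cloud service logging e-mail addresses in JSON) are dissected into one schema with UTC timestamps and a single user identity, then a rule raises an alert when failed logons for one user across any source reach a threshold inside a time window. Lines the dissectors cannot parse are counted rather than silently dropped, which is how the dissector drift of section 5.2.2 becomes visible; all host names, users and addresses are constructed.

```python
"""Added example (not from the Cyber Centre publication): a minimal log
normalizer plus a threshold-based correlation rule for failed logons.
All log lines, host names and users below are constructed."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample logs from three hypothetical sources: a VPN gateway logging
# 12-hour local time in UTC-4, an Active Directory domain controller (event
# 4624 = successful logon, 4625 = failed logon) logging upper-case account names,
# and a cloud service logging e-mail addresses in JSON with UTC timestamps.
# The last line is the VPN gateway after a hypothetical update changed its format.
SAMPLE_LOGS = [
    "vpn-gw1 2024-05-01 09:15:02 AM -0400 LOGIN_FAILED user=jsmith src=203.0.113.7",
    "vpn-gw1 2024-05-01 09:15:41 AM -0400 LOGIN_FAILED user=jsmith src=203.0.113.7",
    "dc01 EventID=4625 TimeCreated=2024-05-01T13:16:10Z TargetUserName=JSMITH",
    'cloud-app {"ts": "2024-05-01T13:16:55Z", "actor": "jsmith@example.gc.ca", "outcome": "failure"}',
    'cloud-app {"ts": "2024-05-01T13:17:20Z", "actor": "jsmith@example.gc.ca", "outcome": "success"}',
    "dc01 EventID=4624 TimeCreated=2024-05-01T13:30:00Z TargetUserName=AMARTIN",
    "vpn-gw1 May  1 09:18:00 LOGIN_FAILED user=jsmith src=203.0.113.7",
]

@dataclass(frozen=True)
class Event:
    ts: datetime      # timezone-aware, always converted to UTC
    source: str       # originating host
    user: str         # normalized identity (lower-case account name, no domain)
    outcome: str      # "success" or "failure"

@dataclass
class Alert:
    user: str
    count: int
    first: datetime
    sources: list

def normalize_user(raw: str) -> str:
    """Map 'JSMITH', 'jsmith' and 'jsmith@example.gc.ca' to one identity."""
    return raw.split("@", 1)[0].strip().lower()

_VPN_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [AP]M [+-]\d{4}) "
    r"(?P<action>LOGIN_\w+) user=(?P<user>\S+)"
)
_AD_RE = re.compile(
    r"^(?P<host>\S+) EventID=(?P<eid>\d+) TimeCreated=(?P<ts>\S+) TargetUserName=(?P<user>\S+)"
)

def dissect(line: str):
    """Parse one raw line into the common Event schema; None if no dissector matches."""
    m = _VPN_RE.match(line)
    if m:
        local = datetime.strptime(m["ts"], "%Y-%m-%d %I:%M:%S %p %z")
        outcome = "success" if m["action"] == "LOGIN_OK" else "failure"
        return Event(local.astimezone(timezone.utc), m["host"], normalize_user(m["user"]), outcome)
    m = _AD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        outcome = "success" if m["eid"] == "4624" else "failure"
        return Event(ts, m["host"], normalize_user(m["user"]), outcome)
    host, _, body = line.partition(" ")
    if body.startswith("{"):
        try:
            rec = json.loads(body)
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            return Event(ts.astimezone(timezone.utc), host, normalize_user(rec["actor"]), rec["outcome"])
        except (KeyError, ValueError):
            return None
    return None

def correlate(lines, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Rule: at least `threshold` failed logons for one normalized user, from any source,
    inside `window` -> one Alert per user. Also returns the count of undissected lines."""
    events, undissected = [], 0
    for line in lines:
        ev = dissect(line)
        if ev is None:
            undissected += 1
        else:
            events.append(ev)
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):   # order by normalized UTC time
        if ev.outcome == "failure":
            failures[ev.user].append(ev)
    alerts = []
    for user, fails in failures.items():
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e.ts - first.ts <= window]
            if len(burst) >= threshold:
                alerts.append(Alert(user, len(burst), first.ts, sorted({e.source for e in burst})))
                break
    return alerts, undissected

if __name__ == "__main__":
    found, skipped = correlate(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a.user}: {a.count} failed logons via {a.sources} starting {a.first.isoformat()}")
    print(f"{skipped} line(s) not dissected; review the log dissectors")
```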
- GeekWeek 10 by Canadian Centre for Cyber Security on March 17, 2025 at 6:50 pm
<article data-history-node-id="6102" about="/en/geekweek/geekweek-10" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p><img alt="geekweek banner" class="img-responsive mrgn-bttm-lg" src="/sites/default/files/images/geekweek-10-1170×347.jpg" /></p> <h2 class="page-header">Demystify Cyber Security</h2> <p>GeekWeek provides an opportunity for participants to take a few days away from their day-to-day work and collaborate with public sector, industry, critical infrastructure and international partners to explore innovative ideas in the cyber security space.</p> <div class="row"> <section class="col-md-4 col-sm-5 pull-right well well-sm mrgn-tp-lg mrgn-bttm-lg"><h3 class="mrgn-tp-sm">Venue</h3> <img alt="Photo of Vanier Facility" class="img-responsive" src="/sites/default/files/images/vanier-edifice-vanier_1.jpg" /><p class="mrgn-tp-md">Canadian Centre for Cyber Security<br /> 1625 Vanier Parkway, Ottawa, ON<br /> K1L 7P1</p> </section><div class="col-md-8 col-sm-7 mrgn-tp-lg"> <h2 class="page-header">Event date</h2> <p>May 28 to June 6, 2025</p> <p class="mrgn-bttm-lg">If you're interested in future Geek events, reach out to <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> <h2 class="page-header">Registration information</h2> <p>Given the technical nature of the workshop, GeekWeek is an <strong>invitation-only event</strong>.</p> </div> </div> <h2 class="page-header">Keynote speaker</h2> <p class="mrgn-bttm-lg">Since 2014, Jeff Yates has made
understanding misinformation on the web his journalistic specialty. After creating <em>Inspector</em>, a blog in the <em>Métro</em> newspaper, which was the first platform from a Quebec media outlet dedicated to examining viral fake news, he quickly became known in the field. In addition to fake news, he is interested in the effects of social networks and algorithms on information, web propaganda, and the exploitation of new forms of communication.</p> <h2 class="page-header">Participating organizations</h2> <p class="mrgn-bttm-lg">To be confirmed.</p> <h2 class="page-header">Topics and themes</h2> <p>The following topics and themes have been proposed for GeekWeek 10.</p> <ul class="list-unstyled"><li> <details><summary>Physical cyber systems </summary><ul><li>Preparing for a wireless future</li> <li>Industrial spectrum monitoring</li> <li>Industrial control systems: Operational technology security for energy</li> <li>Digital identity</li> <li>Security gateway for connected cars</li> <li>Hunting the hunters</li> <li>Firmware security</li> </ul></details></li> <li> <details><summary>Cyber toolboxes and analytical environments </summary><ul><li>Memory analysis</li> <li>Live sandboxes</li> <li>Industrial control systems honeypot</li> <li>Remote desktop protocol honeypot</li> <li>Home modems and routers protection</li> <li>Internet scanner</li> </ul></details></li> <li> <details><summary>Cyber threat hunting </summary><ul><li>Detecting and decoding advanced persistent threat malware</li> <li>Validating cyber threat infrastructure</li> <li>Cyber artifact crowdsourcing</li> <li>Malicious infrastructure and threat hunting</li> <li>Operationalize hunting malicious samples</li> <li>Cross-organization data harvesting and analytics</li> <li>It's all about money</li> </ul></details></li> <li> <details><summary>Cyber threat analytics </summary><ul><li>Cyber security posture</li> <li>Cyber threat storytelling</li> <li>Protecting country-specific domains from phishing campaigns</li>
<li>Advanced genetic malware analysis</li> <li>Malicious email identification and triage enhancement with large language models (LLMs)</li> <li>Cyber news aggregation and summarization with LLMs</li> <li>Automated signature generation</li> </ul></details></li> <li> <details><summary>Cyber protection, assessment and defence </summary><ul><li>Building secure cloud applications</li> <li>Monitoring, analytics and scaling security in the cloud</li> <li>Hardened router operating system</li> <li>Analyze this!</li> <li>Feeding the dragon: Threat modeling and risk assessment made easy</li> <li>Evaluating software deployed through business networks</li> <li>Bridging the communication gap in cyber security</li> <li>Secure and private mobile operating system</li> </ul></details></li> <li> <details><summary>Open-source solutions: Giving back to the cyber security community </summary><ul><li>Cyber range development</li> <li>Cyber tools development: Kangooroo, Borealis, Chameleon/Beever, BeAVER, Assemblyline and BADGER</li> </ul></details></li> <li> <details><summary>Cyber defence turnkey solutions </summary><ul><li>Cyber defence Fly-Away kit</li> <li>Secure operations centre (SOC) in a box <ul><li>Platform</li> <li>Pipeline for data collection</li> <li>Analytics</li> <li>Machine learning-based analytics</li> </ul></li> </ul></details></li> </ul><div class="clearfix">&nbsp;</div> <p>For more general information about GeekWeek, visit the <a href="/en/geekweek">GeekWeek page</a>.</p> </div> </div> </div> </div> </div> </article>
- Cyber supply chain security for small and medium-sized organizations (ITSAP.00.070) by Canadian Centre for Cyber Security on March 6, 2025 at 7:46 pm
<article data-history-node-id="701" about="/en/guidance/cyber-supply-chain-security-small-medium-sized-organizations-itsap00070" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"> <div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>March 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.070</strong></p> </div> <div class="hidden-lg hidden-md text-center"> <p><strong>March 2025 | Awareness series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <p>A supply chain is a network of companies and individuals involved in the production of a product or service. It includes the critical links between your organization and others that help you serve your customers. Whether you own a flower shop or an advertising agency, the quality and security of your supply chain is a key factor in the success of your organization.</p> <p>Supply chains increasingly feature the bidirectional movement of digital information in addition to the movement of products, services, and currency.
Cyber threats propagate through digital information transfer, meaning supply chains provide an extended attack surface against Canadian organizations and an alternative path for cyber threat actors to direct action against an organization's networks.</p> <p>As an organization owner, have you ever thought about the kind of information you share across your supply chain? Do you know how your suppliers handle and store your information? It is important to ask these and other questions to keep your organization secure. Cyber attacks are not only costly to address but can put your organization and its reputation at risk.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#risks">Risks to your supply chain</a></li> <li><a href="#verifying">Verifying your supply chain for weak links</a></li> <li><a href="#evaluating">Evaluating your supply chain</a></li> <li><a href="#concerns">Addressing <abbr title="information technology">IT</abbr> security concerns</a></li> <li><a href="#processes">Creating supply chain security processes</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="risks">Risks to your supply chain</h2> <p>You may not think that your small or medium-sized organization is a target for threat actors, but it could be.
All organizations, no matter their size, hold information that makes them attractive targets to cyber threat actors. Small and medium-sized organizations may also use outdated software or hardware that requires replacement or updates and is vulnerable to threat actors looking for soft targets.</p> <p>Threat actors may target your supply chain, especially if your organization:</p> <ul><li>collects personal information from clients, such as <ul><li>names</li> <li>addresses</li> <li>phone numbers</li> <li>email addresses</li> <li>birthdays</li> </ul></li> <li>possesses trade secrets or other intellectual property</li> <li>has competitors interested in learning the identity of your clients</li> <li>uses point-of-sale systems for payment information that hold credit card and client information</li> <li>connects to other databases or systems of interest to a threat actor via your supply chain</li> <li>is responsible for critical infrastructure systems that may be targeted by state-sponsored attackers</li> </ul><p>Remember, even if your organization has top-notch security, a vulnerable partner in your supply chain is a risk to everyone in the chain.</p> <h2 class="text-info" id="verifying">Verifying your supply chain for weak links</h2> <p>A chain is only as strong as its weakest link. You should verify the risk of supply chain compromise and the trustworthiness of the products and services you buy, download, or access for free. When you take the time to understand and secure your supply chain, you reduce the possibility of sensitive information falling into the hands of threat actors. Your customers will also feel more comfortable engaging with your organization knowing that you have taken steps to secure their information.</p> <h2 class="text-info" id="evaluating">Evaluating your supply chain</h2> <p>The first step in securing any supply chain is to know your vendors who have access to your data and support your critical business functions.
You can't look at all vendors with the same approach. Knowing your vendors will assist you in examining your supply chain for weaknesses. You may find vulnerabilities in your information technology (IT) and operational technology (OT) equipment and devices. You may also find vulnerabilities in other aspects of your supply chain, such as access controls to physical premises or systems, transportation or product sourcing.</p> <p>You should create an inventory of all third parties that interact with your organization, including vendors, contractors and service providers. We also recommend you categorize or classify third parties based on their criticality to your organization's operations. For example, a critical supplier who provides essential components would have a higher impact than a non-critical service provider.</p> <p>When evaluating your supply chain, start with the following considerations:</p> <ul><li>Evaluate the kind of information you share with your suppliers and contractors</li> <li>Understand what needs to be protected, such as organizational assets and sensitive information</li> <li>Be aware of the types of cyber threats your company could face and develop security controls around your specific threat environment</li> <li>Know that tampering can occur or unauthorized replacement parts can be installed when <ul><li>electronic equipment is serviced or repaired, or</li> <li>new equipment is shipped or received</li> </ul></li> <li>Understand that malicious activity, including covert installation of unauthorized software, can occur when software is installed, updated or uninstalled</li> <li>Beware of counterfeit goods sold by unofficial resellers and always buy hardware and software from vendors approved by the manufacturer</li> <li>Ensure only trusted personnel, including contract personnel, have access to sensitive data like company secrets, financial information and personal information</li> <li>Request and assess the security plan of a supplier's
facility if you intend to store sensitive information or devices offsite</li> </ul><h2 class="text-info" id="concerns">Addressing <abbr title="information technology">IT</abbr> security concerns</h2> <p>You should work with your <abbr title="information technology">IT</abbr> service providers and vendors to address supply chain concerns. These providers can be the company hosting your online store, the <abbr title="information technology">IT</abbr> service team that maintains your equipment, or the company that sells you <abbr title="information technology">IT</abbr> equipment. Your supply chain includes all software and digital services you use. This includes platforms such as free open-source software, mobile applications (apps), and spreadsheet templates.</p> <p>Here are some sample questions you can ask these providers:</p> <ul><li>How do you protect customer data?</li> <li>How do you encrypt data?</li> <li>Where do you store customer information: in the cloud, onsite or on a <abbr title="personal computer">PC</abbr>?</li> <li>What ongoing connections do you maintain to our organization's hardware and software?</li> <li>How long do you retain information and how do you destroy it?</li> <li>Do you share information with third-party contractors?</li> <li>How do you secure your network and devices against attacks?</li> <li>How do you ensure software is up to date and how do you address known vulnerabilities?</li> <li>What is your disaster recovery strategy?</li> <li>Do you follow regulations for the data you process, and do you have the proper certifications?</li> <li>How quickly do you release security patches and updates after discovering vulnerabilities?</li> <li>Will you inform me if there has been a cyber event? If so, how quickly?</li> </ul><h2 class="text-info" id="processes">Creating supply chain security processes</h2> <p>Your organization should create clear processes to help prevent security issues stemming from your supply chain.
These should include:</p> <ul><li>setting minimum security requirements for your suppliers</li> <li>prioritizing security considerations when choosing between 2 solutions of similar cost and function</li> <li>adding clauses to address basic supply chain risks when contracting for products and services that may affect your infrastructure or data</li> <li>including stipulations in contracts that vendors notify your organization within a specified time frame in the event of security incidents and vulnerabilities</li> <li>building assurance activities like internal audits and risk assessments into your supply chain management strategy</li> <li>reviewing your supply chain security as your organization changes</li> <li>re-evaluating contractors and suppliers regularly to ensure they still meet your security requirements</li> <li>considering place of origin and the implications of foreign ownership in your procurement</li> <li>maintaining open lines of communication with suppliers</li> <li>promoting awareness and continuous improvement of your supply chain security</li> <li>being aware of the latest and most common cyber attacks and preparing a response plan that includes tabletop exercises</li> <li>regularly rescreening and retraining your employees on cyber security supply chain essentials</li> <li>ensuring your systems stay up to date with the latest security patches to protect from cyber attacks and security threats</li> <li>using third-party assessments to assess critical suppliers</li> <li>creating plans to manage supplied product obsolescence</li> </ul><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="/en/guidance/protecting-high-value-information-tips-small-and-medium-organizations-itsap40001">Protecting high-value information: Tips for small and medium organizations (ITSAP.40.001)</a></li> 
<li><a href="/en/guidance/top-measures-enhance-cyber-security-small-and-medium-organizations-itsap10035">Top measures to enhance cyber security for small and medium organizations (ITSAP.10.035)</a></li> <li><a href="/en/guidance/foundational-cyber-security-actions-small-organizations-itsap10300">Foundational cyber security actions for small organizations (ITSAP.10.300)</a></li> <li><a href="/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071">Protecting your organization from software supply chain threats (ITSM.10.071)</a></li> <li><a href="/en/guidance/cyber-threat-supply-chains">The cyber threat from supply chains</a></li> </ul></div> </div> </div> </div> </div> </div> </div> </article>
- Communications Security Establishment Canada releases 2025 update to report on cyber threats to Canada's democratic process by Canadian Centre for Cyber Security on March 6, 2025 at 3:20 pm
<article data-history-node-id="6163" about="/en/news-events/communications-security-establishment-canada-releases-2025-update-report-cyber-threats-canadas-democratic-process" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> </div> </div> </div> </article>
- Cyber Threats to Canada’s Democratic Process: 2025 Update by Canadian Centre for Cyber Security on March 6, 2025 at 2:45 pm
<article data-history-node-id="6062" about="/en/guidance/cyber-threats-canadas-democratic-process-2025-update" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><section class="row"><div class="col-md-12"> <h2 class="text-info page-header mrgn-tp-lg" id="about_us">About us</h2> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 pull-right mrgn-tp-sm mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/tdp-2025-e-v1.pdf">Cyber Threats to Canada’s Democratic Process: 2025 Update (PDF, 3.69 MB)</a></p> </div> <p>The Communications Security Establishment Canada (CSE) is Canada’s centre of excellence for cyber operations. As one of Canada’s key security and intelligence organizations, CSE protects the computer networks and information of greatest importance to Canada and collects foreign signals intelligence. CSE also provides assistance to federal law enforcement and security organizations in their legally authorized activities when they may need our unique technical capabilities.</p> <p>CSE protects computer networks and electronic information of importance to the Government of Canada, helping to thwart state-sponsored or criminal cyber threat activity on our systems.
In addition, CSE’s foreign signals intelligence work supports government decision-making in the fields of national security and foreign policy, providing a better understanding of global events and crises, helping to further Canada’s national interest in the world.</p> <p>Part of CSE is the Canadian Centre for Cyber Security (Cyber Centre), Canada’s technical authority on cyber security. The Cyber Centre is the single unified source of expert advice, guidance, services, and support on cyber security for Canadians and Canadian organizations. CSE and the Cyber Centre play an integral role in helping to protect Canada and Canadians against foreign threats, helping to ensure our nation’s security, stability, and prosperity. Threats include foreign-based terrorism, foreign espionage, cyber threat activity, kidnapping of Canadians abroad and attacks on our embassies, among others.</p> </div> </section><section class="row"><div class="clearfix"> </div> <div class="col-md-12 mrgn-tp-md"> <details><summary><h2 class="h3">Table of contents</h2> </summary><ul><li><a href="#about_us">About us</a></li> <li><a href="#executive_summary">Executive summary</a> <ul><li><a href="#key_findings">Key findings and global trends</a></li> </ul></li> <li><a href="#about_report">About this report</a> <ul><li><a href="#scope">Scope</a></li> <li><a href="#sources">Sources</a></li> <li><a href="#more_information">More information</a></li> <li><a href="#estimative_language">Estimative language</a></li> </ul></li> <li><a href="#introduction">Introduction</a> <ul><li><a href="#elections">Canadian elections: An attractive target for foreign actors</a></li> <li><a href="#threats">AI-enabled cyber threats to Canada’s democratic process</a></li> </ul></li> <li><a href="#changes">Changes in AI technology</a> <ul><li><a href="#llm">Large language models ( <abbr title="Large Language Models">LLMs </abbr>)</a></li> <li><a href="#deepfakes">The rise of deepfakes</a></li> <li><a href="#machine">Machine 
learning analytics and the exploitation of big data</a></li> </ul></li> <li><a href="#global_trends">Global trends</a> <ul><li><a href="#trend1">Trend 1: Generative AI is polluting the information ecosystem</a></li> <li><a href="#trend2">Trend 2: AI involvement uncertain in phishing against electoral institutions</a></li> <li><a href="#trend3">Trend 3: Advanced targeting based on machine learning analytics</a></li> <li><a href="#trend4">Trend 4: Threat actors are using generative AI to harass public figures</a></li> </ul></li> <li><a href="#actors">Main threat actors using AI to target democratic processes</a> <ul><li><a href="#russia">Russia</a></li> <li><a href="#prc">The People’s Republic of China </a></li> <li><a href="#iran">Iran</a></li> <li><a href="#nonstate">Cybercriminals and non-state actors</a></li> </ul></li> <li><a href="#implications">Implications for Canadian elections</a></li> <li><a href="#looking">Looking ahead</a></li> <li><a href="#fn">Endnotes</a></li> </ul></details></div> </section><div class="clearfix"> </div> <section class="mrgn-tp-lg"><h2 class="text-info page-header mrgn-tp-lg" id="executive_summary">Executive summary</h2> <p>Hostile actors are increasingly leveraging artificial intelligence (AI) tools in attempts to interfere in democratic processes, including elections, around the globe. Over the past two years, these tools have become more powerful and easier to use. They now play a pervasive role in political disinformation, as well as the harassment of political figures. They can also be used to enhance hostile actors’ capacity to carry out cyber espionage and malicious cyber activities.</p> <p>This report is an update to the <a href="/en/guidance/cyber-threats-canadas-democratic-process-2023-update">Cyber Threats to Canada’s Democratic Process: 2023 Update</a> (TDP 2023). Although the assessments contained in that report remain relevant, the rapid technological advances over the past two years in AI pose a new challenge. 
Accordingly, this update addresses exclusively threat actors and their use of AI to target democratic processes globally and in Canada. While it is difficult to predict what disinformation or influence campaigns will gain traction, we assess that it is very unlikely (i.e. roughly 10-30% chance) that disinformation, or any AI-enabled cyber activity, would fundamentally undermine the integrity of Canada’s democratic processes in the next Canadian general election. As AI technologies continue to advance and cyber adversaries improve their proficiency in using AI, the threat against future Canadian general elections is likely to increase.</p> <h3 id="key_findings">Key findings and global trends</h3> <ul><li>In the last two years, hostile actors have increasingly used generative AI to target global elections, including in Europe, Asia, and in the Americas. While <abbr title="Cyber Threats to Canada’s Democratic Process">TDP </abbr> 2023 counted only one case of generative <abbr title="Artificial Intelligence">AI </abbr> being used to target an election between 2021 and 2023, we observed 102 reported cases of generative <abbr title="Artificial Intelligence">AI </abbr> being used to interfere with or influence 41 elections, or 27% of elections, held between 2023 and 2024. These cases involved the use of <abbr title="Artificial Intelligence">AI </abbr> to create disinformation, actively spread disinformation online, and harass politicians. These new developments are driven by improvements in the quality, cost, efficiency, and accessibility of <abbr title="Artificial Intelligence">AI </abbr> technology.</li> <li>While we were unable to attribute the majority of the <abbr title="Artificial Intelligence">AI </abbr>-enabled campaigns against global elections to specific actors, our research did identify a high number of threat activities attributed to Russia and the People’s Republic of China (PRC). 
We assess it almost certain that these states, as well as a range of non-state actors, leverage generative <abbr title="Artificial Intelligence">AI </abbr> to spread disinformation narratives, in particular to sow division and distrust within democratic societies. We assess it very likely that Russia and the PRC will continue to be responsible for most of the attributable nation state <abbr title="Artificial Intelligence">AI </abbr>-enabled cyber threat and disinformation activity targeting democratic processes.</li> <li>A range of threat actors are using generative <abbr title="Artificial Intelligence">AI </abbr> to pollute the information environment. Of 151 global elections between 2023 and 2024, there were 60 reported <abbr title="Artificial Intelligence">AI </abbr>-generated synthetic disinformation campaigns and 34 known and likely cases of <abbr title="Artificial Intelligence">AI </abbr>-enabled social botnets. The increased use of generative <abbr title="Artificial Intelligence">AI </abbr> marks a change in how disinformation is created and spread but not in the underlying motives and intended effects of disinformation campaigns. We assess it likely that such campaigns will continue to grow in scale as AI technology enabling synthetic disinformation becomes increasingly available.</li> <li>We assess it likely that, consistent with non-AI-enabled forms of disinformation, most foreign created <abbr title="Artificial Intelligence">AI </abbr>-generated content does not gain significant visibility in democratic societies. However, information that does gain visibility is usually wittingly or unwittingly amplified by popular domestic and transnational commentators. In addition, foreign actors have displayed an ability to create and spread viral disinformation using generative <abbr title="Artificial Intelligence">AI </abbr>. 
We assess it likely that, as foreign actors refine their <abbr title="Artificial Intelligence">AI </abbr>-enabled methods, their disinformation will gain greater exposure online. Nonetheless, it remains difficult to predict which piece of disinformation will gain exposure or find resonance online.</li> <li>The <a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a> ( <abbr title="National Cyber Threat Assessment">NCTA </abbr> 2025-2026) documented that cybercriminals and state-sponsored actors are using generative <abbr title="Artificial Intelligence">AI </abbr> to make social engineering attacks more personal and persuasive. We assess it likely that over the next two years, threat actors will integrate generative <abbr title="Artificial Intelligence">AI </abbr> into social engineering attacks against political and public figures, as well as election management bodies. Although we have not yet observed an actor using generative <abbr title="Artificial Intelligence">AI </abbr> to target elections in this way, we cannot rule out the possibility it has already happened.</li> <li>We further assess it likely that, over the next two years, actors targeting Canada will use a range of <abbr title="Artificial Intelligence">AI </abbr> technologies to improve the stealth and efficacy of malware they seek to deploy against target voters, politicians, public figures, and electoral institutions.</li> <li>Nation states, in particular the <abbr title="People’s Republic of China">PRC </abbr>, are undertaking massive data collection campaigns, collecting billions of data points on democratic politicians, public figures, and citizens around the world. Advances in predictive <abbr title="Artificial Intelligence">AI </abbr> allow human analysts to quickly query and analyze these data. We assess it likely that such states are gaining an improved understanding of democratic political environments as a result. 
By possessing detailed profiles of key targets, social networks, and voter psychographics, threat actors are almost certainly enhancing their capabilities to conduct targeted influence and espionage campaigns.</li> <li>Cybercriminals and non-state actors are using generative <abbr title="Artificial Intelligence">AI </abbr> to create deepfake pornography of politicians and public figures—almost all the targets were women. While most cases do not appear to have been part of a deliberate influence campaign, deepfake pornography deters participation in democracy for those targeted. Further, we assess it likely that, on at least one occasion, that content was seeded to deliberately sabotage the campaign of a candidate running for office. We assess that these AI-enabled personal attacks will almost certainly increase given the wide availability of these models.</li> </ul></section><section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title">Key terms</h4> </header><div class="panel-body"> <ul><li><strong>Machine learning</strong>: Methods or models that enable machines to learn how to complete a task from given data without explicitly programming a step-by-step solution.</li> <li><strong>Generative <abbr title="Artificial Intelligence">AI </abbr></strong>: A subset of machine learning that generates new content based on patterns extracted from large volumes of training data. 
Generative <abbr title="Artificial Intelligence">AI </abbr> can create many forms of content including text, images, audio, video, or software code.</li> <li><strong>Predictive <abbr title="Artificial Intelligence">AI </abbr></strong>: A subset of machine learning that consumes input data but, rather than producing an image or a text, it discovers patterns in data to classify new data, like object recognition in images or words in speech recognition.</li> </ul></div> </section><section class="mrgn-tp-lg"><h2 class="text-info page-header mrgn-tp-lg" id="about_report">About this report</h2> <p>This report provides an update to <abbr title="Cyber Threats to Canada’s Democratic Process">TDP </abbr> 2023, published in December 2023. Given the changes in <abbr title="Artificial Intelligence">AI </abbr> and machine learning technology since then, the report focuses on the threat posed by hostile actors using these technologies to target Canada’s democratic process in 2025. The key findings stated in <abbr title="Cyber Threats to Canada’s Democratic Process">TDP </abbr> 2023 remain relevant to the present threat environment.</p> <h3 id="scope">Scope</h3> <p>This report considers <abbr title="Artificial Intelligence">AI </abbr>-enabled cyber threat activity that affects democratic processes globally. Cyber threat activity (e.g. spear phishing, malware) is <abbr title="Artificial Intelligence">AI </abbr>-enabled when it integrates <abbr title="Artificial Intelligence">AI </abbr> components (generative or other machine learning methods) to compromise the security of an information system by altering the confidentiality, integrity, or availability of a system or the information it contains. 
This assessment also considers <abbr title="Artificial Intelligence">AI </abbr>-enabled influence campaigns, which occur when cyber threat actors use generative <abbr title="Artificial Intelligence">AI </abbr> and predictive <abbr title="Artificial Intelligence">AI </abbr> to research intelligence targets and to covertly manipulate online information.</p> <p>We discuss a wide range of cyber threats to global and Canadian political and electoral activities, particularly in the context of Canada’s next general election, currently set for 2025. Providing threat mitigation advice is outside the scope of this report.</p> <h3 id="sources">Sources</h3> <p>In producing this report, we relied on reporting from both classified and unclassified sources. CSE’s foreign intelligence mandate provides us with valuable insights into adversarial behaviour. Defending the Government of Canada’s information systems also provides CSE with a unique perspective to observe trends in the cyber threat environment.</p> <h3 id="more_information">More information</h3> <p>Further resources can be found on the <a href="/en/guidance">Cyber Centre’s cyber security guidance page</a> and on the <a href="https://www.getcybersafe.gc.ca/en/home">Get Cyber Safe</a> website.</p> <p>For more information about cyber tools and the evolving cyber threat landscape, consult the following publications:</p> <ul><li><a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a></li> <li><a href="/en/guidance/introduction-cyber-threat-environment">An Introduction to the Cyber Threat Environment</a></li> <li><a href="/en/guidance/how-identify-misinformation-disinformation-and-malinformation-itsap00300">How to identify misinformation, disinformation, and malinformation</a></li> </ul><div class="panel panel-default col-md-12"> <div class="panel-body"> <figure><h4 class="mrgn-lft-md text-center" id="estimative_language">Estimative language</h4> <p 
class="mrgn-bttm-lg">Our judgements are based on an analytical process that includes evaluating the quality of available information, exploring alternative explanations, mitigating biases, and using probabilistic language. We use terms such as "we assess" or "we judge" to convey an analytic assessment. We use qualifiers such as "possibly", "likely", and "very likely" to convey probability according to the chart below.</p> <p class="mrgn-bttm-lg">The contents of this report are based on information available as of <strong>January 27, 2025</strong>.</p> <p class="mrgn-bttm-lg">The chart below matches estimative language with approximate percentages. These percentages are not derived via statistical analysis, but are based on logic, available information, prior judgements, and methods that increase the accuracy of estimates.</p> <img alt="Estimated language chart long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/tdp4-language-chart-e.jpg" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Estimative language chart</summary><ul class="list-unstyled mrgn-tp-md"><li>1 to 9%: Almost no chance</li> <li>10 to 24%: Very unlikely/Very improbable</li> <li>25 to 39%: Unlikely/Improbable</li> <li>40 to 59%: Roughly even chance</li> <li>60 to 74%: Likely/Probably</li> <li>75 to 89%: Very likely/Very probable</li> <li>90 to 99%: Almost certainly</li> </ul></details></figure></div> </div> </section><div class="clearfix"> </div> <section class="mrgn-tp-lg"><h2 class="text-info page-header mrgn-tp-lg" id="introduction">Introduction</h2> <p>Compared with earlier versions of Cyber Threats to Canada’s Democratic Process, which focused on the broad cyber threat to 
national elections, this update focuses exclusively on the threat posed by <abbr title="Artificial Intelligence">AI </abbr>. It provides information on how cyber threat actors are using powerful developments in <abbr title="Artificial Intelligence">AI </abbr>, specifically generative <abbr title="Artificial Intelligence">AI </abbr> and predictive <abbr title="Artificial Intelligence">AI </abbr>, to target the electoral process, harm democratic actors, and mislead and disinform voters.</p> <h3 id="elections">Canadian elections: An attractive target for foreign actors</h3> <p>Foreign threat actors are interested in targeting Canadian elections for a multitude of reasons. Canada is a member of the North Atlantic Treaty Organization (NATO), the Five Eyes (FVEY) intelligence alliance, and is economically and culturally integrated with the United States (US).</p> <p>As an active player in the international community, Canada participates in key institutions such as the United Nations (UN), Organization for Economic Cooperation and Development (OECD), the World Trade Organization (WTO), the International Monetary Fund (IMF), and the World Bank. As a major economy, Canada is a member of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), as well as multilateral forums such as the Group of 20 (G20) and the Group of 7 (G7). Government of Canada decisions on matters of military, trade, investment, and migration all affect the global community, as do the products of Canadian culture and science. 
We assess it almost certain that foreign actors target Canadian elections to influence how these decisions are made, as well as to weaken our capacity for decision-making entirely.</p> <h3 id="threats"><abbr title="Artificial Intelligence">AI </abbr>-enabled cyber threats to Canada’s democratic process</h3> <p>The malicious use of <abbr title="Artificial Intelligence">AI </abbr> is a growing threat to Canadian elections, a point first noted in the Cyber Centre’s <a href="/en/guidance/2019-update-cyber-threats-canadas-democratic-process">2019 Update: Cyber Threats to Canada’s Democratic Process</a>. Generative <abbr title="Artificial Intelligence">AI </abbr> at that time was expensive and required technical knowledge to use but has since become less costly and more accessible to non-technical users. User-friendly web interfaces, easy prompts, and few regulations or guardrails make it easier for more threat actors to engage in malicious cyber activity.<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> The speed and quality of output from generative <abbr title="Artificial Intelligence">AI </abbr> models have also markedly improved, for instance from the first Generative Pre-Trained Transformer (GPT-1) to GPT-4, now used for high-quality synthetic content generation.<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> These and related technologies have enabled adversarial actors to generate persuasive deepfakes and design convincing chatbots capable of spreading disinformation personalized to their target audience. The customization of content to specific targets with generative <abbr title="Artificial Intelligence">AI </abbr> has also been used to enhance phishing attacks and enable new forms of digital harassment, cybercrime, and espionage. 
Predictive analytics allow data processing at a sophistication and volume unachievable by non-AI-enabled methods, allowing human analysts to swiftly identify targets for potential hacking operations or populations to be flooded with targeted propaganda.<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></p> <p>The increased accessibility of generative <abbr title="Artificial Intelligence">AI </abbr> compounds the risk to countries like Canada, whose citizens and infrastructure are highly connected. According to DataReportal, 94.3% of Canadians are registered Internet users while 80% of Canadians are active users of social media.<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup> Survey data from Statistics Canada indicate that the majority of Canadians receive their news and information from the Internet or social media, increasing Canadians’ exposure to <abbr title="Artificial Intelligence">AI </abbr>-enabled malign influence campaigns.<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup></p> <p>Although Canada’s general elections are conducted by paper ballot, much of the surrounding electoral infrastructure is digitized, including voter registration systems, election websites, and communications between election management bodies and their employees. This creates a threat surface vulnerable to malicious cyber activity aimed at compromising the confidentiality, integrity, or availability of the underlying system before or during an election period. 
Cyber actors can use generative <abbr title="Artificial Intelligence">AI </abbr> to quickly create targeted and convincing phishing emails, potentially allowing them illicit entry to this infrastructure, where they can install malware or exfiltrate and expose sensitive information.<sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup> Canadians, their data, and public and political organizations are all potential targets of <abbr title="Artificial Intelligence">AI </abbr>-enabled influence operations. Virtually every politician, candidate, and media personality has an online presence from which data can be mined and used to create fake content. Canadian political parties hold terabytes<sup id="fn*-rf"><a class="fn-lnk" href="#fn*"><span class="wb-inv">Footnote </span>*</a></sup> of politically relevant data about Canadian voters as do commercial data brokers.<sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup></p> <section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title"><abbr title="People’s Republic of China">PRC </abbr> state-affiliated actors steal United Kingdom voter registry data</h4> </header><div class="panel-body"> <p>In July 2024, the United Kingdom (UK) government attributed a hack of the UK Electoral Commission to <abbr title="People’s Republic of China">PRC </abbr> state-affiliated actors. 
In addition to commission emails, hackers gained access to copies of electoral registries with the names and addresses of anyone registered to vote between 2014 and 2021.<sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup> <abbr title="Artificial Intelligence">AI </abbr>-enabled cyber actors can use data such as this to develop propaganda campaigns tailored to specific audiences.</p> </div> </section><p>We assess foreign actors are almost certainly attempting to acquire this data, which they can then weaponize against Canadian democratic processes. Cyber actors can combine purchased or stolen data with public data about Canadians to create targeted propaganda campaigns, built on predictive analytics and using <abbr title="Artificial Intelligence">AI </abbr>-generated content.<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup> Malicious cyber actors have also used social botnets to take advantage of social media recommendation algorithms, amplify disinformation narratives, and even engage directly with voters in other countries.<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup> Based on this capacity, we assess that cyber actors can almost certainly target Canadian voters in the same manner.</p> <p>We assess that countries pursuing adversarial strategies against Canada and our allies almost certainly possess the capabilities illustrated above. We assess that the <abbr title="People’s Republic of China">PRC </abbr> is likely to employ these capabilities to push narratives favourable to its interests and spread disinformation among Canadian voters. For Russia and Iran, we assess that Canadian elections are almost certainly lower priority targets compared to the US or the UK. 
We also assess that, if these states do target Canada, they are more likely to use low-effort cyber or influence operations.</p> <p>Domestic actors, as well as activists and thrill-seekers based abroad, also possess access to off-the-shelf generative <abbr title="Artificial Intelligence">AI </abbr> tools. We assess such actors will almost certainly use these tools to spread disinformation ahead of a national election. We assess that increased geopolitical tensions between Canada and other states are likely to result in cyber threat actors, including non-state actors, using <abbr title="Artificial Intelligence">AI </abbr>-enabled tools to target Canada’s democratic process. Ahead of the 2021 general election, for example, known or likely <abbr title="People’s Republic of China">PRC </abbr> affiliated actors spread non- <abbr title="Artificial Intelligence">AI </abbr> enabled disinformation about politicians running for office, whom they assessed to be anti- <abbr title="People’s Republic of China">PRC </abbr>.<sup id="fn11-rf"><a class="fn-lnk" href="#fn11"><span class="wb-inv">Footnote </span>11</a></sup></p> <h2 class="text-info page-header mrgn-tp-lg" id="changes">Changes in AI technology</h2> <p>Generative <abbr title="Artificial Intelligence">AI </abbr> is a type of artificial intelligence that generates new content by modelling features of data from large datasets. Generative <abbr title="Artificial Intelligence">AI </abbr> can create new content in many forms, including text, image, audio, or computer code. Similar to generative <abbr title="Artificial Intelligence">AI </abbr>, predictive <abbr title="Artificial Intelligence">AI </abbr> consumes input data but, rather than producing an image or a text, it applies the patterns it has discovered to make an informed prediction to classify new data. 
As a result, software can quickly assess large pools of data to identify patterns and perform analysis that would otherwise require time-consuming and costly manual annotation by a team of humans. Both types of <abbr title="Artificial Intelligence">AI </abbr> rely on machine learning, which is the process by which machines learn how to complete a task from given data without explicitly programming a step-by-step solution.</p> <h3 id="llm">Large language models (LLMs)</h3> <p>Large language models (LLMs) are machine learning models that are trained on very large sets of language data using self- and semi-supervised learning. Early language models generated text via next word prediction, but more recent <abbr title="Large Language Models">LLMs </abbr> have significantly built on this function—learning from very large text datasets and sophisticated modelling—so that users can enter prompts on applications such as ChatGPT to output complete sentences or generate entire documents on a given topic, in a given style.<sup id="fn14-rf"><a class="fn-lnk" href="#fn14"><span class="wb-inv">Footnote </span>14</a></sup></p> <p>The growing accessibility and diminishing cost of these technologies have enabled their use in cybercrime and in spreading disinformation and attacking democratic infrastructure.<sup id="fn6a-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup> Through either a fake or compromised account, a threat actor can use an LLM to write plausible communication that persuades the target to click a malicious link or inadvertently share their credentials or sensitive information.</p> <section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title"><abbr title="Large Language Models">LLMs </abbr> can quickly produce tailored phishing products</h4> </header><div class="panel-body"> <p>To demonstrate the potential threat, a researcher at the University of Oxford used ChatGPT and other <abbr title="Large Language 
Models">LLMs </abbr> to draft (but not send) personalized spear phishing emails to over 600 members of British Parliament.<sup id="fn12-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup> Research has shown that <abbr title="Large Language Models">LLMs </abbr> can produce these emails at much faster rates than human researchers and are able to persuade targets to click on malicious links at rates comparable to phishing emails created by humans.<sup id="fn13-rf"><a class="fn-lnk" href="#fn13"><span class="wb-inv">Footnote </span>13</a></sup></p> </div> </section><h3 id="deepfakes">The rise of deepfakes</h3> <p>Deepfakes refer to pictographic, video, and audio content that has been altered or created by a machine learning model. They can be distinguished from "cheap fakes," which are also designed to deceive, but, because they are created with less sophisticated software, are of lower quality and easier to identify.<sup id="fn16-rf"><a class="fn-lnk" href="#fn16"><span class="wb-inv">Footnote </span>16</a></sup></p> <p>Although deepfake technology has existed since 2014, it was difficult to use and computationally intensive until the 2021-2022 release of image generation models such as GPT, DALL-E, and Midjourney.<sup id="fn17-rf"><a class="fn-lnk" href="#fn17"><span class="wb-inv">Footnote </span>17</a></sup></p> <p>Today, a convincing deepfake can be made from only a few seconds of video or audio, requiring little technical expertise from the user.<sup id="fn19-rf"><a class="fn-lnk" href="#fn19"><span class="wb-inv">Footnote </span>19</a></sup> Deepfakes are being used against elections globally, primarily to spread disinformation.<sup id="fn20-rf"><a class="fn-lnk" href="#fn20"><span class="wb-inv">Footnote </span>20</a></sup> A deepfaked voice or video call can also be used by a malicious actor to trick a target into sharing sensitive information. 
Although we have not yet observed this in the context of an election, cyber criminals have successfully used generative <abbr title="Artificial Intelligence">AI </abbr> in this manner to carry out billions of dollars’ worth in fraud.<sup id="fn21-rf"><a class="fn-lnk" href="#fn21"><span class="wb-inv">Footnote </span>21</a></sup></p> <section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title">AI-enabled scammers steal $35 million</h4> </header><div class="panel-body"> <p>In 2024, hackers used a deepfake to impersonate the Chief Financial Officer (CFO) of a company based in Hong Kong. During a video call with a financial worker, they tricked the worker into transferring nearly $35 million (CAD) to the hacker’s bank accounts.<sup id="fn18-rf"><a class="fn-lnk" href="#fn18"><span class="wb-inv">Footnote </span>18</a></sup></p> </div> </section><h3 id="machine">Machine learning analytics and the exploitation of big data</h3> <p>Machine learning models are powerful tools for analyzing big data. Master datasets are created by collecting, purchasing, or acquiring huge amounts of data, measured in peta- or exabytes,<sup id="fn**-rf"><a class="fn-lnk" href="#fn**"><span class="wb-inv">Footnote </span>**</a></sup> and require powerful computers to store, query, and analyze. Advances in chip design, software architecture, and computing power have enabled advanced analytics, vastly increasing the speed and accuracy with which big data can be processed.<span class="nowrap"><sup id="fn22-rf"><a class="fn-lnk" href="#fn22"><span class="wb-inv">Footnote </span>22</a></sup></span></p> <p>Machine learning analytics are used by social media companies to identify and promote content assessed as most likely to sustain and generate engagement from a user. 
Social media platforms have designed their machine learning recommendation algorithms to favour emotionally charged and polarizing content, which can be used to misinform, radicalize, and divide users.<sup id="fn23-rf"><a class="fn-lnk" href="#fn23"><span class="wb-inv">Footnote </span>23</a></sup></p> <p>Malicious actors may take advantage of these algorithms to promote their favoured political narratives ahead of elections, while certain platforms themselves have been noted to amplify biased content.<sup id="fn24-rf"><a class="fn-lnk" href="#fn24"><span class="wb-inv">Footnote </span>24</a></sup></p> <p>In the hands of adversarial actors, big data can be exploited by machine learning to provide intelligence that enables threat actors to influence targets, including through both human operations and targeted propaganda.<sup id="fn25-rf"><a class="fn-lnk" href="#fn25"><span class="wb-inv">Footnote </span>25</a></sup> The collation of data, for example, can produce profiles of users, or psychographic information individualized to each voter or voter group, reflecting their attitudes, aspirations, values, and fears.<sup id="fn26-rf"><a class="fn-lnk" href="#fn26"><span class="wb-inv">Footnote </span>26</a></sup> Likewise, real-time data analytics, capable of collecting and processing data as it is created, enable instantaneous feedback responses and on-demand intelligence reporting.<sup id="fn27-rf"><a class="fn-lnk" href="#fn27"><span class="wb-inv">Footnote </span>27</a></sup></p> </section><section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title">Russian propaganda agencies purchase targeted advertising to target US federal elections</h4> </header><div class="panel-body"> <p>According to the US Federal Bureau of Investigation (FBI), in fall 2023, Russian propaganda agencies purchased Meta’s advertising services, which rely on predictive <abbr title="Artificial Intelligence">AI </abbr>, to direct propaganda towards groups that 
Russian agencies had assessed as receptive towards given propaganda narratives.<span class="nowrap"><sup id="fn29-rf"><a class="fn-lnk" href="#fn29"><span class="wb-inv">Footnote </span>29</a></sup></span></p> </div> </section><div class="clearfix">&nbsp;</div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section class="mrgn-tp-lg"><h2 class="text-info page-header mrgn-tp-lg" id="global_trends">Global trends</h2> <p>The Cyber Centre has analyzed cyber threat activity targeting national level elections since 2015. This update focuses on <abbr title="Artificial Intelligence">AI </abbr>-enabled threats, with data starting from 2023, the year in which our research first indicated that threat actors used generative <abbr title="Artificial Intelligence">AI </abbr> to target a democratic process.</p> <p>Since 2023, we have observed an increase in the amount of <abbr title="Artificial Intelligence">AI </abbr>-enabled cyber threat activity targeting elections worldwide. We assess that the data almost certainly underestimates the total number of events targeting global democratic processes, as not all cyber activity is reported or detected. Similarly, deepfakes and LLM-generated texts can be difficult to identify or distinguish from human-generated content. 
Based on our observations from 2023 and 2024, we identified four global trends.</p> <section><div class="col-md-8 col-sm-offset-2"> <div class="panel panel-default"> <h3 class="mrgn-lft-md text-center">Figure 1: Growth in <abbr title="Artificial Intelligence">AI </abbr>-enabled threats to democratic processes from 2023 to 2024</h3> <div class="panel-body"> <figure><img alt="Figure 1 – Long description immediately follows" class="img-responsive mrgn-bttm-md" src="/sites/default/files/images/2425-0354-tdp-2025-X-figure1-web-e.jpg" /></figure><details><summary>Long description – Figure 1: Growth in <abbr title="Artificial Intelligence">AI </abbr>-enabled threats to democratic processes </summary><p>This bar chart shows the increase from 2023 to 2024 in the percentage of elections targeted globally by 3 types of <abbr title="Artificial Intelligence">AI </abbr>-enabled threats:</p> <table class="table table-condensed table-bordered"><caption>Figure 1: Growth in <abbr title="Artificial Intelligence">AI </abbr>-enabled threats to democratic processes from 2023 to 2024</caption> <thead><tr class="active"><th scope="col">Year</th> <th scope="col">Synthetic disinformation campaign</th> <th scope="col">Social botnet campaign</th> <th scope="col"><abbr title="Artificial Intelligence">AI </abbr>-enabled harassment campaign</th> </tr></thead><tbody><tr><th scope="row">2024</th> <td>27%</td> <td>16%</td> <td>6%</td> </tr><tr><th scope="row">2023</th> <td>14%</td> <td>6%</td> <td>0%</td> </tr></tbody></table></details></div> </div> </div> </section><div class="clearfix">&nbsp;</div> <section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title">Types of <abbr title="Artificial Intelligence">AI </abbr>-enabled threats</h4> </header><div class="panel-body"> <p><strong>Synthetic disinformation campaign</strong>: The use of <abbr title="Artificial Intelligence">AI </abbr> to create disinformation to be spread online, pushing 
a consistent message or theme, or as part of a sporadic and uncoordinated effort to create disinformation about candidates running for office.</p> <p><strong>Social botnet campaign</strong>: Automated botnets, characterized by the use of <abbr title="Large Language Models">LLMs </abbr> to generate content or <abbr title="Artificial Intelligence">AI </abbr>-generated profiles.</p> <p><strong><abbr title="Artificial Intelligence">AI </abbr>-enabled harassment campaign</strong>: The use of <abbr title="Artificial Intelligence">AI </abbr> to aggressively pressure or intimidate.</p> </div> </section><div class="clearfix">&nbsp;</div> <h3 id="trend1">Trend 1: Generative AI is polluting the information ecosystem</h3> <p>Between 2023 and 2024, there were 124 national level elections around the globe, as well as the European Union (EU) parliamentary elections in 2024, which took place across the EU’s 27 member states. Of these 151 total elections, Cyber Centre research indicates that 40 were targeted by actors using generative <abbr title="Artificial Intelligence">AI </abbr> to <strong>create</strong> or <strong>spread </strong>disinformation at least once during the 12 months leading up to the election. Since some countries were targeted multiple times, we identified 60 unique synthetic disinformation campaigns, meaning hostile actors used generative <abbr title="Artificial Intelligence">AI </abbr> to create disinformation to be spread online. These campaigns either pushed a consistent message or theme or were part of a sporadic and uncoordinated effort to create disinformation about candidates running for office. These include cases where <abbr title="Artificial Intelligence">AI </abbr> imagery, audio, or text was used to confuse or disinform voters.</p> <p>We also detected 36 known or likely cases where automated botnets were used to spread disinformation. 
These social botnets were often characterized by their use of <abbr title="Artificial Intelligence">AI </abbr>-generated profile pictures, while the bots themselves proved capable of posting links, amplifying content, and interacting with authentic users. On several occasions, researchers and independent watchdogs observed social botnets attempting to manipulate social media recommendation algorithms. Affected platforms included X, Facebook, TikTok, WeChat, Telegram, and country-specific platforms such as Taiwan’s <span class="nowrap">PTT.<sup id="fn28-rf"><a class="fn-lnk" href="#fn28"><span class="wb-inv">Footnote </span>28</a></sup></span></p> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <div class="clearfix">&nbsp;</div> <section><div class="col-md-8 col-sm-offset-2"> <div class="panel panel-default"> <h4 class="mrgn-lft-md text-center">Figure 2: AI-enabled disinformation campaigns targeting democratic processes</h4> <div class="panel-body"> <figure><img alt="Figure 2 – Long description immediately follows" class="img-responsive mrgn-bttm-md" src="/sites/default/files/images/figure2-tdp-2025-e.png" /></figure><details><summary>Long description – Figure 2: <abbr title="Artificial Intelligence">AI </abbr>-enabled disinformation campaigns targeting democratic processes </summary><p>The data for this chart is as follows:</p> <table class="table table-condensed table-bordered"><caption>Figure 2: <abbr title="Artificial Intelligence">AI </abbr>-enabled disinformation campaigns targeting democratic processes</caption> <thead><tr class="active"><th scope="col">Year</th> <th scope="col">Synthetic disinformation campaigns</th> <th scope="col">Social botnet campaigns</th> </tr></thead><tbody><tr><th scope="row">2023</th> <td>7</td> <td>3</td> </tr><tr><th 
scope="row">2024</th> <td>53</td> <td>33</td> </tr></tbody></table></details></div> </div> </div> </section><div class="clearfix">&nbsp;</div> <h3 id="trend2">Trend 2: <abbr title="Artificial Intelligence">AI </abbr> involvement uncertain in phishing against electoral institutions</h3> <p>Between 2023 and 2024, we observed three reported cases where threat actors launched phishing campaigns in attempts to harvest credentials or engage in hack-and-leak operations against political and government organizations.<sup id="fn30-rf"><a class="fn-lnk" href="#fn30"><span class="wb-inv">Footnote </span>30</a></sup></p> <p>While we cannot assess that generative AI was used in these cases, we note that the frequency with which adversaries have used <abbr title="Large Language Models">LLMs </abbr> to enhance their phishing attacks in other contexts has rapidly increased over the past two years.<span class="nowrap"><sup id="fn31-rf"><a class="fn-lnk" href="#fn31"><span class="wb-inv">Footnote </span>31</a></sup></span> Likewise, over the past two years, <abbr title="Artificial Intelligence">AI </abbr> technology to improve and speed up phishing campaigns has proliferated on the dark web, as has the discovery of new techniques to circumvent safety controls on legitimate technology.<sup id="fn32-rf"><a class="fn-lnk" href="#fn32"><span class="wb-inv">Footnote </span>32</a></sup> We assess that <abbr title="Artificial Intelligence">AI </abbr>-enabled phishing attacks against democratic targets will almost certainly increase over the next two years.</p> <div class="clearfix">&nbsp;</div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h3 id="trend3">Trend 3: Advanced targeting based on machine learning analytics</h3> <p>It is difficult to observe in every case how nation states are using machine learning to analyze 
big data. However, we have observed the <abbr title="People’s Republic of China">PRC </abbr> and, to a lesser extent, Russia engaging in massive data collection campaigns, typically accomplished through open source acquisition, covert purchase, and theft.<sup id="fn33-rf"><a class="fn-lnk" href="#fn33"><span class="wb-inv">Footnote </span>33</a></sup> Datasets of interest include information that is expressly political, such as voter registries or campaign data, or specific information that reveals, for example, an individual’s shopping habits, health records, and browsing and social media activity.<sup id="fn34-rf"><a class="fn-lnk" href="#fn34"><span class="wb-inv">Footnote </span>34</a></sup></p> <p>As assessed in <abbr title="National Cyber Threat Assessment">NCTA </abbr> 2025-2026, well-resourced nation states are very likely relying on <abbr title="Artificial Intelligence">AI </abbr> to process and analyze these datasets, producing information for follow-on intelligence operations, including against elections.<sup id="fn35-rf"><a class="fn-lnk" href="#fn35"><span class="wb-inv">Footnote </span>35</a></sup> Hostile actors are also using this data to enhance surveillance of, or online operations against, diaspora groups and their political representatives.<sup id="fn36-rf"><a class="fn-lnk" href="#fn36"><span class="wb-inv">Footnote </span>36</a></sup> Separately, according to an FBI affidavit, Russia covertly used targeted advertising products sold by social media companies and search engines to conduct its propaganda efforts.<sup id="fn37-rf"><a class="fn-lnk" href="#fn37"><span class="wb-inv">Footnote </span>37</a></sup></p> </section><section><h3 id="trend4">Trend 4: Threat actors are using generative AI to harass public figures</h3> <p>Of the 151 elections we assessed from 2023 to 2024, at least 6 had instances where deepfakes were used to harass or intimidate politicians. 
The deepfakes used in this manner are of an exclusively sexual nature and have primarily targeted women politicians or 2SLGBTQI+ identifying persons in politics. This is consistent with a broader trend concerning <abbr title="Artificial Intelligence">AI </abbr>: deepfake pornography makes up 98% of all deepfake videos online and 99% of those deepfakes target women.<sup id="fn41-rf"><a class="fn-lnk" href="#fn41"><span class="wb-inv">Footnote </span>41</a></sup></p> <p><abbr title="Artificial Intelligence">AI </abbr> is being used in this way to humiliate, intimidate, and exclude targeted persons from political participation. While most of these efforts appear primarily criminal or sadistic in nature rather than part of deliberate influence campaigns, we assess it likely that, on at least one occasion, content was seeded to deliberately sabotage the campaign of a candidate running for office.<sup id="fn42-rf"><a class="fn-lnk" href="#fn42"><span class="wb-inv">Footnote </span>42</a></sup></p> </section><div class="clearfix">&nbsp;</div> <section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title">Women disproportionately targeted</h4> </header><div class="panel-body"> <p>In June 2024, British media reported that 400 digitally altered pornographic pictures of more than 30 high-profile women politicians had been found online.<sup id="fn38-rf"><a class="fn-lnk" href="#fn38"><span class="wb-inv">Footnote </span>38</a></sup> In Greece, <abbr title="Artificial Intelligence">AI </abbr> was used to create a nude image of a party leader, sparking derogatory homophobic comments.<sup id="fn39-rf"><a class="fn-lnk" href="#fn39"><span class="wb-inv">Footnote </span>39</a></sup> Ahead of Bangladesh’s 2024 elections, photographs were shared online falsely depicting a woman politician in a bikini.<sup id="fn40-rf"><a class="fn-lnk" href="#fn40"><span class="wb-inv">Footnote </span>40</a></sup></p> </div> </section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section class="mrgn-tp-lg"><h2 class="text-info page-header mrgn-tp-lg" id="actors">Main threat actors using AI to target democratic processes</h2> <p>Around 49% of the <abbr title="Artificial Intelligence">AI </abbr>-enabled activity that we observed (all of which involved the spread of disinformation or the harassment of politicians) could not be credibly attributed to a specific actor. From our research, the majority of <strong>attributed</strong> AI-enabled cyber threat activity emanates from state-sponsored actors with links to Russia, the <abbr title="People’s Republic of China">PRC </abbr>, and Iran. 
We assess their goal is almost certainly to break democratic alliances and entrench divisions within and between democratic states while also advancing their geopolitical goals.<sup id="fn43-rf"><a class="fn-lnk" href="#fn43"><span class="wb-inv">Footnote </span>43</a></sup> We also note that political parties have maliciously used <abbr title="Artificial Intelligence">AI </abbr> within their own countries, typically through the spread of disinformation.</p> <div class="col-md-10 col-sm-offset-1"> <div class="panel panel-default"> <h3 class="mrgn-lft-md text-center">Figure 3: Attributions of threats to democratic processes</h3> <div class="panel-body"> <figure><img alt="Figure 3 – Long description immediately follows" class="img-responsive mrgn-bttm-md" src="/sites/default/files/images/figure-3-tdp-2025-e.jpg" /></figure><details><summary>Long description – Figure 3: Attributions of threats to democratic processes </summary><p>This bar chart shows the percentage of <abbr title="Artificial Intelligence">AI </abbr>-enabled threat events by 6 types of threat actors:</p> <ul><li>Unattributed: 49%</li> <li>Russia/Russia-aligned: 19%</li> <li>Domestic actors: 17%</li> <li><abbr title="People’s Republic of China">PRC </abbr>/PRC-aligned: 11%</li> <li>Iran: 2%</li> <li>Other: 2%</li> </ul></details></div> </div> </div> <div class="clearfix">&nbsp;</div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp" title="Return to Top of page">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h3 id="russia">Russia</h3> <p>Consistent with statistics we gathered in <abbr title="Cyber Threats to Canada’s Democratic Process">TDP </abbr> 2023, Russia and pro-Russia non-state actors remain the most aggressive among attributed actors targeting global elections. 
We assess Russia’s cyber threat activity is almost certainly aimed at harming the electoral prospects of parties or candidates that Russia perceives as pro-West in ideology and foreign policy orientation. Over the past two years, at least four prominent Russian networks have used <abbr title="Artificial Intelligence">AI </abbr> to spread disinformation in distinctive ways.</p> <p>Although we have not definitively observed Russian actors using <abbr title="Artificial Intelligence">AI </abbr> to enhance their phishing or hack-and-leak efforts against elections, we assess it almost certain that they possess this capability. This assessment is based on similar activity undertaken by criminal groups and other nation states.<span class="nowrap"><sup id="fn44-rf"><a class="fn-lnk" href="#fn44"><span class="wb-inv">Footnote </span>44</a></sup></span> Likewise, we assess it very likely that Russia has the capability to use <abbr title="Artificial Intelligence">AI </abbr> to improve the efficacy and stealth of malware to deploy against target assets.<span class="nowrap"><sup id="fn45-rf"><a class="fn-lnk" href="#fn45"><span class="wb-inv">Footnote </span>45</a></sup></span></p> <p>With regard to <abbr title="Artificial Intelligence">AI </abbr>-enabled disinformation, a network known as Doppelganger (founded in April 2022) is operated by two Russia-based companies with known links to the Russian state.<sup id="fn46-rf"><a class="fn-lnk" href="#fn46"><span class="wb-inv">Footnote </span>46</a></sup> Doppelganger relies on <abbr title="Artificial Intelligence">AI </abbr> to spoof legitimate news websites, such as Der Spiegel or The Guardian, while using <abbr title="Large Language Models">LLMs </abbr> to generate articles containing disinformation.<sup id="fn47-rf"><a class="fn-lnk" href="#fn47"><span class="wb-inv">Footnote </span>47</a></sup> A similar network known as CopyCop uses <abbr title="Large Language Models">LLMs </abbr> to create disinformation articles and deliver 
them via websites that purport to be news organizations based in Western states.<sup id="fn48-rf"><a class="fn-lnk" href="#fn48"><span class="wb-inv">Footnote </span>48</a></sup> Storm-1679, a third network active since 2023, relies on generative <abbr title="Artificial Intelligence">AI </abbr> to spam media organizations, researchers, and fact checkers with requests for story verification, in an effort to overwhelm their anti-disinformation resources.<sup id="fn49-rf"><a class="fn-lnk" href="#fn49"><span class="wb-inv">Footnote </span>49</a></sup> Each of these networks has leveraged generative <abbr title="Artificial Intelligence">AI </abbr> to create content as well as social botnets to amplify disinformation across various online mediums.</p> <p>While the quality of Russian disinformation has varied, Russia and pro-Russia non-state actors have displayed an ability to create bespoke propaganda, designed to enhance its virality and political impact on the target state. In October 2024, Storm-1516 released a tailored deepfake of an individual claiming to have been abused by US vice-presidential candidate Tim Walz.<sup id="fn50a-rf"><a class="fn-lnk" href="#fn50"><span class="wb-inv">Footnote </span>50</a></sup> The attack was a blend of methods, combining disinformation with sexual degradation without concern for the intermediary victim.</p> <section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title">US vice-presidential candidate Tim Walz deepfake</h4> </header><div class="panel-body"> <p>The deepfake showed a person claiming to have been abused by Walz during Walz’s former job as a high school teacher. Although the video was fake, the person in the video appeared to have been an actual student at Walz’s school. 
To create the deepfake, Storm-1516 had likely researched students at Walz’s former school, used <abbr title="Artificial Intelligence">AI </abbr> to create a fake video based on their likeness, and then deployed it against Walz.<sup id="fn50-rf"><a class="fn-lnk" href="#fn50"><span class="wb-inv">Footnote </span>50</a></sup></p> </div> </section><p>Despite these efforts, we assess it likely that Russia’s campaigns generally do not gain significant visibility without the amplification of witting or unwitting actors from within the targeted state.<sup id="fn51-rf"><a class="fn-lnk" href="#fn51"><span class="wb-inv">Footnote </span>51</a></sup> According to German intelligence, Doppelganger’s 700 fake websites garnered only 800,000 <span class="nowrap">views<sup id="fn***-rf"><a class="fn-lnk" href="#fn***"><span class="wb-inv">Footnote </span>***</a></sup></span> across all of the network’s campaigns between November 2023 and August 2024.<sup id="fn52-rf"><a class="fn-lnk" href="#fn52"><span class="wb-inv">Footnote </span>52</a></sup> Another researcher noted that most of the links shared by Doppelganger received little to zero engagement.<sup id="fn53-rf"><a class="fn-lnk" href="#fn53"><span class="wb-inv">Footnote </span>53</a></sup> The Tim Walz abuse claim only gained significant attention after it was covered by influential American commentators.<sup id="fn50b-rf"><a class="fn-lnk" href="#fn50"><span class="wb-inv">Footnote </span>50</a></sup> Responsive efforts by the targeted states to remove the online infrastructure supporting these websites, as well as deplatforming operations carried out by social media companies, have blunted their overall visibility.<sup id="fn54-rf"><a class="fn-lnk" href="#fn54"><span class="wb-inv">Footnote </span>54</a></sup> Nonetheless, we assess that Russia almost certainly retains the intent and capability to continue using generative <abbr title="Artificial Intelligence">AI </abbr> to pollute the democratic information 
environment. Recent trends among social media companies to move away from professional fact checking will likely increase user engagement with misleading <span class="nowrap">content.<sup id="fn55-rf"><a class="fn-lnk" href="#fn55"><span class="wb-inv">Footnote </span>55</a></sup></span></p> <h3 id="prc">The People’s Republic of China</h3> <p>The <abbr title="People’s Republic of China">PRC </abbr> poses a sophisticated and pervasive threat in the cyber domain. Using cyber and non-cyber means, the <abbr title="People’s Republic of China">PRC </abbr> carried out an aggressive malign influence campaign around Taiwan’s 2024 presidential election.<sup id="fn56-rf"><a class="fn-lnk" href="#fn56"><span class="wb-inv">Footnote </span>56</a></sup> With regard to <abbr title="Artificial Intelligence">AI </abbr>, Taiwan-based researchers identified a likely social botnet composed of over 14,000 accounts across Facebook, X, YouTube, TikTok, and PTT, a Taiwanese social media platform.<sup id="fn57-rf"><a class="fn-lnk" href="#fn57"><span class="wb-inv">Footnote </span>57</a></sup> The profile avatars for the bots were in some instances created by generative <abbr title="Artificial Intelligence">AI </abbr>, while the bots themselves exhibited coordinated behaviour and similarity in commenting patterns. 
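</p> <p>The botnet indicators this report describes, here for the Taiwan network and under Trend 1 for the 36 social botnet cases (near-identical comments posted in lockstep across many accounts, alongside AI-generated avatars), can be turned into a first-pass detection heuristic. The following is an added example, not code from the Cyber Centre or any platform: the posts are constructed sample data, and the thresholds (70% word overlap, a 10-minute window, at least three distinct accounts) are assumptions an analyst would tune against their own feed.</p>

```python
"""Heuristic detector for coordinated cross-account posting.

Added example for this page; not code from the Cyber Centre or any social
media platform. It combines two indicators the report lists for social
botnets: near-identical text and tight timing across distinct accounts.
SAMPLE_POSTS is constructed data; the thresholds are tuning assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample feed: (account, ISO-8601 timestamp, post text).
# acct_1001..acct_1004 post paraphrases of one slogan within six minutes;
# alice and bob are unrelated; carol copies the slogan 3.5 hours later.
SAMPLE_POSTS = [
    ("acct_1001", "2024-01-05T10:00:00", "The harbour bridge project is a scam. Vote NO on Sunday!"),
    ("acct_1002", "2024-01-05T10:02:00", "The harbour bridge project is a scam, vote no on Sunday"),
    ("acct_1003", "2024-01-05T10:03:00", "harbour bridge project is a scam!! vote no on sunday"),
    ("acct_1004", "2024-01-05T10:06:00", "The harbour bridge project is a scam. Vote no on Sunday! #wakeup"),
    ("alice", "2024-01-05T10:01:00", "Anyone know when polling stations open on Sunday?"),
    ("bob", "2024-01-05T10:04:00", "Great weather for the rally downtown today"),
    ("carol", "2024-01-05T13:30:00", "The harbour bridge project is a scam. Vote NO on Sunday!"),
]


def tokens(text):
    """Lower-cased word set; punctuation and case differences are ignored."""
    return set(re.findall(r"[a-z0-9']+", text.lower()))


def jaccard(a, b):
    """Token-set overlap in [0, 1]; 1.0 means identical word sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def find_coordinated_clusters(posts, sim_threshold=0.7, window_minutes=10,
                              min_accounts=3):
    """Link posts that are both similar and close in time (union-find), then
    keep linked groups that span at least min_accounts distinct accounts."""
    window = timedelta(minutes=window_minutes)
    parsed = [(acct, datetime.fromisoformat(ts), tokens(text), text)
              for acct, ts, text in posts]
    parent = list(range(len(parsed)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            acct_i, t_i, tok_i, _ = parsed[i]
            acct_j, t_j, tok_j, _ = parsed[j]
            if acct_i == acct_j:
                continue  # one account repeating itself is not cross-account coordination
            if abs(t_i - t_j) <= window and jaccard(tok_i, tok_j) >= sim_threshold:
                parent[find(i)] = find(j)

    groups = {}
    for idx in range(len(parsed)):
        groups.setdefault(find(idx), []).append(idx)

    clusters = []
    for members in groups.values():
        accounts = sorted({parsed[m][0] for m in members})
        if len(accounts) < min_accounts:
            continue
        times = [parsed[m][1] for m in members]
        clusters.append({
            "accounts": accounts,
            "posts": len(members),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
            "sample_text": parsed[members[0]][3],
        })
    clusters.sort(key=lambda c: len(c["accounts"]), reverse=True)
    return clusters


if __name__ == "__main__":
    for c in find_coordinated_clusters(SAMPLE_POSTS):
        print(f"{len(c['accounts'])} accounts, {c['posts']} posts in "
              f"{c['span_seconds']}s: {c['sample_text']!r}")
    # A lax window also sweeps in carol's lone repost hours later.
    lax = find_coordinated_clusters(SAMPLE_POSTS, window_minutes=240)
    print("with a 4-hour window:", lax[0]["accounts"])
```

<p>Text similarity alone would also flag <code>carol</code>, who copied the slogan hours later; requiring the matching posts to fall inside the window is what separates coordination from an ordinary repost, and widening the window to four hours pulls that account in. The window and overlap threshold therefore belong to the analyst, not the tool, and a real deployment would add the avatar signal and an account-age check before acting on a cluster.</p> <p>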
The accounts echoed narratives pushed by <abbr title="People’s Republic of China">PRC </abbr> state media and often sought to denigrate the US-Taiwanese relationship and harm the electoral candidacy of Lai Ching-Te, the leader of the Democratic Progressive Party.<span class="nowrap"><sup id="fn57a-rf"><a class="fn-lnk" href="#fn57"><span class="wb-inv">Footnote </span>57</a></sup></span> The botnet also shared and amplified content that disparaged the character of various Taiwanese politicians, including the leak of an alleged deepfake sex tape posted to a pornographic website.<sup id="fn58-rf"><a class="fn-lnk" href="#fn58"><span class="wb-inv">Footnote </span>58</a></sup></p> <section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title">Spamouflage Dragon</h4> </header><div class="panel-body"> <p>In 2023, the Spamouflage network spread disinformation targeting dozens of MPs, including the Prime Minister, the leader of the opposition, and several members of Cabinet. 
The network has also used generative <abbr title="Artificial Intelligence">AI </abbr> to target Mandarin-speaking figures in Canada.<sup id="fn59-rf"><a class="fn-lnk" href="#fn59"><span class="wb-inv">Footnote </span>59</a></sup></p> </div> </section><p>Similarly, Spamouflage Dragon, a probable <abbr title="People’s Republic of China">PRC </abbr>-driven propaganda campaign that has targeted Canada in the past, has used generative <abbr title="Artificial Intelligence">AI </abbr> to create disinformation to influence foreign voters ahead of democratic elections <span class="nowrap">internationally.<sup id="fn60-rf"><a class="fn-lnk" href="#fn60"><span class="wb-inv">Footnote </span>60</a></sup></span></p> <p>Although these efforts did not garner much attention, independent research organizations have noted that the <abbr title="People’s Republic of China">PRC </abbr> is refining its propaganda efforts, which are starting to gain more engagement from authentic citizens in the targeted electorate.<sup id="fn61-rf"><a class="fn-lnk" href="#fn61"><span class="wb-inv">Footnote </span>61</a></sup></p> <p>As stated earlier, the <abbr title="People’s Republic of China">PRC </abbr> conducts massive data collection operations against Western populations. 
Although these data serve various purposes, we assess it likely that the <abbr title="People’s Republic of China">PRC </abbr> has both the ability and intent to use machine learning to analyze these data to produce detailed intelligence profiles of potential targets connected to democratic processes.<sup id="fn62-rf"><a class="fn-lnk" href="#fn62"><span class="wb-inv">Footnote </span>62</a></sup> These include voters, politicians, members of the media, public servants, and activists.<sup id="fn63-rf"><a class="fn-lnk" href="#fn63"><span class="wb-inv">Footnote </span>63</a></sup> Working in cooperation with <abbr title="People’s Republic of China">PRC </abbr>-based technology companies, the <abbr title="People’s Republic of China">PRC </abbr> uses this data to aid intelligence work, including to:</p> <ul><li>inform decision-making</li> <li>identify recruitment opportunities</li> <li>enhance influence operations<sup id="fn64-rf"><a class="fn-lnk" href="#fn64"><span class="wb-inv">Footnote </span>64</a></sup></li> </ul><p>We assess it almost certain that the <abbr title="People’s Republic of China">PRC </abbr> will continue to harvest politically relevant information from Western societies.</p> <p>We assess it likely that the <abbr title="People’s Republic of China">PRC </abbr> has leveraged TikTok, a social media platform owned by the <abbr title="People’s Republic of China">PRC </abbr>-based company ByteDance, to promote pro-<abbr title="People’s Republic of China">PRC</abbr> narratives in democratic states and to censor anti-<abbr title="People’s Republic of China">PRC</abbr> narratives.<sup id="fn66-rf"><a class="fn-lnk" href="#fn66"><span class="wb-inv">Footnote </span>66</a></sup> According to the Network Contagion Research Institute, the <abbr title="People’s Republic of China">PRC </abbr> "is deploying algorithmic manipulation in combination with prolific information operations to impact user beliefs and behaviours on a massive scale."<sup id="fn67-rf"><a 
class="fn-lnk" href="#fn67"><span class="wb-inv">Footnote </span>67</a></sup> We assess it likely that these operations have, on at least one occasion, targeted voters ahead of an election.<sup id="fn68-rf"><a class="fn-lnk" href="#fn68"><span class="wb-inv">Footnote </span>68</a></sup></p> <h3 id="iran">Iran</h3> <p>According to the FBI, in 2024, the Islamic Revolutionary Guard Corps (IRGC) used spear phishing to hack into one US presidential campaign and attempt to hack into the campaign of a second candidate.<sup id="fn69-rf"><a class="fn-lnk" href="#fn69"><span class="wb-inv">Footnote </span>69</a></sup> It remains unclear whether the <abbr title="Islamic Revolutionary Guard Corps">IRGC </abbr> used <abbr title="Artificial Intelligence">AI </abbr> in this case. However, the <abbr title="Islamic Revolutionary Guard Corps">IRGC </abbr> has been observed in other cases using <abbr title="Large Language Models">LLMs </abbr> to generate targeted and convincing emails enticing the target to click a link (or open an attachment) that leads to a malicious webpage or downloads malware.<sup id="fn70-rf"><a class="fn-lnk" href="#fn70"><span class="wb-inv">Footnote </span>70</a></sup></p> <p>We assess it very likely that a hostile actor like the <abbr title="Islamic Revolutionary Guard Corps">IRGC </abbr> could integrate <abbr title="Artificial Intelligence">AI </abbr> into a similar cyber attack against election infrastructure. 
The <abbr title="Islamic Revolutionary Guard Corps">IRGC </abbr> has also spoofed login pages to harvest the credentials of their victims, a task which, like phishing, can be enhanced by <abbr title="Artificial Intelligence">AI </abbr> technologies.<sup id="fn71-rf"><a class="fn-lnk" href="#fn71"><span class="wb-inv">Footnote </span>71</a></sup> It is also likely that the <abbr title="Islamic Revolutionary Guard Corps">IRGC </abbr> has used <abbr title="Large Language Models">LLMs </abbr> to improve their malware code, disable antivirus software, and evade detection.<sup id="fn72-rf"><a class="fn-lnk" href="#fn72"><span class="wb-inv">Footnote </span>72</a></sup></p> <section class="panel panel-primary"><header class="panel-heading"><h4 class="panel-title">IRGC hack of US presidential campaign</h4> </header><div class="panel-body"> <p>During a 2024 hack of a US presidential campaign, the <abbr title="Islamic Revolutionary Guard Corps">IRGC </abbr> exfiltrated sensitive information and attempted to share it with the media and with individuals that the <abbr title="Islamic Revolutionary Guard Corps">IRGC </abbr> believed to be associated with rival campaigns. 
The media and rival campaigns rebuffed these efforts, reporting them to law enforcement, which minimized the effects of the operation.<span class="nowrap"><sup id="fn65-rf"><a class="fn-lnk" href="#fn65"><span class="wb-inv">Footnote </span>65</a></sup></span> Although it is unclear if <abbr title="Artificial Intelligence">AI </abbr> was used by the <abbr title="Islamic Revolutionary Guard Corps">IRGC </abbr> in this case, the <abbr title="Islamic Revolutionary Guard Corps">IRGC </abbr> has been known to use <abbr title="Large Language Models">LLMs </abbr> in similar activities.</p> </div> </section><h3 id="nonstate">Cybercriminals and non-state actors</h3> <p>Cybercriminals and non-state actors are almost certainly responsible for the vast majority of non-consensual deepfake pornography targeting politicians, public figures, and people in the media. Cybercriminals also prolifically conduct hack-and-leak operations against commercial and public databases, including in democratic states.<sup id="fn73-rf"><a class="fn-lnk" href="#fn73"><span class="wb-inv">Footnote </span>73</a></sup> While the Cyber Centre defines cybercrime as financially motivated cyber threat activity, nation states are known buyers of stolen <span class="nowrap">data.<sup id="fn74-rf"><a class="fn-lnk" href="#fn74"><span class="wb-inv">Footnote </span>74</a></sup></span> Stolen data can be used for various purposes, and we assess it likely that some of this data is used by nation states to enhance their <abbr title="Artificial Intelligence">AI </abbr>- and machine learning-enabled operations against democratic processes.</p> <p>Cybercriminals are also known to take advantage of events with high media coverage, such as an election, as an opportunity to commit scams and fraud against voters.<sup id="fn75-rf"><a class="fn-lnk" href="#fn75"><span class="wb-inv">Footnote </span>75</a></sup> We assess it very likely that, over the next two years, cybercriminals will use deepfakes and <abbr 
title="Artificial Intelligence">AI </abbr>-enabled phishing to deploy a range of cyber attacks against democratic processes. These include more disruptive forms of cybercrime like ransomware.<sup id="fn76-rf"><a class="fn-lnk" href="#fn76"><span class="wb-inv">Footnote </span>76</a></sup></p> <p>Non-state actors or domestic influencers may wittingly or unwittingly amplify <abbr title="Artificial Intelligence">AI </abbr>-enabled foreign disinformation. Given that such actors typically form more connected and trusted links within domestic social networks, their impact on the amplification of disinformation is larger than that of regular users. As noted earlier, attempts by Russia-linked actors to seed salacious stories about Tim Walz failed to generate much attention until key American influencers engaged with and amplified the content from their platforms.<sup id="fn50c-rf"><a class="fn-lnk" href="#fn50"><span class="wb-inv">Footnote </span>50</a></sup></p> </section><h2 class="text-info page-header mrgn-tp-lg" id="implications">Implications for Canadian elections</h2> <p>We assess that the <abbr title="People’s Republic of China">PRC </abbr>, Russia, and Iran will very likely use <abbr title="Artificial Intelligence">AI </abbr>-enabled tools to attempt to interfere with Canada’s democratic process before and during the 2025 election. 
We assess it likely that cybercriminals will take advantage of election-related opportunities in Canada to conduct scams and fraud, without being uniquely focused on exploiting Canadian elections.</p> <p>When targeting Canadian elections, threat actors are most likely to use generative <abbr title="Artificial Intelligence">AI </abbr> as a means of creating and spreading disinformation, designed to sow division among Canadians and push narratives conducive to the interests of foreign states. We assess it very likely that <abbr title="People’s Republic of China">PRC </abbr>-affiliated actors will continue to specifically target Chinese-diaspora communities in Canada, pushing narratives favourable to <abbr title="People’s Republic of China">PRC </abbr> interests on social media platforms.<sup id="fn77-rf"><a class="fn-lnk" href="#fn77"><span class="wb-inv">Footnote </span>77</a></sup> Since Canadians share a common information ecosystem with the US, Canadians have already been exposed to <abbr title="Artificial Intelligence">AI </abbr>-enabled disinformation targeting US citizens.<sup id="fn78-rf"><a class="fn-lnk" href="#fn78"><span class="wb-inv">Footnote </span>78</a></sup> It is almost certain that this trend will continue. However, the extent to which any given piece of disinformation will gain visibility or resonance among Canadians is unpredictable.</p> <p>Canadian politicians and political parties are likely to be targeted by threat actors seeking to conduct hack-and-leak operations. As we have observed in other contexts, we assess it likely that threat actors will leverage <abbr title="Large Language Models">LLMs </abbr> to engage with targets as part of an extended phishing operation. 
However, we assess it very unlikely that hostile actors will carry out a destructive cyber attack against election infrastructure, such as attempting to paralyze telecommunications systems on election day, outside of imminent or direct armed conflict.</p> <p>Finally, Canadian public figures, especially women and members of the 2SLGBTQI+ community, are at heightened risk of being targeted by deepfake pornography. Without updated legal and regulatory guidelines, we assess it very likely that the spread of this content will continue unabated.</p> <section><h2 class="text-info page-header mrgn-tp-lg" id="looking">Looking ahead</h2> <p>Cyber threat activity continues to be used to target democratic processes globally. The Cyber Centre, as part of CSE, produces advice and guidance to help inform Canadians about the <a href="/en/guidance/cyber-threats-elections">cyber threats to Canada’s elections</a>.</p> <p>We provide cyber security advice and guidance to all major political parties, in part through publications such as the <a href="https://cyber.gc.ca/en/guidance/cyber-security-guide-campaign-teams">Cyber Security Guide for Campaign Teams</a> and <a href="/en/guidance/cyber-security-advice-political-candidates">Cyber Security Advice for Political Candidates</a>. Representatives from CSE form part of Canada’s <a href="https://www.canada.ca/en/democratic-institutions/services/protecting-democracy/security-task-force.html">Security and Intelligence Threats to Elections (SITE)</a> task force.</p> <p>We work closely with Elections Canada to protect its infrastructure and defend our elections from cyber threats. 
CSE is authorized by the Minister of National Defence to conduct defensive cyber operations (DCO) to protect the Government of Canada, including Elections Canada. This authorization allows CSE to disrupt malicious cyber activities against those systems. CSE is also authorized to protect systems of importance to the government, such as those related to a general election.</p> <p>Additionally, the <a href="https://www.cse-cst.gc.ca/en/accountability/transparency/reports/communications-security-establishment-annual-report-2023-2024#9-1-1">Cyber Centre’s sensors program</a> helps defend Elections Canada’s infrastructure by monitoring and mitigating potential cyber threats. We also provide expert advice through publications like <a href="/en/guidance/security-considerations-electronic-poll-book-systems-itsm10101">Security Considerations for Electronic Poll Book Systems</a> and <a href="/en/guidance/cyber-security-guidance-elections-authorities-itsm10020">Cyber Security Guidance for Elections Authorities</a> to help electoral bodies enhance their cyber security measures.</p> <p>To further protect our democratic institutions, the Privy Council Office has published <a href="https://www.canada.ca/en/democratic-institutions/services/protecting-democratic-institutions.html">resources for how to combat disinformation and foreign interference</a>. 
These include toolkits for community leaders, elected officials, public office holders, and public servants.</p> <p>We encourage Canadians to consult the following resources related to the themes in this assessment:</p> <ul><li><a href="/en/guidance/generative-artificial-intelligence-ai-itsap00041">Cyber Security Guidance on Generative Artificial Intelligence (AI)</a></li> <li><a href="/en/guidance/security-considerations-when-using-social-media-your-organization-itsm10066">Guide on Security Considerations When Using Social Media in Your Organization</a></li> <li><a href="https://www.canada.ca/en/campaign/online-disinformation.html">Cyber Security Guidance on Identifying and Countering Online Disinformation</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/secure-your-accounts/social-media">Guidance on Using Social Media Safely</a></li> <li><a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a></li> <li><a href="/en/guidance/how-identify-misinformation-disinformation-and-malinformation-itsap00300">How to Identify Misinformation, Disinformation, and Malinformation</a></li> <li><a href="/en/guidance/fact-sheet-canadian-voters-online-influence-activities">Fact Sheet for Canadian Voters</a></li> </ul><p>CSE’s <a href="https://www.getcybersafe.gc.ca/en">Get Cyber Safe</a> campaign continues to publish relevant advice and guidance throughout the year to inform Canadians about cyber security and the steps they can take to protect themselves online.</p> </section><section><aside class="wb-fnote" role="note"><h2 id="fn">Endnotes</h2> <dl><dt>*</dt> <dd id="fn*"> <p>A single terabyte is the equivalent of approximately 500 hours of HD video or 6.5-million document pages 
stored in PDF form.</p> <p class="fn-rtn"><a href="#fn*-rf"><span class="wb-inv">Return to footnote </span>*<span class="wb-inv"> referrer</span></a></p> </dd> <dt>**</dt> <dd id="fn**"> <p>A petabyte is 1,000 terabytes, or the equivalent of 11,000 HD movies. An exabyte is 1,000 petabytes.</p> <p class="fn-rtn"><a href="#fn**-rf"><span class="wb-inv">Return to footnote </span>**<span class="wb-inv"> referrer</span></a></p> </dd> <dt>***</dt> <dd id="fn***"> <p>For contrast, the Frankfurter Allgemeine Zeitung, a popular German newspaper, typically receives over nine million views per month.</p> <p class="fn-rtn"><a href="#fn***-rf"><span class="wb-inv">Return to footnote </span>***<span class="wb-inv"> referrer</span></a></p> </dd> <dt>1</dt> <dd id="fn1"> <p>Jack Nicas and Lucía Cholakian Herrera, "<a href="https://www.nytimes.com/2023/11/15/world/americas/argentina-election-ai-milei-massa.html">Is Argentina the First A.I. Election?</a>," The New York Times, November 15, 2023.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>2</dt> <dd id="fn2"> <p>"<a href="https://toloka.ai/blog/history-of-generative-ai">History of Generative <abbr title="Artificial Intelligence">AI </abbr></a>," Toloka, August 22, 2023.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote </span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>3</dt> <dd id="fn3"> <p>Paul Scharre, Four Battlegrounds: Power in the Age of Artificial Intelligence (New York: W.W. 
Norton and Company, 2023); "<a href="https://www.intelligenceonline.com/surveillance–interception/2023/03/22/uae-s-edge-group-and-g42-get-into-natural-language-processing,109926405-art">UAE: UAE’s Edge Group and G42 Get into Natural Language Processing – 22/03/2023</a>," Intelligence Online, December 17, 2024.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote </span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>4</dt> <dd id="fn4"> <p>"<a href="https://datareportal.com/reports/digital-2024-canada">Digital 2024: Canada</a>," DataReportal – Global Digital Insights, February 22, 2024.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote </span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>5</dt> <dd id="fn5"> <p>Statistics Canada, "<a href="https://www150.statcan.gc.ca/n1/daily-quotidien/231110/dq231110b-eng.htm">Canadian Social Survey – Quality of Life, Virtual Health Care and Trust, 2023</a>," November 10, 2023.</p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote </span>5<span class="wb-inv"> referrer</span></a></p> </dd> <dt>6</dt> <dd id="fn6"> <p>Belle Lin, "<a href="https://www.wsj.com/articles/welcome-to-the-era-of-badgpts-a104afa8">Welcome to the Era of BadGPTs</a>," The Wall Street Journal, February 28, 2024; "<a href="https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat">The Near-Term Impact of <abbr title="Artificial Intelligence">AI </abbr> on the Cyber Threat</a>," National Cyber Security Centre, January 24, 2024.</p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote </span>6<span class="wb-inv"> referrer</span></a></p> </dd> <dt>7</dt> <dd id="fn7"> <p>Elizabeth Judge and Michael Pal, "Voter Privacy and Big-Data Elections," Osgoode Hall Law Journal 58, no. 
1 (March 9, 2021): 1–55.</p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote </span>7<span class="wb-inv"> referrer</span></a></p> </dd> <dt>8</dt> <dd id="fn8"> <p>"<a href="https://www.ncsc.gov.uk/news/china-state-affiliated-actors-target-uk-democratic-institutions-parliamentarians">UK Calls out China State-Affiliated Actors for Malicious Cyber Targeting of UK Democratic Institutions and Parliamentarians</a>," National Cyber Security Centre, March 25, 2024.</p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote </span>8<span class="wb-inv"> referrer</span></a></p> </dd> <dt>9</dt> <dd id="fn9"> <p>Dan Milmo, "<a href="https://www.theguardian.com/politics/2023/aug/09/hacked-uk-electoral-commission-data-target-voter-disinformation-warn-expert">Hacked UK Voter Data Could Be Used to Target Disinformation, Warn Experts</a>," The Guardian, August 9, 2023.</p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote </span>9<span class="wb-inv"> referrer</span></a></p> </dd> <dt>10</dt> <dd id="fn10"> <p>Darren Linvill and Patrick Warren, "<a href="https://open.clemson.edu/mfh_reports/7/">Digital Yard Signs: Analysis of an <abbr title="Artificial Intelligence">AI </abbr> Bot Political Influence Campaign on X</a>," Clemson University Media Forensics Hub, September 30, 2024; Kai-Cheng Yang and Filippo Menczer, "Anatomy of an AI-Powered Malicious Social Botnet," Journal of Quantitative Description: Digital Media 4 (May 29, 2024).</p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote </span>10<span class="wb-inv"> referrer</span></a></p> </dd> <dt>11</dt> <dd id="fn11"> <p>"<a href="https://foreigninterferencecommission.ca/fileadmin/user_upload/Foreign_Interference_Commission_-_Initial_Report__May_2024__-_Digital.pdf">Public Inquiry into Foreign Interference in Federal Electoral Processes and Democratic Institutions (PDF)</a>," Foreign Interference Commission, May 3, 
2024, 128–35.</p> <p class="fn-rtn"><a href="#fn11-rf"><span class="wb-inv">Return to footnote </span>11<span class="wb-inv"> referrer</span></a></p> </dd> <dt>12</dt> <dd id="fn12"> <p>Julian Hazell, "<a href="https://cdn.governance.ai/Spear_Phishing_with_Large_Language_Models.pdf">Spear Phishing with Large Language Models (PDF)</a>," Oxford Internet Institute, December 14, 2023.</p> <p class="fn-rtn"><a href="#fn12-rf"><span class="wb-inv">Return to footnote </span>12<span class="wb-inv"> referrer</span></a></p> </dd> <dt>13</dt> <dd id="fn13"> <p>Fredrik Heiding, Bruce Schneier, and Arun Vishwanath, "<a href="https://hbr.org/2024/05/ai-will-increase-the-quantity-and-quality-of-phishing-scams"><abbr title="Artificial Intelligence">AI </abbr> Will Increase the Quantity – and Quality – of Phishing Scams</a>," Harvard Business Review, May 30, 2024.</p> <p class="fn-rtn"><a href="#fn13-rf"><span class="wb-inv">Return to footnote </span>13<span class="wb-inv"> referrer</span></a></p> </dd> <dt>14</dt> <dd id="fn14"> <p>"<a href="https://openai.com/index/better-language-models/">Better Language Models and Their Implications</a>," OpenAI, February 14, 2019.</p> <p class="fn-rtn"><a href="#fn14-rf"><span class="wb-inv">Return to footnote </span>14<span class="wb-inv"> referrer</span></a></p> </dd> <dt>15</dt> <dd id="fn15"> <p>Belle Lin, "<a href="https://www.wsj.com/articles/welcome-to-the-era-of-badgpts-a104afa8">Welcome to the Era of BadGPTs</a>," The Wall Street Journal, February 28, 2024.</p> <p class="fn-rtn"><a href="#fn15-rf"><span class="wb-inv">Return to footnote </span>15<span class="wb-inv"> referrer</span></a></p> </dd> <dt>16</dt> <dd id="fn16"> <p>A summary of deepfake technology and the threat it could pose to Canada can be found at <a 
href="https://www.canada.ca/en/security-intelligence-service/corporate/publications/the-evolution-of-disinformation-a-deepfake-future.html">"The Evolution of Disinformation: A Deepfake Future</a>," Canadian Security Intelligence Service, October 2023.</p> <p class="fn-rtn"><a href="#fn16-rf"><span class="wb-inv">Return to footnote </span>16<span class="wb-inv"> referrer</span></a></p> </dd> <dt>17</dt> <dd id="fn17"> <p>"<a href="https://www.canada.ca/en/security-intelligence-service/corporate/publications/the-evolution-of-disinformation-a-deepfake-future.html">The Evolution of Disinformation: A Deepfake Future (PDF)</a>," Canadian Security Intelligence Service, October 2023.</p> <p class="fn-rtn"><a href="#fn17-rf"><span class="wb-inv">Return to footnote </span>17<span class="wb-inv"> referrer</span></a></p> </dd> <dt>18</dt> <dd id="fn18"> <p>Kathryn Mannie, "<a href="https://globalnews.ca/news/10273167/deepfake-scam-cfo-coworkers-video-call-hong-kong-ai/">Company out $35M after Scammers Stage Video Call with Deepfake CFO, Coworkers</a>," Global News, February 5, 2024.</p> <p class="fn-rtn"><a href="#fn18-rf"><span class="wb-inv">Return to footnote </span>18<span class="wb-inv"> referrer</span></a></p> </dd> <dt>19</dt> <dd id="fn19"> <p>Nate Nelson, "<a href="https://www.darkreading.com/threat-intelligence/deepfake-apps-explode-multimillion-dollar-corporate-heists">Deepfake-Generating Apps Explode, Allowing Multimillion-Dollar Corporate Heists</a>," February 5, 2024.</p> <p class="fn-rtn"><a href="#fn19-rf"><span class="wb-inv">Return to footnote </span>19<span class="wb-inv"> referrer</span></a></p> </dd> <dt>20</dt> <dd id="fn20"> <p>"<a href="https://www.ft.com/video/4f473456-ca0e-4f0b-a9aa-9bac1e3220a6"><abbr title="Artificial Intelligence">AI </abbr> Deepfakes Can Sway Voters and Disrupt Elections</a>," Financial Times, July 7, 2024.</p> <p class="fn-rtn"><a href="#fn20-rf"><span class="wb-inv">Return to footnote 
</span>20<span class="wb-inv"> referrer</span></a></p> </dd> <dt>21</dt> <dd id="fn21"> <p>Satish Lalchand et al., "<a href="https://www2.deloitte.com/us/en/insights/industry/financial-services/financial-services-industry-predictions/2024/deepfake-banking-fraud-risk-on-the-rise.html">Generative AI Is Expected to Magnify the Risk of Deepfakes and Other Fraud in Banking</a>," Deloitte, May 29, 2024.</p> <p class="fn-rtn"><a href="#fn21-rf"><span class="wb-inv">Return to footnote </span>21<span class="wb-inv"> referrer</span></a></p> </dd> <dt>22</dt> <dd id="fn22"> <p>"<a href="https://www.techtarget.com/searchdatamanagement/feature/Top-trends-in-big-data-for-2021-and-beyond">Top Trends in Big Data for 2024 and Beyond</a>," TechTarget, January 12, 2024; Our World in Data, "<a href="https://ourworldindata.org/grapher/artificial-intelligence-training-computation">Computation Used to Train Notable Artificial Intelligence Systems, by Domain</a>," 2023.</p> <p class="fn-rtn"><a href="#fn22-rf"><span class="wb-inv">Return to footnote </span>22<span class="wb-inv"> referrer</span></a></p> </dd> <dt>23</dt> <dd id="fn23"> <p>William J. Brady et al., "Algorithm-Mediated Social Learning in Online Social Networks," Trends in Cognitive Sciences 27, no. 10 (October 1, 2023): 947–60.</p> <p class="fn-rtn"><a href="#fn23-rf"><span class="wb-inv">Return to footnote </span>23<span class="wb-inv"> referrer</span></a></p> </dd> <dt>24</dt> <dd id="fn24"> <p>Smitha Milli et al., "<a href="http://knightcolumbia.org/content/engagement-user-satisfaction-and-the-amplification-of-divisive-content-on-social-media">Engagement, User Satisfaction, and the Amplification of Divisive Content on Social Media</a>," Columbia University, January 3, 2024; Dominik Bär et al., "<a href="https://doi.org/10.1093/pnasnexus/pgae247">Systematic Discrepancies in the Delivery of Political Ads on Facebook and Instagram</a>," PNAS Nexus 3, no. 
7 (July 1, 2024); Joel Finkelstein et al., "<a href="https://networkcontagion.us/reports/the-ccps-digital-charm-offensive/">The CCP’s Digital Charm Offensive: How TikTok’s Search Algorithm and Pro-China Influence Networks Indoctrinate GenZ Users in the United States</a>," Network Contagion Research Institute, August 2024; Karen Hao, "<a href="https://www.technologyreview.com/2021/09/16/1035851/facebook-troll-farms-report-us-2020-election/">Troll Farms Reached 140 Million Americans a Month on Facebook before 2020 Election, Internal Report Shows</a>," MIT Technology Review, September 16, 2021.</p> <p class="fn-rtn"><a href="#fn24-rf"><span class="wb-inv">Return to footnote </span>24<span class="wb-inv"> referrer</span></a></p> </dd> <dt>25</dt> <dd id="fn25"> <p>Robert McMillan, Dustin Volz, and Aruna Viswanatha, "<a href="https://www.wsj.com/tech/ai/china-is-stealing-ai-secrets-to-turbocharge-spying-u-s-says-00413594">China Is Stealing <abbr title="Artificial Intelligence">AI </abbr> Secrets to Turbocharge Spying, U.S. 
Says</a>," The Wall Street Journal, December 25, 2023.</p> <p class="fn-rtn"><a href="#fn25-rf"><span class="wb-inv">Return to footnote </span>25<span class="wb-inv"> referrer</span></a></p> </dd> <dt>26</dt> <dd id="fn26"> <p>Mohar Chatterjee, "<a href="https://www.politico.com/news/2024/08/15/what-ai-is-doing-to-campaigns-00174285">What AI Is Doing to Campaigns</a>," Politico, August 15, 2024.</p> <p class="fn-rtn"><a href="#fn26-rf"><span class="wb-inv">Return to footnote </span>26<span class="wb-inv"> referrer</span></a></p> </dd> <dt>27</dt> <dd id="fn27"> <p>Sandro Shubladze, "<a href="https://www.forbes.com/councils/forbestechcouncil/2024/04/30/empowering-decision-making-with-real-time-data-analytics/">Empowering Decision-Making With Real-Time Data Analytics</a>," Forbes, April 30, 2024.</p> <p class="fn-rtn"><a href="#fn27-rf"><span class="wb-inv">Return to footnote </span>27<span class="wb-inv"> referrer</span></a></p> </dd> <dt>28</dt> <dd id="fn28"> <p>See, for example: "<a href="https://openai.com/index/disrupting-deceptive-uses-of-AI-by-covert-influence-operations/">Disrupting deceptive uses of AI by covert influence operations</a>," OpenAI, May 30, 2024; "<a href="https://ailabs.tw/wp-content/uploads/2024/01/2024-Taiwan-Presidential-Election-Information-Manipulation-AI-Observation-Report-2.pdf">2024 Taiwan Presidential Election Information Manipulation <abbr title="Artificial Intelligence">AI </abbr> Observation Report (PDF)</a>," AI Labs, 2024; Morgan Wack, Darren Linvill, and Patrick Warren, "<a href="https://open.clemson.edu/mfh_reports/5">Old Despots, New Tricks – An <abbr title="Artificial Intelligence">AI </abbr>-Empowered Pro-Kagame/RPF Coordinated Influence Network on X</a>," Media Forensics Hub Reports, June 2024.</p> <p class="fn-rtn"><a href="#fn28-rf"><span class="wb-inv">Return to footnote </span>28<span class="wb-inv"> referrer</span></a></p> </dd> <dt>29</dt> <dd id="fn29"> <p>"<a 
href="https://www.justice.gov/opa/media/1366261/dl">US FBI Affidavit in Support of Seizure Warrant</a>," United States District Court for the Eastern District of Pennsylvania, September 9, 2024, 30–31, 219.</p> <p class="fn-rtn"><a href="#fn29-rf"><span class="wb-inv">Return to footnote </span>29<span class="wb-inv"> referrer</span></a></p> </dd> <dt>30</dt> <dd id="fn30"> <p>The three observed cases were phishing campaigns against the Trump and Harris presidential campaigns, and against Moldovan officials during the Moldovan election in fall 2024. Daryna Antoniuk, "<a href="https://therecord.media/iran-targets-us-election">Google: Islamic Hackers Targeting Affiliates of Both US Presidential Campaigns</a>," August 15, 2024; "<a href="https://research.checkpoint.com/2024/disinformation-campaign-moldova/">Operation MiddleFloor: Disinformation Campaign Targets Moldova Ahead of Presidential Elections and EU Membership Referendum</a>," Check Point Research, October 9, 2024.</p> <p class="fn-rtn"><a href="#fn30-rf"><span class="wb-inv">Return to footnote </span>30<span class="wb-inv"> referrer</span></a></p> </dd> <dt>31</dt> <dd id="fn31"> <p>Deepen Desai and Rohit Hedge, "<a href="https://www.zscaler.com/blogs/security-research/phishing-attacks-rise-58-year-ai-threatlabz-2024-phishing-report">Phishing Attacks Rise: ThreatLabz 2024 Phishing Report</a>," ZScaler, April 2024.</p> <p class="fn-rtn"><a href="#fn31-rf"><span class="wb-inv">Return to footnote </span>31<span class="wb-inv"> referrer</span></a></p> </dd> <dt>32</dt> <dd id="fn32"> <p>Belle Lin, "<a href="https://www.wsj.com/articles/welcome-to-the-era-of-badgpts-a104afa8">Welcome to the Era of BadGPTs</a>," The Wall Street Journal, February 28, 2024; Kevin Poireault, "<a href="https://www.infosecurityeurope.com/en-gb/blog/threat-vectors/generative-ai-dark-web-bots.html">The Dark Side of Generative <abbr title="Artificial Intelligence">AI </abbr>: Five Malicious <abbr title="Large 
Language Models">LLMs </abbr> Found on the Dark Web</a>," Infosecurity Europe, August 10, 2023.</p> <p class="fn-rtn"><a href="#fn32-rf"><span class="wb-inv">Return to footnote </span>32<span class="wb-inv"> referrer</span></a></p> </dd> <dt>33</dt> <dd id="fn33"> <p>Cate Cadell, "<a href="https://www.washingtonpost.com/national-security/china-harvests-masses-of-data-on-western-targets-documents-show/2021/12/31/3981ce9c-538e-11ec-8927-c396fa861a71_story.html">China Harvests Masses of Data on Western Targets, Documents Show</a>," Washington Post, December 31, 2021; Craig Silverman, "<a href="https://www.propublica.org/article/google-russia-rutarget-sberbank-sanctions-ukraine">Google Allowed a Sanctioned Russian Ad Company to Harvest User Data for Months</a>," ProPublica, July 1, 2022.</p> <p class="fn-rtn"><a href="#fn33-rf"><span class="wb-inv">Return to footnote </span>33<span class="wb-inv"> referrer</span></a></p> </dd> <dt>34</dt> <dd id="fn34"> <p>Mark Landler and Stephen Castle, "<a href="https://www.nytimes.com/2024/03/25/world/europe/uk-china-cyberattack-hacking.html">U.K. 
Accuses China of Cyberattacks Targeting Voter Data and Lawmakers</a>," The New York Times, March 25, 2024; Christopher Balding, "<a href="https://doi.org/10.2139/ssrn.3691999">Chinese Open Source Data Collection, Big Data, And Private Enterprise Work For State Intelligence and Security: The Case of Shenzhen Zhenhua</a>," SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, September 13, 2020).</p> <p class="fn-rtn"><a href="#fn34-rf"><span class="wb-inv">Return to footnote </span>34<span class="wb-inv"> referrer</span></a></p> </dd> <dt>35</dt> <dd id="fn35"> <p>Patrick Tucker, "<a href="https://www.defenseone.com/technology/2024/04/how-china-used-tiktok-ai-and-big-data-target-taiwans-elections/395569/">How China Used TikTok, <abbr title="Artificial Intelligence">AI </abbr>, and Big Data to Target Taiwan’s Elections</a>," April 8, 2024.</p> <p class="fn-rtn"><a href="#fn35-rf"><span class="wb-inv">Return to footnote </span>35<span class="wb-inv"> referrer</span></a></p> </dd> <dt>36</dt> <dd id="fn36"> <p>See, for example, "<a href="https://www.justice.gov/usao-edny/pr/34-officers-peoples-republic-china-national-police-charged-perpetrating-transnational">Press Release: Eastern District of New York | 34 Officers of People’s Republic of China National Police Charged with Perpetrating Transnational Repression Scheme Targeting U.S. Residents</a>," United States Attorney’s Office, April 17, 2023. 
Read the full indictment "<a href="https://web.archive.org/web/20250204065726/https:/www.justice.gov/d9/2023-04/squad_912_-_23-mj-0334_redacted_complaint_signed.pdf">Complaint and Affidavit in Support of Application for Arrest Warrant (PDF)</a>," especially p. 8–9.</p> <p class="fn-rtn"><a href="#fn36-rf"><span class="wb-inv">Return to footnote </span>36<span class="wb-inv"> referrer</span></a></p> </dd> <dt>37</dt> <dd id="fn37"> <p>"<a href="https://www.justice.gov/archives/opa/media/1366261/dl">US FBI Affidavit in Support of Seizure Warrant</a>," United States District Court for the Eastern District of Pennsylvania, September 9, 2024, 30, 216–20.</p> <p class="fn-rtn"><a href="#fn37-rf"><span class="wb-inv">Return to footnote </span>37<span class="wb-inv"> referrer</span></a></p> </dd> <dt>38</dt> <dd id="fn38"> <p>Kathy Newman, "<a href="https://www.channel4.com/news/exclusive-top-uk-politicians-victims-of-deepfake-pornography">Exclusive: Top UK Politicians Victims of Deepfake Pornography</a>," Channel 4, July 1, 2024.</p> <p class="fn-rtn"><a href="#fn38-rf"><span class="wb-inv">Return to footnote </span>38<span class="wb-inv"> referrer</span></a></p> </dd> <dt>39</dt> <dd id="fn39"> <p>Thanos Sitistas Epachtitis, "<a href="https://www.factchecker.gr/2024/04/03/ai-generated-image-of-kasselakis-and-tyler-naked-on-a-beach/"><span lang="el" xml:lang="el">Κατασκευασμένη με λογισμικό AI η φωτογραφία που «δείχνει» τον Σ. Κασσελάκη και τον Τ. Μακμπέθ γυμνούς σε παραλία</span> (in Greek only)</a>," Greece Fact Check, April 3, 2024.</p> <p class="fn-rtn"><a href="#fn39-rf"><span class="wb-inv">Return to footnote </span>39<span class="wb-inv"> referrer</span></a></p> </dd> <dt>40</dt> <dd id="fn40"> <p>The Tribune, "<a href="https://www.tribuneindia.com/news/science-technology/from-rashmika-mandanna-to-bangladeshi-politician-filmed-in-a-bikini-90-per-cent-of-deepfake-videos-online-are-pornographic-571782/">Pakistanis, Bangladeshi Politicians Are New Targets of Deepfake, 90 per Cent of Videos Online Are Pornographic</a>," December 14, 2023.</p> <p class="fn-rtn"><a href="#fn40-rf"><span class="wb-inv">Return to footnote </span>40<span class="wb-inv"> referrer</span></a></p> </dd> <dt>41</dt> <dd id="fn41"> <p>"<a href="https://www.securityhero.io/state-of-deepfakes/">2023 State Of Deepfakes: Realities, Threats, And Impact</a>," Security Hero, December 2023.</p> <p class="fn-rtn"><a href="#fn41-rf"><span class="wb-inv">Return to footnote </span>41<span class="wb-inv"> referrer</span></a></p> </dd> <dt>42</dt> <dd id="fn42"> <p>Chen-Ling Hung et al., "<a href="https://www.thomsonfoundation.org/media/268943/ai_disinformation_attacks_taiwan.pdf">AI Disinformation Attacks and Taiwan’s Responses during the 2024 Presidential Election (PDF)</a>," Thomson Foundation, April 2024, 5.</p> <p class="fn-rtn"><a href="#fn42-rf"><span class="wb-inv">Return to footnote </span>42<span class="wb-inv"> referrer</span></a></p> </dd> <dt>43</dt> <dd id="fn43"> <p>Max Seddon, Demetri Sevastopulo, and Joe Leahy, "<a href="https://www.ft.com/content/f77028c8-c960-4d10-b0eb-4c511924a4d5">Vladimir Putin and Xi Jinping Vow to Co-Operate against ‘Destructive and Hostile’ US</a>," Financial Times, May 16, 2024; Jonathan Rauch, "<a href="https://www.theatlantic.com/ideas/archive/2024/07/russia-china-nato-axis-resistance/678831/">Confronting the Axis of Resistance</a>," The Atlantic, 
July 1, 2024.</p> <p class="fn-rtn"><a href="#fn43-rf"><span class="wb-inv">Return to footnote </span>43<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 44</dt> <dd id="fn44"> <p>James Rundle, "<a href="https://www.wsj.com/articles/generative-ai-could-revolutionize-emailfor-hackers-5a8c725c">Generative <abbr title="Artificial Intelligence">AI</abbr> Could Revolutionize Email—for Hackers</a>," The Wall Street Journal, September 6, 2023.</p> <p class="fn-rtn"><a href="#fn44-rf"><span class="wb-inv">Return to footnote </span>44<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 45</dt> <dd id="fn45"> <p>Other state actors have been observed relying on <abbr title="Large Language Models">LLMs</abbr> to develop code to evade anti-virus protection software. See Microsoft Security, "<a href="https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/">Staying Ahead of Threat Actors in the Age of <abbr title="Artificial Intelligence">AI</abbr></a>," February 14, 2024.</p> <p class="fn-rtn"><a href="#fn45-rf"><span class="wb-inv">Return to footnote </span>45<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 46</dt> <dd id="fn46"> <p>"<a href="https://home.treasury.gov/news/press-releases/jy2195">Treasury Sanctions Actors Supporting Kremlin-Directed Malign Influence Efforts</a>," U.S.
Department of the Treasury, 20 2024; Sarah Thust, "<a href="https://correctiv.org/en/fact-checking-en/2024/11/15/doppelganger-correctiv-investigations-bring-russian-propaganda-campaign-to-a-halt/">Doppelganger: CORRECTIV Investigations Bring Russian Propaganda Campaign to a Halt</a>," Correctiv, November 15, 2024.</p> <p class="fn-rtn"><a href="#fn46-rf"><span class="wb-inv">Return to footnote</span>46<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 47</dt> <dd id="fn47"> <p>Information about Doppelganger, including on their use of <abbr title="Artificial Intelligence">AI </abbr>, can be found at "<a href="https://www.disinfo.eu/doppelganger-operation/">What Is the Doppelganger Operation? List of Resources</a>," EU DisinfoLab, October 30, 2024.</p> <p class="fn-rtn"><a href="#fn47-rf"><span class="wb-inv">Return to footnote</span>47<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 48</dt> <dd id="fn48"> <p>"<a href="https://go.recordedfuture.com/hubfs/reports/cta-2024-0509.pdf">Russia-Linked CopyCop Uses <abbr title="Large Language Models">LLMs </abbr> to Weaponize Influence Content at Scale (PDF)</a>," Insikt Group, May 9, 2024.</p> <p class="fn-rtn"><a href="#fn48-rf"><span class="wb-inv">Return to footnote</span>48<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 49</dt> <dd id="fn49"> <p>"<a href="https://go.recordedfuture.com/hubfs/reports/ta-ru-2024-1023.pdf">Operation Overload Impersonates Media to Influence 2024 US Election (PDF)</a>," Insikt Group, October 23, 2024.</p> <p class="fn-rtn"><a href="#fn49-rf"><span class="wb-inv">Return to footnote</span>49<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 50</dt> <dd id="fn50"> <p>David Gilbert, "<a href="https://www.wired.com/story/russian-propaganda-unit-storm-1516-false-tim-walz-sexual-abuse-claims/">Russian Propaganda Unit Appears to Be Behind Spread of False Tim Walz Sexual Abuse Claims</a>," Wired, October 21, 2024.</p> <p class="fn-rtn"><a 
href="#fn50-rf"><span class="wb-inv">Return to footnote </span>50<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 51</dt> <dd id="fn51"> <p>Matthew Leake, "<a href="https://reutersinstitute.politics.ox.ac.uk/news/are-fears-about-online-misinformation-us-election-overblown-evidence-suggests-they-might-be">Are Fears about Online Misinformation in the US Election Overblown? The Evidence Suggests They Might Be</a>," Reuters Institute for the Study of Journalism, October 24, 2024. For a related study on the visibility of (non-<abbr title="Artificial Intelligence">AI</abbr> related) pro-Russian content, see Jennifer Allen, "<a href="https://mediabiasdetector.com/blog">Worried about the Russians Dividing America? The Call Is Coming from inside the House</a>," Media Bias Detector, September 28, 2024.</p> <p class="fn-rtn"><a href="#fn51-rf"><span class="wb-inv">Return to footnote </span>51<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 52</dt> <dd id="fn52"> <p><a href="https://www.verfassungsschutz.bayern.de/mam/anlagen/baylfv_vollanalyse_doppelgaenger.pdf">"Doppelgänger" Interne Details zu russischer Desinformationskampagne (in German only) (PDF)</a>, (Bayerisches Landesamt für Verfassungsschutz, August 2024).</p> <p class="fn-rtn"><a href="#fn52-rf"><span class="wb-inv">Return to footnote </span>52<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 53</dt> <dd id="fn53"> <p>Thomas Rid, "<a href="https://www.foreignaffairs.com/united-states/lies-russia-tells-itself">The Lies Russia Tells Itself</a>," Foreign Affairs, September 30, 2024.</p> <p class="fn-rtn"><a href="#fn53-rf"><span class="wb-inv">Return to footnote </span>53<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 54</dt> <dd id="fn54"> <p>See, for example: "<a href="https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/">TAG Bulletin: Q3 2024</a>," Google Threat Analysis Group, September 12, 2024; Margarita Franklin et al., "<a
href="https://md.teyit.org/file/meta-threat-report.pdf">Adversarial Threat Report (PDF)</a>," Meta, May 2024.</p> <p class="fn-rtn"><a href="#fn54-rf"><span class="wb-inv">Return to footnote </span>54<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 55</dt> <dd id="fn55"> <p>Yuwei Chuai et al., "<a href="https://doi.org/10.1145/3686967">Did the Roll-Out of Community Notes Reduce Engagement With Misinformation on X/Twitter?</a>," Proceedings of the ACM on Human-Computer Interaction 8, no. CSCW2 (November 2024).</p> <p class="fn-rtn"><a href="#fn55-rf"><span class="wb-inv">Return to footnote </span>55<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 56</dt> <dd id="fn56"> <p>Stuart Lau, "<a href="https://www.politico.eu/article/china-bombards-taiwan-with-fake-news-ahead-of-election/">China Bombards Taiwan with Fake News Ahead of Election</a>," Politico, January 10, 2024; Maggie Miller and Joseph Gedeon, "<a href="https://www.politico.com/news/2024/01/11/taiwan-cyberattacks-election-china-00134841">Taiwan Bombarded with Cyberattacks Ahead of Election</a>," Politico, January 11, 2024; Alan Yu, Michael Clark, and Megan Shahi, "<a href="https://www.americanprogress.org/article/taiwans-election-prc-interference-and-its-implications-for-the-2024-election-landscape/">Taiwan’s Election: <abbr title="People’s Republic of China">PRC </abbr> Interference and Its Implications for the 2024 Election Landscape</a>," Center for American Progress, February 1, 2024.</p> <p class="fn-rtn"><a href="#fn56-rf"><span class="wb-inv">Return to footnote </span>56<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 57</dt> <dd id="fn57"> <p>"<a href="https://ailabs.tw/wp-content/uploads/2024/01/2024-Taiwan-Presidential-Election-Information-Manipulation-AI-Observation-Report-2.pdf">2024 Taiwan Presidential Election Information Manipulation <abbr title="Artificial Intelligence">AI </abbr> Observation Report (PDF)</a>," AI Labs, 2024</p> <p 
class="fn-rtn"><a href="#fn57-rf"><span class="wb-inv">Return to footnote </span>57<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 58</dt> <dd id="fn58"> <p>Chen Cheng-yu and Liu Hsin-han, "<a href="https://www.taipeitimes.com/News/taiwan/archives/2024/01/10/2003811892">2024 Elections: Cabinet Supports Probe of Deepfake Video of Legislator</a>," Taipei Times, January 10, 2024; Chen-Ling Hung et al., "<a href="https://www.thomsonfoundation.org/media/268943/ai_disinformation_attacks_taiwan.pdf"><abbr title="Artificial Intelligence">AI</abbr> Disinformation Attacks and Taiwan’s Responses during the 2024 Presidential Election (PDF)</a>," Thomson Foundation, April 2024, 5.</p> <p class="fn-rtn"><a href="#fn58-rf"><span class="wb-inv">Return to footnote </span>58<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 59</dt> <dd id="fn59"> <p>"<a href="https://www.international.gc.ca/transparency-transparence/rapid-response-mechanism-mecanisme-reponse-rapide/2023-spamouflage.aspx?lang=eng">Probable <abbr title="People’s Republic of China">PRC</abbr> ‘Spamouflage’ Campaign Targets Dozens of Canadian Members of Parliament in Disinformation Campaign</a>," Global Affairs Canada, October 23, 2023.</p> <p class="fn-rtn"><a href="#fn59-rf"><span class="wb-inv">Return to footnote </span>59<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 60</dt> <dd id="fn60"> <p>"<a href="https://public-assets.graphika.com/reports/graphika-report-the-americans.pdf">The #Americans: Chinese State-Linked Influence Operation Spamouflage Masquerades as U.S. Voters to Push Divisive Narratives Ahead of 2024 Election (PDF)</a>," Graphika, September 2024; "<a href="https://www.international.gc.ca/transparency-transparence/rapid-response-mechanism-mecanisme-reponse-rapide/2023-spamouflage.aspx?lang=eng">Probable <abbr title="People’s Republic of China">PRC</abbr> ‘Spamouflage’ Campaign Targets Dozens of Canadian Members of Parliament in Disinformation Campaign</a>," Global Affairs Canada, October 23, 2023.</p> <p class="fn-rtn"><a href="#fn60-rf"><span class="wb-inv">Return to footnote </span>60<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 61</dt> <dd id="fn61"> <p>David Gilbert, "<a href="https://www.wired.com/story/china-bad-at-disinformation/">Why China Is So Bad at Disinformation</a>," Wired, April 29, 2024.</p> <p class="fn-rtn"><a href="#fn61-rf"><span class="wb-inv">Return to footnote </span>61<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 62</dt> <dd id="fn62"> <p>"<a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a>," Canadian Centre for Cyber Security, November 2024; Robert McMillan, Dustin Volz, and Aruna Viswanatha, "<a href="https://www.wsj.com/tech/ai/china-is-stealing-ai-secrets-to-turbocharge-spying-u-s-says-00413594">China Is Stealing <abbr title="Artificial Intelligence">AI</abbr> Secrets to Turbocharge Spying, U.S.
Says</a>," The Wall Street Journal, December 25, 2023.</p> <p class="fn-rtn"><a href="#fn62-rf"><span class="wb-inv">Return to footnote </span>62<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 63</dt> <dd id="fn63"> <p>Christopher Balding, "<a href="https://doi.org/10.2139/ssrn.3691999">Chinese Open Source Data Collection, Big Data, And Private Enterprise Work For State Intelligence and Security: The Case of Shenzhen Zhenhua</a>," in SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, 2020).</p> <p class="fn-rtn"><a href="#fn63-rf"><span class="wb-inv">Return to footnote </span>63<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 64</dt> <dd id="fn64"> <p>McMillan, Volz, and Viswanatha, "China Is Stealing <abbr title="Artificial Intelligence">AI </abbr> Secrets to Turbocharge Spying, U.S. Says"; Zach Dorfman, "<a href="https://foreignpolicy.com/2020/12/23/china-tech-giants-process-stolen-data-spy-agencies/">How China’s Tech Giants Like Alibaba, Tencent, and Baidu Aid Spy Agencies</a>," Foreign Policy, December 23, 2020.</p> <p class="fn-rtn"><a href="#fn64-rf"><span class="wb-inv">Return to footnote </span>64<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 65</dt> <dd id="fn65"> <p>"<a href="https://www.justice.gov/opa/pr/three-irgc-cyber-actors-indicted-hack-and-leak-operation-designed-influence-2024-us">Press Release: Three <abbr title="Islamic Revolutionary Guard Corps">IRGC </abbr> Cyber Actors Indicted for ‘Hack-and-Leak’ Operation Designed to Influence the 2024 U.S. Presidential Election</a>," Office of Public Affairs, U.S. Department of Justice, September 27, 2024. 
Read the full indictment at "<a href="https://www.justice.gov/opa/media/1371191/dl">United States of America vs Masoud Jalili, Seyyed Ali Aghamiri and Yasar Balagui</a>."</p> <p class="fn-rtn"><a href="#fn65-rf"><span class="wb-inv">Return to footnote </span>65<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 66</dt> <dd id="fn66"> <p>"<a href="https://storage.courtlistener.com/recap/gov.uscourts.cadc.40861/gov.uscourts.cadc.40861.1208648321.0.pdf">TikTok Inc. and Bytedance Ltd. v. Merrick B. Garland, Amended Public Redacted Brief for the Respondent (PDF)</a>," September 16, 2024, 35–44.</p> <p class="fn-rtn"><a href="#fn66-rf"><span class="wb-inv">Return to footnote </span>66<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 67</dt> <dd id="fn67"> <p>Joel Finkelstein et al., "<a href="https://networkcontagion.us/reports/the-ccps-digital-charm-offensive/">The CCP’s Digital Charm Offensive: How TikTok’s Search Algorithm and Pro-China Influence Networks Indoctrinate GenZ Users in the United States</a>," Network Contagion Research Institute, August 2024; see also "<a href="https://networkcontagion.us/reports/12-21-23-a-tik-tok-in-timebomb-how-tiktoks-global-platform-anomalies-align-with-the-chinese-communist-partys-geostrategic-objectives/">A Tik-Tok-Ing Timebomb: How TikTok’s Global Platform Anomalies Align with the Chinese Communist Party’s Geostrategic Objectives</a>," Network Contagion Research Institute, December 2023.</p> <p class="fn-rtn"><a href="#fn67-rf"><span class="wb-inv">Return to footnote </span>67<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 68</dt> <dd id="fn68"> <p>Stuart Lau, "<a href="https://www.politico.eu/article/china-bombards-taiwan-with-fake-news-ahead-of-election/">China Bombards Taiwan with Fake News Ahead of Election</a>," Politico, January 10, 2024.</p> <p class="fn-rtn"><a href="#fn68-rf"><span class="wb-inv">Return to footnote </span>68<span class="wb-inv"> referrer</span></a></p> </dd>
<dt>Footnote 69</dt> <dd id="fn69"> <p>"<a href="https://www.justice.gov/opa/pr/three-irgc-cyber-actors-indicted-hack-and-leak-operation-designed-influence-2024-us">Press Release: Three <abbr title="Islamic Revolutionary Guard Corps">IRGC</abbr> Cyber Actors Indicted for ‘Hack-and-Leak’ Operation Designed to Influence the 2024 U.S. Presidential Election</a>," Office of Public Affairs, U.S. Department of Justice, September 27, 2024.</p> <p class="fn-rtn"><a href="#fn69-rf"><span class="wb-inv">Return to footnote </span>69<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 70</dt> <dd id="fn70"> <p>The tactics, techniques, and procedures of the <abbr title="Islamic Revolutionary Guard Corps">IRGC</abbr> and other actors affiliated with Iran involving <abbr title="Artificial Intelligence">AI</abbr> are described in "<a href="https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/">Staying Ahead of Threat Actors in the Age of <abbr title="Artificial Intelligence">AI</abbr></a>," Microsoft Security, February 14, 2024; "<a href="https://cdn.openai.com/threat-intelligence-reports/influence-and-cyber-operations-an-update_October-2024.pdf">Influence and Cyber Operations: An Update (PDF)</a>," OpenAI, October 2024, 14–19.</p> <p class="fn-rtn"><a href="#fn70-rf"><span class="wb-inv">Return to footnote </span>70<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 71</dt> <dd id="fn71"> <p>"<a href="https://www.cisa.gov/news-events/alerts/2024/10/08/cisa-and-fbi-release-fact-sheet-protecting-against-iranian-targeting-accounts-associated-national">How to Protect against Iranian Targeting of Accounts Associated with National Political Organizations</a>," Cybersecurity and Infrastructure Security Agency, October 8, 2024.</p> <p class="fn-rtn"><a href="#fn71-rf"><span class="wb-inv">Return to footnote </span>71<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 72</dt> <dd id="fn72"> <p>"<a
href="https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/">Staying Ahead of Threat Actors in the Age of <abbr title="Artificial Intelligence">AI</abbr></a>," Microsoft Security, February 14, 2024.</p> <p class="fn-rtn"><a href="#fn72-rf"><span class="wb-inv">Return to footnote </span>72<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 73</dt> <dd id="fn73"> <p>"<a href="https://www.resecurity.com/blog/article/global-malicious-activity-targeting-elections-is-skyrocketing">Global Malicious Activity Targeting Elections Is Skyrocketing</a>," Resecurity, February 12, 2024; John Leyden, "<a href="https://www.darkreading.com/endpoint-security/hacked-iraqi-voter-information-found-for-sale-online">Hacked Iraqi Voter Information Found for Sale Online</a>," Dark Reading, February 20, 2024.</p> <p class="fn-rtn"><a href="#fn73-rf"><span class="wb-inv">Return to footnote </span>73<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 74</dt> <dd id="fn74"> <p>Amy Hawkins, "<a href="https://www.theguardian.com/technology/2024/feb/23/huge-cybersecurity-leak-lifts-lid-on-world-of-chinas-hackers-for-hire">Huge Cybersecurity Leak Lifts Lid on World of China’s Hackers for Hire</a>," The Guardian, February 23, 2024.</p> <p class="fn-rtn"><a href="#fn74-rf"><span class="wb-inv">Return to footnote </span>74<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 75</dt> <dd id="fn75"> <p>"<a href="https://bolster.ai/blog/phishing-online-scams-targeting-the-2024-election">Cyber Threats to Democracy: A Special Report on Phishing and Online Scams Targeting the 2024 Election</a>," Bolster <abbr title="Artificial Intelligence">AI</abbr>, October 2024.</p> <p class="fn-rtn"><a href="#fn75-rf"><span class="wb-inv">Return to footnote </span>75<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 76</dt> <dd id="fn76"> <p>Belle Lin and Catherine Stupp, "<a
href="https://www.wsj.com/articles/cyber-threats-and-the-election-what-you-need-to-know-c9dcaa7d">Cyber Threats and the Election: What You Need to Know</a>," The Wall Street Journal, November 1, 2024; Arda Akartuna, "<a href="https://www.elliptic.co/blog/as-the-us-election-nears-ai-political-deepfake-scams-are-targeting-crypto-users">As the US Election Nears, <abbr title="Artificial Intelligence">AI</abbr> Political Deepfake Scams Are Targeting Crypto Users</a>," Elliptic, August 15, 2024.</p> <p class="fn-rtn"><a href="#fn76-rf"><span class="wb-inv">Return to footnote </span>76<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 77</dt> <dd id="fn77"> <p>"<a href="https://foreigninterferencecommission.ca/fileadmin/foreign_interference_commission/Documents/Exhibits_and_Presentations/Exhibits/CAN.SUM.000005.pdf">Country Summary: People’s Republic of China (PDF)</a>," Foreign Interference Commission, 2024; Aengus Bridgman et al., "<a href="https://osf.io/ubfmx">Mis- and Disinformation during the 2021 Canadian Federal Election</a>," Media Ecosystem Observatory, June 8, 2022, 60–64.</p> <p class="fn-rtn"><a href="#fn77-rf"><span class="wb-inv">Return to footnote </span>77<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 78</dt> <dd id="fn78"> <p>Non-<abbr title="Artificial Intelligence">AI</abbr>-enabled disinformation emanating from the United States was observed in Canadian media ecosystems ahead of the 2021 election.
See Bridgman et al., "<a href="https://osf.io/ubfmx">Mis- and Disinformation during the 2021 Canadian Federal Election</a>," Media Ecosystem Observatory, June 8, 2022, 60–64.</p> <p class="fn-rtn"><a href="#fn78-rf"><span class="wb-inv">Return to footnote </span>78<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></section></div> </div> </div> </div> </div> </article>
- Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information – ITSP.40.111 by Canadian Centre for Cyber Security on March 6, 2025 at 12:58 pm
<article data-history-node-id="6161" about="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>March 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.40.111</strong></p> </div> <!-- MOBILE STARTS HERE --> <div class="hidden-lg hidden-md text-center"> <p><strong>March 2025 | Practitioner series</strong></p> </div> <!-- pdf download --> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsp.40.111-e_1.pdf">Cryptographic algorithms for unclassified, protected A, and protected B information (Version 4) – ITSP.40.111 (PDF, 1 MB)</a></p> </div> <h2 class="text-info" id="n1">Foreword</h2> <p>Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information is an UNCLASSIFIED publication issued by the Head, Canadian Centre for Cyber Security (Cyber Centre). It provides an update to and supersedes the previously published version.
For more information, email or phone our Contact Centre: <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>, <a href="tel:+16139497048">(613) 949-7048</a> or <a href="tel:+18332923788">1-833-CYBER-88</a>.</p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on March 5, 2025.</p> <h2 class="text-info">Revision history</h2> <ol><li><strong>First release:</strong> August 2, 2016</li> <li><strong>Updated version (version 2):</strong> August 17, 2022</li> <li><strong>Updated version (version 3):</strong> December 14, 2023</li> <li><strong>Updated version (version 4):</strong> March 5, 2025</li> </ol><section><h2 class="text-info">Overview</h2> <p>This publication identifies and describes recommended cryptographic algorithms and appropriate methods of use that organizations can implement to protect sensitive information. For Government of Canada departments and agencies, the guidance in this publication applies to UNCLASSIFIED, PROTECTED A, and PROTECTED B information.</p> <p>Your organization’s ability to protect sensitive data and information is fundamental to the delivery of programs and services. Properly configured cryptography provides security mechanisms which can be used to protect the authenticity, confidentiality, and integrity of information.
Several algorithms may be required to satisfy your organization’s security requirements, and each algorithm should be selected and implemented to meet those requirements.</p> </section><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#a1">1 Introduction</a> <ul class="lst-none"><li><a href="#a11">1.1 Practitioner notes</a></li> <li><a href="#a12">1.2 Policy drivers</a></li> <li><a href="#a13">1.3 Relationship to the <abbr title="information technology">IT</abbr> risk management process</a></li> </ul></li> <li><a href="#a2">2 Post quantum cryptography</a></li> <li><a href="#a3">3 Encryption algorithms</a> <ul class="lst-none"><li><a href="#a31">3.1 Advanced encryption standard algorithm</a></li> </ul></li> <li><a href="#a4">4 Encryption algorithm modes of operation</a> <ul class="lst-none"><li><a href="#a41">4.1 Protecting the confidentiality of information</a></li> <li><a href="#a42">4.2 Protecting the confidentiality and authenticity of information</a></li> </ul></li> <li><a href="#a5">5 Key establishment schemes</a> <ul class="lst-none"><li><a href="#a51">5.1 Rivest-Shamir-Adleman</a></li> <li><a href="#a52">5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</a></li> <li><a href="#a53">5.3 Elliptic curve cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</a></li> <li><a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a></li> </ul></li> <li><a href="#a6">6 Digital signature schemes</a> <ul class="lst-none"><li><a href="#a61">6.1 Rivest-Shamir-Adleman</a></li> <li><a href="#a62">6.2 Digital Signature Algorithm</a></li> <li><a href="#a63">6.3 Elliptic Curve Digital Signature Algorithm</a></li> <li><a href="#a64">6.4 Edwards-Curve Digital Signature Algorithm</a></li> <li><a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a></li> <li><a href="#a66">6.6 Stateless Hash-Based Signature Algorithm</a></li> <li><a
href="#a67">6.7 Stateful hash-based signature schemes</a></li> </ul></li> <li><a href="#a7">7 Hash functions</a> <ul class="lst-none"><li><a href="#a71">7.1 Secure Hash Algorithm 1</a></li> <li><a href="#a72">7.2 Secure Hash Algorithm 2</a></li> <li><a href="#a73">7.3 Secure Hash Algorithm 3</a></li> </ul></li> <li><a href="#a8">8 Extendable output functions</a> <ul class="lst-none"><li><a href="#a81">8.1 SHAKE</a></li> </ul></li> <li><a href="#a9">9 Message Authentication Codes</a> <ul class="lst-none"><li><a href="#a91">9.1 Keyed-Hash Message Authentication Code</a></li> <li><a href="#a92">9.2 Cipher-based Message Authentication Code</a></li> <li><a href="#a93">9.3 Galois/Counter Mode Message Authentication Code</a></li> <li><a href="#a94">9.4 KECCAK Message Authentication Code</a></li> </ul></li> <li><a href="#a10">10 Key Derivation Functions</a> <ul class="lst-none"><li><a href="#a101">10.1 One-Step Key Derivation Function</a></li> <li><a href="#a102">10.2 Two-Step Key Derivation Function</a></li> <li><a href="#a103">10.3 Key Derivation using pseudorandom functions</a></li> <li><a href="#a104">10.4 Internet Key Exchange version 2 Key Derivation Function</a></li> <li><a href="#a105">10.5 Transport Layer Security version 1.2 Key Derivation Function</a></li> <li><a href="#a106">10.6 Secure Shell Key Derivation Function</a></li> <li><a href="#a107">10.7 Secure Real-time Transport Protocol Key Derivation Function</a></li> <li><a href="#a108">10.8 Trusted Platform Module Key Derivation Function</a></li> <li><a href="#a109">10.9 Password-based Key Derivation Function</a></li> </ul></li> <li><a href="#b11">11 Key wrap modes of operation</a> <ul class="lst-none"><li><a href="#b111">11.1 Advanced Encryption Standard Key Wrap</a></li> <li><a href="#b112">11.2 Advanced Encryption Standard Key Wrap with Padding</a></li> </ul></li> <li><a href="#b12">12 Deterministic random bit generators</a></li> <li><a href="#b13">13 Commercial technologies assurance programs</a></li>
<li><a href="#b14">14 Summary</a></li> <li><a href="#fig1">Figure 1: <abbr title="information technology">IT</abbr> security risk management process</a></li> <li><a href="#b15">Annex 1: Revisions</a></li> </ul></details></section><section><h2 class="text-info" id="a1">1 Introduction</h2> <p>Organizations rely on information technology (IT) systems to achieve business objectives. These interconnected systems can be the targets of serious threats and cyber attacks that threaten the availability, authenticity, confidentiality, and integrity of the information assets. Compromised networks, systems, or information can negatively affect business activities and may result in data breaches and financial loss.</p> <p>This publication helps technology practitioners choose and appropriately use cryptographic algorithms. When used with valid domain parameters and specific key lengths, the cryptographic algorithms listed in this publication are recommended cryptographic mechanisms for protecting the authenticity, confidentiality, and integrity of sensitive UNCLASSIFIED, PROTECTED A, and PROTECTED B information to the medium injury level, as defined in the Cyber Centre’s <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33"><abbr title="information technology">IT</abbr> Security Risk Management: A Lifecycle Approach (ITSG-33)</a>. For requirements on the use of Cyber Centre approved cryptography to protect PROTECTED C and classified information, email the Cyber Centre at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> <p>This document complements the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=26262">Treasury Board of Canada Secretariat Guideline on Defining Authentication Requirements</a>.
Organizations are responsible for determining their security objectives and requirements as part of their risk management framework.</p> <h3 id="a11">1.1 Practitioner notes</h3> <p>In this publication, the Cyber Centre makes recommendations for cryptographic algorithms and parameters. We also list algorithms that should be phased out. New applications should not use these algorithms. Where these algorithms are used in existing applications, they should be replaced with the recommended algorithms in this publication. For certain algorithms, we specify a date by which organizations should replace these algorithms. In other instances, organizations should replace these algorithms as soon as possible.</p> <p>When an algorithm requires a primitive, organizations should choose one of the algorithms recommended in this publication, unless otherwise specified. For example, a hash function from sections <a href="#a72">7.2 Secure Hash Algorithm-2</a> or <a href="#a73">7.3 Secure Hash Algorithm-3</a> should be used when using the Keyed-Hash Message Authentication Code (HMAC) from section <a href="#a91">9.1 Keyed-Hash Message Authentication Code</a>. When an algorithm requires a parameter, organizations should select one of the recommended ones in the given reference for the algorithm, unless otherwise specified.</p> <h3 id="a12">1.2 Policy drivers</h3> <p>Addressing and countering cyber threats and network vulnerabilities are crucial steps in securing networks, data, and assets. 
Government of Canada departments must implement <abbr title="information technology">IT</abbr> security policies and procedures in accordance with the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=16578">Treasury Board of Canada Policy on Government Security</a>.</p> <h3 id="a13">1.3 Relationship to the <abbr title="information technology">IT</abbr> risk management process</h3> <p>The Cyber Centre’s <a href="https://www.cyber.gc.ca/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33"><abbr title="information technology">IT</abbr> Security Risk Management: A Lifecycle Approach (ITSG-33)</a> guidelines recommend that organizations undertake activities at 2 levels: the departmental level and the information system level.</p> <div class="panel panel-default col-md-12"> <div class="panel-body"> <figure><figcaption class="text-center" id="fig1"><strong>Figure 1: <abbr title="information technology">IT</abbr> Security risk management process</strong></figcaption><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block" src="/sites/default/files/images/itsp.40.111-fig1-e.png" /></figure><details><summary>Long description – <abbr title="information technology">IT</abbr> Security risk management process</summary><p>This figure describes the high-level departmental <abbr title="information technology">IT</abbr> security risk management process and associated activities, as well as the information system security risk management activities. It also highlights how the <abbr title="information technology">IT</abbr> security risk management activities at both levels act together in a continuous cycle to efficiently maintain and improve the security posture of departmental information systems.</p> <p>At the departmental level, the <abbr title="information technology">IT</abbr> security risk management activities conducted by the departmental security authorities (e.g.
CSO, ITSC) include:</p> <ul><li>Define departmental <abbr title="information technology">IT</abbr> security needs and security controls</li> <li>Deploy security controls</li> <li>Monitor and assess performance of security controls – maintain authorization</li> <li>Identify security control updates</li> </ul><p>The key deliverables of the deploy security controls activity are departmental control profiles and departmental <abbr title="information technology">IT</abbr> threat assessment reports. These deliverables are key inputs into the security risk management activities at the information system level.</p> <p>At the information system level, the <abbr title="information technology">IT</abbr> security risk management activities conducted by <abbr title="information technology">IT</abbr> project managers, security practitioners and developers include:</p> <ul><li>Define <abbr title="information technology">IT</abbr> security needs and security controls</li> <li>Design and develop or acquire information system with security</li> <li>Integrate, test, and install information system with security</li> <li>Operate, monitor, and maintain information systems with security</li> <li>Securely dispose of <abbr title="information technology">IT</abbr> assets at retirement</li> </ul><p>Information from the operations and maintenance activities provides feedback into the monitor and assess activity at the departmental level. The <abbr title="information technology">IT</abbr> security performance feedback supports the maintain authorization activity under the monitor and assess activity.</p> </details></div> </div> <p>Departmental-level activities are integrated into the organization's security program to plan, manage, assess, and improve the management of <abbr title="information technology">IT</abbr> security-related risks faced by the organization. Cryptographic algorithms should be considered during the define, deploy, and monitor and assess stages of the risk-management process. 
These activities are described in detail in <a href="/en/guidance/annex-1-departmental-it-security-risk-management-activities-itsg-33">Annex 1 – Departmental <abbr title="information technology">IT</abbr> security risk management activities (ITSG-33)</a>.</p> <p>Information system-level activities are integrated into an information system lifecycle to ensure:</p> <ul><li><abbr title="information technology">IT</abbr> security needs of supported business activities are met</li> <li>appropriate security controls are implemented and operating as intended</li> <li>continued performance of the implemented security controls is assessed, reported back, and acted upon to address any issues</li> </ul><p>Cryptographic algorithms should be considered during all information system-level activities. These activities are described in detail in <a href="https://www.cyber.gc.ca/en/guidance/annex-2-information-system-security-risk-management-activities-itsg-33">Annex 2 – Information system security risk management activities (ITSG-33)</a>.</p> </section><section><h2 class="text-info" id="a2">2 Post quantum cryptography</h2> <p>In August 2024, the United States National Institute of Standards and Technology (NIST) published standards for 3 post-quantum algorithms which are secure against known attacks from a quantum computer:</p> <ul><li>Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) (see section <a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism)</a></li> <li>Module-Lattice-Based Digital Signature Algorithm (ML-DSA) (see section <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a>)</li> <li>Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) (see section <a href="#a66">6.6 Stateless Hash-Based Digital Signature 
Algorithm</a>)</li> </ul><p><abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr> establishes shared key material between 2 parties over a public channel. It will replace the key establishment schemes in sections <a href="#a51">5.1 Rivest-Shamir-Adleman</a>, <a href="#a52">5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</a>, and <a href="#a53">5.3 Elliptic Curve Cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</a> for most use cases.</p> <p><abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> are digital signature schemes. <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> is a general-purpose, lattice-based signature scheme and will replace the signature schemes in sections <a href="#a61">6.1 Rivest-Shamir-Adleman</a> to <a href="#a64">6.4 Edwards-Curve Digital Signature Algorithm</a> for most use cases. Hash-based signatures, including post-quantum stateful hash-based signature schemes and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr>, rely on a different mathematical problem than <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr>. Stateful hash-based signature schemes have the additional complexity that signature generation implementations must carefully manage an internal state. Mismanagement can result in a complete loss of security. <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> does not require state management but has inferior performance and larger signatures than <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> and the stateful hash-based signature schemes.</p> <p>International standards bodies are incorporating these new post-quantum algorithms into network protocols. 
As new protocol standards become available, the <a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Cyber Centre's Guidance on securely configuring network protocols (ITSP.40.062)</a> will be updated to include post-quantum configurations. For more detailed information on how to prepare, see <a href="https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a>.</p> <p>Future updates to this publication will provide guidance on the timelines for deprecation of non-post-quantum public key cryptosystems.</p> <p><strong>Organizations should only use post-quantum public-key encryption and signature schemes that comply with the final, published standards (as referenced in this publication) to protect information or systems.</strong></p> </section><section><h2 class="text-info" id="a3">3 Encryption algorithms</h2> <p>The following section outlines the recommended encryption algorithms for protecting the confidentiality of UNCLASSIFIED, PROTECTED A, and PROTECTED B information.</p> <h3 id="a31">3.1 Advanced encryption standard algorithm</h3> <p>We recommend the Advanced Encryption Standard (AES) algorithm as specified in <abbr title="National Institute of Standards and Technology">NIST</abbr> Federal Information Processing Standards (FIPS) <a href="https://csrc.nist.gov/pubs/fips/197/final">197: Advanced Encryption Standard</a> with key lengths of 128, 192, and 256 bits.</p> </section><div class="pull-right small text-muted mrgn-bttm-0"><span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> 
</span></div> <section><h2 class="text-info" id="a4">4 Encryption algorithm modes of operation</h2> <p>The following section outlines the encryption algorithm modes of operation that we recommend for use with the <abbr title="Advanced Encryption Standard">AES</abbr> algorithm specified in section <a href="#a31">3.1 Advanced Encryption Standard Algorithm</a>.</p> <h3 id="a41">4.1 Protecting the confidentiality of information</h3> <p>We recommend the following block cipher modes of operation for protecting the confidentiality of UNCLASSIFIED, PROTECTED A, and PROTECTED B information, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/a/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques</a>:</p> <ul><li>Electronic Codebook (ECB) mode is only suitable for situations in which a single block of data is being encrypted, or as specified in derived algorithms such as key wrapping (see section <a href="#b11">11 Key wrap modes of operation</a>). It should not be used for bulk data encryption</li> <li>Cipher Feedback (CFB)</li> <li>Output Feedback (OFB)</li> <li>Counter (CTR)</li> <li>Cipher Block Chaining (CBC) <ul><li>when using <abbr title="Cipher Block Chaining">CBC</abbr> mode with a plaintext input of bit length greater than or equal to the block size, a padding method must be used as described in Appendix A of <abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques. 
Protocols typically specify particular padding methods that may be used</li> <li>if no padding method is specified, we recommend the following modes from Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for <abbr title="Cipher Block Chaining">CBC</abbr> Mode <ul><li>CBC-CS1</li> <li>CBC-CS2</li> <li>CBC-CS3</li> </ul></li> </ul></li> </ul><p><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques lists several important requirements, which are as follows:</p> <ul><li><abbr title="Cipher Block Chaining">CBC</abbr> and <abbr title="Cipher Feedback">CFB</abbr> modes require unpredictable Initialization Vectors (IVs)</li> <li>for <abbr title="Output Feedback">OFB</abbr> mode, the <abbr title="Initialization Vector">IV</abbr> must be a nonce that is unique to each execution of the encryption operation. It does not need to be unpredictable</li> <li><abbr title="Counter">CTR</abbr> mode requires a unique counter block for each block of plaintext ever encrypted under a given key, across all messages</li> </ul><p>For protecting data on storage devices, we recommend XTS-<abbr title="Advanced Encryption Standard">AES</abbr> mode as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/e/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38E: Recommendation for Block Cipher Modes of Operation: The XTS-<abbr title="Advanced Encryption Standard">AES</abbr> Mode for Confidentiality on Storage Devices</a>.</p> <h3 id="a42">4.2 Protecting the confidentiality and authenticity of information</h3> <p>We recommend the following modes of operation for protecting the confidentiality and authenticity of UNCLASSIFIED, PROTECTED A, and PROTECTED B information:</p> <ul><li>Counter with Cipher Block Chaining Message Authentication Code (CCM) as specified in <a 
href="https://csrc.nist.gov/pubs/sp/800/38/c/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38C: Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality</a></li> <li>Galois/Counter Mode (GCM) as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/d/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and <abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr></a></li> </ul></section><section><h2 class="text-info" id="a5">5 Key establishment schemes</h2> <p>A key establishment scheme is a procedure by which multiple participants create or obtain shared secrets, such as cryptographic keys. The following section outlines the key establishment schemes that we recommend for use with cryptographic algorithms for protecting UNCLASSIFIED, PROTECTED A, and PROTECTED B information.</p> <h3 id="a51">5.1 Rivest-Shamir-Adleman</h3> <p>We recommend the Rivest-Shamir-Adleman (RSA)-based key-transport and key-agreement schemes as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/b/r2/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56B Rev. 
2: Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography</a> with an <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length of at least 2048 bits.</p> <p><strong>The <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length should be increased to at least 3072 bits by the end of 2030.</strong></p> <h3 id="a52">5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</h3> <p>We recommend the Finite Field Cryptography (FFC) Diffie-Hellman (DH) and <abbr title="Finite Field Cryptography">FFC</abbr> Menezes-Qu-Vanstone (MQV)-based key-agreement schemes with valid domain parameters for the <abbr title="Finite Field Cryptography">FFC</abbr> parameter-size sets as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56A Rev. 3: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a>. The field size (prime modulus parameter) should be at least 2048 bits.</p> <p><strong>The <abbr title="Finite Field Cryptography">FFC</abbr> field size should be increased to at least 3072 bits by the end of 2030.</strong></p> <h3 id="a53">5.3 Elliptic curve cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</h3> <p>We recommend the Elliptic Curve Cryptography (ECC) Cofactor Diffie-Hellman (ECC CDH) and <abbr title="Elliptic Curve Cryptography">ECC</abbr> <abbr title="Menezes-Qu-Vanstone">MQV</abbr>-based key-agreement schemes as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56A Rev. 3: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a>. 
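As an added example (not code from the publication), this Go program performs the ECC CDH agreement of this section on Curve P-256, one of the curves recommended here, using the standard library's crypto/ecdh, and then derives an AES-256 key from the shared secret with the one-step KDF of section 10.1 (hash option with SHA-256) instead of using the shared secret directly. The FixedInfo layout, party identifiers and helper names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
)

// oneStepKDF is the hash-based one-step KDF of NIST SP 800-56C Rev. 2 (section 4.1, option 1):
//   K(i) = H(counter_i || Z || FixedInfo), counter_i = i as a 32-bit big-endian integer, i = 1, 2, ...
//   derived keying material = leftmost outLen bytes of K(1) || K(2) || ...
// Z is the shared secret from key agreement; FixedInfo binds the key to its context.
func oneStepKDF(newHash func() hash.Hash, z, fixedInfo []byte, outLen int) ([]byte, error) {
	if len(z) == 0 {
		return nil, errors.New("one-step KDF: empty shared secret")
	}
	if outLen <= 0 {
		return nil, errors.New("one-step KDF: output length must be positive")
	}
	hLen := newHash().Size()
	reps := (outLen + hLen - 1) / hLen // ceil(outLen / hLen)
	var out []byte
	for i := 1; i <= reps; i++ {
		var counter [4]byte
		binary.BigEndian.PutUint32(counter[:], uint32(i))
		h := newHash()
		h.Write(counter[:])
		h.Write(z)
		h.Write(fixedInfo)
		out = h.Sum(out) // append K(i)
	}
	return out[:outLen], nil
}

// kdfSHA256 fixes the hash to SHA-256 (section 7.2), the choice used with ECC CDH below.
func kdfSHA256(z, fixedInfo []byte, outLen int) ([]byte, error) {
	return oneStepKDF(sha256.New, z, fixedInfo, outLen)
}

// buildFixedInfo is one unambiguous FixedInfo encoding (an assumption of this example):
// every field is prefixed with its 16-bit big-endian length.
func buildFixedInfo(fields ...[]byte) []byte {
	var info []byte
	for _, f := range fields {
		info = append(info, byte(len(f)>>8), byte(len(f)))
		info = append(info, f...)
	}
	return info
}

// deriveSharedKey runs ECC CDH (crypto/ecdh returns the x-coordinate of the shared
// point as Z) and derives a 256-bit key from it; raw Z is never used as a key.
func deriveSharedKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, fixedInfo []byte) ([]byte, error) {
	z, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return kdfSHA256(z, fixedInfo, 32)
}

// agreeP256 plays both sides of an ephemeral agreement on Curve P-256 and returns the
// key each side derived; in a real protocol each side holds only its own private key.
func agreeP256(idU, idV []byte) (keyU, keyV []byte, err error) {
	curve := ecdh.P256()
	privU, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	privV, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// V's public key arrives as bytes; NewPublicKey rejects points that are not on the curve.
	pubV, err := curve.NewPublicKey(privV.PublicKey().Bytes())
	if err != nil {
		return nil, nil, err
	}
	info := buildFixedInfo([]byte("AES-256-GCM"), idU, idV)
	if keyU, err = deriveSharedKey(privU, pubV, info); err != nil {
		return nil, nil, err
	}
	if keyV, err = deriveSharedKey(privV, privU.PublicKey(), info); err != nil {
		return nil, nil, err
	}
	return keyU, keyV, nil
}

func main() {
	kU, kV, err := agreeP256([]byte("party U"), []byte("party V"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("both sides derived the same AES-256 key: %v\n", bytes.Equal(kU, kV))
}
```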
We recommend the following elliptic curves specified in <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>:</p> <ul><li>Curve P-224</li> <li>Curve P-256</li> <li>Curve P-384</li> <li>Curve P-521</li> </ul><p><strong>Curve P-224 should be phased out by the end of 2030.</strong></p> <p>We no longer recommend binary curves specified in <a href="https://csrc.nist.gov/pubs/fips/186-4/final">Appendix D of <abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-4: Digital Signature Standard</a>.</p> <p><strong>All binary curves should be phased out by the end of 2030. A list of the curves to be phased out can be found in section 3.3 of the <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186 Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a></strong>.</p> <h3 id="a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</h3> <p>We recommend the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) as a general-purpose, post-quantum key establishment scheme, as specified in <a href="https://csrc.nist.gov/pubs/fips/203/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard</a>, with the following parameters:</p> <ul><li>ML-KEM-512</li> <li>ML-KEM-768</li> <li>ML-KEM-1024</li> </ul></section><section><h2 
class="text-info" id="a6">6 Digital signature schemes</h2> <p>The following section outlines the algorithms that we recommend for digital signature applications providing data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A, and PROTECTED B information. We also specify a digital signature scheme that was recommended in a previous version of this publication but should be phased out by the end of 2030.</p> <h3 id="a61">6.1 Rivest-Shamir-Adleman</h3> <p>We recommend the Rivest-Shamir-Adleman (RSA) digital signature algorithm, using RSASSA-PKCS1-v1.5 or RSASSA-PSS, as specified in <a href="https://csrc.nist.gov/pubs/fips/186-5/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: Digital Signature Standard</a> with an <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length of at least 2048 bits.</p> <p><strong>The <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length should be increased to at least 3072 bits by the end of 2030.</strong></p> <h3 id="a62">6.2 Digital Signature Algorithm</h3> <p><strong>The use of Digital Signature Algorithm (DSA) should be phased out by the end of 2030.</strong></p> <p>We no longer recommend the <abbr title="Digital Signature Algorithm">DSA</abbr> as specified in <a href="https://csrc.nist.gov/pubs/fips/186-4/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-4: Digital Signature Standard</a> for new applications. 
Existing applications must use valid domain parameters for a field size of at least 2048 bits.</p> <h3 id="a63">6.3 Elliptic Curve Digital Signature Algorithm (ECDSA)</h3> <p>We recommend the Elliptic Curve Digital Signature Algorithm (ECDSA) and deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr><sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> as specified in <a href="https://csrc.nist.gov/pubs/fips/186-5/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: Digital Signature Standard</a>. We recommend the following elliptic curves specified in <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>:</p> <ul><li>Curve P-224</li> <li>Curve P-256</li> <li>Curve P-384</li> <li>Curve P-521</li> </ul><p><strong>Curve P-224 should be phased out by the end of 2030.</strong></p> <p>We no longer recommend binary curves specified in Appendix D of <a href="https://csrc.nist.gov/pubs/fips/186-4/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-4: Digital Signature Standard</a>.</p> <p><strong>All binary curves should be phased out by the end of 2030.</strong> A list of the curves to be phased out can be found in section 3.3 of <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186 Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>.</p> <h3 id="a64">6.4 Edwards-Curve Digital Signature Algorithm (EdDSA)</h3> <p>We recommend the Edwards-Curve Digital Signature Algorithm (EdDSA) as specified in <a 
href="https://csrc.nist.gov/pubs/fips/186-5/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: Digital Signature Standard</a> with the following elliptic curves specified in <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>:</p> <ul><li>Edwards25519</li> <li>Edwards448</li> </ul><p>We do not recommend the prehash version Hash<abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr>.</p> <h3 id="a65">6.5 Module-Lattice-Based Digital Signature Algorithm</h3> <p>We recommend the Module-Lattice-Based Digital Signature scheme (ML-DSA) as a general-purpose, post-quantum digital signature scheme as specified in <a href="https://csrc.nist.gov/pubs/fips/204/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 204: Module-Lattice-Based Digital Signature Standard</a> with the following parameters:</p> <ul><li>ML-DSA-44</li> <li>ML-DSA-65</li> <li>ML-DSA-87</li> </ul><h3 id="a66">6.6 Stateless Hash-Based Digital Signature Algorithm</h3> <p>We recommend the <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> scheme as specified in <a href="https://csrc.nist.gov/pubs/fips/205/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 205: Stateless Hash-Based Digital Signature Standard</a> with the following parameters:</p> <ul><li>SLH-DSA-SHA2-128s</li> <li>SLH-DSA-SHAKE-128s</li> <li>SLH-DSA-SHA2-128f</li> <li>SLH-DSA-SHAKE-128f</li> <li>SLH-DSA-SHA2-192s</li> <li>SLH-DSA-SHAKE-192s</li> <li>SLH-DSA-SHA2-192f</li> <li>SLH-DSA-SHAKE-192f</li> <li>SLH-DSA-SHA2-256s</li> 
<li>SLH-DSA-SHAKE-256s</li> <li>SLH-DSA-SHA2-256f</li> <li>SLH-DSA-SHAKE-256f</li> </ul><h3 id="a67">6.7 Stateful hash-based signature schemes</h3> <p>Implementations of signature generation for stateful hash-based signature schemes must carefully manage an internal state. This is an additional complexity in comparison to other types of digital signature schemes. Mismanagement of the internal state can result in a complete loss of security. Previously, we recommended stateful hash-based signatures when certain conditions applied, including when a post-quantum signature scheme had to be implemented before general-purpose, post-quantum signature schemes were standardized. Although stateful hash-based signature schemes can still be used, the newly standardized post-quantum digital signature schemes <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> do not require state management (sections <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a> and <a href="#a66">6.6 Stateless Hash-Based Digital Signature Algorithm</a>) and can be used in most situations where a digital signature scheme is needed. 
Stateful hash-based signatures should only be used when the signer is not required to rapidly produce signatures and is able to protect and manage private key state.</p> <p>If you are using stateful hash-based signatures, we recommend the following signature schemes, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/208/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-208: Recommendation for Stateful Hash-Based Signature Schemes</a>, using one of the hash functions <abbr title="Secure Hash Algorithm">SHA</abbr>-256, <abbr title="Secure Hash Algorithm">SHA</abbr>-256/192, SHAKE256/256, or SHAKE256/192 specified in section 2.3 of <a href="https://csrc.nist.gov/pubs/sp/800/208/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-208: Recommendation for Stateful Hash-Based Signature Schemes</a>:</p> <ul><li>Leighton-Micali Signature (LMS)</li> <li>Hierarchical Signature System (HSS)</li> <li>eXtended Merkle Signature Scheme (XMSS)</li> <li>Multi-tree eXtended Merkle Signature Scheme (XMSS<sup>MT</sup>)</li> </ul></section><section><h2 class="text-info" id="a7">7 Hash functions</h2> <p>A hash function is a procedure to transform a message of arbitrary length into an output, called a “digest”, of fixed length. A secure (cryptographic) hash function should satisfy additional properties, such as “collision resistance”, whereby it is infeasible to find distinct messages with the same digest. 
The following section outlines the recommended hash functions for use with the cryptographic algorithms specified in this publication for protecting UNCLASSIFIED, PROTECTED A, and PROTECTED B information.</p> <h3 id="a71">7.1 Secure Hash Algorithm-1</h3> <p>We no longer recommend the use of Secure Hash Algorithm-1 (SHA-1), as specified in <a href="https://csrc.nist.gov/pubs/fips/180-4/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 180-4: Secure Hash Standard</a>, which was previously approved for use with keyed-hash message authentication codes, Key Derivation Functions (KDF), and random bit generators.</p> <p><strong><abbr title="Secure Hash Algorithm">SHA</abbr>-1 must not be used with digital signature schemes or with any applications that require collision resistance. <abbr title="Secure Hash Algorithm">SHA</abbr>-1 should be phased out for use in keyed-hash message authentication codes, <abbr title="Key Derivation Function">KDF</abbr>s, and random bit generators.</strong></p> <h3 id="a72">7.2 Secure Hash Algorithm-2</h3> <p>We recommend <abbr title="Secure Hash Algorithm">SHA</abbr>-224, <abbr title="Secure Hash Algorithm">SHA</abbr>-256, <abbr title="Secure Hash Algorithm">SHA</abbr>-384, <abbr title="Secure Hash Algorithm">SHA</abbr>-512, <abbr title="Secure Hash Algorithm">SHA</abbr>-512/224, and <abbr title="Secure Hash Algorithm">SHA</abbr>-512/256, as specified in <a href="https://csrc.nist.gov/pubs/fips/180-4/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 180-4: Secure Hash Standard</a>, for use with digital signature schemes, keyed-hash message authentication codes, <abbr title="Key Derivation Function">KDF</abbr>s, and random bit generators. 
The truncated hash function <abbr title="Secure Hash Algorithm">SHA</abbr>-256/192 specified in <a href="https://csrc.nist.gov/pubs/sp/800/208/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-208: Recommendation for Stateful Hash-Based Signature Schemes</a> is only recommended for use with the stateful hash-based signature schemes listed in section <a href="#a67">6.7 Stateful hash-based signature schemes</a>.</p> <p><strong><abbr title="Secure Hash Algorithm">SHA</abbr>-224 should be phased out by the end of 2030.</strong></p> <h3 id="a73">7.3 Secure Hash Algorithm-3</h3> <p>We recommend <abbr title="Secure Hash Algorithm">SHA</abbr>3-224, <abbr title="Secure Hash Algorithm">SHA</abbr>3-256, <abbr title="Secure Hash Algorithm">SHA</abbr>3-384, and <abbr title="Secure Hash Algorithm">SHA</abbr>3-512, as specified in <a href="https://csrc.nist.gov/pubs/fips/202/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 202: <abbr title="Secure Hash Algorithm">SHA</abbr>-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>, for use with digital signature schemes, keyed-hash message authentication codes, <abbr title="Key Derivation Function">KDF</abbr>s, and random bit generators.</p> <p><strong><abbr title="Secure Hash Algorithm">SHA</abbr>3-224 should be phased out by the end of 2030.</strong></p> </section><section><h2 class="text-info" id="a8">8 Extendable-Output Functions</h2> <p>An extendable-output function (XOF) is a procedure to transform a message of arbitrary length into an output that can be extended to any desired length. 
A secure <abbr title="extendable-output function">XOF</abbr> should satisfy additional properties, such as “collision resistance”, whereby it is infeasible to find distinct messages with the same output. The following section outlines 2 <abbr title="extendable-output function">XOF</abbr>s that we recommend for use with select cryptographic algorithms specified in this publication for protecting UNCLASSIFIED, PROTECTED A, and PROTECTED B information.</p> <h3 id="a81">8.1 SHAKE</h3> <p>We recommend SHAKE128, as specified in <a href="https://csrc.nist.gov/pubs/fips/202/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 202: <abbr title="Secure Hash Algorithm">SHA</abbr>-3 Standard: Permutation Based Hash and Extendable-Output Functions</a>, for use in the following:</p> <ul><li><abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr> (section <a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a>)</li> <li>The digital signature schemes <ul><li><abbr title="Rivest-Shamir-Adleman">RSA</abbr> (section <a href="#a61">6.1 Rivest-Shamir-Adleman</a>)</li> <li><abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> (section <a href="#a63">6.3 Elliptic Curve Digital Signature Algorithm</a>)</li> <li><abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> (section <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a>)</li> </ul></li> <li>KECCAK Message Authentication Code (KMAC) (section <a href="#a94">9.4 KECCAK Message Authentication Code</a>)</li> </ul><p>We recommend SHAKE256, as specified in <a href="https://csrc.nist.gov/pubs/fips/202/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 202: <abbr title="Secure Hash Algorithm">SHA</abbr>-3 Standard: Permutation Based Hash and Extendable-Output 
Functions</a>, for use in the following:</p> <ul><li><abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr> (section <a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a>)</li> <li>The digital signature schemes <ul><li><abbr title="Rivest-Shamir-Adleman">RSA</abbr> (section <a href="#a61">6.1 Rivest-Shamir-Adleman</a>)</li> <li><abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> (section <a href="#a63">6.3 Elliptic Curve Digital Signature Algorithm</a>)</li> <li><abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> (section <a href="#a64">6.4 Edwards-Curve Digital Signature Algorithm</a>) with curve Edwards448</li> <li><abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> (section <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a>)</li> <li><abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> (section <a href="#a66">6.6 Stateless Hash-Based Digital Signature Algorithm</a>)</li> <li>Stateful hash-based digital signature schemes (section <a href="#a67">6.7 Stateful hash-based signature schemes</a>)</li> </ul></li> <li>KMAC (section <a href="#a94">9.4 KECCAK Message Authentication Code</a>)</li> </ul></section><section><h2 class="text-info" id="a9">9 Message Authentication Codes</h2> <p>A message authentication code (MAC) is a fixed-length tag used to verify the authenticity and integrity of a message. 
The following sections outline the <abbr title="Message Authentication Code">MAC</abbr> algorithms that we recommend for data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A, and PROTECTED B information.</p> <h3 id="a91">9.1 Keyed-Hash Message Authentication Code</h3> <p>We recommend Keyed-Hash Message Authentication Code (HMAC), as specified in <a href="https://csrc.nist.gov/pubs/fips/198-1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 198-1: The Keyed-Hash Message Authentication Code</a>, with a key length of at least 112 bits.</p> <p><strong>The key length should be increased to at least 128 bits by the end of 2030.</strong></p> <h3 id="a92">9.2 Cipher-based Message Authentication Code</h3> <p>We recommend Cipher-based Message Authentication Code (CMAC), as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/b/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38B: Recommendation for Block Cipher Modes of Operation: The <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> Mode for Authentication</a>. <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> is only recommended for use with the <abbr title="Advanced Encryption Standard">AES</abbr> algorithm as specified in section <a href="#a31">3.1 Advanced Encryption Standard algorithm</a>.</p> <h3 id="a93">9.3 Galois/Counter Mode Message Authentication Code</h3> <p>We recommend Galois/Counter Mode Message Authentication Code (GMAC), as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/d/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and <abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr></a>. 
<abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr> is only recommended for use with the <abbr title="Advanced Encryption Standard">AES</abbr> algorithm as specified in section <a href="#a31">3.1 Advanced Encryption Standard algorithm</a>.</p> <h3 id="a94">9.4 KECCAK Message Authentication Code (KMAC)</h3> <p>We recommend <abbr title="KECCAK Message Authentication Code">KMAC</abbr>128 and <abbr title="KECCAK Message Authentication Code">KMAC</abbr>256 as specified in <a href="https://csrc.nist.gov/pubs/sp/800/185/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-185: <abbr title="Secure Hash Algorithm">SHA</abbr>3-Derived Functions: cSHAKE, <abbr title="KECCAK Message Authentication Code">KMAC</abbr>, TupleHash and ParallelHash</a> with a key length of at least 112 bits.</p> <p><strong>The key length should be increased to at least 128 bits by the end of 2030.</strong></p> </section><section><h2 class="text-info" id="a10">10 Key Derivation Functions</h2> <p>A <abbr title="Key Derivation Function">KDF</abbr> is a transformation of secret (as well as possibly non-secret) data into a cryptographically strong secret key. The following sections outline the <abbr title="Key Derivation Function">KDF</abbr>s that we recommend for the derivation of cryptographic keys from key establishment or pre-shared secrets, used for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a101">10.1 One-Step Key Derivation Function</h3> <p>We recommend the one-step KDF, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56C Rev.
2: Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a>.</p> <h3 id="a102">10.2 Two-Step Key Derivation Function</h3> <p>We recommend the two-step, extraction-then-expansion, key derivation procedure, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56C Rev. 2: Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a>. Note that the <abbr title="Hash Message Authentication Code">HMAC</abbr>-based Extract-and-Expand Key Derivation Function (HKDF) used in the Transport Layer Security (TLS) version 1.3 protocol follows this specification.</p> <h3 id="a103">10.3 Key derivation using pseudorandom functions</h3> <p>We recommend the <abbr title="Key Derivation Function">KDF</abbr>s using Pseudorandom Functions (PRFs) as specified in <a href="https://csrc.nist.gov/pubs/sp/800/108/r1/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-108 Rev. 1: Recommendation for Key Derivation Using Pseudorandom Functions</a>.</p> <h3 id="a104">10.4 Internet Key Exchange version 2 Key Derivation Function</h3> <p>When used in the context of the Internet Key Exchange version 2 (IKEv2) protocol, we recommend the IKEv2 <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev.
1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a105">10.5 Transport Layer Security version 1.2 Key Derivation Function</h3> <p>When used in the context of the <abbr title="Transport Layer Security">TLS</abbr> version 1.2 protocol, we recommend the <abbr title="Transport Layer Security">TLS</abbr> 1.2 <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a106">10.6 Secure Shell Key Derivation Function</h3> <p>When used in the context of the Secure Shell (SSH) protocol, we recommend the SSH <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a107">10.7 Secure Real-time Transport Protocol Key Derivation Function</h3> <p>When used in the context of the Secure Real-time Transport Protocol (SRTP), we recommend the SRTP <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a108">10.8 Trusted Platform Module Key Derivation Function</h3> <p>When used in the context of a Trusted Platform Module (TPM) session, we recommend the TPM <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 
1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a109">10.9 Password-based Key Derivation Function</h3> <p>For protected data on storage devices, we recommend the Password-Based Key Derivation function, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/132/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-132: Recommendation for Password-Based Key Derivation: Part 1: Storage Applications</a>, using a password of at least 12 characters. For more information on passwords and passphrases, read <a href="https://www.cyber.gc.ca/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a>.</p> </section><section><h2 class="text-info" id="b11">11 Key wrap modes of operation</h2> <p>The following sections outline the key wrap modes of operation that we recommend for key wrapping to protect the confidentiality and integrity of cryptographic keys used for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="b111">11.1 Advanced Encryption Standard Key Wrap</h3> <p>When the input is known to always be a multiple of 64 bits, we recommend the <abbr title="Advanced Encryption Standard">AES</abbr> Key Wrap (KW) mode, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/f/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38F: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping</a>.</p> <h3 id="b112">11.2 Advanced Encryption Standard Key Wrap with Padding</h3> <p>When the input is not a multiple of 64 bits, we recommend the <abbr title="Advanced Encryption Standard">AES</abbr> Key Wrap with Padding (KWP) mode, as specified in <a
href="https://csrc.nist.gov/pubs/sp/800/38/f/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38F: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping</a>.</p> </section><section><h2 class="text-info" id="b12">12 Deterministic Random Bit Generators</h2> <p>A random bit generator produces a sequence of bits (0 or 1) which appear statistically independent and unbiased. A Deterministic Random Bit Generator (DRBG) always produces the same output sequence when given the same initial seed. We recommend the following DRBGs, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/90/a/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-90A Rev. 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators</a>, for producing random bits for cryptographic applications that protect UNCLASSIFIED, PROTECTED A, and PROTECTED B information:</p> <ul><li>Hash_DRBG</li> <li>HMAC_DRBG</li> <li>CTR_DRBG</li> </ul><p>The initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should contain entropy assessed to be at least 112 bits.
We recommend that additional entropy be periodically added to the <abbr title="Deterministic Random Bit Generator">DRBG</abbr> via the reseed function.</p> <p><strong>The assessed entropy of the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should be increased to at least 128 bits by the end of 2030.</strong></p> </section><section><h2 class="text-info" id="b13">13 Commercial technologies assurance programs</h2> <p>In addition to using the cryptographic algorithms, parameters, and key lengths recommended in this document to ensure a suitable level of cryptographic security, we recommend the following with respect to implementation assurance programs:</p> <ul><li>cryptographic algorithm implementations should be tested and validated under the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program"><abbr title="National Institute of Standards and Technology">NIST</abbr> Cryptographic Algorithm Validation Program (CAVP)</a></li> <li>cryptographic modules should be tested and validated under the <a href="https://csrc.nist.gov/Projects/cryptographic-module-validation-program"><abbr title="National Institute of Standards and Technology">NIST</abbr> Cryptographic Module Validation Program (CMVP)</a> for compliance with <a href="https://csrc.nist.gov/pubs/fips/140-3/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 140-3: Security Requirements for Cryptographic Modules</a></li> <li><abbr title="information technology">IT</abbr> security products should be evaluated and certified to meet the <a href="https://cyber.gc.ca/en/common-criteria">Common Criteria</a> standard.
This should be done through a Certificate Authorizing Scheme that is a member of the International Common Criteria Recognition Arrangement</li> </ul><p>Products containing cryptographic modules validated under the <abbr title="Cryptographic Module Validation Program">CMVP</abbr> are referenced on the <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Cryptographic Module Validation Program">CMVP</abbr> validated modules lists</a> and are accompanied by a vendor-supplied, non-proprietary security policy document (read <a href="https://cyber.gc.ca/en/selecting-cmvp-validated-product">Selecting a <abbr title="Cryptographic Module Validation Program">CMVP</abbr> validated product</a>). The security policy document specifies the cryptographic security provided by a module and describes its capabilities, protection, and access controls. We recommend using the security policy document to select suitable cryptographic security products and to configure those products in a <abbr title="Federal Information Processing Standards">FIPS</abbr>-approved mode of operation, as defined in <a href="https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips 140-3/FIPS 140-3 IG.pdf">Implementation Guidance for <abbr title="Federal Information Processing Standards">FIPS</abbr> PUB 140-3 and the Cryptographic Module Validation Program (PDF)</a>, to ensure that only the algorithms recommended by the Cyber Centre are used.</p> </section><section><h2 class="text-info" id="b14">14 Summary</h2> <p>Cryptography provides security mechanisms which can be used to protect the authenticity, confidentiality, and
integrity of sensitive information. Several algorithms may be required to satisfy security requirements, and each algorithm should be selected and implemented to ensure these requirements are met. This publication provides guidance on the use of the cryptographic algorithms recommended by the Cyber Centre to protect UNCLASSIFIED, PROTECTED A, and PROTECTED B information.</p> </section><section><h2 class="text-info" id="b15">A.1 Revisions</h2> <p>The original version of this document was published in August 2016. The summary below lists notable changes in the most recent revision (version 4), as well as in previous versions.</p> <p>In version 4, we made the following revisions:</p> <ul><li>We included the new <abbr title="National Institute of Standards and Technology">NIST</abbr> post-quantum standards: <ul><li><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 203 Module-Lattice-Based Key-Encapsulation Mechanism (<a href="#a54">Section 5.4</a>)</li> <li><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 204 Module-Lattice-Based Digital Signature Standard (<a href="#a65">Section 6.5</a>)</li> <li><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 205 Stateless Hash-Based Digital Signature Standard (<a href="#a66">Section 6.6</a>)</li> </ul></li> <li>We updated the section on post-quantum cryptography and moved it to Section 2.</li> <li>In Section 3, Encryption algorithms, we removed the subsections on TDEA and CAST5, as all use of TDEA and CAST5 should have been phased out by the end of
2023.</li> <li>In Section 6.7, Stateful Hash-Based Signature Schemes, we clarified guidance for use of stateful hash-based signatures with respect to other post-quantum signature schemes.</li> <li>In Sections 7 and 8, Hash functions and Extendable output functions (XOF), we added <abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr>, <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr>, and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> to the list of algorithms that can use SHAKE. We also added the distinction that <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> and <abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> only allow for SHAKE256 (and for <abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> only with curve Ed448).</li> <li>In Section 9.2, Cipher-based message authentication code, we removed the statement requiring a key length increase to at least 128 bits by 2023. Instead, we recommend that <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> only be used with <abbr title="Advanced Encryption Standard">AES</abbr>, as TDEA and CAST5 have been removed.</li> <li>In Section 11, Key wrap modes of operation, we removed the subsection on TDEA Key Wrap, as all use of TDEA should have been phased out by the end of 2023.</li> <li>We removed the supporting content section.
References are linked throughout the document, glossary items are either defined in the text or in the CCCS glossary, and abbreviations are spelled out when they first appear in the document.</li> </ul><p>In version 3, published in March 2024, we made the following revisions:</p> <ul><li>We made various changes to align with <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5 <ul><li>In Section 4.3, <abbr title="Elliptic Curve Cryptography">ECC</abbr> <abbr title="Diffie-Hellman">DH</abbr> and <abbr title="Menezes-Qu-Vanstone">MQV</abbr> and Section 5.3 <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr>, we only recommend the use of 4 elliptic curves (Curve P-224, Curve P-256, Curve P-384 and Curve P-521). We added a note that Curve P-224 and all binary curves should be phased out by the end of 2030. In Section 5.3, we explicitly recommend deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr>.</li> <li>In Section 5, Digital signature schemes, we recommend phasing out DSA by the end of 2030, and added the new subsection 5.4 Edwards-Curve Digital Signature Algorithm (EdDSA).</li> </ul></li> <li>We added a new section on extendable output functions (XOF) (Section 7).</li> <li>In Section 8, Message authentication codes, we added the new subsection on KECCAK Message Authentication Code (KMAC) (Section 8.4).</li> <li>In Section 11, Deterministic random bit generators, we added the following requirements on the assessed entropy of the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr>. <ul><li>The initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should contain entropy assessed to be at least 112 bits. 
We recommend that additional entropy be periodically added to the <abbr title="Deterministic Random Bit Generator">DRBG</abbr> via the reseed function.</li> <li>The assessed entropy of the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should be increased to at least 128 bits by the end of 2030</li> </ul></li> </ul><p>In version 2, published in August 2022, we made the following revisions:</p> <ul><li>We updated language from “approved/discontinued” to “recommend/phase out”.</li> <li>We replaced references to CSE with CCCS or the Cyber Centre.</li> <li>In Section 2, Encryption algorithms, we recommend phasing out CAST5 and TDEA by 2023. The 2016 version did not have a discontinuation date for CAST5, and version 2 recommended discontinuing TDEA by 2030. We also added a restriction that one key bundle should not be used to encrypt more than <span aria-hidden="true">2<sup>20</sup></span><span class="wb-inv">2 to the power of 20</span> 64-bit data blocks in TDEA.</li> <li>In Section 3, Encryption algorithm modes of operation, we provided some additional guidance on the use of <abbr title="Electronic Codebook">ECB</abbr> mode, as well as recommendations for <abbr title="Initialization Vectors">IV</abbr> generation.</li> <li>In Section 5, Digital signature schemes, we added a new subsection on Stateful Hash-based signature schemes.</li> <li>In Section 6, Secure Hash Algorithms, we no longer recommend the use of <abbr title="Secure Hash Algorithm">SHA</abbr>-1, which was previously approved for use with keyed-hash message authentication codes, key derivation functions, and random bit generators. We added stronger wording (in bold) warning against its use for any application that requires collision resistance.
We also added phase-out dates for <abbr title="Secure Hash Algorithm">SHA</abbr>-224 and <abbr title="Secure Hash Algorithm">SHA</abbr>3-224.</li> <li>In Section 7, Message Authentication Codes, we updated the recommendation for the <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> key length to be increased to at least 128 bits by the end of 2023 (we previously recommended 2030). We also added the statement “<abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr> is only recommended for use with the Advanced Encryption Standard (AES) algorithm as specified in Section 2.1”, which was not explicitly stated in the previous version.</li> <li>In Section 8, Key Derivation Functions, we updated some of the wording. For example, Single-Step <abbr title="Key Derivation Function">KDF</abbr>s and Extraction-Then-Expansion <abbr title="Key Derivation Function">KDF</abbr>s are now referred to as One-Step and Two-Step <abbr title="Key Derivation Function">KDF</abbr>s respectively (this is consistent with the referenced <abbr title="National Institute of Standards and Technology">NIST</abbr> standards). We removed the IKEv1 <abbr title="Key Derivation Function">KDF</abbr> and added a section for password-based <abbr title="Key Derivation Function">KDF</abbr>s.</li> <li>In Section 9, Key Wrap Modes of Operation, we no longer recommend the Triple Data Encryption Algorithm Key Wrap (TKW). We also recommend a phase-out date of 2023 (previously 2030).</li> <li>In Section 11, Commercial Technologies Assurance Programs, we added a reference to the <abbr title="Cryptographic Algorithm Validation Program">CAVP</abbr> and to the common criteria program.
We also added the Cyber Centre website as a reference.</li> <li>We added a new Section entitled “Preparing for post-quantum cryptography” (Section 12).</li> </ul><aside class="wb-fnote" role="note"><h3 id="fn">Footnotes</h3> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>From SP 800-186, Deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> “is a variant of <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr>, where a per-message secret number is a function of the message that is signed, thereby resulting in a deterministic mapping of messages to signatures”. Signature verification in deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> is unchanged from <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr>.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </div> </div> </article>
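The two-step, extraction-then-expansion KDF of section 10.2 above, instantiated over HMAC as HKDF (RFC 5869), which is the form the publication notes TLS 1.3 uses, together with the MAC key-length floors of sections 9.1 and 9.4 (at least 112 bits now, at least 128 bits by the end of 2030). This is an added example written for this page; it is not code from the Cyber Centre publication or from NIST. The function names, the `post_2030` flag and the `derive_mac_key` helper are this example's own, and only the Python standard library is used:

```python
"""Two-step (extract-then-expand) key derivation over HMAC, plus the MAC
key-length floors the publication recommends.

Added example for this page, not code from the Cyber Centre publication or
from NIST. The HMAC instantiation follows RFC 5869 (HKDF), the form the
publication notes is used by TLS 1.3. Standard library only.
"""
import hashlib
import hmac

# Floors from sections 9.1 and 9.4: HMAC/KMAC keys of at least 112 bits now,
# rising to at least 128 bits by the end of 2030. The constant names are ours.
MIN_MAC_KEY_BITS_NOW = 112
MIN_MAC_KEY_BITS_2030 = 128


def mac_key_length_ok(key: bytes, *, post_2030: bool = False) -> bool:
    """True if a MAC key meets the recommended minimum length in bits."""
    floor = MIN_MAC_KEY_BITS_2030 if post_2030 else MIN_MAC_KEY_BITS_NOW
    return len(key) * 8 >= floor


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """Step 1, extraction: PRK = HMAC-Hash(salt, IKM).

    The shared secret from key establishment (IKM) may be structured or
    biased; extraction condenses it into a uniform pseudorandom key. An
    empty salt is replaced by HashLen zero bytes, as RFC 5869 specifies.
    """
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Step 2, expansion: T(i) = HMAC-Hash(PRK, T(i-1) || info || i) for
    i = 1, 2, ... until `length` bytes exist (T(0) is empty).

    `info` binds the output to its context (protocol label, identities) so
    that distinct purposes never share a derived key. RFC 5869 caps the
    output at 255 * HashLen bytes because the counter is a single octet.
    """
    hash_len = hashlib.new(hash_name).digest_size
    if not 1 <= length <= 255 * hash_len:
        raise ValueError("HKDF-Expand length must be between 1 and 255 * HashLen")
    okm = b""
    previous = b""
    counter = 1
    while len(okm) < length:
        previous = hmac.new(prk, previous + info + bytes([counter]), hash_name).digest()
        okm += previous
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Full two-step KDF: extract, then expand."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def derive_mac_key(shared_secret: bytes, salt: bytes, context: bytes, key_bits: int = 256) -> bytes:
    """Derive a MAC key from a key-establishment secret and refuse to hand
    out anything shorter than the 2030 floor (hypothetical helper)."""
    key = hkdf(salt, shared_secret, context, key_bits // 8)
    if not mac_key_length_ok(key, post_2030=True):
        raise ValueError("derived MAC key is shorter than the recommended minimum")
    return key


if __name__ == "__main__":
    # RFC 5869 test case 1 (SHA-256): a published vector, so the printed
    # PRK and OKM can be compared against the RFC.
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    print("PRK:", hkdf_extract(salt, ikm).hex())
    print("OKM:", hkdf(salt, ikm, info, 42).hex())
    # A 112-bit key passes today's floor but not the 2030 floor.
    weak = b"\x01" * 14
    print(mac_key_length_ok(weak), mac_key_length_ok(weak, post_2030=True))
```

Running the block prints the PRK and OKM of RFC 5869 test case 1 for comparison with the RFC, then shows a 112-bit key passing the current floor and failing the 2030 one, which is the check to apply when reviewing MAC key lengths in a configuration today. The `info` argument is the part most often left empty in practice; leaving it empty gives every consumer of the same shared secret the same key.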
- Cyber threat bulletin: People’s Republic of China-sponsored cyber activity against Canadian provincial, territorial, Indigenous, and municipal governments by Canadian Centre for Cyber Security on March 4, 2025 at 3:11 pm
<article data-history-node-id="6017" about="/en/guidance/cyber-threat-bulletin-peoples-republic-china-sponsored-cyber-activity-against-canadian-provincial-territorial-indigenous-and-municipal-governments" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><h2 class="text-info mrgn-tp-sm"><abbr title="People’s Republic of China">PRC</abbr> cyber actors compromise Canadian government networks</h2> <p>The Canadian Centre for Cyber Security (Cyber Centre) is warning Canadian provincial, territorial, Indigenous, and municipal governments, as well as Indigenous governance organizations, of the threat from the People’s Republic of China (PRC).</p> <p><abbr title="People’s Republic of China">PRC</abbr> cyber actors almost certainly pose the greatest ongoing cyberespionage threat to Canada. The Cyber Centre has previously warned that <abbr title="People’s Republic of China">PRC</abbr> cyber threat activity outpaces other nation state cyber threats in volume, sophistication, and breadth of targeting<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>. <abbr title="People’s Republic of China">PRC</abbr> actors are well resourced, persistent, and capable of sustaining multiple concurrent operations in Canada.</p> <p>We have observed repeated targeting of all levels of government, as well as multiple compromises of government networks.
While individual instances of targeting are very likely opportunistic, such as the <abbr title="People’s Republic of China">PRC</abbr> exploiting weak defences, they collectively represent a significant strategic threat to the security of Canadian systems. It is important to note that when the Cyber Centre is aware of cyber threat activity targeting an entity, we alert them of that threat.</p> <p>Our assessment is based on reporting from multiple sources. We rely on CSE’s foreign intelligence mandate to provide us with valuable insights into adversary behaviour in cyberspace. We also leverage the Cyber Centre’s experience defending Government of Canada information systems.</p> <h2 class="text-info mrgn-tp-sm">Provincial, territorial, Indigenous, and municipal governments are ongoing targets</h2> <p>The <abbr title="People’s Republic of China">PRC</abbr> almost certainly views provincial, territorial, Indigenous, and municipal governments as valuable targets for cyberespionage. Cyber threat activity targeting these levels of government likely mirrors the ongoing activity targeting the Government of Canada. All government networks hold information on decision-making and regional affairs, as well as personal information of Canadians.</p> <p><abbr title="People’s Republic of China">PRC</abbr> cyber threat actors often serve the direct or indirect requirements of <abbr title="People’s Republic of China">PRC</abbr> intelligence services. Their targets frequently reflect the <abbr title="People’s Republic of China">PRC</abbr>’s national policy objectives. These cyber threat actors routinely seek to compromise networks to acquire information that will provide an economic or diplomatic advantage in the <abbr title="People’s Republic of China">PRC</abbr>-Canada bilateral relationship. They also look to obtain information related to technologies prioritized in the <abbr title="People’s Republic of China">PRC</abbr>’s central planning.
Additionally, <abbr title="People’s Republic of China">PRC</abbr> cyber threat actors frequently aim to collect large datasets containing personal information, likely for the purposes of bulk data analysis and further targeting.</p> <p>Governments at all levels manage large networks with unique services, often relying on a complex web of managed service providers (MSPs) and third-party vendors. <abbr title="People’s Republic of China">PRC</abbr> cyber actors have accessed victims by exploiting <abbr title="managed service providers">MSP</abbr>s and software vendors, creating opportunities to access government networks.</p> <h2 class="text-info mrgn-tp-sm"><abbr title="People’s Republic of China">PRC</abbr> cyber actors are sophisticated and difficult to detect</h2> <p><abbr title="People’s Republic of China">PRC</abbr> cyber actors avoid detection, blend into normal system traffic, and access targets at scale. It is likely, therefore, that some <abbr title="People’s Republic of China">PRC</abbr> cyber activity goes unnoticed by network defenders.</p> <p><abbr title="People’s Republic of China">PRC</abbr> cyber threat actors operate in ways that make it more difficult to detect their activity, including:</p> <ul><li>compromising small office and home office (SOHO) routers, usually those located in the same geographic area as their victims, and using these routers as proxy networks to hide the origins of their activity</li> <li>“living off the land” using a system’s built-in network administration tools, including using legitimate, compromised credentials and logging into victim networks via public-facing appliances like virtual private networks (VPN)</li> <li>adjusting their operations to remain undetected following the release of information related to ongoing campaigns</li> <li>compromising trusted service providers to access client information or networks</li> <li>rapidly weaponizing and proliferating exploits for newly revealed vulnerabilities</li> </ul><div
class="well"> <p><strong>Government of Canada agencies and departments have been compromised by <abbr title="People’s Republic of China">PRC</abbr> cyber threat actors more than 20 times over the past few years.</strong></p> <p>Despite our best efforts at defending the Government of Canada, the Cyber Centre observes near constant reconnaissance activity by the <abbr title="People’s Republic of China">PRC</abbr> against Government of Canada systems. While all known compromises have been addressed, <abbr title="People’s Republic of China">PRC</abbr> cyber actors are well resourced, sophisticated, and persistent. Taken together, <abbr title="People’s Republic of China">PRC</abbr> cyber actors have both the volume of resources and the sophistication to pursue multiple government targets in Canada simultaneously.</p> </div> <h2 class="text-info mrgn-tp-sm">Information sharing enables detection and remediation</h2> <p>While the threat to federal networks from the <abbr title="People’s Republic of China">PRC</abbr> is the Cyber Centre’s most significant concern, Government of Canada information and communication technology is also where we have the greatest visibility. We draw on multiple sources and partners to identify malicious cyber threat activity targeting other levels of government in Canada. However, without information from potential victims, the Cyber Centre is unable to determine the size, scope, and impact of cyber threat activity.</p> <p>Information sharing is necessary to enable effective detection and remediation, particularly when dealing with sophisticated cyber threat actors like those sponsored by the <abbr title="People’s Republic of China">PRC</abbr>. The scope and scale of cyber activity targeting provincial, territorial, Indigenous, and municipal governments remains largely unknown.
Information sharing allows the Cyber Centre to better assess threats, collectively mitigate and respond, and inform potential victims and targets as soon as possible.</p> <h2 class="text-info mrgn-tp-sm">Mitigating this threat</h2> <p>The Cyber Centre encourages provincial, territorial, Indigenous, and municipal governments, as well as Indigenous governance organizations, to bolster their awareness of and protection against sophisticated cyber threat activity. This includes fostering increased information sharing between federal, provincial, Indigenous, and municipal government partners to enable more effective threat detection and remediation.</p> <p>In addition to increased cooperation, the Cyber Centre urges provincial, territorial, Indigenous, and municipal governments, as well as Indigenous governance organizations, to adopt the following measures:</p> <ul class="lst-spcd"><li>manage your identities and use multi-factor authentication (MFA) <ul><li>separate user and privileged accounts to make it more difficult for threat actors to gain access to administrator or privileged accounts, even if common user accounts are compromised</li> <li>see <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit#2.4">Separating user and privileged accounts</a> from our Cross-Sector Cyber Security Readiness Goals Toolkit for more information</li> </ul></li> <li>use phishing-resistant <abbr title="multi-factor authentication">MFA</abbr> <ul><li>prioritize accounts with the highest risk, such as privileged administrative accounts for key IT systems</li> <li>see <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit#2.7">Phishing-resistant <abbr title="multi-factor authentication">MFA</abbr></a> from our Cross-Sector Cyber Security Readiness Goals Toolkit for more information</li> </ul></li> <li>establish a robust vulnerability management program for all systems and 
services that are accessible from the internet</li> <li>patch all known exploited vulnerabilities in internet-facing systems within a risk-informed timespan <ul><li>prioritize patching more critical assets first</li> <li>see <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit#1.1">Cross-Sector Cyber Security Goal 1.1</a> from our Cross-Sector Cyber Security Readiness Goals Toolkit for more information</li> </ul></li> <li>maintain comprehensive and historical logging information <ul><li>collect and store logs for use in both detection and incident response activities (for example, forensics), including the following logs: <ul><li>access- and security-focused (for example, intrusion detection systems / intrusion prevention systems)</li> <li>firewalls</li> <li>data loss prevention</li> <li><abbr title="virtual private network">VPN</abbr>s</li> </ul></li> <li>see <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit#2.15">Cross-Sector Cyber Security Goal 2.15</a> from our Cross-Sector Cyber Security Readiness Goals Toolkit for more information</li> </ul></li> <li>audit network appliance and edge device configurations against known indicators of malicious activity, looking for signs of unauthorized or malicious configuration changes</li> <li>reduce the response time for critical breaches by identifying and implementing priority monitoring of critical identities and resources</li> <li>have a cyber incident response and recovery plan, as well as continuity of operations and communications plans <ul><li>be prepared to use them</li> <li>see <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit#1.3">Cross-Sector Cyber Security Goal 1.3</a> and <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit#5.0">Cross-Sector Cyber Security Goal 5.0</a> from our 
Cross-Sector Cyber Security Readiness Goals Toolkit for more information</li> </ul></li> <li>implement network segmentation to reduce the likelihood that threat actors will access the operational technology network after compromising the IT network <ul><li>see <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit#2.5">Cross-Sector Cyber Security Goal 2.5</a> from our Cross-Sector Cyber Security Readiness Goals Toolkit for more information</li> </ul></li> <li><strong><a href="https://www.cyber.gc.ca/en/incident-management">contact the Cyber Centre</a> to inform us of suspicious or malicious cyber activity</strong> <ul><li>see <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit#4.0">Cross-Sector Cyber Security Goal 4.0</a> from our Cross-Sector Cyber Security Readiness Goals Toolkit for more information</li> </ul></li> </ul><p>Some of the mitigation measures above are covered in the Cyber Centre’s newly published <a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals</a> (CRGs). The <abbr title="Cyber Security Readiness Goals">CRG</abbr>s consist of 36 foundational goals that can be used by any organization in Canada to improve its cyber security posture. The Cyber Centre encourages organizations of all sizes to implement all the <abbr title="Cyber Security Readiness Goals">CRG</abbr>s as a minimum baseline for cyber security protection.</p> <p>The Cyber Centre is working with provincial and territorial partners to mitigate ongoing compromises and to warn of potential malicious cyber threat activity from sophisticated actors. We are also enabling other levels of government to better assess threats and remediate compromises to their systems. 
In January 2024, following a series of cyber incidents targeting northern institutions, the Cyber Centre began proactively deploying sensors to territorial government <abbr title="information technology">IT</abbr> assets in Yukon, the Northwest Territories, and Nunavut. These sensors detect malicious cyber activity in devices at the network perimeter and in the cloud. They are one of the Cyber Centre’s most important tools for defending Government of Canada networks.</p> <h2 class="text-info mrgn-tp-sm">Useful resources</h2> <p>Refer to the following online resources for more information and for useful advice and guidance.</p> <h3>Reports and advisories</h3> <ul><li>Cyber threat assessments <ul><li><a href="https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-threats-canadas-democratic-process-2023-update">Cyber Threats to the Democratic Process: 2023 update</a></li> </ul></li> <li>Joint advisories and partner publications <ul><li><a href="https://www.ncsc.gov.uk/news/china-state-affiliated-actors-target-uk-democratic-institutions-parliamentarians">UK calls out China state-affiliated actors for malicious cyber targeting of UK democratic institutions and parliamentarians</a></li> <li><a href="https://www.cyber.gc.ca/en/news-events/advisory-peoples-republic-china-state-sponsored-cyber-threat">Joint cyber security advisory on <abbr title="People’s Republic of China">PRC</abbr> state-sponsored cyber threat</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/joint-cybersecurity-advisory">Technical approaches to uncovering and remediating malicious activity</a></li> <li><a href="https://www.cyber.gc.ca/en/news-events/mitigating-cyber-threats-with-limited-resources-guidance-civil-society">Mitigating cyber threats with limited resources: Guidance for civil society</a></li> <li><a 
href="https://www.cyber.gc.ca/en/news-events/joint-guidance-executives-and-leaders-critical-infrastructure-organizations-protecting-infrastructure-and-essential-functions-against-prc-cyber-activity">Joint guidance for executives and leaders of critical infrastructure organizations on protecting infrastructure and essential functions against <abbr title="People’s Republic of China">PRC</abbr> cyber activity</a></li> <li><a href="https://www.cisa.gov/resources-tools/resources/identifying-and-mitigating-living-land-techniques">Identifying and mitigating living off the land techniques</a></li> <li><a href="https://www.cyber.gc.ca/en/news-events/joint-guidance-network-intrusion-threats-prc-state-sponsored-cyber-group">Joint guidance on network intrusion threats from <abbr title="People’s Republic of China">PRC</abbr> state-sponsored cyber group</a></li> </ul></li> </ul><h3>Advice and guidance</h3> <ul><li><a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals (CRGs): Securing our most critical systems</a></li> <li><a href="https://www.cyber.gc.ca/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-Sector Cyber Security Readiness Goals Toolkit</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/security-considerations-your-website-itsm60005">Security considerations for your website (ITSM.60.005)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">Top 10 <abbr title="information technology">IT</abbr> security actions to protect internet connected networks and information (ITSM.10.089)</a></li> <li><a 
href="https://www.cyber.gc.ca/en/guidance/security-vulnerabilities-and-patches-explained-it-security-bulletin-government-canada-itsb">Top 10 <abbr title="information technology">IT</abbr> security action items: No. 2 patch operating systems and applications (ITSM.10.096)</a></li> </ul><!-- FOOTNOTE SECTION EN --><aside class="wb-fnote" role="note"><h2 id="reference">Notes</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>Canadian Centre for Cyber Security. <a href="https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-cyber-centre-urges-canadians-be-aware-and-protect-against-prc-cyber-threat-activity">Cyber threat bulletin: Cyber Centre urges Canadians to be aware of and protect against <abbr title="People’s Republic of China">PRC</abbr> cyber threat activity</a></p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>
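The mitigation list above recommends auditing network appliance and edge device configurations for unauthorized or malicious changes. The following is an added example of how such an audit can be automated against a reviewed baseline; it is not Cyber Centre code. It assumes a Cisco IOS-style text configuration retrieved out of band (console or a trusted management host), uses two constructed sample configurations, and applies an illustrative rule list rather than an authoritative indicator set. The rules flag the kinds of change an intruder makes to keep access and blind defenders: a new privileged local account, weakened AAA, a read-write SNMP community, a new tunnel to an outside address, telnet on a management line, and removal of remote logging or a management-plane access list.

```python
"""Audit an edge device's running configuration against a reviewed baseline.

Added example: this is not the Cyber Centre's tooling. It assumes a Cisco IOS-style
text configuration pulled out of band. Both configurations below are constructed
samples, and RULES is an illustrative starting point, not a complete indicator set.
"""
from __future__ import annotations

import difflib
import hashlib
import re

# Constructed sample: the last reviewed, known-good configuration.
BASELINE_CONFIG = """\
hostname edge-fw-01
username netadmin privilege 15 secret 9 $9$placeholder1
aaa new-model
aaa authentication login default group tacacs+ local
logging host 10.20.0.5
snmp-server community r0-ro RO 10
ntp server 10.20.0.6
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class 10 in
"""

# Constructed sample: what the device is running now. The changes mimic what a
# post-compromise actor does to keep access and evade logging.
CURRENT_CONFIG = """\
hostname edge-fw-01
username netadmin privilege 15 secret 9 $9$placeholder1
username svc_backup privilege 15 secret 9 $9$placeholder2
aaa new-model
aaa authentication login default local
logging host 10.20.0.5
snmp-server community r0-ro RO 10
snmp-server community public RW
ntp server 10.20.0.6
ip ssh version 2
interface Tunnel100
 ip address 172.31.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.7
line vty 0 4
 transport input ssh telnet
"""

# Each rule: (side of the diff it applies to, pattern, severity, description).
RULES = [
    ("added", re.compile(r"^username \S+ privilege 15"), "high", "new privileged local account"),
    ("added", re.compile(r"^snmp-server community \S+ RW"), "high", "new read-write SNMP community"),
    ("added", re.compile(r"^interface Tunnel"), "high", "new tunnel interface"),
    ("added", re.compile(r"^ tunnel destination"), "high", "new tunnel endpoint"),
    ("added", re.compile(r"^ transport input .*telnet"), "medium", "telnet enabled on a management line"),
    ("removed", re.compile(r"^aaa authentication .*group"), "high", "central (AAA server) authentication removed"),
    ("removed", re.compile(r"^logging host"), "high", "remote logging destination removed"),
    ("removed", re.compile(r"^ access-class"), "medium", "management-plane access list removed"),
]


def normalize(config: str) -> list[str]:
    """Drop blank lines and trailing whitespace so cosmetic differences do not alert."""
    return [line.rstrip() for line in config.splitlines() if line.strip()]


def config_fingerprint(config: str) -> str:
    """SHA-256 over the normalized config: a cheap 'has anything changed?' check stored with the baseline."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def config_diff(baseline: str, current: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) configuration lines relative to the baseline."""
    added, removed = [], []
    for line in difflib.unified_diff(normalize(baseline), normalize(current), n=0, lineterm=""):
        if line.startswith(("---", "+++", "@@")):
            continue  # diff headers, not configuration
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def audit(baseline: str, current: str) -> list[dict]:
    """Classify every changed line. Lines no rule recognizes still surface as 'info':
    on an edge device, any unreviewed change deserves a look."""
    added, removed = config_diff(baseline, current)
    findings = []
    for change, lines in (("added", added), ("removed", removed)):
        for line in lines:
            hits = [r for r in RULES if r[0] == change and r[1].search(line)]
            for _, _, severity, why in hits:
                findings.append({"severity": severity, "change": change, "line": line, "why": why})
            if not hits:
                findings.append({"severity": "info", "change": change, "line": line, "why": "unreviewed change"})
    return findings


def severity_counts(findings: list[dict]) -> dict[str, int]:
    """Summarize findings by severity, e.g. for a ticket or dashboard."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    if config_fingerprint(BASELINE_CONFIG) != config_fingerprint(CURRENT_CONFIG):
        for f in sorted(audit(BASELINE_CONFIG, CURRENT_CONFIG), key=lambda f: f["severity"]):
            print(f"[{f['severity']:<6}] {f['change']:<7} {f['line']!r}: {f['why']}")
```

The fingerprint is what you store alongside the reviewed baseline and compare on every poll; the line-level audit only runs when it changes. Pull the running configuration over a channel the device's own management plane cannot tamper with, and keep the baseline on a host the device cannot reach, since an actor who has rewritten the configuration can also rewrite a baseline kept on the device.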
- Security considerations when using open source software (ITSAP.10.059) by Canadian Centre for Cyber Security on February 26, 2025 at 7:35 pm
<article data-history-node-id="666" about="/en/guidance/security-considerations-when-using-open-source-software-itsap10059" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!-- Info across the top under the image --> <div class="col-md-4 pull-left hidden-xs hidden-sm mrgn-lft-0"> <p class="text-left"><strong>February 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.10.059</strong></p> </div> <!-- MOBILE STARTS HERE --> <div class="hidden-lg hidden-md text-center"> <p><strong>February 2025 | Awareness series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <p>When looking to acquire software, your organization might consider using open-source software (OSS). <abbr title="open-source software">OSS</abbr> uses publicly available source code and may seem more affordable and flexible than other software options. Although the initial acquisition and onboarding costs may be low, <abbr title="open-source software">OSS</abbr> can introduce vulnerabilities and security risks to your organization.</p> <p>The ongoing management of these risks and vulnerabilities, as well as related security incidents, can lead to significant losses for your organization. 
This publication outlines the risks related to <abbr title="open-source software">OSS</abbr> and the steps your organization can take to minimize them.</p> <section><h2 class="h3 text-info">On this page</h2> <ul><li><a href="#A">Defining "open source"</a></li> <li><a href="#B">Risks of using open-source software</a></li> <li><a href="#C">Open-source software development lifecycle</a></li> <li><a href="#D">Protecting your organization</a></li> <li><a href="#E">Considerations for using open-source software</a></li> <li><a href="#F">Learn more</a></li> </ul></section><div class="clearfix">&nbsp;</div> <h2 class="text-info" id="A">Defining “open source”</h2> <p>“Open source” refers to an approach for creating computer programs using publicly available code that has been licensed by the original authors so that anyone can see it, modify it, and distribute new versions of it. Software developers often create open-source code through voluntary collaboration. Developers can extend open-source code to create new standalone products or to add new functionality to existing software products.</p> <p>Examples of open-source products include the Chromium browser (the open-source basis of Google Chrome) and the Firefox web browser. Because <abbr title="open-source software">OSS</abbr> is publicly available, anyone can make changes to the existing open-source code. This makes it easy for users to customize <abbr title="open-source software">OSS</abbr> to suit their business needs by adding, removing or modifying capabilities.</p> <h2 class="text-info" id="B">Risks of using open-source software</h2> <p>Before you acquire and implement <abbr title="open-source software">OSS</abbr>, it is essential that you conduct assurance activities. This will allow you to continue to protect the security of your organization’s networks, systems and information.</p> <p>Not all <abbr title="open-source software">OSS</abbr> carries the same level of risk. In fact, many commercial IT security products have open-source components worked into their code. 
For example, many companies that manufacture <abbr title="information technology">IT</abbr> security products with cryptographic functionality use OpenSSL, an open-source cryptographic library.</p> <p>Consider the following risks before you implement <abbr title="open-source software">OSS</abbr> in your organization.</p> <h3>Excessive access</h3> <p>Open access means the code is available to everybody, including cyber threat actors, who can study it for exploitable flaws or attempt to introduce malicious changes. <abbr title="open-source software">OSS</abbr> can also present threat actors with opportunities to gain access to your networks and information.</p> <h3>Lack of verification</h3> <p>There is no guarantee that qualified experts conducted proper testing and quality assurance throughout an <abbr title="open-source software">OSS</abbr> product’s development, or that those who reviewed the code did a thorough security check. This lack of verification can make your <abbr title="information technology">IT</abbr> infrastructure vulnerable.</p> <h3>Lack of support</h3> <p>Most <abbr title="open-source software">OSS</abbr> does not have dedicated support and relies on the project community to maintain the software and to report and patch any known vulnerabilities. Without a dedicated support team, updates and security patches may not be available. Cyber threat actors can exploit these vulnerabilities to gain access to your organization’s network, systems and information.</p> <h2 class="text-info" id="C">Open-source software development lifecycle</h2> <p>An <abbr title="open-source software">OSS</abbr> approach is built on the values of collaboration, transparency and community-oriented development. 
The development lifecycle for <abbr title="open-source software">OSS</abbr> includes:</p> <ul><li>collecting requirements</li> <li>designing</li> <li>implementing</li> <li>testing</li> <li>releasing</li> <li>maintaining</li> </ul><p><abbr title="open-source software">OSS</abbr> is often released to the public as soon as the project team gets it running, even if it contains bugs. <abbr title="open-source software">OSS</abbr> often depends on public inspection and review to improve the product over time. Volunteers test the software and then report bugs and suggest fixes. The project team uses this feedback to develop and release updated software. This process happens as many times as needed to improve the software and release more stable versions.</p> <p>Security is not necessarily incorporated into the design and development of <abbr title="open-source software">OSS</abbr>. This may lead to vulnerabilities and introduce risks to your organization.</p> <p>Many large organizations support <abbr title="open-source software">OSS</abbr> projects. However, these projects may rely on work conducted by smaller, volunteer-run <abbr title="open-source software">OSS</abbr> projects. For smaller <abbr title="open-source software">OSS</abbr> projects, volunteers may have less time to fix problems or conduct security testing. Also, these projects may not receive the funding needed to hire expert security auditors.</p> <section class="panel panel-primary"><header class="panel-heading"><h3 class="panel-title">Improving the security of open-source software</h3> </header><div class="panel-body"> <p>Secure-by-design initiatives urge software creators to increase the safety of their products, including <abbr title="open-source software">OSS</abbr>, before releasing them to the public.</p> <p>Building security into the <abbr title="open-source software">OSS</abbr> design and lifecycle increases safety for users. 
<abbr title="open-source software">OSS</abbr> developed using memory-safe languages such as Rust and Python can be less prone to memory safety vulnerabilities, such as buffer overflows and use-after-free bugs.</p> </div> </section><h2 class="text-info" id="D">Protecting your organization</h2> <p>To protect your organization from the risks of <abbr title="open-source software">OSS</abbr>, make sure you have an <abbr title="open-source software">OSS</abbr> security framework. Here are some recommendations for what your framework should include.</p> <h3>Supply chain security</h3> <p>Address supply chain security considerations as part of your organization’s <abbr title="open-source software">OSS</abbr> strategy. Understand supply chain risks and their implications on your environment.</p> <h3>Software bill of materials and open-source software tracking</h3> <p>Continuously track all <abbr title="open-source software">OSS</abbr> running in your environment. Monitor public disclosures of vulnerabilities and align with your patch management strategies accordingly.</p> <p>Request a software bill of materials (SBOM) for all software, including projects that are not open source, to understand the implications of vulnerability disclosures on your environment.</p> <h3>Secure deployment</h3> <p>Secure deployment of <abbr title="open-source software">OSS</abbr> is as important as its development framework. Understand and take advantage of an <abbr title="open-source software">OSS</abbr> product’s security features before its deployment. If security protections are insufficient, conduct a security assessment to identify potential mitigation measures, or reconsider using the <abbr title="open-source software">OSS</abbr>.</p> <h3>Licensing risks</h3> <p>Understand the <abbr title="open-source software">OSS</abbr> product’s licensing and copyright restrictions to avoid legal contraventions. Some <abbr title="open-source software">OSS</abbr> may require attribution, while others may have sharing or usage restrictions. 
Ensure there are no jurisdictional legal implications for your data.</p> <h2 class="text-info" id="E">Considerations for using open-source software</h2> <p>Ultimately, <abbr title="open-source software">OSS</abbr> should align with your organization’s overall IT strategy. Here are some factors to consider when using <abbr title="open-source software">OSS</abbr>.</p> <h3>Before acquiring new software</h3> <p>Your organization should determine its risk tolerance level. When your risk tolerance is clearly identified, you can narrow down software choices and pick the products that meet your business needs and security requirements.</p> <h3>Before installing new software</h3> <p>Your organization needs procedures to detect and mitigate vulnerabilities. These can include:</p> <ul><li>proactive software security testing</li> <li>software update vetting</li> <li>removal of deprecated protocols</li> <li>security hardening</li> <li>incident response monitoring</li> </ul><p>Always test software before installing it. Continue to test software throughout its lifecycle, such as when it needs to be updated or patched. Continuous monitoring and testing can reduce the risk of exploitation.</p> <h3>When using open-source software</h3> <p>Manage all <abbr title="open-source software">OSS</abbr> using the same procedures and tools that you use for commercial products. Train your employees on cyber security best practices to help them use and manage software products securely. 
Consider identifying security champions within your organization to advocate for safer and more secure practices.</p> <h2 class="text-info" id="F">Learn more</h2> <ul><li><a href="/en/news-events/joint-guidance-choosing-secure-and-verifiable-technologies">Secure-by-design: Choosing secure and verifiable technologies</a></li> <li><a href="/en/news-events/case-memory-safety-roadmaps">The case for memory safety roadmaps</a></li> <li><a href="/en/news-events/joint-advisory-exploring-memory-safety-critical-open-source-projects">Exploring memory safety in critical open-source projects</a></li> <li><a href="/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> </ul></div> </div> </div> </div> </div> </div> </div> </article>
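The "Software bill of materials and open-source software tracking" section above asks you to track the OSS you run and to act on public vulnerability disclosures. The following is an added example, not Cyber Centre tooling, of the check that turns an SBOM into a list of affected components. It assumes a CycloneDX-style JSON SBOM in which each component carries a package URL (purl), and an advisory feed that expresses affected ranges as [introduced, fixed) per package, the convention used by the OSV schema. The SBOM, the package names and the advisory entries are all constructed for the example; none of them refers to a real project or a real vulnerability, and the version comparison assumes numeric dotted versions with an optional pre-release suffix.

```python
"""Check an SBOM's components against vulnerability advisories.

Added example, not Cyber Centre tooling. It assumes a CycloneDX-style JSON SBOM
whose components carry a purl, and advisories that give affected ranges as
[introduced, fixed) per package (OSV convention). All data below is constructed;
the package names and advisory IDs are placeholders, not real projects or CVEs.
"""
from __future__ import annotations

import json
import re

# Constructed SBOM, trimmed to the fields this check needs.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-parser", "version": "1.4.2",
     "purl": "pkg:npm/example-parser@1.4.2"},
    {"type": "library", "name": "sample-http", "version": "2.0.1",
     "purl": "pkg:pypi/sample-http@2.0.1"},
    {"type": "library", "name": "log-utils", "version": "3.1.0",
     "purl": "pkg:maven/org.example/log-utils@3.1.0"},
    {"type": "library", "name": "tinycrypt-lib", "version": "0.9.3",
     "purl": "pkg:generic/tinycrypt-lib@0.9.3"}
  ]
}
"""

# Constructed advisories. "fixed": None means no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "ecosystem": "npm", "name": "example-parser",
     "introduced": "1.0.0", "fixed": "1.4.3", "severity": "high"},
    {"id": "EXAMPLE-0002", "ecosystem": "pypi", "name": "sample-http",
     "introduced": "1.8.0", "fixed": "2.0.1", "severity": "medium"},
    {"id": "EXAMPLE-0003", "ecosystem": "maven", "name": "log-utils",
     "introduced": "3.0.0", "fixed": None, "severity": "critical"},
    {"id": "EXAMPLE-0004", "ecosystem": "generic", "name": "tinycrypt-lib",
     "introduced": "0.9.3-rc1", "fixed": "0.9.4", "severity": "low"},
]


def parse_version(version: str) -> tuple:
    """Comparable key for dotted versions (assumption: numeric parts, optional '-pre' tag).

    Trailing zeros are dropped so 1.2 == 1.2.0, and a pre-release sorts before the
    release it precedes (1.2.3-rc1 < 1.2.3).
    """
    base, _, pre = version.partition("-")
    nums = [int(p) for p in re.findall(r"\d+", base)]
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 0 if pre else 1, pre)


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split 'pkg:type/namespace/name@version' into (type, name, version).

    Simplification: the namespace (for example a Maven group id) is dropped, so
    matching is by ecosystem and final name segment only.
    """
    m = re.fullmatch(r"pkg:([^/]+)/([^@?#]+)@([^?#]+)(?:[?#].*)?", purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    ptype, path, version = m.groups()
    return ptype, path.rsplit("/", 1)[-1], version


def is_affected(version: str, introduced: str, fixed: str | None) -> bool:
    """True when introduced <= version < fixed, or when no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_sbom(sbom_json: str, advisories: list[dict]) -> list[dict]:
    """One finding per (component, advisory) pair whose version falls in the affected range."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        ptype, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            if (adv["ecosystem"], adv["name"]) != (ptype, name):
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": f"{ptype}/{name}@{version}",
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "action": f"upgrade to {adv['fixed']}" if adv["fixed"] else "no fix yet: mitigate or replace",
                })
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:<8} {f['component']:<36} {f['advisory']}: {f['action']}")
```

Two details matter in practice. The range is half-open, so a component already at the fixed version (sample-http 2.0.1 above) must not be reported, or the output becomes noise that teams learn to ignore. And a pre-release boundary (tinycrypt-lib, introduced at 0.9.3-rc1) has to sort before the corresponding release, otherwise the shipped 0.9.3 would be missed. Real ecosystems have their own version semantics, so for production use replace `parse_version` with the ecosystem's own comparison rules.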
- Guidance on securely configuring network protocols (ITSP.40.062) by Canadian Centre for Cyber Security on February 20, 2025 at 5:31 pm
<article data-history-node-id="724" about="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>January 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.40.062</strong></p> </div> <!-- MOBILE STARTS HERE --> <div class="hidden-lg hidden-md text-center"> <p><strong>January 2025 | Practitioner series</strong></p> </div> <!-- pdf download --> <div class="col-md-12 mrgn-tp-lg mrgn-bttm-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsp.40.062-en_0.pdf">Guidance on securely configuring network protocols – ITSP.40.062 (PDF, 855 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication issued by the Canadian Centre for Cyber Security (Cyber Centre) and provides an update to the previously published version.</p> <p>We recommend that you also read <a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information (ITSP.40.111)</a><sup 
id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>. The configurations in this publication comply with the cryptographic requirements in ITSP.40.111.</p> <h2 class="h3">Effective date</h2> <p>This publication takes effect January 2025.</p> <h2 class="h3">Revision history</h2> <ol><li>First release: August 2, 2016</li> <li>Updated version (version 2): October 13, 2020</li> <li>Updated version (version 3): January 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#overview">Overview</a></li> </ul><p><a href="#1">Introduction</a></p> <ul><li><a href="#1.1">1.1 IT security risk management process</a></li> <li><a href="#1.2">1.2 Recommendations</a> <ul><li><a href="#1.2.1">1.2.1 Recommended</a></li> <li><a href="#1.2.2">1.2.2 Sufficient </a></li> <li><a href="#1.2.3">1.2.3 Phase out </a></li> </ul></li> </ul><p><a href="#2">2 Public Key Infrastructure</a></p> <p><a href="#3">3 Transport Layer Security</a></p> <ul><li><a href="#3.1">3.1 TLS cipher suites</a></li> <li><a href="#3.2">3.2 TLS extensions</a></li> <li><a href="#3.3">3.3 Client and server authentication</a></li> <li><a href="#3.4">3.4 Other TLS configuration guidelines</a></li> </ul><p><a href="#4">4 Internet Protocol Security</a></p> <ul><li><a href="#4.1">4.1 Internet key exchange protocol version 2</a> <ul><li><a href="#4.1.1">4.1.1 Authentication</a></li> <li><a href="#4.1.2">4.1.2 Message encryption</a></li> <li><a href="#4.1.3">4.1.3 Key exchange</a></li> <li><a href="#4.1.4">4.1.4 Pseudo-random functions for key generation</a></li> <li><a href="#4.1.5">4.1.5 Integrity protection</a></li> <li><a href="#4.1.6">4.1.6 Extensible Authentication Protocol</a></li> <li><a href="#4.1.7">4.1.7 Distributed denial-of-service protection</a></li> <li><a href="#4.1.8">4.1.8 Key and authentication lifetimes</a></li> <li><a href="#4.1.9">4.1.9 Session resumption</a></li> 
</ul></li> <li><a href="#4.2">4.2 Internet Protocol Security</a> <ul><li><a href="#4.2.1">4.2.1 Key generation</a></li> <li><a href="#4.2.2">4.2.2 Data and integrity protection</a></li> <li><a href="#4.3.3">4.2.3 Replay protection</a></li> </ul></li> </ul><p><a href="#5">5 Secure Shell </a></p> <ul><li><a href="#5.1">5.1 SSH authentication</a></li> <li><a href="#5.2">5.2 SSH port forwarding</a></li> <li><a href="#5.3">5.3 SSH root access</a></li> <li><a href="#5.4">5.4 SSH parameter selection</a> <ul><li><a href="#5.4.1">5.4.1 Encryption algorithm selection</a></li> <li><a href="#5.4.1">5.4.2 MAC algorithm selection</a></li> <li><a href="#5.4.3">5.4.3 Key exchange algorithm</a></li> <li><a href="#5.4.4">5.4.4 Public key algorithm</a></li> </ul></li> </ul><p><a href="#6">6 Simple Network Management Protocol </a></p> <ul><li><a href="#6.1">6.1 SNMPv3 interfaces and access control </a></li> <li><a href="#6.2">6.2 SNMPv3 USM security model </a> <ul><li><a href="#6.2.1">6.2.1 SNMPv3 USM authentication algorithms</a></li> <li><a href="#6.2.2">6.2.2 SNMPv3 USM privacy algorithms </a></li> <li><a href="#6.2.3">6.2.3 USM authentication and privacy secrets</a></li> </ul></li> <li><a href="#6.3">6.3 TSM security model </a> <ul><li><a href="#6.3.1">6.3.1 SNMPv3 over TLS/DTLS</a></li> <li><a href="#6.3.2">6.3.2 SNMPv3 over SSH</a></li> </ul></li> <li><a href="#6.4">6.4 SNMPv3 over an IPsec tunnel </a></li> <li><a href="#6.5">6.5 SNMPv3 notifications: Traps and informs</a></li> <li><a href="#6.6">6.6 SNMPv3 discovery process</a></li> </ul><p><a href="#7">7 Secure/Multipurpose Internet Mail Extensions</a></p> <ul><li><a href="#7.1">7.1 Digest algorithms</a></li> <li><a href="#7.2">7.2 Signature algorithms</a></li> <li><a href="#7.3">7.3 Key encryption algorithms</a> <ul><li><a href="#7.3.1">7.3.1 Key wrap algorithms</a></li> </ul></li> <li><a href="#7.4">7.4 Content encryption algorithms</a></li> </ul><p><a href="#8">8 Commercial technologies assurance programs</a></p> <p><a 
href="#9">9 Preparing for post quantum cryptography</a></p> <p><a href="#10">10 Summary</a></p> <p><a href="#11">11 Supporting content </a></p> <ul><li><a href="#11.1">11.1 List of abbreviations</a></li> <li><a href="#11.2">11.2 Glossary</a></li> <li><a href="#11.3">11.3 References</a></li> </ul><h2>List of figures</h2> <ul class="list-unstyled"><li><a href="#fig1">Figure 1: IT security risk management process </a></li> </ul><h2>Lists</h2> <ul class="list-unstyled"><li><a href="#t1">List 1: Recommended cipher suites for TLS version 1.3. </a></li> <li><a href="#t2">List 2: Recommended cipher suites for TLS 1.2 </a></li> <li><a href="#t3">List 3: TLS supported groups that conform to ITSP.40.111. </a></li> <li><a href="#t4">List 4: TLS signature algorithms that comply with ITSP.40.111. </a></li> <li><a href="#t5">List 5: Recommended TLS extensions </a></li> <li><a href="#t6">List 6: TLS extensions to phase out </a></li> <li><a href="#t7">List 7: Recommended IKEv2 authentication schemes. </a></li> <li><a href="#t8">List 8: Recommended IKEv2 Message Encryption Algorithms. </a></li> <li><a href="#t9">List 9: Recommended IKEv2 Key Exchange Groups. </a></li> <li><a href="#t10">List 10: Sufficient PRF for IKEv2 key generation </a></li> <li><a href="#t11">List 11: Sufficient and phase out integrity protection mechanisms. </a></li> <li><a href="#t12">List 12: Recommended ESP packet encryption algorithms. </a></li> <li><a href="#t13">List 13: Sufficient and phase out integrity protection mechanisms. </a></li> <li><a href="#t14">List 14: Recommended SSH encryption algorithms. </a></li> <li><a href="#t15">List 15: Sufficient and phase out SSH MAC algorithms. </a></li> <li><a href="#t16">List 16: Recommended SSH key exchange algorithms. </a></li> <li><a href="#t17">List 17: Recommended SSH public key algorithms. 
</a></li> <li><a href="#t18">List 18: Sufficient and phase out authentication algorithms for SNMPv3 USM </a></li> <li><a href="#t19">List 19: Sufficient and phase out privacy protection for SNMPv3 USM.</a></li> <li><a href="#t20">List 20: Sufficient and phase out S/MIME digest algorithms</a></li> <li><a href="#t21">List 21: Recommended S/MIME signature algorithms</a></li> <li><a href="#t22">List 22: Recommended S/MIME key encryption algorithms</a></li> <li><a href="#t23">List 23: Recommended S/MIME key wrap algorithms</a></li> <li><a href="#t24">List 24: S/MIME content encryption algorithms </a></li> </ul></details></section><h2 class="text-info" id="overview">Overview</h2> <p>This publication identifies and describes acceptable security protocols, and their appropriate methods of use, that organizations can implement to protect sensitive information. For Government of Canada (GC) departments and agencies, the guidance in this publication applies to UNCLASSIFIED, PROTECTED A, and PROTECTED B information.</p> <p>Your organization’s ability to securely transmit sensitive data and information is fundamental to the delivery of your programs and services. Using cryptographic security protocols helps ensure the confidentiality, integrity, and availability of information and provides protection against certain cyber intrusion threats.</p> <p>Data confidentiality, integrity, availability, stakeholder authentication and accountability, and non-repudiation are all benefits of properly configured security protocols. 
Various protocols may be required to satisfy your organization's specific security requirements, and each protocol should be selected and implemented to ensure all requirements are met.</p> <p>For more information on securely configuring network protocols, contact our Contact Centre by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> or by phone at <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:1-833-292-3788">1-833-CYBER-88</a>.</p> <h2 class="text-info" id="1">1 Introduction</h2> <p>Organizations rely on information technology (IT) systems to achieve business objectives. These interconnected systems can be the targets of serious threats and cyber attacks that jeopardize the availability, the confidentiality, and the integrity of information assets. Compromised networks, systems, or information can have adverse effects on business activities and may result in data breaches and financial loss.</p> <p>This publication provides guidance on the following topics:</p> <ul><li>Securely configuring network protocols to protect sensitive information</li> <li>Approved algorithms that the Cyber Centre recommends for use with these network protocols</li> <li>Standards and National Institute of Standards and Technology (NIST) special publications that provide additional information on these network protocols</li> </ul><p>This publication aids technology practitioners in choosing and using appropriate security protocols for protecting sensitive information (UNCLASSIFIED, PROTECTED A, and PROTECTED B information) and complements the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=26262">Treasury Board of Canada Secretariat (TBS) Guideline on Defining Authentication Requirements</a><sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup>. This publication also provides cryptographic guidance for IT solutions at the UNCLASSIFIED, PROTECTED A, and PROTECTED B levels. 
Organizations are responsible for determining their security objectives and requirements as part of their risk management framework.</p> <h3 id="1.1">1.1 IT security risk management process</h3> <p>When implementing security protocols, practitioners should consider the IT security risk management activities described in <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33">IT Security Risk Management: A Lifecycle Approach (ITSG-33)</a><sup id="fn3a-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup>. ITSG-33 addresses two levels of IT security risk management activities: departmental-level activities and information system-level activities. It also includes a catalogue of security controls (for example, standardized security requirements to protect the confidentiality, integrity, and availability of IT assets). See Figure 1 for an overview of the IT security risk management activity levels.</p> <p>Additionally, organizations should consider the following activity areas: define, deploy, monitor, and assess. See Annex 1 of ITSG-33<sup id="fn3b-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup> for more information on these activities.</p> <p>Departmental-level activities (or organizational-level activities for non-GC organizations) are included in departmental or organizational security programs to plan, manage, assess, and improve the management of IT security risks.</p> <p>Information system-level activities are included in an information system's lifecycle through the information system security implementation process (ISSIP). When implementing network security protocols, you should consider all the steps in the ISSIP. 
See Annex 2 of ITSG-33<sup id="fn3c-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup> for more information.</p> <section class="panel panel-default col-md-12"><div class="panel-body"> <p class="text-center" id="fig1"><strong>Figure 1: IT security risk management process </strong></p> <figure><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsp.40.062-fig-1-en.png" /></figure><details><summary>Long description – Figure 1: IT security risk management process </summary><p>This figure describes the high-level departmental IT security risk management activities within the Departmental IT security function. The figure also describes the information system security risk management activities within IT projects and operational groups. It also highlights how the IT security risk management activities at both levels act together in a continuous cycle to efficiently maintain and improve the security posture of departmental information systems.</p> <p>The departmental IT security risk management activities are targeted at an audience of departmental security authorities and encompass the following steps:</p> <ol class="lst-spcd"><li>Define the business needs for security and the security controls</li> <li>Deploy the security controls, including developing department security control profiles and department IT threat assessment reports</li> <li>Continuously monitor and assess the performance of the security controls and maintain authorization</li> <li>Identify security control updates</li> </ol><p>The information security risk management activities are aimed at IT project managers, security practitioners and developers. 
They encompass the following steps:</p> <ol class="lst-spcd"><li>Initiation: Define IT security needs and security controls</li> <li>Development/acquisition: Design and develop or acquire information system with security</li> <li>Integration and installation: Integrate, test, and install information system with security</li> <li>Operation and maintenance: Operate, monitor, and maintain</li> <li>Disposal: Dispose of IT assets securely at retirement</li> </ol></details></div> </section><h3 id="1.2">1.2 Recommendations</h3> <p>Throughout this publication, we make recommendations that fall within three categories: recommended, sufficient, and phase out.</p> <h4 id="1.2.1">1.2.1 Recommended</h4> <p>Configurations listed in the Recommended column have advantages over those in the Sufficient column. Recommended configurations should always be implemented if allowed by the remote connection profile.</p> <h4 id="1.2.2">1.2.2 Sufficient</h4> <p>Configurations listed in the Sufficient column are appropriate to be used as deemed necessary to support the profile of remote connections. Sufficient configurations should be applied when it is not possible to implement a Recommended profile.</p> <h4 id="1.2.3">1.2.3 Phase out</h4> <p>Configurations listed in the Phase Out column are marked for transition according to guidance in ITSP.40.111<sup id="fn1b-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> or due to protocol-specific concerns.</p> <p>If you have systems that use Phase Out selections, we recommend that you transition to Recommended or Sufficient alternatives as soon as possible.</p> <p><strong>Note</strong>: Systems do not need to be configured with all the selections listed in the recommended or sufficient columns. The chosen configurations will depend on an organization's remote connection profile. 
The protocol selections should be implemented to limit the network attack surface.</p> <h2 class="text-info" id="2">2 Public Key Infrastructure</h2> <p>Public Key Infrastructures (PKIs) support the management of public keys for security services in PKI-enabled protocols, including Transport Layer Security (TLS), Internet Protocol Security (IPsec), and Secure/Multipurpose Internet Mail Extensions (S/MIME).</p> <p>PKI key management guidance is provided in <a href="https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final">NIST Special Publication (SP) 800-57 Part 3 Revision 1 – Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance</a><sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup>. We recommend that you refer to section 2 of NIST SP 800-57 Part 3 Rev. 1<sup id="fn4a-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup> for the guidance on installing and administering PKI.</p> <p>Your implementations must not reuse public key pairs across multiple protocols within the PKI. For example, key pairs used in IKEv2 must not be reused for Secure Shell (SSH).</p> <p>You should format public key certificates in the X.509 version 3 certificate format, as specified in <a href="https://datatracker.ietf.org/doc/html/rfc5280">Request for Comments (RFC) 5280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</a><sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup>.</p> <p>To support algorithm and key size agility, protocol implementations should support multiple certificates with their associated private keys. 
Public key certificates used for signing, key agreement, or key encipherment should be distinguished by the key usage extension, asserting one of the following bit-valued flags:</p> <ul><li>digitalSignature</li> <li>keyAgreement</li> <li>keyEncipherment</li> </ul><p><strong>To satisfy the cryptographic guidance provided in Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information (ITSP.40.111)<sup id="fn1c-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>, SHA-1 should not be used to generate or verify public key certificate digital signatures.</strong></p> <h2 class="text-info" id="3">3 Transport Layer Security</h2> <p>Transport Layer Security (TLS) is a protocol developed to protect the confidentiality, integrity, and availability of Internet communications between server and client applications.</p> <p>As specified in <a href="https://datatracker.ietf.org/doc/html/rfc8446">RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3</a><sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup>, we <strong>recommend</strong> configuring TLS servers and clients to use TLS 1.3. Using TLS version 1.2, updated in RFC 8446<sup id="fn6g-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup>, is <strong>sufficient</strong> if it is required for wider compatibility, internal audit compliance, or threat monitoring systems. You should phase out versions of TLS older than 1.2 or any versions of Secure Sockets Layer (SSL).</p> <p>Servers that use TLS to protect HTTP traffic (i.e. 
HTTPS) should support HTTP Strict Transport Security (HSTS), as specified in <a href="https://datatracker.ietf.org/doc/html/rfc6797">RFC 6797 HTTP Strict Transport Security (HSTS)</a><sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup>.</p> <p>An email server acting as a Message Transfer Agent (MTA) for Simple Mail Transfer Protocol (SMTP) should support the negotiation of TLS with other MTAs. SMTP traffic can be upgraded to TLS using STARTTLS, as specified in <a href="https://datatracker.ietf.org/doc/html/rfc3207">RFC 3207 SMTP Service Extension for Secure SMTP over Transport Layer Security</a><sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup>. To ensure the use of TLS for SMTP traffic, MTAs should either support <a href="https://datatracker.ietf.org/doc/html/rfc8461">RFC 8461 SMTP MTA Strict Transport Security (MTA-STS)</a><sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup> and be configured to use the "enforce" policy mode or support <a href="https://datatracker.ietf.org/doc/html/rfc7672">RFC 7672 SMTP Security via Opportunistic DNS Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)</a><sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup>.</p> <p><strong>Note</strong>: These opportunistic encryption techniques are only supported on a hop-by-hop basis. End-to-end message protection is provided by S/MIME. 
For more information, see <a href="#Section7">Section 7 – Secure/multi-purpose Internet mail extensions</a>.</p> <p>When TLS is used to protect the confidentiality or integrity of PROTECTED A or PROTECTED B information, you should use X.509 version 3 certificates to mutually authenticate between the server and the client.</p> <h3 id="3.1">3.1 TLS cipher suites</h3> <p>If the server or the client is configured to support TLS version 1.3, then the server or the client should be configured to support only the cipher suites listed in List 1:</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t1">Recommended cipher suites for TLS version 1.3</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>TLS_AES_256_GCM_SHA384</li> <li>TLS_AES_128_GCM_SHA256</li> <li>TLS_AES_128_CCM_SHA256</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>TLS_AES_128_CCM_8_SHA256</li> </ul></div> </section><p>If TLS 1.2 support is required, a TLS server or client should be configured to support only the TLS 1.2 cipher suites listed in List 2:</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t2">Recommended cipher suites for TLS 1.2</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</li> <li>TLS_ECDHE_ECDSA_WITH_AES_256_CCM</li> <li>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</li> <li>TLS_ECDHE_ECDSA_WITH_AES_128_CCM</li> <li>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</li> <li>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 
mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8</li> <li>TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8</li> <li>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</li> <li>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</li> <li>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</li> <li>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</li> <li>TLS_DHE_DSS_WITH_AES_256_GCM_SHA384</li> <li>TLS_DHE_RSA_WITH_AES_256_CCM</li> <li>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</li> <li>TLS_DHE_DSS_WITH_AES_128_GCM_SHA256</li> <li>TLS_DHE_RSA_WITH_AES_128_CCM</li> <li>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</li> <li>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</li> <li>TLS_RSA_WITH_AES_256_GCM_SHA384</li> <li>TLS_RSA_WITH_AES_128_GCM_SHA256</li> <li>TLS_RSA_WITH_AES_256_CBC_SHA256</li> <li>TLS_RSA_WITH_AES_256_CBC_SHA</li> <li>TLS_RSA_WITH_AES_128_CBC_SHA256</li> <li>TLS_RSA_WITH_AES_128_CBC_SHA</li> <li>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</li> <li>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</li> <li>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</li> <li>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</li> <li>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</li> <li>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</li> <li>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</li> <li>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</li> <li>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</li> </ul></div> </section><p>TLS servers and clients may use any or all the listed cipher suites according to the deployment profile. However, if an Internet-facing deployment requires cipher suites listed in the Phase Out column, we recommend you transition away from these as soon as possible. 
Your internal enterprise or data centre deployments of TLS may continue to use cipher suites with RSA key transport if required for audit compliance or threat monitoring systems, but this guidance may change in the future.</p> <p>Cipher suites do not specify a key size for the public key algorithm. TLS servers and clients should ensure that the server and client ephemeral key pairs that are used to establish the main secret satisfy the key length requirements specified in ITSP.40.111<sup id="fn1d-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>. List 3 lists the supported groups that conform to ITSP.40.111<sup id="fn1e-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t3">TLS supported groups that conform to ITSP.40.111</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>secp256r1</li> <li>secp384r1</li> <li>secp521r1</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>ffdhe3072</li> <li>ffdhe4096</li> <li>ffdhe6144</li> <li>ffdhe8192</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>secp224r1</li> <li>sect233r1</li> <li>sect233k1</li> <li>sect283k1</li> <li>sect283r1</li> <li>sect409k1</li> <li>sect409r1</li> <li>sect571k1</li> <li>sect571r1</li> <li>ffdhe2048</li> </ul></div> </section><p>List 4 lists the signature algorithms that comply with ITSP.40.111<sup id="fn1f-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" 
id="t4">TLS signature algorithms that comply with ITSP.40.111</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>ecdsa_secp256r1_sha256</li> <li>ecdsa_secp384r1_sha384</li> <li>ecdsa_secp521r1_sha512</li> <li>ed25519</li> <li>ed448</li> <li>rsa_pss_pss_sha256</li> <li>rsa_pss_pss_sha384</li> <li>rsa_pss_pss_sha512</li> <li>rsa_pss_rsae_sha256</li> <li>rsa_pss_rsae_sha384</li> <li>rsa_pss_rsae_sha512</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>rsa_pkcs1_sha256</li> <li>rsa_pkcs1_sha384</li> <li>rsa_pkcs1_sha512</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>ecdsa_secp224r1_sha224</li> <li>rsa_pkcs1_sha224</li> <li>dsa_sha224</li> <li>dsa_sha256</li> <li>dsa_sha384</li> <li>dsa_sha512</li> </ul></div> </section><h3 id="3.2">3.2 TLS extensions</h3> <p>We recommend that TLS servers and clients support the extensions listed in List 5:</p> <table class="table table-condensed table-bordered" id="t5"><caption>Recommended TLS extension names</caption> <thead><tr class="active"><th scope="col">Extension name</th> <th scope="col">Extension code point</th> <th scope="col">References</th> <th scope="col">Notes</th> </tr></thead><tbody><tr><th scope="row">Application-Layer Protocol Negotiation</th> <td>application_layer_protocol_negotiation</td> <td><a href="https://datatracker.ietf.org/doc/html/rfc7301">RFC 7301</a> <sup id="fn11-rf"><a class="fn-lnk" href="#fn11"><span class="wb-inv">Footnote </span>11</a></sup></td> <td></td> </tr><tr><th scope="row">Certificate Signature Algorithms</th> <td>signature_algorithms_cert</td> <td>RFC 8446 <sup id="fn6e-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote 
</span>6</a></sup> section 4.2.3</td> <td></td> </tr><tr><th scope="row">Certificate Status Request</th> <td>status_request</td> <td><a href="https://datatracker.ietf.org/doc/html/rfc6066">RFC 6066</a> <sup id="fn12-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup> section 8</td> <td>TLS 1.3 only</td> </tr><tr><th scope="row">Cookie</th> <td>cookie</td> <td>RFC 8446 <sup id="fn6d-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup> section 4.2.2</td> <td>TLS 1.3 only</td> </tr><tr><th scope="row">Encrypt-then-MAC</th> <td>encrypt_then_mac</td> <td><a href="https://datatracker.ietf.org/doc/html/rfc7366">RFC 7366</a> <sup id="fn13b-rf"><a class="fn-lnk" href="#fn13"><span class="wb-inv">Footnote </span>13</a></sup></td> <td>TLS 1.2 only</td> </tr><tr><th scope="row">Extended Main Secret</th> <td>extended_main_secret / extended_master_secret</td> <td><a href="https://datatracker.ietf.org/doc/html/rfc7627">RFC 7627</a> <sup id="fn14-rf"><a class="fn-lnk" href="#fn14"><span class="wb-inv">Footnote </span>14</a></sup></td> <td>TLS 1.2 only</td> </tr><tr><th scope="row">Key Share</th> <td>key_share</td> <td>RFC 8446 <sup id="fn6f-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup> section 4.2.8</td> <td>TLS 1.3 only</td> </tr><tr><th scope="row">Multiple Certificate Status</th> <td>status_request_v2</td> <td><a href="https://datatracker.ietf.org/doc/html/rfc6961">RFC 6961</a> <sup id="fn15-rf"><a class="fn-lnk" href="#fn15"><span class="wb-inv">Footnote </span>15</a></sup></td> <td>TLS 1.2 only</td> </tr><tr><th scope="row">Pre-Shared Key</th> <td>pre_shared_key</td> <td>RFC 8446 <sup id="fn6h-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup> section 4.2.11</td> <td>TLS 1.3 only</td> </tr><tr><th scope="row">Pre-shared Key Exchange Modes</th> <td>psk_key_exchange_modes</td> <td>RFC 8446 <sup id="fn6i-rf"><a class="fn-lnk" 
href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup> section 4.2.9</td> <td>TLS 1.3 only</td> </tr><tr><th scope="row">Renegotiation Indication</th> <td>renegotiation_info</td> <td><a href="https://datatracker.ietf.org/doc/html/rfc5746">RFC 5746</a> <sup id="fn16-rf"><a class="fn-lnk" href="#fn16"><span class="wb-inv">Footnote </span>16</a></sup></td> <td>TLS 1.2 only</td> </tr><tr><th scope="row">Server Name Indication</th> <td>server_name</td> <td>RFC 6066 <sup id="fn12a-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup> section 3</td> <td></td> </tr><tr><th scope="row">Signature Algorithms</th> <td>signature_algorithms</td> <td>RFC 8446 <sup id="fn6j-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup> section 4.2.3</td> <td></td> </tr><tr><th scope="row">Supported Groups</th> <td>supported_groups</td> <td><a href="https://datatracker.ietf.org/doc/html/rfc8422">RFC 8422</a> <sup id="fn17-rf"><a class="fn-lnk" href="#fn17"><span class="wb-inv">Footnote </span>17</a></sup> section 5.1.1, <a href="https://datatracker.ietf.org/doc/html/rfc7919">RFC 7919</a> <sup id="fn18-rf"><a class="fn-lnk" href="#fn18"><span class="wb-inv">Footnote </span>18</a></sup></td> <td>Renamed from 'elliptic_curves'</td> </tr><tr><th scope="row">Supported Point Formats</th> <td>ec_point_formats</td> <td>RFC 8422 <sup id="fn17a-rf"><a class="fn-lnk" href="#fn17"><span class="wb-inv">Footnote </span>17</a></sup> section 5.1.2</td> <td>TLS 1.2 only</td> </tr><tr><th scope="row">Supported Versions</th> <td>supported_versions</td> <td>RFC 8446 <sup id="fn6k-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup> section 4.2.1</td> <td>TLS 1.3 only</td> </tr><tr><th scope="row">Transparency Information</th> <td>transparency_info</td> <td><a href="https://datatracker.ietf.org/doc/html/rfc9162">RFC 9162</a> <sup id="fn19-rf"><a class="fn-lnk" href="#fn19"><span class="wb-inv">Footnote 
</span>19</a></sup> section 6.5</td> <td></td> </tr><tr><th scope="row">Trusted CA Indication</th> <td>trusted_ca_keys</td> <td>RFC 6066 <sup id="fn12b-rf"><a class="fn-lnk" href="#fn12"><span class="wb-inv">Footnote </span>12</a></sup> section 6</td> <td>TLS 1.2 only</td> </tr></tbody></table><p><strong>Note</strong>: Do not enable extensions in your configurations that are not listed above.</p> <p>We recommend that TLS servers and clients phase out the extensions listed in List 6:</p> <table class="table table-condensed table-bordered" id="t6"><caption>TLS extensions to phase out</caption> <thead><tr class="active"><th scope="col">Extension name</th> <th scope="col">Extension code point</th> <th scope="col">References</th> <th scope="col">Rationale</th> </tr></thead><tbody><tr><th scope="row">Signed Certificate Timestamp</th> <td>signed_certificate_timestamp</td> <td><a href="https://datatracker.ietf.org/doc/html/rfc6962">RFC 6962</a> <sup id="fn20-rf"><a class="fn-lnk" href="#fn20"><span class="wb-inv">Footnote </span>20</a></sup></td> <td>Made obsolete by the 'transparency_info' extension.</td> </tr></tbody></table><h3 id="3.3">3.3 Client and server authentication</h3> <p>The client must validate the server certificate according to RFCs 5280 <sup id="fn5a-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup> and 8446 <sup id="fn6a-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup>. The revocation status of the certificate must be checked using a certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP), and the client should verify that the certificate appears in a certificate transparency log according to RFC 9162 Certificate Transparency Info Version 2.0 <sup id="fn19a-rf"><a class="fn-lnk" href="#fn19"><span class="wb-inv">Footnote </span>19</a></sup>. 
The client must check that the certificate contains a value in the Subject Alternative Name extension or in the Subject Distinguished Name field that matches the DNS or IP address requested.</p> <p>If the client included the certificate signature algorithms extension, the client should verify that the certificate signature algorithm matches one of the proposed values. Otherwise, the client should verify that the certificate signature algorithm matches one of the proposed values in the signature algorithms extension.</p> <p>Finally, the client should verify that the public key length in the certificate satisfies the key length requirements specified in ITSP.40.111 <sup id="fn1-rfg"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <p>If client authentication (also referred to as mutual authentication) is configured, the server must validate the client certificate according to RFCs 5280 <sup id="fn5b-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup> and 8446 <sup id="fn6c-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup>. The server must verify that the certificate validation path chains to a certificate authority (CA) that is trusted by the server to validate access to the requested resource. The revocation status of the certificate must be checked using a CRL or the OCSP. 
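</p>
<p>The settings of Lists 1 to 3 and of section 3.4, together with the certificate checks of this subsection, as an added example in Go that is not part of this publication: it constructs a test CA, issues server and client certificates that assert the digitalSignature key usage bit from section 2, runs a mutually authenticated TLS handshake over an in-memory pipe and then re-applies the checks to the certificate each side received. The names server.example and client-1.example, the function names and the choice to disable session tickets are assumptions made for the example; the key-size check is written for ECDSA only, because the numeric thresholds live in ITSP.40.111 rather than on this page, and revocation checking (CRL or OCSP) is left to a separate step.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HardenedConfig applies Lists 1 to 3 and section 3.4. Go fixes its own TLS 1.3 suite set,
// so CipherSuites only restricts TLS 1.2 to the Recommended ECDHE/GCM suites of List 2.
func HardenedConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12, // TLS 1.0/1.1 and every SSL version are phased out
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}, // List 3
		Renegotiation:    tls.RenegotiateNever,                                       // section 3.4: no client-initiated renegotiation
		SessionTicketsDisabled: true, ClientAuth: tls.RequireAndVerifyClientCert, // mutual auth, no resumption in this demo
		RootCAs: pool, ClientCAs: pool,
	}
}

func must[T any](v T, err error) T { // aborts the demo on key generation or encoding failures
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a P-256 ECDSA certificate that asserts the digitalSignature key
// usage bit (section 2); a nil parent makes it self-signed.
func newCert(serial int64, cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// CheckPeerCert makes the section 3.3 checks explicit on a received certificate: path
// validation to a trusted CA plus the SAN name match (Verify, which also refuses SHA-1 and
// MD5 signatures), then the key usage bit and key size. Revocation (CRL/OCSP) is a separate step.
func CheckPeerCert(cert *x509.Certificate, pool *x509.CertPool, name string, eku x509.ExtKeyUsage) error {
	opts := x509.VerifyOptions{Roots: pool, DNSName: name, KeyUsages: []x509.ExtKeyUsage{eku}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("digitalSignature key usage bit is not asserted")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve.Params().BitSize < 256 { // List 3: P-256 or larger; P-224 is phase out
		return fmt.Errorf("public key %T is not ECDSA on P-256 or larger", cert.PublicKey)
	}
	return nil
}

// MutualHandshake runs a mutually authenticated handshake over an in-memory pipe with
// a constructed CA, then re-checks the certificate each side received.
func MutualHandshake() (tls.ConnectionState, error) {
	ca, caKey := newCert(1, "Constructed Test CA", true, nil, nil, nil)
	srv, srvKey := newCert(2, "server", false, []string{"server.example"}, ca, caKey)
	cli, cliKey := newCert(3, "client", false, []string{"client-1.example"}, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg, cliCfg := HardenedConfig(pool), HardenedConfig(pool)
	srvCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}
	cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}
	cliCfg.ServerName = "server.example" // sent as the SNI extension and used for the name check
	c, s := net.Pipe()
	server, client := tls.Server(s, srvCfg), tls.Client(c, cliCfg)
	srvErr := make(chan error, 1)
	go func() { srvErr <- server.Handshake() }()
	if err := errors.Join(client.Handshake(), <-srvErr); err != nil {
		return tls.ConnectionState{}, err
	}
	st := client.ConnectionState()
	return st, errors.Join(
		CheckPeerCert(st.PeerCertificates[0], pool, "server.example", x509.ExtKeyUsageServerAuth),
		CheckPeerCert(server.ConnectionState().PeerCertificates[0], pool, "client-1.example", x509.ExtKeyUsageClientAuth))
}
```

<p>Two caveats on crypto/tls: its TLS 1.3 suite set is fixed and includes TLS_CHACHA20_POLY1305_SHA256, which List 1 does not contain, so a deployment that must enforce List 1 exactly should inspect ConnectionState.CipherSuite after the handshake. Session tickets are disabled only so the pipe-based handshake needs no post-handshake traffic; where resumption is wanted, enable PSK resumption with an (EC)DHE key exchange as section 3.4 describes. Go never negotiates TLS compression, which satisfies the null-compression requirement of section 3.4 without configuration.</p>
<p>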
The server should check that the certificate contains a value in the Subject Alternative Name extension or in the Subject Distinguished Name field that matches an authorized client.</p> <p>Finally, the server should verify that the public key length in the certificate satisfies the key length requirements specified in ITSP.40.111 <sup id="fn1h-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <h3 id="3.4">3.4 Other TLS configuration guidelines</h3> <p>TLS clients and servers must be configured to disable TLS compression, which is done by negotiating the null compression method.</p> <p>Because replay attacks against it are difficult to mitigate, we recommend that configurations do not support the 0-RTT mode of TLS version 1.3.</p> <p>TLS 1.2 renegotiation without the Renegotiation Indication extension (see RFC 5746 Transport Layer Security [TLS] Renegotiation Indication Extension <sup id="fn16a-rf"><a class="fn-lnk" href="#fn16"><span class="wb-inv">Footnote </span>16</a></sup>) must be disabled. Furthermore, we recommend that TLS servers are configured to not accept client-initiated renegotiation at all, in favour of establishing a new TLS connection.</p> <p>If support for session resumption is desired, we recommend that you use the session identifier method in TLS 1.2 or session resumption via pre-shared keys (PSKs) in TLS 1.3. You should use PSKs with an ECDHE/DHE key exchange to provide forward secrecy.</p> <h2 class="text-info" id="4">4 Internet Protocol Security</h2> <p>You can use a combination of the protocol pair Internet Key Exchange Protocol Version 2 (IKEv2) and Internet Protocol Security (IPsec) to create secure data tunneling at the network layer. 
The IKEv2 protocol establishes secure key material that can be used in the IPsec protocol to secure the data that is exchanged between peers.</p> <h3 id="4.1">4.1 Internet key exchange protocol version 2</h3> <p>Internet key exchange protocol version 2 (IKEv2) is specified in <a href="https://datatracker.ietf.org/doc/html/rfc7296">RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2)</a> <sup id="fn21-rf"><a class="fn-lnk" href="#fn21"><span class="wb-inv">Footnote </span>21</a></sup>.</p> <p><strong>Note</strong>: IKEv1 should no longer be used.</p> <h4 id="4.1.1">4.1.1 Authentication</h4> <p>When IKEv2 is used to set up an IPsec security association (SA) to protect the confidentiality of PROTECTED A or PROTECTED B information or the integrity of UNCLASSIFIED, PROTECTED A, or PROTECTED B information, digital signatures should be used for authentication. Pre-shared keys should not be used for authentication.</p> <p>List 7 lists the authentication schemes that comply with ITSP.40.111<sup id="fn1g-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t7">Recommended IKEv2 authentication schemes</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>ECDSA with SHA-256 on the P-256 curve</li> <li>ECDSA with SHA-384 on the P-384 curve</li> <li>ECDSA with SHA-512 on the P-521 curve</li> <li>Ed25519 with the identity hash</li> <li>Ed448 with the identity hash</li> <li>RSASSA-PSS with bit length 3072 and SHA-384</li> <li>RSASSA-PSS with bit length 4096 and SHA-384</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>RSASSA-PKCS1-v1.5 with bit length 3072 and SHA-384</li> <li>RSASSA-PKCS1-v1.5 
with bit length 4096 and SHA-384</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>RSASSA-PSS with bit length 2048 and SHA-256</li> <li>RSASSA-PKCS1-v1.5 with bit length 2048 and SHA-256</li> </ul></div> </section><h4 id="4.1.2">4.1.2 Message encryption</h4> <p>List 8 lists the IKEv2 message encryption algorithms that comply with ITSP.40.111 <sup id="fn1ah-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> when used with a key length of 128, 192, or 256 bits.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t8">Recommended IKEv2 Message Encryption Algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>ENCR_AES_GCM_16</li> <li>ENCR_AES_CCM_16</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>ENCR_AES_GCM_12</li> <li>ENCR_AES_CCM_12</li> <li>ENCR_AES_CBC</li> <li>ENCR_AES_CTR</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>ENCR_3DES</li> <li>ENCR_CAST</li> </ul></div> </section><p>We recommend using Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) to encrypt IKEv2 messages. 
If GCM or CCM is not supported, use an integrity protection mechanism from subsection 4.1.5.</p> <h4 id="4.1.3">4.1.3 Key exchange</h4> <p>List 9 lists the IKEv2 key exchange groups that comply with ITSP.40.111<sup id="fn1i-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t9">Recommended IKEv2 Key Exchange Groups</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>256-bit Random ECP Group</li> <li>384-bit Random ECP Group</li> <li>521-bit Random ECP Group</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>3072-bit MODP Group</li> <li>4096-bit MODP Group</li> <li>6144-bit MODP Group</li> <li>8192-bit MODP Group</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>2048-bit MODP Group</li> <li>2048-bit MODP Group with 224-bit Prime Order Subgroup</li> <li>2048-bit MODP Group with 256-bit Prime Order Subgroup</li> <li>224-bit Random ECP Group</li> </ul></div> </section><p>Implementations must check that received public values are between 1 and p-1 and, in the case of Elliptic-Curve Diffie-Hellman (ECDH), satisfy the elliptic curve equation.</p> <p>We recommend that every key exchange uses a freshly generated ephemeral ECDH/DH key pair.</p> <h4 id="4.1.4">4.1.4 Pseudo-random functions for key generation</h4> <p>IKEv2 uses a pseudo-random function (PRF) to generate key material. 
List 10 lists PRFs that comply with ITSP.40.111 <sup id="fn1j-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t10">Sufficient PRF for IKEv2 key generation</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>PRF_HMAC_SHA2_256</li> <li>PRF_HMAC_SHA2_384</li> <li>PRF_HMAC_SHA2_512</li> <li>PRF_AES128_CMAC</li> </ul></div> </section><h4 id="4.1.5">4.1.5 Integrity protection</h4> <p>When not using an authenticated encryption (AEAD) algorithm (such as AES GCM) for message encryption, an additional integrity protection mechanism is required. 
List 11 lists the integrity protection mechanisms that comply with ITSP.40.111 <sup id="fn1k-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t11">Sufficient and phase out integrity protection mechanisms for IKEv2</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>AUTH_HMAC_SHA2_256_128</li> <li>AUTH_HMAC_SHA2_384_192</li> <li>AUTH_HMAC_SHA2_512_256</li> <li>AUTH_AES_128_GMAC</li> <li>AUTH_AES_192_GMAC</li> <li>AUTH_AES_256_GMAC</li> <li>AUTH_AES_CMAC_96</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>AUTH_HMAC_SHA1_160</li> </ul></div> </section><h4 id="4.1.6">4.1.6 Extensible Authentication Protocol</h4> <p><a href="https://datatracker.ietf.org/doc/html/rfc7396">RFC 7396 JSON Merge Patch</a> <sup id="fn22-rf"><a class="fn-lnk" href="#fn22"><span class="wb-inv">Footnote </span>22</a></sup> specifies that the Extensible Authentication Protocol (EAP) can be used in IKEv2 only in combination with responder public key-based authentication. <a href="https://datatracker.ietf.org/doc/html/rfc5998">RFC 5998 An Extension for EAP-Only Authentication in IKEv2</a> <sup id="fn23-rf"><a class="fn-lnk" href="#fn23"><span class="wb-inv">Footnote </span>23</a></sup> lists the methods that can be used in IKEv2 to provide mutual authentication and that do not require responder public key-based authentication.</p> <p>While many authentication methods are listed as safe EAP methods in RFC 5998 <sup id="fn23a-rf"><a class="fn-lnk" href="#fn23"><span class="wb-inv">Footnote </span>23</a></sup>, we recommend that you use methods that support channel binding. 
We also recommend that you maintain the use of responder public key-based authentication.</p> <h4 id="4.1.7">4.1.7 Distributed denial-of-service protection</h4> <p>IKEv2 is prone to distributed denial-of-service (DDoS) attacks. In a DDoS attack, a threat actor overwhelms a responder with a huge number of SA requests that are sent from spoofed IP addresses, creating half-open SAs.</p> <p>You should implement the DDoS protection mechanisms described in <a href="https://datatracker.ietf.org/doc/html/rfc8019">RFC 8019 Protecting IKEv2 Implementations from DDoS Attacks</a> <sup id="fn24-rf"><a class="fn-lnk" href="#fn24"><span class="wb-inv">Footnote </span>24</a></sup>. In particular, we recommend reducing the lifetime of half-open SAs, setting a limit on the number of half-open SAs allowed for any given IP address, and introducing additional protective measures once that limit is met.</p> <p>You should not use IP fragmentation, as it is prone to DDoS attacks. Instead, use IKEv2 fragmentation and configure the size of the IKEv2 fragments. <a href="https://datatracker.ietf.org/doc/html/rfc7383">RFC 7383 Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation</a> <sup id="fn25-rf"><a class="fn-lnk" href="#fn25"><span class="wb-inv">Footnote </span>25</a></sup> recommends selecting an IKEv2 fragment size which results in a maximum datagram size of 1280 bytes for IPv6 traffic and 576 bytes for IPv4 traffic.</p> <h4 id="4.1.8">4.1.8 Key and authentication lifetimes</h4> <p>In the context of IKEv2, re-keying creates new key material for the IKE SA or a CHILD SA via the CREATE_CHILD_SA exchange. Re-authentication requires the creation of a new IKE SA. In this case, the old SAs are deleted.</p> <p>We recommend that you ensure that the re-key period or key lifetime of a CHILD SA (including the Encapsulating Security Payload [ESP] SA) does not exceed 8 hours. 
The re-authentication period or authentication lifetime of the IKE SA should not exceed 24 hours.</p> <h4 id="4.1.9">4.1.9 Session resumption</h4> <p><a href="https://datatracker.ietf.org/doc/html/rfc5723">RFC 5723 Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption</a><sup id="fn26-rf"><a class="fn-lnk" href="#fn26"><span class="wb-inv">Footnote </span>26</a></sup> offers a means for peers to reconnect a broken connection by using a previously established IKE SA.</p> <p>If session resumption is used, the ticket-by-reference method is recommended, under the condition that the peers can be trusted to maintain the security of stored SA information. We also recommend that you limit the lifetime of a ticket to no more than the re-keying time.</p> <h3 id="4.2">4.2 Internet Protocol Security</h3> <p>Internet Protocol Security (IPsec) is a suite of network protocols developed to protect the confidentiality, integrity, and availability of Internet communications between network hosts, gateways, and devices. 
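The IKEv2 lists in section 4.1 above, and the ESP encryption and integrity lists in section 4.2.2 (which use the same transform identifiers), can be applied mechanically to a proposed configuration. The following checker is an added example and not code from the Cyber Centre publication: the transform and group names are those quoted in Lists 8 to 13, while the Proposal structure, the rating logic and the sample proposals are this example's own.

```python
"""Rate an IKEv2 or ESP proposal against Lists 8 to 13 and the 4.1.8 lifetime limits.

Added example, not part of the Cyber Centre publication. Transform names are the
IANA IKEv2 identifiers quoted in the lists; everything else is this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lists 8 and 12: IKEv2 message encryption and ESP packet encryption are the same list.
ENCRYPTION: Dict[str, str] = {
    "ENCR_AES_GCM_16": "Recommended", "ENCR_AES_CCM_16": "Recommended",
    "ENCR_AES_GCM_12": "Sufficient", "ENCR_AES_CCM_12": "Sufficient",
    "ENCR_AES_CBC": "Sufficient", "ENCR_AES_CTR": "Sufficient",
    "ENCR_3DES": "Phase out", "ENCR_CAST": "Phase out",
}
AEAD = {"ENCR_AES_GCM_16", "ENCR_AES_CCM_16", "ENCR_AES_GCM_12", "ENCR_AES_CCM_12"}
# List 9: key exchange groups, keyed by the names used in the list.
GROUPS: Dict[str, str] = {
    "256-bit Random ECP Group": "Recommended", "384-bit Random ECP Group": "Recommended",
    "521-bit Random ECP Group": "Recommended",
    "3072-bit MODP Group": "Sufficient", "4096-bit MODP Group": "Sufficient",
    "6144-bit MODP Group": "Sufficient", "8192-bit MODP Group": "Sufficient",
    "2048-bit MODP Group": "Phase out",
    "2048-bit MODP Group with 224-bit Prime Order Subgroup": "Phase out",
    "2048-bit MODP Group with 256-bit Prime Order Subgroup": "Phase out",
    "224-bit Random ECP Group": "Phase out",
}
# List 10: every compliant PRF is rated Sufficient, so an IKE SA proposal never rates above it.
PRF: Dict[str, str] = {
    "PRF_HMAC_SHA2_256": "Sufficient", "PRF_HMAC_SHA2_384": "Sufficient",
    "PRF_HMAC_SHA2_512": "Sufficient", "PRF_AES128_CMAC": "Sufficient",
}
# Lists 11 and 13: IKEv2 and ESP integrity mechanisms are the same list.
INTEGRITY: Dict[str, str] = {
    "AUTH_HMAC_SHA2_256_128": "Sufficient", "AUTH_HMAC_SHA2_384_192": "Sufficient",
    "AUTH_HMAC_SHA2_512_256": "Sufficient", "AUTH_AES_128_GMAC": "Sufficient",
    "AUTH_AES_192_GMAC": "Sufficient", "AUTH_AES_256_GMAC": "Sufficient",
    "AUTH_AES_CMAC_96": "Sufficient", "AUTH_HMAC_SHA1_160": "Phase out",
}
RANK = {"Recommended": 0, "Sufficient": 1, "Phase out": 2, "Non-compliant": 3}
MAX_CHILD_SA_SECONDS = 8 * 3600   # 4.1.8: CHILD SA re-key period
MAX_IKE_SA_SECONDS = 24 * 3600    # 4.1.8: IKE SA re-authentication period


@dataclass
class Proposal:
    encryption: str
    key_bits: int
    integrity: Optional[str] = None
    prf: Optional[str] = None     # IKE SA only
    group: Optional[str] = None   # mandatory for an IKE SA, optional (PFS) for ESP


def _rate(table: Dict[str, str], name: str, what: str, findings: List[str]) -> str:
    """Look one transform up in its list; record unlisted and phase-out transforms."""
    if name not in table:
        findings.append(f"{what} {name} is not in the ITSP.40.111-compliant list")
        return "Non-compliant"
    if table[name] == "Phase out":
        findings.append(f"{what} {name} is marked phase out")
    return table[name]


def check_proposal(p: Proposal, ike_sa: bool) -> Tuple[str, List[str]]:
    """Return (worst rating across the proposal's transforms, findings).

    ike_sa=True applies the section 4.1 rules (PRF and group mandatory);
    ike_sa=False applies the section 4.2.2 ESP rules.
    """
    findings: List[str] = []
    levels = [_rate(ENCRYPTION, p.encryption, "encryption", findings)]
    if p.encryption.startswith("ENCR_AES") and p.key_bits not in (128, 192, 256):
        findings.append(f"AES key length {p.key_bits} is not 128, 192 or 256 bits")
        levels.append("Non-compliant")
    if p.encryption in AEAD:
        if p.integrity is not None:
            findings.append("AEAD encryption already authenticates; separate integrity transform is redundant")
    elif p.integrity is None:
        findings.append("non-AEAD encryption requires an integrity transform from List 11/13")
        levels.append("Non-compliant")
    else:
        levels.append(_rate(INTEGRITY, p.integrity, "integrity", findings))
    if ike_sa:
        levels.append(_rate(PRF, p.prf or "(none)", "PRF", findings))
        levels.append(_rate(GROUPS, p.group or "(none)", "key exchange group", findings))
    elif p.group is not None:
        levels.append(_rate(GROUPS, p.group, "PFS group", findings))
    return max(levels, key=RANK.__getitem__), findings


def check_lifetimes(child_sa_rekey_s: int, ike_sa_reauth_s: int) -> List[str]:
    """Section 4.1.8: CHILD SA re-key within 8 hours, IKE SA re-authentication within 24 hours."""
    findings: List[str] = []
    if child_sa_rekey_s > MAX_CHILD_SA_SECONDS:
        findings.append(f"CHILD SA re-key period {child_sa_rekey_s}s exceeds 8 hours")
    if ike_sa_reauth_s > MAX_IKE_SA_SECONDS:
        findings.append(f"IKE SA re-authentication period {ike_sa_reauth_s}s exceeds 24 hours")
    return findings


if __name__ == "__main__":
    # Constructed sample proposals, not taken from any real configuration.
    good = Proposal("ENCR_AES_GCM_16", 256, prf="PRF_HMAC_SHA2_384", group="384-bit Random ECP Group")
    legacy = Proposal("ENCR_AES_CBC", 128, integrity="AUTH_HMAC_SHA1_160",
                      prf="PRF_HMAC_SHA2_256", group="2048-bit MODP Group")
    for label, proposal in (("good", good), ("legacy", legacy)):
        print(label, *check_proposal(proposal, ike_sa=True))
    print(check_lifetimes(3600, 86400), check_lifetimes(28801, 90000))
```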
IPsec also provides access control, replay protection, and traffic analysis protection.</p> <p>IPsec hosts, gateways, and devices should be configured as specified in:</p> <ul><li><a href="https://datatracker.ietf.org/doc/html/rfc4301">RFC 4301 Security Architecture for the Internet Protocol</a><sup id="fn27-rf"><a class="fn-lnk" href="#fn27"><span class="wb-inv">Footnote </span>27</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc4303">RFC 4303 IP Encapsulating Security Payload (ESP)</a><sup id="fn28-rf"><a class="fn-lnk" href="#fn28"><span class="wb-inv">Footnote </span>28</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc7321">RFC 7321 Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)</a><sup id="fn29-rf"><a class="fn-lnk" href="#fn29"><span class="wb-inv">Footnote </span>29</a></sup></li> </ul><p>IPsec key management guidance is provided in NIST SP 800-57 Part 3 Rev. 1<sup id="fn4b-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup>. Refer to section 3 of that publication for further guidance on installing and administering IPsec.</p> <h4 id="4.2.1">4.2.1 Key generation</h4> <p>An IPsec SA specifies the key material used to encrypt and provide integrity protection for the traffic protected under a specific IPsec session. An IPsec SA must be established by a prior IKEv2 exchange as specified above.</p> <h4 id="4.2.2">4.2.2 Data and integrity protection</h4> <p>You should use digital signatures for authentication when IPsec is used to protect the confidentiality of PROTECTED A or PROTECTED B information or the integrity of UNCLASSIFIED, PROTECTED A, or PROTECTED B information. You should not use pre-shared keys (PSKs) for authentication.</p> <p>IPsec should use the ESP protocol in tunnel mode to protect the confidentiality, integrity, and availability of the packets and packet headers. 
Do not use the Authentication Header (AH) protocol. The AH protocol cannot protect confidentiality.</p> <p>List 12 lists the ESP packet encryption algorithms that comply with ITSP.40.111<sup id="fn1l-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> when used with a key length of 128, 192, or 256 bits.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t12">Recommended ESP packet encryption algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>ENCR_AES_GCM_16</li> <li>ENCR_AES_CCM_16</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>ENCR_AES_GCM_12</li> <li>ENCR_AES_CCM_12</li> <li>ENCR_AES_CBC</li> <li>ENCR_AES_CTR</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>ENCR_3DES</li> <li>ENCR_CAST</li> </ul></div> </section><p>We recommend that you use AES in GCM for the encryption of ESP packets, as described in <a href="https://datatracker.ietf.org/doc/html/rfc4106">RFC 4106 The Use of Galois/Counter Mode (GCM) in IPSec Encapsulating Security Payload</a><sup id="fn30-rf"><a class="fn-lnk" href="#fn30"><span class="wb-inv">Footnote </span>30</a></sup>. 
If GCM or CCM is not supported, an integrity protection mechanism must be configured.</p> <p>List 13 lists the integrity protection mechanisms that comply with ITSP.40.111<sup id="fn1m-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t13">Sufficient and phase out integrity protection mechanisms for ESP</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>AUTH_HMAC_SHA2_256_128</li> <li>AUTH_HMAC_SHA2_384_192</li> <li>AUTH_HMAC_SHA2_512_256</li> <li>AUTH_AES_128_GMAC</li> <li>AUTH_AES_192_GMAC</li> <li>AUTH_AES_256_GMAC</li> <li>AUTH_AES_CMAC_96</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>AUTH_HMAC_SHA1_160</li> </ul></div> </section><h4 id="4.2.3">4.2.3 Replay protection</h4> <p>Replay protection for IPsec implementations should be used. If performance allows, use the recommended anti-replay window size of 128.</p> <h2 class="text-info" id="5">5 Secure Shell</h2> <p>Secure Shell (SSH) is a protocol developed to protect the confidentiality, integrity, and availability of remote access, file transfer, and point-to-point tunneling over the Internet.</p> <p>SSH servers and clients should be configured to use SSH protocol version 2.0. 
SSH is a family of protocols that is specified in:</p> <ul><li><a href="https://datatracker.ietf.org/doc/html/rfc4251">RFC 4251 The Secure Shell (SSH) Protocol Architecture</a><sup id="fn31-rf"><a class="fn-lnk" href="#fn31"><span class="wb-inv">Footnote </span>31</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc4252">RFC 4252 The Secure Shell (SSH) Authentication Protocol</a><sup id="fn32-rf"><a class="fn-lnk" href="#fn32"><span class="wb-inv">Footnote </span>32</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc4253">RFC 4253 The Secure Shell (SSH) Transport Layer Protocol</a><sup id="fn33-rf"><a class="fn-lnk" href="#fn33"><span class="wb-inv">Footnote </span>33</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc4254">RFC 4254 The Secure Shell (SSH) Connection Protocol</a><sup id="fn34-rf"><a class="fn-lnk" href="#fn34"><span class="wb-inv">Footnote </span>34</a></sup></li> </ul><p><strong>SSH protocol version 1.0 has serious vulnerabilities. Administrators should verify that it is not running on their systems.</strong></p> <p>NIST SP 800-57 Part 3 Rev. 1<sup id="fn4c-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup> provides SSH key management guidance. Refer to section 10 of NIST SP 800-57 Part 3 Rev. 1 for further guidance on installing and administering SSH.</p> <h3 id="5.1">5.1 SSH authentication</h3> <p>SSH offers both server-only and server-client mutual authentication.</p> <p>You should use server-client mutual authentication. 
In this case, the server is first authenticated via the SSH Transport Layer Protocol, followed by client authentication via the SSH Authentication Protocol.</p> <p>Server authentication is performed with public key cryptography. Client authentication to the server can use various mechanisms. Client authentication that is based on public keys or Kerberos is preferred over the various forms of password authentication. You should not use SSH host-based authentication as it is vulnerable to IP address spoofing.</p> <p>If using public key authentication, you should use public key certificates that are managed by a PKI framework for both server and client authentication.</p> <p>A PKI framework provides digital signing of keys by a trusted source. The framework also provides key management functions, such as certificate revocation lists (CRLs), key lifetime controls, and key usage restrictions. <a href="https://datatracker.ietf.org/doc/html/rfc6187">RFC 6187 x509.v3 Certificates for Secure Shell Authentication</a> <sup id="fn35-rf"><a class="fn-lnk" href="#fn35"><span class="wb-inv">Footnote </span>35</a></sup> specifies the use of x509.v3 certificates in SSH.</p> <p>Since SSH keys are typically system-level keys, keys should be generated upon session initialization to ensure uniqueness across devices and virtual machine images.</p> <h3 id="5.2">5.2 SSH port forwarding</h3> <p>With SSH port forwarding, a host can access an insecure network service on a machine residing behind a server that acts as an SSH VPN gateway. Port forwarding should be disabled for interactive user accounts. 
For devices that require SSH tunneling, the traffic should be secured with a second tunnel, for example by using IPsec.</p> <h3 id="5.3">5.3 SSH root access</h3> <p>You should disable remote root user account logins.</p> <h3 id="5.4">5.4 SSH parameter selection</h3> <p>This section details the cryptographic algorithms recommended for SSH that satisfy the cryptographic guidance of ITSP.40.111 <sup id="fn1n-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> and align with NIST SP 800-57 Part 3 Rev. 1 <sup id="fn4d-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup>. We recommend that you refer to subsection 10.2.1 of NIST SP 800-57 Part 3 Rev. 1 for cryptographic guidance on the SSH Transport Layer Protocol.</p> <h4 id="5.4.1">5.4.1 Encryption algorithm selection</h4> <p>Do not use Cipher Block Chaining (CBC) mode in SSH. CBC mode is vulnerable to plaintext recovery attacks. <a href="https://datatracker.ietf.org/doc/html/rfc4344">RFC 4344 The Secure Shell (SSH) Transport Layer Encryption Modes</a> <sup id="fn36-rf"><a class="fn-lnk" href="#fn36"><span class="wb-inv">Footnote </span>36</a></sup> recommends using Counter (CTR) mode in SSH in place of CBC mode. Even better, authenticated encryption with associated data (AEAD) algorithms (such as AES GCM) protect both authenticity and confidentiality. 
Therefore, when you use AEAD algorithms, you do not need to use a separate message authentication code (MAC) algorithm.</p> <p>List 14 lists the SSH encryption algorithms that satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1bc-rf"><a class="fn-lnk" href="#fn1o"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t14">Recommended SSH encryption algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>AEAD_AES_128_GCM</li> <li>AEAD_AES_256_GCM</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>aes128-ctr</li> <li>aes192-ctr</li> <li>aes256-ctr</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>cast128-ctr</li> <li>3des-ctr</li> </ul></div> </section><p>The AEAD GCM encryption algorithms are vulnerable to nonce reuse. 
Implementations should ensure that the (key, nonce) pair is unique for each encrypted message.</p> <h4 id="5.4.2">5.4.2 MAC algorithm selection</h4> <p>In addition to the AEAD algorithms specified above, List 15 lists the SSH MAC algorithms that satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1p-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t15">Sufficient and phase out SSH MAC algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>hmac-sha2-256</li> <li>hmac-sha2-512</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>hmac-sha1</li> </ul></div> </section><h4 id="5.4.3">5.4.3 Key exchange algorithm</h4> <p>List 16 lists the SSH key exchange algorithms that satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1q-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t16">Recommended SSH key exchange algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>ecdh-sha2-nistp256</li> <li>ecdh-sha2-nistp384</li> <li>ecdh-sha2-nistp521</li> <li>ecmqv-sha2</li> <li>gss-nistp256-sha256-*</li> <li>gss-nistp384-sha384-*</li> <li>gss-nistp521-sha512-*</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>diffie-hellman-group15-sha512</li> <li>diffie-hellman-group16-sha512</li> 
<li>diffie-hellman-group17-sha512</li> <li>diffie-hellman-group18-sha512</li> <li>gss-group15-sha512-*</li> <li>gss-group16-sha512-*</li> <li>gss-group17-sha512-*</li> <li>gss-group18-sha512-*</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>rsa2048-sha256</li> <li>diffie-hellman-group14-sha256</li> <li>gss-group14-sha256-*</li> </ul></div> </section><p>The SSH protocol allows the session keys to be renewed by either the client or the server. Re-keying schedules are based on a time limit or a data volume, as described in RFC 4344 <sup id="fn36a-rf"><a class="fn-lnk" href="#fn36"><span class="wb-inv">Footnote </span>36</a></sup>.</p> <p>To avoid MAC collisions, RFC 4344 <sup id="fn36b-rf"><a class="fn-lnk" href="#fn36"><span class="wb-inv">Footnote </span>36</a></sup> recommends re-keying after receiving <span aria-hidden="true">2<sup>32</sup></span><span class="wb-inv">2 to the power of 32</span> packets when a 32-bit sequence number is used.</p> <h4 id="5.4.4">5.4.4 Public key algorithm</h4> <p>SSH optionally allows for authentication using public keys. 
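Lists 14 to 17 are most useful when run against what a server actually negotiates. The following audit of an `sshd -T`-style algorithm dump is an added example and not code from the Cyber Centre publication: the names and ratings come from the lists, the CBC rule from section 5.4.1, while the aliases that map OpenSSH's `aes128-gcm@openssh.com` / `aes256-gcm@openssh.com` and `-etm@openssh.com` spellings onto the list names and the sample output are this example's own assumptions.

```python
"""Audit an SSH server's negotiated algorithm lists against Lists 14 to 17 above.

Added example, not part of the Cyber Centre publication. The OpenSSH aliases and
the sample `sshd -T` output are this example's own assumptions.
"""
import fnmatch
from typing import Dict, List, Tuple

CIPHERS = {"AEAD_AES_128_GCM": "Recommended", "AEAD_AES_256_GCM": "Recommended",
           "aes128-ctr": "Sufficient", "aes192-ctr": "Sufficient", "aes256-ctr": "Sufficient",
           "cast128-ctr": "Phase out", "3des-ctr": "Phase out"}
MACS = {"hmac-sha2-256": "Sufficient", "hmac-sha2-512": "Sufficient", "hmac-sha1": "Phase out"}
KEX = {"ecdh-sha2-nistp256": "Recommended", "ecdh-sha2-nistp384": "Recommended",
       "ecdh-sha2-nistp521": "Recommended", "ecmqv-sha2": "Recommended",
       "gss-nistp256-sha256-*": "Recommended", "gss-nistp384-sha384-*": "Recommended",
       "gss-nistp521-sha512-*": "Recommended",
       "diffie-hellman-group15-sha512": "Sufficient", "diffie-hellman-group16-sha512": "Sufficient",
       "diffie-hellman-group17-sha512": "Sufficient", "diffie-hellman-group18-sha512": "Sufficient",
       "gss-group15-sha512-*": "Sufficient", "gss-group16-sha512-*": "Sufficient",
       "gss-group17-sha512-*": "Sufficient", "gss-group18-sha512-*": "Sufficient",
       "rsa2048-sha256": "Phase out", "diffie-hellman-group14-sha256": "Phase out",
       "gss-group14-sha256-*": "Phase out"}
HOSTKEYS = {"ecdsa-sha2-nistp256": "Recommended", "ecdsa-sha2-nistp384": "Recommended",
            "ecdsa-sha2-nistp521": "Recommended", "ssh-ed25519": "Recommended",
            "ssh-ed448": "Recommended", "x509v3-ecdsa-sha2-nistp256": "Recommended",
            "x509v3-ecdsa-sha2-nistp384": "Recommended", "x509v3-ecdsa-sha2-nistp521": "Recommended",
            "rsa-sha2-256": "Sufficient", "rsa-sha2-512": "Sufficient",
            "x509v3-rsa2048-sha256": "Sufficient", "x509v3-ecdsa-sha2-nistp224": "Phase out"}
TABLES = {"ciphers": CIPHERS, "macs": MACS, "kexalgorithms": KEX, "hostkeyalgorithms": HOSTKEYS}
# Assumption: OpenSSH spells the RFC 5647 AEAD ciphers with an @openssh.com suffix.
ALIASES = {"aes128-gcm@openssh.com": "AEAD_AES_128_GCM", "aes256-gcm@openssh.com": "AEAD_AES_256_GCM"}
ETM_SUFFIX = "-etm@openssh.com"   # encrypt-then-MAC variant of the same HMAC
RANK = {"Recommended": 0, "Sufficient": 1, "Phase out": 2, "Not listed": 3, "Do not use": 4}


def classify(keyword: str, name: str) -> str:
    """Rate one algorithm name for the given sshd keyword (ciphers, macs, ...)."""
    canonical = ALIASES.get(name, name)
    if keyword == "macs" and canonical.endswith(ETM_SUFFIX):
        canonical = canonical[: -len(ETM_SUFFIX)]
    if keyword == "ciphers" and "-cbc" in canonical:
        return "Do not use"   # 5.4.1: CBC mode is vulnerable to plaintext recovery attacks
    for pattern, level in TABLES[keyword].items():
        if fnmatch.fnmatchcase(canonical, pattern):   # handles the gss-*-* wildcards in the lists
            return level
    return "Not listed"


def audit(sshd_t_output: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse `keyword value` lines and rate every comma-separated algorithm."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for line in sshd_t_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in TABLES:
            keyword, value = parts[0].lower(), parts[1]
            report[keyword] = [(n, classify(keyword, n)) for n in value.split(",")]
    return report


def worst_rating(report: Dict[str, List[Tuple[str, str]]]) -> str:
    """The weakest algorithm a server still offers is what a downgrade would negotiate."""
    levels = [level for entries in report.values() for _, level in entries]
    return max(levels, key=RANK.__getitem__) if levels else "Not listed"


# Constructed sample, not the output of any real server.
SAMPLE_SSHD_T = """\
ciphers aes256-gcm@openssh.com,aes128-ctr,aes128-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha1
kexalgorithms ecdh-sha2-nistp384,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
"""

if __name__ == "__main__":
    result = audit(SAMPLE_SSHD_T)
    for keyword, entries in result.items():
        for name, level in entries:
            print(f"{keyword:18} {name:40} {level}")
    print("overall:", worst_rating(result))
```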
List 17 lists the SSH public key algorithms that satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1r-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t17">Recommended SSH public key algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>ecdsa-sha2-nistp256</li> <li>ecdsa-sha2-nistp384</li> <li>ecdsa-sha2-nistp521</li> <li>ssh-ed25519</li> <li>ssh-ed448</li> <li>x509v3-ecdsa-sha2-nistp256</li> <li>x509v3-ecdsa-sha2-nistp384</li> <li>x509v3-ecdsa-sha2-nistp521</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>rsa-sha2-256</li> <li>rsa-sha2-512</li> <li>x509v3-rsa2048-sha256</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>x509v3-ecdsa-sha2-nistp224</li> </ul></div> </section><h2 class="text-info" id="6">6 Simple Network Management Protocol</h2> <p>Simple Network Management Protocol (SNMP) is an IETF protocol designed for managing and monitoring devices on a computer network. The latest version, SNMPv3, is specified in:</p> <ul><li><a href="https://datatracker.ietf.org/doc/html/rfc3411">An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks. 
Request for Comments (RFC) 3411</a><sup id="fn37-rf"><a class="fn-lnk" href="#fn37"><span class="wb-inv">Footnote </span>37</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc3412">Message Processing and Dispatching for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 3412</a><sup id="fn38-rf"><a class="fn-lnk" href="#fn38"><span class="wb-inv">Footnote </span>38</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc3413">Simple Network Management Protocol (SNMP) Applications. Request for Comments (RFC) 3413</a><sup id="fn39-rf"><a class="fn-lnk" href="#fn39"><span class="wb-inv">Footnote </span>39</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc3414">User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3). Request for Comments (RFC) 3414</a><sup id="fn40-rf"><a class="fn-lnk" href="#fn40"><span class="wb-inv">Footnote </span>40</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc3415">View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 3415</a><sup id="fn41-rf"><a class="fn-lnk" href="#fn41"><span class="wb-inv">Footnote </span>41</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc3416">Protocol Operations for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 3416</a><sup id="fn42-rf"><a class="fn-lnk" href="#fn42"><span class="wb-inv">Footnote </span>42</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc3417">Transport Mappings for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 3417</a><sup id="fn43-rf"><a class="fn-lnk" href="#fn43"><span class="wb-inv">Footnote </span>43</a></sup></li> <li><a href="https://datatracker.ietf.org/doc/html/rfc3418">Management Information Base (MIB) for the Simple Network Management Protocol (SNMP). 
Request for Comments (RFC) 3418</a><sup id="fn44-rf"><a class="fn-lnk" href="#fn44"><span class="wb-inv">Footnote </span>44</a></sup></li> </ul><p>SNMPv3 provides security improvements over previous versions, such as SNMPv1, SNMPv2, SNMPv2c, SNMPv2u and SNMPv2*. All SNMP versions older than SNMPv3 should be phased out.</p> <p>SNMPv3 adds security and remote configuration capabilities to the previous versions and a new access control model. The SNMPv3 architecture introduces two security mechanisms: the User-based Security Model (USM) and the Transport Security Model (TSM).</p> <p>The use of USM is defined in RFC 3414 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol <sup id="fn40a-rf"><a class="fn-lnk" href="#fn40"><span class="wb-inv">Footnote </span>40</a></sup>. The use of TSM is defined for TLS/DTLS in <a href="https://datatracker.ietf.org/doc/html/rfc6353">RFC 6353 Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)</a> <sup id="fn45-rf"><a class="fn-lnk" href="#fn45"><span class="wb-inv">Footnote </span>45</a></sup> and for SSH in <a href="https://datatracker.ietf.org/doc/html/rfc5592">RFC 5592 Secure Shell Transport Model for the Simple Network Management Protocol (SNMP)</a> <sup id="fn46-rf"><a class="fn-lnk" href="#fn46"><span class="wb-inv">Footnote </span>46</a></sup>. TSM allows for a similar user-based access control. 
RFC 3415 View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) <sup id="fn41a-rf"><a class="fn-lnk" href="#fn41"><span class="wb-inv">Footnote </span>41</a></sup> defines a process for controlling access to management information based on groups with specific access rights and security.</p> <h3 id="6.1">6.1 SNMPv3 interfaces and access control</h3> <p>We recommend that SNMP interfaces be accessible only from within an internal, corporate network and additionally on a specific management LAN or VLAN that is separate from regular network traffic. If external access is required, we recommend that access to the interface only be allowed within an IPsec tunnel.</p> <p>We recommend that SNMP be disabled on any device which is not being actively managed. Special care must be taken with new devices which may have SNMP enabled by default.</p> <p>Implementations can offer two security models: USM and TSM. There are 3 security levels for messages:</p> <ul><li>without authentication and without privacy (noAuthNoPriv)</li> <li>with authentication but without privacy (authNoPriv)</li> <li>with authentication and with privacy (authPriv)</li> </ul><p>We recommend the use of TSM as the security model when available. Specific recommendations for TSM are described in <a href="#6.3">section 6.3 TSM security model</a>. The use of USM is sufficient at the authPriv security level if it is configured following recommendations in <a href="#6.2">section 6.2 SNMPv3 USM security model</a>.</p> <p>We recommend that read-write access to management information be restricted and only granted to a limited number of administrative groups. We also recommend that accessible information for each user be explicitly specified in the configuration. We do not recommend relying solely on globally denying access to restricted information. 
Configurations should be reviewed periodically to determine if the assigned levels of access are still appropriate for groups and users.</p> <h3 id="6.2">6.2 SNMPv3 USM security model</h3> <p>The SNMPv3 User-Based Security Model (USM) described in RFC 3414 <sup id="fn40b-rf"><a class="fn-lnk" href="#fn40"><span class="wb-inv">Footnote </span>40</a></sup> offers both authentication and privacy for SNMPv3 messages. The USM was designed to function independently of other existing security infrastructures and can function when other network security infrastructures are unavailable. When configuring groups and users, we recommend that the required security level be set at the authPriv level to guarantee that both authentication and privacy will be applied. Recommended algorithms for authentication and privacy are defined in <a href="#6.2.1">6.2.1 SNMPv3 USM authentication algorithms</a> and <a href="#6.2.2">6.2.2 SNMPv3 USM privacy algorithms</a> respectively.</p> <h4 id="6.2.1">6.2.1 SNMPv3 USM authentication algorithms</h4> <p>SNMPv3 offers message authentication based on hash-based message authentication codes (HMAC). List 18 lists the algorithms that satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1s-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>. 
The option usmNoAuthProtocol provides no authentication and should not be used.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t18">Sufficient and phase out authentication algorithms for SNMPv3 USM</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>usmHMAC192SHA256AuthProtocol</li> <li>usmHMAC256SHA384AuthProtocol</li> <li>usmHMAC384SHA512AuthProtocol</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>usmHMAC128SHA224AuthProtocol</li> <li>usmHMACSHAAuthProtocol</li> <li>usmHMACMD5AuthProtocol</li> </ul></div> </section><h4 id="6.2.2">6.2.2 SNMPv3 USM privacy algorithms</h4> <p>SNMPv3 USM offers privacy protection via message encryption. List 19 lists the algorithms that satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1t-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>. 
The option usmNoPrivProtocol provides no privacy protection and should not be used.</p> <p>If not using the recommended method of salt generation for IV formation in <a href="https://datatracker.ietf.org/doc/html/rfc3826">RFC 3826 The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model</a> <sup id="fn47-rf"><a class="fn-lnk" href="#fn47"><span class="wb-inv">Footnote </span>47</a></sup>, implementations should use a method to ensure IVs are unpredictable in accordance with ITSP.40.111 <sup id="fn1u-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t19">Sufficient and phase out privacy protection for SNMPv3 USM</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>usmAesCfb128Protocol</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>usmNoPrivProtocol</li> <li>usmDESPrivProtocol</li> </ul></div> </section><h4 id="6.2.3">6.2.3 USM authentication and privacy secrets</h4> <p>USM authentication and privacy rely on choosing strong user secrets and protecting them from disclosure.</p> <p>We recommend that the USM authentication and privacy secrets be based on a randomly generated pre-shared key rather than derived from a user-generated password. 
If user-generated passwords are used, they should satisfy the requirements set in <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">User authentication guidance for information technology systems (ITSP.30.031 v3)</a> <sup id="fn48-rf"><a class="fn-lnk" href="#fn48"><span class="wb-inv">Footnote </span>48</a></sup> and <a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a> <sup id="fn49-rf"><a class="fn-lnk" href="#fn49"><span class="wb-inv">Footnote </span>49</a></sup>. We strongly recommend not using the same secret for privacy and authentication.</p> <p>We recommend that user secrets never be stored on any device performing SNMP encryption and authentication services; only the localized keys derived from the user secrets, as defined in RFC 3414 <sup id="fn40c-rf"><a class="fn-lnk" href="#fn40"><span class="wb-inv">Footnote </span>40</a></sup>, should be kept on such devices. We recommend that organizations create a system for securely managing user secrets.</p> <p>We recommend that a user's localized keys be derived and configured locally on each managed device through the configuration interface. 
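</p> <p>The derivation this subsection describes, as an added example that is not the Cyber Centre's own code: a Go program implementing the RFC 3414 password-to-key and key localization steps, applied with SHA-256 as RFC 7860 does for usmHMAC192SHA256AuthProtocol. It derives separate authentication and privacy keys for two managed devices from two random secrets, takes the usmAesCfb128Protocol key as the first 16 bytes of the localized key as RFC 3826 specifies, and computes the truncated 192-bit HMAC that the authentication protocol places in msgAuthenticationParameters. The engine IDs and the message bytes are constructed values; the RFC 3414 Appendix A.3 "maplesyrup" vectors (MD5 and SHA-1, both phase-out algorithms) appear only as a known-answer self-check of the derivation.</p>

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// passwordToKey is the RFC 3414 Appendix A.2 algorithm, generalized to any
// hash as RFC 7860 does for SHA-2: the secret is repeated to fill 1,048,576
// bytes and hashed once. The secret need not be a human password; a randomly
// generated octet string (what the guidance prefers) goes through unchanged.
func passwordToKey(newHash func() hash.Hash, secret []byte) []byte {
	d := newHash()
	block := make([]byte, 64)
	idx := 0
	for n := 0; n < 1048576/64; n++ {
		for i := range block {
			block[i] = secret[idx%len(secret)]
			idx++
		}
		d.Write(block)
	}
	return d.Sum(nil)
}

// localizeKey binds Ku to one SNMP engine (RFC 3414 section 2.6):
// Kul = H(Ku || snmpEngineID || Ku). Only Kul needs to live on the device.
func localizeKey(newHash func() hash.Hash, ku, engineID []byte) []byte {
	d := newHash()
	d.Write(ku)
	d.Write(engineID)
	d.Write(ku)
	return d.Sum(nil)
}

// USMKeys is what a managed device stores for one user and its own engine ID.
type USMKeys struct {
	AuthKey []byte // usmHMAC192SHA256AuthProtocol key (32 bytes)
	PrivKey []byte // usmAesCfb128Protocol key: first 16 bytes of the localized key
}

// deriveUSMKeys derives the localized keys for engineID from two distinct
// user secrets, using SHA-256 as the authentication protocol hash.
func deriveUSMKeys(engineID, authSecret, privSecret []byte) USMKeys {
	authKul := localizeKey(sha256.New, passwordToKey(sha256.New, authSecret), engineID)
	privKul := localizeKey(sha256.New, passwordToKey(sha256.New, privSecret), engineID)
	return USMKeys{AuthKey: authKul, PrivKey: privKul[:16]}
}

// newRandomSecret returns a 32-byte secret from the OS CSPRNG: the
// "randomly generated pre-shared key" the guidance prefers to a password.
func newRandomSecret() []byte {
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	return s
}

// authParams computes msgAuthenticationParameters for
// usmHMAC192SHA256AuthProtocol: HMAC-SHA-256 truncated to 24 bytes (RFC 7860).
func authParams(authKey, wholeMsg []byte) []byte {
	m := hmac.New(sha256.New, authKey)
	m.Write(wholeMsg)
	return m.Sum(nil)[:24]
}

// rfc3414KnownAnswers replays the RFC 3414 Appendix A.3 vectors (password
// "maplesyrup", engine ID 00..02). MD5 and SHA-1 are phase-out algorithms
// and are used here only to check the derivation against published values.
func rfc3414KnownAnswers() bool {
	engineID := []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
	pw := []byte("maplesyrup")
	md5Kul := localizeKey(md5.New, passwordToKey(md5.New, pw), engineID)
	sha1Kul := localizeKey(sha1.New, passwordToKey(sha1.New, pw), engineID)
	return hex.EncodeToString(md5Kul) == "526f5eed9fcce26f8964c2930787d82b" &&
		hex.EncodeToString(sha1Kul) == "6695febc9288e36282235fc7151f128497b38f3f"
}

func main() {
	// Constructed engine IDs for two managed devices (example values only).
	engineA := []byte{0x80, 0x00, 0x1f, 0x88, 0x80, 0x01, 0x02, 0x03, 0x04, 0x05}
	engineB := []byte{0x80, 0x00, 0x1f, 0x88, 0x80, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e}
	authSecret, privSecret := newRandomSecret(), newRandomSecret()
	a := deriveUSMKeys(engineA, authSecret, privSecret)
	b := deriveUSMKeys(engineB, authSecret, privSecret)
	fmt.Printf("RFC 3414 vectors ok: %v\n", rfc3414KnownAnswers())
	fmt.Printf("engine A auth key: %x\n", a.AuthKey)
	fmt.Printf("engine B auth key: %x\n", b.AuthKey)
	fmt.Printf("same secrets, different engines, different keys: %v\n", !bytes.Equal(a.AuthKey, b.AuthKey))
	fmt.Printf("auth params (24 bytes): %x\n", authParams(a.AuthKey, []byte("constructed SNMPv3 wholeMsg bytes")))
}
```

<p>Running the program shows the property that makes per-device key configuration worthwhile: the same user secrets yield different localized keys on every engine, and because localization is a one-way hash, a key read from one compromised device exposes neither the user secret nor the keys of any other device. Replacing the secret and re-running the derivation is the recovery path the guidance recommends.</p> <p>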
The localized keys should be set immediately after the new user is created, since no default keys should be used to encrypt or authenticate messages.</p> <p>If a user's localized keys are compromised on a device, we recommend that the user not change the compromised keys directly; instead, the user's secrets should be changed and new keys generated through the configuration interface.</p> <p>If new users are created by cloning a pre-existing user, as defined in RFC 3414 <sup id="fn40d-rf"><a class="fn-lnk" href="#fn40"><span class="wb-inv">Footnote </span>40</a></sup>, we recommend that the user being cloned have minimal access to management information and not send messages on the network.</p> <p>We recommend that user secrets be updated periodically, following the recommendations in ITSP.30.031 <sup id="fn48a-rf"><a class="fn-lnk" href="#fn48"><span class="wb-inv">Footnote </span>48</a></sup> or organizational password policy.</p> <h3 id="6.3">6.3 TSM security model</h3> <p>The SNMPv3 Transport Security Model described in <a href="https://datatracker.ietf.org/doc/html/rfc5591">RFC 5591 Transport Security Model for the Simple Network Management Protocol (SNMP)</a> <sup id="fn50-rf"><a class="fn-lnk" href="#fn50"><span class="wb-inv">Footnote </span>50</a></sup> relies on a secure transport protocol for mutual authentication, binding of keys, confidentiality, and integrity. RFC 5591 specifies how transport security protocols such as SSH, DTLS and TLS can be used to secure SNMPv3 traffic to meet one of the security levels mentioned in <a href="#6.1">section 6.1 SNMPv3 interfaces and access control</a>.</p> <p>TSM is a good choice for organizations that already have, or are planning to deploy, an X.509 PKI. Using TSM removes the need to manage SNMP USM secrets and localized keys. 
Organizations using TSM may consider maintaining an equivalent USM configuration as a backup, particularly if there is any concern about stressed or unavailable networks rendering the secure transport protocol inoperable. If USM is allowed as a fallback, its use should be logged and reported immediately to administrators as suspicious behaviour.</p> <h3 id="6.3.1">6.3.1 SNMPv3 over TLS/DTLS</h3> <p>RFC 6353 <sup id="fn45a-rf"><a class="fn-lnk" href="#fn45"><span class="wb-inv">Footnote </span>45</a></sup> spells out the general recommendations for configuring SNMPv3 in the TSM security model using TLS or DTLS. When using TLS or DTLS, the recommendations from <a href="#Section3">Section 3 Transport Layer Security</a> should be followed to achieve the equivalent of authPriv security and ensure that sufficient encryption and authentication services are applied. Acceptable cipher suites and key exchange groups are listed in <a href="#t1a">List 1: Recommended cipher suites for TLS 1.2</a> and <a href="#t3a">List 3: TLS supported groups that conform to ITSP.40.111</a>.</p> <p>As stated in RFC 6353 <sup id="fn45c-rf"><a class="fn-lnk" href="#fn45"><span class="wb-inv">Footnote </span>45</a></sup>, a certificate's subjectAltName should be used to map certificates to SNMP security names.</p> <p>The hash algorithm used in a certificate's SnmpTLSFingerprint should be a collision-resistant algorithm that follows the guidance from ITSP.40.111 <sup id="fn1v-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <h3 id="6.3.2">6.3.2 SNMPv3 over SSH</h3> <p>The use of SSH with SNMPv3 is specified in RFC 5592 <sup id="fn46a-rf"><a class="fn-lnk" href="#fn46"><span class="wb-inv">Footnote </span>46</a></sup>, and we recommend that the guidelines for establishing an SSH tunnel detailed in <a href="#Section5">Section 5 Secure Shell</a> be followed to ensure confidentiality and integrity. 
Acceptable mechanisms for client authentication are set out in List 17 of this publication.</p> <p>Ensure that SSH is not configured to skip host key (public-key) verification.</p> <h3 id="6.4">6.4 SNMPv3 over an IPsec tunnel</h3> <p>An IPsec tunnel can be used to protect SNMPv3 traffic that is already configured under USM or TSM as recommended above. Recommendations for the establishment of an IPsec tunnel are defined in <a href="#Section4">section 4 Internet Protocol Security</a>.</p> <h3 id="6.5">6.5 SNMPv3 notifications: Traps and informs</h3> <p>Trap and inform notifications should be transmitted securely. Implementations may use a separate configuration for notifications. When configuring the USM security level for notifications, we strongly recommend using the same security level as was used for SNMPv3 commands, but protected by a different set of keys.</p> <h3 id="6.6">6.6 SNMPv3 discovery process</h3> <p>The SNMPv3 discovery process consists of one or more requests that allow an SNMP entity to obtain another entity's configured identity when communicating with it for the first time.</p> <p>The second discovery request, which determines the clock of the managed entity, is authenticated and can be performed as often as needed to maintain time synchronisation (even if the initial request was not performed).</p> <p>When using USM, the discovery's initial request and response are not authenticated or encrypted. This means the response, which contains the entity's identity, could be spoofed or modified by a malicious agent. 
When using TSM, all discovery messages are authenticated and encrypted.</p> <p>SNMP entities making discovery requests should either:</p> <ul><li>maintain a list of identities with their network addresses to avoid having to make the initial request altogether</li> <li>make the initial request in an IPsec tunnel so that it is cryptographically protected</li> </ul><div class="clearfix"> </div> <h2 class="text-info" id="7">7 Secure/Multipurpose Internet Mail Extensions</h2> <p>Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard developed to protect the confidentiality, integrity, and authenticity of electronic messages over the Internet.</p> <p>S/MIME 4.0, as specified in <a href="https://datatracker.ietf.org/doc/html/rfc8551">RFC 8551 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification</a> <sup id="fn51-rf"><a class="fn-lnk" href="#fn51"><span class="wb-inv">Footnote </span>51</a></sup> and <a href="https://datatracker.ietf.org/doc/html/rfc8550">RFC 8550 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Certificate Handling</a> <sup id="fn52-rf"><a class="fn-lnk" href="#fn52"><span class="wb-inv">Footnote </span>52</a></sup>, should be used. 
S/MIME 4.0 includes support for AES-GCM.</p> <p><a href="https://datatracker.ietf.org/doc/html/rfc5753">RFC 5753 Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)</a> <sup id="fn53-rf"><a class="fn-lnk" href="#fn53"><span class="wb-inv">Footnote </span>53</a></sup> provides guidance on the use of elliptic curve cryptography (ECC) in Cryptographic Message Syntax (CMS) for generating digital signatures and exchanging keys to encrypt or authenticate messages.</p> <p>Software vendors should implement multi-part isolation with security considerations for dealing with HTML and multipart/mixed messages, as discussed in RFC 8551 <sup id="fn51a-rf"><a class="fn-lnk" href="#fn51"><span class="wb-inv">Footnote </span>51</a></sup>. Until such multi-part isolation is supported, S/MIME clients must be configured to disable the loading of remote content or to display messages only in plain text.</p> <h3 id="7.1">7.1 Digest algorithms</h3> <p>Digest algorithms are used in S/MIME for digesting the body of a message or as part of a signature algorithm. 
List 20 lists the digest algorithms that satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1w-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t20">Sufficient and phase out S/MIME digest algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>SHA-256</li> <li>SHA-384</li> <li>SHA-512</li> <li>SHA3-256</li> <li>SHA3-384</li> <li>SHA3-512</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>SHA-224</li> <li>SHA3-224</li> </ul></div> </section><p>Using SHA-1 to generate digital signatures does not satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1x-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>. For S/MIME 3.2 or earlier versions, SHA-1 should not be used as a digest algorithm to sign messages.</p> <h3 id="7.2">7.2 Signature algorithms</h3> <p>Signature algorithms should be used with a digest algorithm. 
List 21 lists the signature algorithms which, paired with a digest algorithm from Section 7.1, satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1y-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t21">Recommended S/MIME signature algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>ECDSA with NIST P-256 curve</li> <li>ECDSA with NIST P-384 curve</li> <li>ECDSA with NIST P-521 curve</li> <li>EdDSA with curve25519</li> <li>RSASSA PSS with 3072-bit or larger modulus</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>RSASSA PKCS1v1.5 with 3072-bit or larger modulus</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>ECDSA with NIST P-224 curve</li> <li>RSASSA PSS with 2048-bit modulus</li> <li>RSASSA PKCS1v1.5 with 2048-bit modulus</li> <li>DSA with any group size</li> </ul></div> </section><p>We recommend using RSASSA-PSS (instead of PKCS #1 v1.5) as the encoding mechanism for RSA digital signatures. 
This applies both to X.509 certificates, as specified in <a href="https://datatracker.ietf.org/doc/html/rfc5756">RFC 5756 Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters</a> <sup id="fn54-rf"><a class="fn-lnk" href="#fn54"><span class="wb-inv">Footnote </span>54</a></sup>, and to signed-data content types, as specified in <a href="https://datatracker.ietf.org/doc/html/rfc4056">RFC 4056 Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS)</a> <sup id="fn55-rf"><a class="fn-lnk" href="#fn55"><span class="wb-inv">Footnote </span>55</a></sup>. If signing with multiple signature algorithms, implementations should use the multipleSignatures CMS attribute as specified in <a href="https://datatracker.ietf.org/doc/html/rfc5752">RFC 5752 Multiple Signatures in Cryptographic Message Syntax (CMS)</a> <sup id="fn56-rf"><a class="fn-lnk" href="#fn56"><span class="wb-inv">Footnote </span>56</a></sup>.</p> <p>Implementations of RSASSA-PSS should protect against hash algorithm substitution attacks. Implementations should check that the hash algorithm used to compute the digest of the message content is the same as the hash algorithm used to compute the digest of the signed attributes.</p> <h3 id="7.3">7.3 Key encryption algorithms</h3> <p>Most key encryption algorithms for S/MIME require a key wrap algorithm to be specified as a parameter. Acceptable key wrap algorithms are specified in <a href="#7.3.1">subsection 7.3.1 Key wrap algorithms</a> of this document. 
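</p> <p>The key wrap step that these key encryption algorithms depend on, as an added example that is not code from the Cyber Centre or from any S/MIME implementation: a Go implementation of AES Key Wrap (RFC 3394), the algorithm behind the AES-128, AES-192 and AES-256 Wrap entries of subsection 7.3.1, with the unwrap side enforcing the integrity check that rejects a tampered wrapped key or a wrong key-encryption key. The KEK and content-encryption key in main are constructed values; the RFC 3394 section 4.1 vector serves as a known-answer check. The padded variant (RFC 5649) and the CMS structures that carry the wrapped key are not shown.</p>

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// rfc3394IV is the fixed initial value of RFC 3394 section 2.2.3.1; after
// unwrapping, recovering it is the integrity check on the wrapped key.
var rfc3394IV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// aesKeyWrap wraps keyData (a multiple of 8 bytes, at least 16) under kek
// following RFC 3394 section 2.2.1. kek must be 16, 24 or 32 bytes.
func aesKeyWrap(kek, keyData []byte) ([]byte, error) {
	if len(keyData) < 16 || len(keyData)%8 != 0 {
		return nil, errors.New("key data must be a multiple of 8 bytes and at least 16 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(keyData) / 8
	out := make([]byte, 8+len(keyData)) // out[0:8] holds A, out[8:] holds R[1..n]
	copy(out[:8], rfc3394IV[:])
	copy(out[8:], keyData)
	var b [16]byte
	for j := 0; j < 6; j++ {
		for i := 1; i <= n; i++ {
			copy(b[:8], out[:8])            // B = AES(K, A | R[i])
			copy(b[8:], out[8*i:8*i+8])
			block.Encrypt(b[:], b[:])
			t := uint64(n*j + i)            // A = MSB(64, B) XOR t
			binary.BigEndian.PutUint64(out[:8], binary.BigEndian.Uint64(b[:8])^t)
			copy(out[8*i:8*i+8], b[8:])     // R[i] = LSB(64, B)
		}
	}
	return out, nil
}

// aesKeyUnwrap inverts aesKeyWrap (RFC 3394 section 2.2.2) and fails when the
// recovered A is not the IV, which is how corruption or a wrong KEK is detected.
func aesKeyUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key must be a multiple of 8 bytes and at least 24 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	buf := make([]byte, len(wrapped))
	copy(buf, wrapped)
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			t := uint64(n*j + i)            // B = AES-1(K, (A XOR t) | R[i])
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(buf[:8])^t)
			copy(b[8:], buf[8*i:8*i+8])
			block.Decrypt(b[:], b[:])
			copy(buf[:8], b[:8])            // A = MSB(64, B)
			copy(buf[8*i:8*i+8], b[8:])     // R[i] = LSB(64, B)
		}
	}
	if !bytes.Equal(buf[:8], rfc3394IV[:]) {
		return nil, errors.New("integrity check failed: wrapped key corrupted or wrong KEK")
	}
	return buf[8:], nil
}

// rfc3394KnownAnswer checks the implementation against RFC 3394 section 4.1
// (128-bit key data wrapped with a 128-bit KEK).
func rfc3394KnownAnswer() bool {
	kek, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	keyData, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	got, err := aesKeyWrap(kek, keyData)
	return err == nil && hex.EncodeToString(got) == "1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5"
}

func main() {
	// Constructed values: a 256-bit KEK (in S/MIME, the output of the key
	// encryption algorithm's KDF) and a 256-bit content-encryption key.
	kek := []byte("0123456789abcdef0123456789abcdef")
	cek := make([]byte, 32)
	for i := range cek {
		cek[i] = byte(i)
	}
	fmt.Printf("RFC 3394 4.1 vector ok: %v\n", rfc3394KnownAnswer())
	wrapped, err := aesKeyWrap(kek, cek)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped CEK (%d bytes): %x\n", len(wrapped), wrapped)
	unwrapped, err := aesKeyUnwrap(kek, wrapped)
	fmt.Printf("unwrap ok: %v, matches CEK: %v\n", err == nil, bytes.Equal(unwrapped, cek))
	wrapped[9] ^= 0x01 // flip one bit in transit: the IV check must reject it
	_, err = aesKeyUnwrap(kek, wrapped)
	fmt.Printf("tampered unwrap rejected: %v\n", err != nil)
}
```

<p>The wrapped key is 8 bytes longer than the key it protects; those 8 bytes are what lets the recipient detect tampering before using the content-encryption key, which a plain AES-ECB encryption of the key would not provide. An implementation that skips the IV comparison on unwrap has no integrity protection on the key at all.</p> <p>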
List 22 lists the key encryption algorithms that satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1z-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t22">Recommended S/MIME key encryption algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>dhSinglePass stdDH SHA256 KDF with the NIST P-256 curve</li> <li>dhSinglePass stdDH SHA384 KDF with the NIST P-384 curve</li> <li>dhSinglePass stdDH SHA512 KDF with the NIST P-521 curve</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Sufficient</h5> </div> <ul class="list-unstyled"><li>RSAES OAEP with a 3072-bit or larger modulus</li> <li>dhSinglePass cofactorDH SHA256 KDF with the NIST P-256 curve</li> <li>dhSinglePass cofactorDH SHA384 KDF with the NIST P-384 curve</li> <li>dhSinglePass cofactorDH SHA512 KDF with the NIST P-521 curve</li> <li>mqvSinglePass SHA256 KDF with the NIST P-256 curve</li> <li>mqvSinglePass SHA384 KDF with the NIST P-384 curve</li> <li>mqvSinglePass SHA512 KDF with the NIST P-521 curve</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>dhSinglePass stdDH SHA224 KDF with the NIST P-224 curve</li> <li>dhSinglePass cofactorDH SHA224 KDF with the NIST P-224 curve</li> <li>RSA KEM with a 2048-bit modulus or larger</li> <li>RSAES OAEP with a 2048-bit modulus</li> <li>RSAES PKCS1v1.5 with a 2048-bit or larger modulus</li> </ul></div> </section><p>We recommend the use of standard Elliptic Curve Diffie-Hellman, as specified in <a href="https://datatracker.ietf.org/doc/html/rfc5753">RFC 5753 Use of Elliptic Curve Cryptography (ECC) 
Algorithms in Cryptographic Message Syntax (CMS)</a> <sup id="fn53a-rf"><a class="fn-lnk" href="#fn53"><span class="wb-inv">Footnote </span>53</a></sup>.</p> <p>If you are using RSA encryption, RSAES-OAEP should be implemented, as specified in <a href="https://datatracker.ietf.org/doc/html/rfc3560">RFC 3560 Use of the RSAES-OAEP Key Transport Algorithm in Cryptographic Message Syntax (CMS)</a> <sup id="fn57-rf"><a class="fn-lnk" href="#fn57"><span class="wb-inv">Footnote </span>57</a></sup> and RFC 5756 <sup id="fn54a-rf"><a class="fn-lnk" href="#fn54"><span class="wb-inv">Footnote </span>54</a></sup>, to meet the cryptographic guidance of ITSP.40.111 <sup id="fn1ab-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <p>If your S/MIME implementation allows decryption of PKCS #1 v1.5 encoded content, mitigations such as careful checking or random filling should be implemented, as described in <a href="https://datatracker.ietf.org/doc/html/rfc3218">RFC 3218 Preventing the Million Message Attack on Cryptographic Message Syntax</a> <sup id="fn58-rf"><a class="fn-lnk" href="#fn58"><span class="wb-inv">Footnote </span>58</a></sup>.</p> <h3 id="7.3.1">7.3.1 Key wrap algorithms</h3> <p>List 23 lists the key wrap algorithms that can be used with an appropriate key encryption algorithm to satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1ac-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t23">Recommended S/MIME key wrap algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>AES-128 Wrap</li> <li>AES-192 Wrap</li> <li>AES-256 Wrap</li> <li>AES-128 Wrap Pad</li> <li>AES-192 Wrap Pad</li> <li>AES-256 Wrap Pad</li> </ul></div> <div 
class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>3DES Wrap</li> <li>CAST5 CMS Key Wrap with a key length of 128 bits</li> </ul></div> </section><h3 id="7.4">7.4 Content encryption algorithms</h3> <p>The S/MIME content encryption algorithms listed in List 24 satisfy the cryptographic guidance provided in ITSP.40.111 <sup id="fn1ad-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>.</p> <section class="panel panel-default eqht-trgt"><div class="panel-heading"> <h4 class="panel-title h5" id="t24">S/MIME content encryption algorithms</h4> </div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Recommended</h5> </div> <ul class="list-unstyled"><li>AES-128 GCM</li> <li>AES-192 GCM</li> <li>AES-256 GCM</li> </ul></div> <div class="panel-body"> <div class="mrgn-tp-md well well-sm"> <h5 class="mrgn-tp-0 mrgn-bttm-0 h6">Phase out</h5> </div> <ul class="list-unstyled"><li>AES-128 CBC</li> <li>AES-192 CBC</li> <li>AES-256 CBC</li> </ul></div> </section><h2 class="text-info" id="8">8 Commercial technologies assurance programs</h2> <p>When implementing PKI, TLS, IPsec, SSH and S/MIME, the implementation assurance guidance in Section 11 of <a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information (ITSP.40.111)</a> <sup id="fn1ae-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> should be followed.</p> <div class="clearfix"> </div> <h2 class="text-info" id="9">9 Preparing for post quantum cryptography</h2> <p>Quantum 
computers threaten to break the public key cryptosystems and weaken the symmetric cryptosystems that we currently use. Although quantum technologies are not yet powerful enough to break the cryptography recommended in this publication, there is significant research in the area. In August 2024, NIST published standards for post-quantum cryptography that are designed to resist attacks by future quantum computers. The standards bodies that maintain the protocols listed in this publication are currently revising them to integrate post-quantum cryptography. We expect to include recommendations for the configuration of post-quantum cryptography in an update to this publication once the protocol standards are finalized.</p> <p>In the meantime, we recommend the following high-level steps:</p> <ul><li>Evaluate the sensitivity of your organization's information and determine its lifespan to identify information that may be at risk (for example, as part of ongoing risk assessment processes)</li> <li>Review your IT lifecycle management plan and budget for potentially significant software and hardware updates</li> <li>Educate your workforce on the quantum threat</li> </ul><p>For more detailed information on how to prepare, consult <a href="/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a> <sup id="fn59-rf"><a class="fn-lnk" href="#fn59"><span class="wb-inv">Footnote </span>59</a></sup>.</p> <p>Organizations should wait until the standards for using post-quantum cryptography in protocols are finalized before revising configurations to protect information or systems.</p> <h2 class="text-info" id="10">10 Summary</h2> <p>Your organization can use cryptographic security protocols to provide the security mechanisms that protect the confidentiality, integrity, and availability of information. 
As a first step, you should determine your organizational security requirements before choosing which protocols to use. Your organization may require the use of multiple protocols to satisfy a particular security requirement. You should select and implement each protocol in a manner that supports and meets your specific organizational requirements.</p> <section><h2 class="text-info" id="11">11 Supporting content</h2> <details><summary><h3 id="11.1">11.1 List of abbreviations</h3> </summary><dl class="dl-horizontal"><dt><strong>Term </strong></dt> <dd><strong>Definition </strong></dd> <dt>AEAD</dt> <dd>Authenticated Encryption with Associated Data</dd> <dt>AES</dt> <dd>Advanced Encryption Standard</dd> <dt>AH</dt> <dd>Authentication Header</dd> <dt>CA</dt> <dd>Certificate Authority</dd> <dt>CBC</dt> <dd>Cipher Block Chaining</dd> <dt>CMS</dt> <dd>Cryptographic Message Syntax</dd> <dt>CMVP</dt> <dd>Cryptographic Module Validation Program</dd> <dt>CRL</dt> <dd>Certificate Revocation List</dd> <dt>CSE</dt> <dd>Communications Security Establishment</dd> <dt>DANE</dt> <dd>DNS-Based Authentication of Named Entities</dd> <dt>DDoS</dt> <dd>Distributed Denial of Service</dd> <dt>DH</dt> <dd>Diffie-Hellman</dd> <dt>DNS</dt> <dd>Domain Name System</dd> <dt>DTLS</dt> <dd>Datagram Transport Layer Security</dd> <dt>ECC</dt> <dd>Elliptic Curve Cryptography</dd> <dt>ECDH</dt> <dd>Elliptic-Curve Diffie-Hellman</dd> <dt>ECDHE</dt> <dd>Ephemeral Elliptic Curve Diffie-Hellman</dd> <dt>ECDSA</dt> <dd>Elliptic Curve Digital Signature Algorithm</dd> <dt>ECP</dt> <dd>Elliptic Curve Groups modulo a Prime</dd> <dt>ESP</dt> <dd>Encapsulating Security Payload</dd> <dt>GC</dt> <dd>Government of Canada</dd> <dt>GCM</dt> <dd>Galois/Counter Mode</dd> <dt>HMAC</dt> <dd>Keyed-Hash Message Authentication Code</dd> <dt>HSTS</dt> <dd>HTTP Strict Transport Security</dd> <dt>IKE</dt> <dd>Internet Key Exchange</dd> <dt>IPsec</dt> <dd>Internet Protocol Security</dd> <dt>IT</dt> <dd>Information Technology</dd> <dt>ITS</dt> <dd>Information Technology Security</dd> <dt>MAC</dt> <dd>Message Authentication Code</dd> 
<dt>MTA</dt> <dd>Message Transfer Agent</dd> <dt>NIST</dt> <dd>National Institute of Standards and Technology</dd> <dt>PFS</dt> <dd>Perfect Forward Secrecy</dd> <dt>PKI</dt> <dd>Public Key Infrastructure</dd> <dt>PRF</dt> <dd>Pseudo-Random Function</dd> <dt>PSK</dt> <dd>Pre-shared Key</dd> <dt>RFC</dt> <dd>Request for Comments</dd> <dt>RSA</dt> <dd>Rivest Shamir Adleman</dd> <dt>SA</dt> <dd>Security Association</dd> <dt>SHA</dt> <dd>Secure Hash Algorithm</dd> <dt>SSH</dt> <dd>Secure Shell</dd> <dt>S/MIME</dt> <dd>Secure/Multipurpose Internet Mail Extensions</dd> <dt>SMTP</dt> <dd>Simple Mail Transfer Protocol</dd> <dt>SP</dt> <dd>Special Publication</dd> <dt>SSL</dt> <dd>Secure Socket Layer</dd> <dt>TBS</dt> <dd>Treasury Board of Canada Secretariat</dd> <dt>TLS</dt> <dd>Transport Layer Security</dd> </dl></details><details><summary><h3 id="11.2">11.2 Glossary</h3> </summary><dl><dt><strong>Term</strong></dt> <dd><strong>Definition</strong></dd> <dt>Authentication</dt> <dd>A process or measure used to verify a user's identity.</dd> <dt>Authenticity</dt> <dd>The state of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.</dd> <dt>Availability</dt> <dd>The ability for the right people to access the right information or systems when needed. Availability is applied to information assets, software, and hardware (infrastructure and its components).</dd> <dt>Classified information</dt> <dd>A Government of Canada label for specific types of sensitive data that, if compromised, could cause harm to the national interest (e.g. 
national defence, relationships with other countries, economic interests).</dd> <dt>Confidentiality</dt> <dd>The ability to protect sensitive information from being accessed by unauthorized people.</dd> <dt>Cryptography</dt> <dd>The study of techniques used to make plain information unreadable, as well as to convert it back to a readable form.</dd> <dt>Decryption</dt> <dd>A process that converts encrypted voice or data information into plain form by reversing the encryption process.</dd> <dt>Digital signature</dt> <dd>A cryptologic mechanism used to validate an item's (e.g. document, software) authenticity and integrity.</dd> <dt>Distributed denial of service (DDoS) attack</dt> <dd>An attack in which multiple compromised systems are used to attack a single target. The flood of incoming messages to the target system forces it to shut down and denies service to legitimate users.</dd> <dt>Encryption</dt> <dd>Converting information from one form to another to hide its content and prevent unauthorized access.</dd> <dt>Forward secrecy</dt> <dd>A property of key establishment protocols where the compromise of the long-term private key will not allow an adversary to re-compute previously derived keys or sessions.</dd> <dt>Integrity</dt> <dd>The ability to protect information from being modified or deleted unintentionally when it's not supposed to be. Integrity helps determine that information is what it claims to be. 
Integrity also applies to business processes, software application logic, hardware, and personnel.</dd> <dt>Key management</dt> <dd>The procedures and mechanisms for generating, disseminating, replacing, storing, archiving, and destroying cryptographic keys.</dd> <dt>Replay attack</dt> <dd>A form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.</dd> </dl></details><aside class="wb-fnote" role="note"><h3 id="11.3">11.3 References</h3> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>Canadian Centre for Cyber Security. <a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic Algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information (ITSP.40.111)</a>. September 2023.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>Treasury Board of Canada Secretariat. <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=26262">Guideline on Defining Authentication Requirements</a>. November 2012.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote </span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p>Canadian Centre for Cyber Security. <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33">IT Security Risk Management: A Lifecycle Approach (ITSG-33)</a>. November 2012.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote </span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p>National Institute of Standards and Technology. <a href="https://csrc.nist.gov/pubs/sp/800/57/pt3/r1/final">Recommendation for Key Management Part 3: Application-Specific Key Management Guidance. Special Publication 800-57 Part 3 Rev 1</a>. 
January 2015.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote </span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p>Cooper, D., et al. <a href="https://datatracker.ietf.org/doc/html/rfc5280">Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. Request for Comments (RFC) 5280</a>. Internet Engineering Task Force (IETF). May 2008.</p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote </span>5<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 6</dt> <dd id="fn6"> <p>Rescorla, E. <a href="https://datatracker.ietf.org/doc/html/rfc8446">The Transport Layer Security (TLS) Protocol Version 1.3. Request for Comments (RFC) 8446</a>. Internet Engineering Task Force (IETF). August 2018.</p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote </span>6<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 7</dt> <dd id="fn7"> <p>Hodges, J., Jackson, C. and Barth, A. <a href="https://datatracker.ietf.org/doc/html/rfc6797">HTTP Strict Transport Security (HSTS). Request for Comments (RFC) 6797</a>. Internet Engineering Task Force (IETF). November 2012.</p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote </span>7<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 8</dt> <dd id="fn8"> <p>Hoffman, P. <a href="https://datatracker.ietf.org/doc/html/rfc3207">SMTP Service Extension for Secure SMTP over Transport Layer Security. Request for Comments (RFC) 3207</a>. Internet Engineering Task Force (IETF). February 2002.</p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote </span>8<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 9</dt> <dd id="fn9"> <p>Margolis, D., et al. <a href="https://datatracker.ietf.org/doc/html/rfc8461">SMTP MTA Strict Transport Security (MTA-STS). Request for Comments (RFC) 8461</a>. 
Internet Engineering Task Force (IETF). September 2018.</p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote </span>9<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 10</dt> <dd id="fn10"> <p>Dukhovni, V. and Hardaker, W. <a href="https://datatracker.ietf.org/doc/html/rfc7672">SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS). Request for Comments (RFC) 7672</a>. Internet Engineering Task Force (IETF). October 2015.</p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote </span>10<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 11</dt> <dd id="fn11"> <p>Friedl, S., et al. <a href="https://datatracker.ietf.org/doc/html/rfc7301">Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension. Request for Comments (RFC) 7301</a>. Internet Engineering Task Force (IETF). July 2014.</p> <p class="fn-rtn"><a href="#fn11-rf"><span class="wb-inv">Return to footnote </span>11<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 12</dt> <dd id="fn12"> <p>Eastlake 3rd, D. <a href="https://datatracker.ietf.org/doc/html/rfc6066">Transport Layer Security (TLS) Extensions: Extension Definitions. Request for Comments (RFC) 6066</a>. Internet Engineering Task Force (IETF). January 2011.</p> <p class="fn-rtn"><a href="#fn12-rf"><span class="wb-inv">Return to footnote </span>12<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 13</dt> <dd id="fn13"> <p>Gutmann, P. <a href="https://datatracker.ietf.org/doc/html/rfc7366">Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). Request for Comments (RFC) 7366</a>. Internet Engineering Task Force (IETF). 
September 2014.</p> <p class="fn-rtn"><a href="#fn13-rf"><span class="wb-inv">Return to footnote </span>13 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 14</dt> <dd id="fn14"> <p>Bhargavan Ed, K., et al. <a href="https://datatracker.ietf.org/doc/html/rfc7627">Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension. Request for Comments (RFC) 7627</a>. Internet Engineering Task Force (IETF). September 2015.</p> <p class="fn-rtn"><a href="#fn14-rf"><span class="wb-inv">Return to footnote </span>14 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 15</dt> <dd id="fn15"> <p>Pettersen, Y. <a href="https://datatracker.ietf.org/doc/html/rfc6961">The Transport Layer Security (TLS) Multiple Certificate Status Request Extension. Request for Comments (RFC) 6961</a>. Internet Engineering Task Force (IETF). June 2013.</p> <p class="fn-rtn"><a href="#fn15-rf"><span class="wb-inv">Return to footnote </span>15 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 16</dt> <dd id="fn16"> <p>Ray, M. and Dispensa, S. <a href="https://datatracker.ietf.org/doc/html/rfc5746">Transport Layer Security (TLS) Renegotiation Indication Extension. Request for Comments (RFC) 5746</a>. Internet Engineering Task Force (IETF). February 2010.</p> <p class="fn-rtn"><a href="#fn16-rf"><span class="wb-inv">Return to footnote </span>16 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 17</dt> <dd id="fn17"> <p>Nir, Y., Josefsson, S. and Pegourie-Gonnard, M. <a href="https://datatracker.ietf.org/doc/html/rfc8422">Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier. Request for Comments (RFC) 8422</a>. Internet Engineering Task Force (IETF). August 2018.</p> <p class="fn-rtn"><a href="#fn17-rf"><span class="wb-inv">Return to footnote </span>17 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 18</dt> <dd id="fn18"> <p>Gillmor, D. 
<a href="https://datatracker.ietf.org/doc/html/rfc7919">Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)</a>. Request for Comments (RFC) 7919. Internet Engineering Task Force (IETF). August 2016.</p> <p class="fn-rtn"><a href="#fn18-rf"><span class="wb-inv">Return to footnote </span>18 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 19</dt> <dd id="fn19"> <p>Laurie, B., Messeri, E. and Stradling, R. <a href="https://datatracker.ietf.org/doc/html/rfc9162">Certificate Transparency Version 2.0. Request for Comments (RFC) 9162. Internet Engineering Task Force (IETF)</a>. December 2021.</p> <p class="fn-rtn"><a href="#fn19-rf"><span class="wb-inv">Return to footnote </span>19 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 20</dt> <dd id="fn20"> <p>Laurie, B., Langley, A. and Kasper, E. <a href="https://datatracker.ietf.org/doc/html/rfc6962">Certificate Transparency. Request for Comments (RFC) 6962</a>. Internet Engineering Task Force (IETF). June 2013.</p> <p class="fn-rtn"><a href="#fn20-rf"><span class="wb-inv">Return to footnote </span>20 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 21</dt> <dd id="fn21"> <p>Kaufman, C. and et al. <a href="https://datatracker.ietf.org/doc/html/rfc7296">Internet Key Exchange Protocol Version 2 (IKEv2). Request for Comments (RFC) 7296</a>. Internet Engineering Task Force (IETF). October 2014.</p> <p class="fn-rtn"><a href="#fn11-rf"><span class="wb-inv">Return to footnote </span>21 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 22</dt> <dd id="fn22"> <p>Hoffman, P. and Snell, J. <a href="https://datatracker.ietf.org/doc/html/rfc7396">JSON Merge Patch. Request for Comments (RFC) 7396</a>. Internet Engineering Task Force (IETF). 
October 2014.</p> <p class="fn-rtn"><a href="#fn22-rf"><span class="wb-inv">Return to footnote </span>22 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 23</dt> <dd id="fn23"> <p>Eronen, P. and Tschofenig, H. <a href="https://datatracker.ietf.org/doc/html/rfc5998">An Extension for EAP-Only Authentication in IKEv2. Request for Comments (RFC) 5998</a>. Internet Engineering Task Force (IETF). September 2010.</p> <p class="fn-rtn"><a href="#fn23-rf"><span class="wb-inv">Return to footnote </span>23 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 24</dt> <dd id="fn24"> <p>Nir, Y. and Smyslov, V. <a href="https://datatracker.ietf.org/doc/html/rfc8019">Protecting IKEv2 Implementations from Distributed Denial-of-Service Attacks. Request for Comments (RFC) 8019</a>. Internet Engineering Task Force (IETF). November 2016.</p> <p class="fn-rtn"><a href="#fn24-rf"><span class="wb-inv">Return to footnote </span>24 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 25</dt> <dd id="fn25"> <p>Smyslov, V. <a href="https://datatracker.ietf.org/doc/html/rfc7383">Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation. Request for Comments (RFC) 7383</a>. Internet Engineering Task Force (IETF). November 2014.</p> <p class="fn-rtn"><a href="#fn25-rf"><span class="wb-inv">Return to footnote </span>25 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 26</dt> <dd id="fn26">26 <p>Sheffer, Y. and Tschofenig, H. <a href="https://datatracker.ietf.org/doc/html/rfc5723">Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption. Request for Comments (RFC) 5723</a>. Internet Engineering Task Force (IETF). January 2010.</p> <p class="fn-rtn"><a href="#fn26-rf"><span class="wb-inv">Return to footnote </span>26 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 27</dt> <dd id="fn27"> <p>Kent, S. and Seo, K<a href="https://datatracker.ietf.org/doc/html/rfc4301">. 
Security Architecture for the Internet Protocol. Request for Comments (RFC) 4301</a>. Internet Engineering Task Force (IETF). December 2005.</p> <p class="fn-rtn"><a href="#fn27-rf"><span class="wb-inv">Return to footnote </span>27 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 28</dt> <dd id="fn28"> <p>Kent, S<a href="https://datatracker.ietf.org/doc/html/rfc4303">. IP Encapsulating Security Payload (ESP). Request for Comments (RFC) 4303</a>. Internet Engineering Task Force (IETF). December 2005.</p> <p class="fn-rtn"><a href="#fn28-rf"><span class="wb-inv">Return to footnote </span>28 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 29</dt> <dd id="fn29"> <p>McGrew, D. and Hoffman, P. <a href="https://datatracker.ietf.org/doc/html/rfc7321">Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)</a>. Request for Comments (RFC) 7321. Internet Engineering Task Force (IETF). August 2014.</p> <p class="fn-rtn"><a href="#fn29-rf"><span class="wb-inv">Return to footnote </span>29 <span class="wb-inv"> referrer</span></a></p> </dd> <dt id="fn30-dt">30</dt> <dd id="fn30"> <p>Viega, J. and McGrew, D. <a href="https://datatracker.ietf.org/doc/html/rfc4106">The Use of Galois Counter Mode (GCM) in IPSec Encapsulating Security Payload. Request for Comments (RFC) 4106</a>. Internet Engineering Task Force (IETF). June 2005.</p> <p class="fn-rtn"><a href="#fn11-rf"><span class="wb-inv">Return to footnote </span>30 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 31</dt> <dd id="fn31"> <p>Ylonen, T. and Lonvick, C., Ed. <a href="https://datatracker.ietf.org/doc/html/rfc4251">The Secure Shell (SSH) Protocol Architecture. Request for Comments (RFC) 4251</a>. Internet Engineering Task Force (IETF). 
January 2006.</p> <p class="fn-rtn"><a href="#fn31-rf"><span class="wb-inv">Return to footnote </span>31 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 32</dt> <dd id="fn32">32 <p>Ylonen, T. and Lonvick, C., Ed. <a href="https://datatracker.ietf.org/doc/html/rfc4252">The Secure Shell (SSH) Authentication Protocol. Request for Comments (RFC) 4252</a>. Internet Engineering Task Force (IETF). January 2006.</p> <p class="fn-rtn"><a href="#fn32-rf"><span class="wb-inv">Return to footnote </span>32 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 33</dt> <dd id="fn33"> <p>Ylonen, T. and Lonvick, C., Ed. <a href="https://datatracker.ietf.org/doc/html/rfc4253">The Secure Shell (SSH) Transport Layer Protocol. Request for Comments (RFC) 4253</a>. Internet Engineering Task Force (IETF). January 2006.</p> <p class="fn-rtn"><a href="#fn33-rf"><span class="wb-inv">Return to footnote </span>33 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 34</dt> <dd id="fn34"> <p>Ylonen, T. and Lonvick, C., Ed. <a href="https://datatracker.ietf.org/doc/html/rfc4254">The Secure Shell (SSH) Connection Protocol. Request for Comments (RFC) 4254</a>. Internet Engineering Task Force (IETF). January 2006.</p> </dd> <dt>Footnote 35</dt> <dd id="fn35"> <p>Igoe, K. and Stebila, D. <a href="https://datatracker.ietf.org/doc/html/rfc6187">x509.v3 certificates for Secure Shell Authentication. Request for Comments (RFC) 6187</a>. Internet Engineering Task Force (IETF). March 2011.</p> <p class="fn-rtn"><a href="#fn35-rf"><span class="wb-inv">Return to footnote </span>35 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 36</dt> <dd id="fn36"> <p>Bellare, M., Kohno, T. and Namprempre, C. <a href="https://datatracker.ietf.org/doc/html/rfc4344">The Secure Shell (SSH) Transport Layer Encryption Modes. Request for Comments (RFC) 4344</a>. Internet Engineering Task Force (IETF). 
January 2006.</p> <p class="fn-rtn"><a href="#fn36-rf"><span class="wb-inv">Return to footnote </span>36 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 37</dt> <dd id="fn37"> <p>Harrington, D., Presuhn, R. and Wijnen, B. <a href="https://datatracker.ietf.org/doc/html/rfc3411">An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks. Request for Comments (RFC) 3411</a>. Internet Engineering Task Force (IETF). December 2002.</p> <p class="fn-rtn"><a href="#fn37-rf"><span class="wb-inv">Return to footnote </span>37 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 38</dt> <dd id="fn38"> <p>Case, J., et al. <a href="https://datatracker.ietf.org/doc/html/rfc3412">Message Processing and Dispatching for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 3412</a>. Internet Engineering Task Force (IETF), December 2002.</p> <p class="fn-rtn"><a href="#fn38-rf"><span class="wb-inv">Return to footnote </span>38 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 39</dt> <dd id="fn39"> <p>Levi, D., Meyer, P. and Stewart, B. <a href="https://datatracker.ietf.org/doc/html/rfc3413">Simple Network Management Protocol (SNMP) Applications. Request for Comments (RFC) 3413</a>. Internet Engineering Task Force (IETF). December 2002.</p> <p class="fn-rtn"><a href="#fn39-rf"><span class="wb-inv">Return to footnote </span>39 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 40</dt> <dd id="fn40"> <p>Blumenthal, U. and Wijnen, B. <a href="https://datatracker.ietf.org/doc/html/rfc3414">User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3). Request for Comments (RFC) 3414</a>. Internet Engineering Task Force (IETF). December 2002.</p> </dd> <dt>Footnote 41</dt> <dd id="fn41"> <p>Wijnen, B., Presuhn, R. and McCloghrie, K. 
<a href="https://datatracker.ietf.org/doc/html/rfc3415">View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 3415</a>. Internet Engineering Task Force (IETF), December 2002.</p> <p class="fn-rtn"><a href="#fn41-rf"><span class="wb-inv">Return to footnote </span>41 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 42</dt> <dd id="fn42"> <p>Presuhn, R., et al. <a href="https://datatracker.ietf.org/doc/html/rfc3416">Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 3416</a>. Internet Engineering Task Force (IETF). December 2002.</p> <p class="fn-rtn"><a href="#fn42-rf"><span class="wb-inv">Return to footnote </span>42 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 43</dt> <dd id="fn43"> <p>Presuhn, R., et al. <a href="https://datatracker.ietf.org/doc/html/rfc3417">Transport Mappings for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 3417</a>. Internet Engineering Task Force (IETF). December 2002.</p> <p class="fn-rtn"><a href="#fn43-rf"><span class="wb-inv">Return to footnote </span>43 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 44</dt> <dd id="fn44"> <p>Presuhn, R., et al. <a href="https://datatracker.ietf.org/doc/html/rfc3418">Management Information Base (MIB) for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 3418</a>. Internet Engineering Task Force (IETF). December 2002.</p> <p class="fn-rtn"><a href="#fn44-rf"><span class="wb-inv">Return to footnote </span>44 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 45</dt> <dd id="fn45"> <p>Hardaker, W. <a href="https://datatracker.ietf.org/doc/html/rfc6353">Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 6353</a>. Internet Engineering Task Force (IETF). 
July 2011.</p> <p class="fn-rtn"><a href="#fn45-rf"><span class="wb-inv">Return to footnote </span>45 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 46</dt> <dd id="fn46"> <p>Harrington, D., Salowey, J. and Hardaker, W. <a href="https://datatracker.ietf.org/doc/html/rfc5592">Secure Shell Transport Model for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 5592</a>. Internet Engineering Task Force (IETF). June 2009.</p> <p class="fn-rtn"><a href="#fn46-rf"><span class="wb-inv">Return to footnote </span>46 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 47</dt> <dd id="fn47"> <p>Blumenthal, U., Maino, F. and McCloghrie, K. <a href="https://datatracker.ietf.org/doc/html/rfc3826">The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model. Request for Comments (RFC) 3826</a>. Internet Engineering Task Force (IETF). June 2004.</p> <p class="fn-rtn"><a href="#fn47-rf"><span class="wb-inv">Return to footnote </span>47 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 48</dt> <dd id="fn48"> <p>Canadian Centre for Cyber Security. <a href="/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">User authentication guidance for information technology systems (ITSP.30.031) v3</a>. April 2018.</p> <p class="fn-rtn"><a href="#fn48-rf"><span class="wb-inv">Return to footnote </span>48 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 49</dt> <dd id="fn49"> <p>Canadian Centre for Cyber Security. <a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a>. September 2019.</p> <p class="fn-rtn"><a href="#fn49-rf"><span class="wb-inv">Return to footnote </span>49 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 50</dt> <dd id="fn50"> <p>Harrington, D. and Hardaker, W. 
<a href="https://datatracker.ietf.org/doc/html/rfc5591">Transport Security Model for the Simple Network Management Protocol (SNMP). Request for Comments (RFC) 5591</a>. Internet Engineering Task Force (IETF). June 2009.</p> <p class="fn-rtn"><a href="#fn50-rf"><span class="wb-inv">Return to footnote </span>50 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 51</dt> <dd id="fn51"> <p>Schaad, J., Ramsdell, B. and Turner, S. <a href="https://datatracker.ietf.org/doc/html/rfc8551">Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification. Request for Comments (RFC) 8551</a>. Internet Engineering Task Force (IETF). April 2019.</p> <p class="fn-rtn"><a href="#fn51-rf"><span class="wb-inv">Return to footnote </span>51 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 52</dt> <dd id="fn52"> <p>Schaad, J., Ramsdell, B. and Turner, S. <a href="https://datatracker.ietf.org/doc/html/rfc8550">Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Certificate Handling. Request for Comments (RFC) 8550</a>. Internet Engineering Task Force (IETF). April 2019.</p> <p class="fn-rtn"><a href="#fn52-rf"><span class="wb-inv">Return to footnote </span>52 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 53</dt> <dd id="fn53"> <p>Turner, S. and Brown, D. <a href="https://datatracker.ietf.org/doc/html/rfc5753">Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS). Request for Comments (RFC) 5753</a>. Internet Engineering Task Force (IETF). January 2010.</p> <p class="fn-rtn"><a href="#fn53-rf"><span class="wb-inv">Return to footnote </span>53 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 54</dt> <dd id="fn54"> <p>Turner, S., et al. <a href="https://datatracker.ietf.org/doc/html/rfc5756">Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters. Request for Comments (RFC) 5756</a>. Internet Engineering Task Force (IETF). 
January 2010.</p> <p class="fn-rtn"><a href="#fn54-rf"><span class="wb-inv">Return to footnote </span>54 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 55</dt> <dd id="fn55"> <p>Schaad, J. <a href="https://datatracker.ietf.org/doc/html/rfc4056">Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS). Request for Comments (RFC) 4056</a>. Internet Engineering Task Force (IETF). June 2005.</p> <p class="fn-rtn"><a href="#fn55-rf"><span class="wb-inv">Return to footnote </span>55 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 56</dt> <dd id="fn56"> <p>Turner, S. and Schaad, J. <a href="https://datatracker.ietf.org/doc/html/rfc5752">Multiple Signatures in Cryptographic Message Syntax (CMS). Request for Comments (RFC) 5752</a>. Internet Engineering Task Force (IETF). January 2010.</p> <p class="fn-rtn"><a href="#fn56-rf"><span class="wb-inv">Return to footnote </span>56 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 57</dt> <dd id="fn57"> <p>Housley, R. <a href="https://datatracker.ietf.org/doc/html/rfc3560">Use of the RSAES-OAEP Key Transport Algorithm in Cryptographic Message Syntax (CMS). Request for Comments (RFC) 3560</a>. Internet Engineering Task Force (IETF). July 2003.</p> <p class="fn-rtn"><a href="#fn57-rf"><span class="wb-inv">Return to footnote </span>57 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 58</dt> <dd id="fn58"> <p>Rescorla, E. <a href="https://datatracker.ietf.org/doc/html/rfc3218">Preventing the Million Message Attack on Cryptographic Message Syntax. Request for Comments (RFC) 3218</a>. Internet Engineering Task Force (IETF). January 2002.</p> <p class="fn-rtn"><a href="#fn58-rf"><span class="wb-inv">Return to footnote </span>58 <span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 59</dt> <dd id="fn59"> <p>Canadian Centre for Cyber Security. 
<a href="/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a>. February 2021.</p> <p class="fn-rtn"><a href="#fn59-rf"><span class="wb-inv">Return to footnote </span>59 <span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </article>
- CSE calls on Canadian organizations and critical infrastructure providers to strengthen defences on third anniversary of Russia's invasion of Ukraine by Canadian Centre for Cyber Security on February 18, 2025 at 2:59 pm
<article data-history-node-id="6022" about="/en/news-events/cse-calls-canadian-organizations-critical-infrastructure-providers-strengthen-defences-third-anniversary-russias-invasion-ukraine" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Communications Security Establishment Canada (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) are urging Canadian organizations to remain vigilant and strengthen their protection against malicious cyber threats as the three-year mark of Russia's full-scale invasion of Ukraine approaches.</p> <p>In the past three years, the Cyber Centre has observed pro-Russia cyber actors targeting organizations in countries, including Canada, that have provided support to Ukraine. This activity has included cyber campaigns targeting critical infrastructure and distributed denial-of-service (DDoS) attacks on government and business websites.</p> <p>The Cyber Centre recommends that operators of Internet-connected operational technology (OT) devices be aware of potential threats and remain cautious, as these systems are easily discoverable and vulnerable to cyber threats. Russian state cyber actors may use low-complexity brute force techniques, such as MITRE ATT&CK's T1110, to exploit exposed OT devices. 
Operators should implement appropriate measures to defend against these types of threats.</p> <p>Critical infrastructure operators and Canadian organizations should also prepare for potential disruptions and website defacements, and be aware of threats from cyber actors aligned with Russian interests. The Cyber Centre has previously reported the rise of ideologically driven, pro-Russia non-state cyber groups conducting malicious activity against perceived enemies. These groups are less sophisticated than state-sponsored actors but act autonomously, leading to unpredictability and a higher tolerance for risk.</p> <h2>Recommended actions</h2> <ul><li>Adopt the Cyber Centre's <a href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-Sector Cyber Security Readiness Goals</a></li> <li>Review and implement the Cyber Centre's guidance on: <ul><li><a href="/en/guidance/website-defacement-itsap00060">website defacement</a></li> <li><a href="/en/guidance/distributed-denial-service-attacks-prevention-and-preparation-itsap80110">distributed denial-of-service attacks</a></li> </ul></li> <li>Consult the Cyber Centre's <a href="/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089">top 10 security actions to protect Internet-connected networks and information</a>, paying specific attention to the following topics: <ul><li>Consolidate, monitor and defend Internet gateways</li> <li>Segment and separate information</li> <li>Isolate web-facing applications</li> </ul></li> <li>Read the joint guidance on: <ul><li><a href="/en/news-events/joint-guidance-principles-operational-technology-cyber-security">principles of operational technology cyber security</a></li> <li><a href="/en/news-events/joint-guidance-defending-operational-technology-operations-against-ongoing-pro-russia-hacktivist-activity">defending operational technology operations against ongoing pro-Russia hacktivist activity</a></li> 
</ul></li> <li>Consult the Cyber Centre's <a href="/en/guidance/security-considerations-industrial-control-systems-itsap00050">security considerations for industrial control systems</a>, paying specific attention to the following topics: <ul><li>Isolate the system</li> <li>Manage access and privileges</li> </ul></li> <li>Take note of the Cyber Centre's alert on <a href="/en/alerts-advisories/distributed-denial-service-campaign-targeting-multiple-canadian-sectors">distributed denial-of-service campaigns targeting multiple Canadian sectors</a></li> <li>Review perimeter network systems to determine if any suspicious activity has occurred</li> <li>Report any cyber incidents to the Cyber Centre</li> </ul><p>The Cyber Centre continues to share valuable cyber threat information throughout the year with Canadian critical infrastructure and government partners via protected channels. We also actively monitor the cyber threat environment in Canada and globally. We encourage any Canadian organizations that believe they may have been targeted by cyber threat activity to contact the Cyber Centre by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> or by phone at <a href="tel:18332923788">1-833-CYBER-88</a>.</p> </div> </div> </div> </div> </div> </article>
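One concrete form the "review perimeter network systems" action and the T1110 brute-force point above can take is a detection rule run over authentication logs from an exposed OT gateway. The following is an added example, not code from CSE or the Cyber Centre: the log line format, host names, source addresses, thresholds and the sample lines themselves are constructed for illustration. It flags a source that exceeds a failure threshold inside a sliding window, and separately flags a later successful login from that same source, which on an Internet-facing OT device is the point at which the credential should be treated as compromised.

```python
"""Flag password brute-force bursts (MITRE ATT&CK T1110) in authentication logs.

Added example, not Cyber Centre code. The log line format is hypothetical:
    <ISO-8601 timestamp> <host> auth: <FAIL|OK> user=<name> src=<ip>
Sample lines, thresholds and addresses below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    src: str
    host: str
    kind: str                 # "bruteforce" or "success_after_bruteforce"
    failures: int             # failures from src inside the window at alert time
    at: datetime
    users: tuple[str, ...]    # accounts tried (sorted), or the account that succeeded


def parse(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match (never crash)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])}


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> list[Alert]:
    """Return alerts for (src, host) pairs with >= threshold failures in `window`.

    A later successful login from a source that already tripped the threshold is
    reported as its own alert: that is the moment to assume the credential is
    compromised rather than merely attacked.
    """
    recent = defaultdict(deque)   # (src, host) -> deque of (ts, user) failures
    tripped: set[tuple[str, str]] = set()
    alerts: list[Alert] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["host"])
        q = recent[key]
        while q and ev["ts"] - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and key not in tripped:
                tripped.add(key)
                users = tuple(sorted({u for _, u in q}))
                alerts.append(Alert(key[0], key[1], "bruteforce", len(q), ev["ts"], users))
        elif key in tripped:   # result == "OK" from a source that already burst
            alerts.append(Alert(key[0], key[1], "success_after_bruteforce",
                                len(q), ev["ts"], (ev["user"],)))
    return alerts


# Constructed sample: one password-guessing burst against an OT gateway followed
# by a success, and one ordinary typo-then-login that must not raise an alert.
SAMPLE_LOG = """\
2025-02-18T09:00:01 plc-gw-01 auth: FAIL user=admin src=203.0.113.7
2025-02-18T09:00:03 plc-gw-01 auth: FAIL user=admin src=203.0.113.7
2025-02-18T09:00:05 plc-gw-01 auth: FAIL user=root src=203.0.113.7
2025-02-18T09:00:06 plc-gw-01 auth: FAIL user=operator src=203.0.113.7
2025-02-18T09:00:08 plc-gw-01 auth: FAIL user=admin src=203.0.113.7
2025-02-18T09:00:20 plc-gw-01 auth: OK user=admin src=203.0.113.7
2025-02-18T09:05:00 plc-gw-01 auth: FAIL user=jdoe src=198.51.100.4
2025-02-18T09:06:00 plc-gw-01 auth: OK user=jdoe src=198.51.100.4
this line is not an auth record and is ignored
""".splitlines()

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a.at.isoformat()} {a.kind:26} src={a.src} host={a.host} "
              f"failures={a.failures} users={','.join(a.users)}")
```

The window is keyed on source and host rather than on account, so a spray across several accounts from one address still trips the rule; the single failed attempt followed by a login from the second address stays quiet. Thresholds belong in configuration, not code, and for OT devices with very low legitimate login volume a much lower threshold than five is reasonable.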
- Preparing your organization for the quantum threat to cryptography (ITSAP.00.017) by Canadian Centre for Cyber Security on February 13, 2025 at 2:51 pm
<article data-history-node-id="695" about="/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–Info across the top under the image–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>February 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.017</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>February 2025 | Awareness series</strong></p> </div> <!–pdf download–> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsap.00.017-en.pdf">Preparing your organization for the quantum threat to cryptography – ITSAP.00.017 (PDF, 335 KB)</a></p> </div> <p class="mrgn-tp-md">Cryptography is an effective way to protect the confidentiality and integrity of information and to protect IT systems from threat actors. Quantum computing threatens to break much of the cryptography we currently use. 
Quantum computers will use quantum physics to process information and solve problems that are impractical to solve using current computing capabilities.</p> <p>Existing quantum computers are not powerful enough to break cryptography. However, a threat actor could take advantage of a sufficiently powerful quantum computer in the future to decrypt and read sensitive information or access systems. Organizations will need to update their IT systems so they are safe from the quantum threat.</p> <section><h2 class="text-info">On this page</h2> <ul><li><a href="#affected">How cyber security is affected</a></li> <li><a href="#transition">Post-quantum cryptography transition</a></li> <li><a href="#organization">What your organization can do</a></li> <li><a href="#alternative">Alternative quantum-safe solutions</a></li> <li><a href="#efforts">Cyber Centre efforts</a></li> <li><a href="#learn">Learn more</a></li> </ul></section><h2 class="text-info" id="affected">How cyber security is affected</h2> <p>Your organization's cyber security is at risk as quantum computing advances. Although quantum computers cannot break cryptography now, a sufficiently powerful device could be available as early as the 2030s.</p> <p>Cryptography secures information and IT systems in two main ways: encryption and authentication.</p> <h3>Potential impact on encryption</h3> <p>Encryption protects the confidentiality of information being transmitted or stored on a device, such as a smartphone or USB drive. Threat actors can store encrypted information now to decrypt in the future when a sufficiently powerful quantum computer exists. Therefore, encrypted information with a long lifespan could be at risk<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup>. 
This immediate threat is called the “Harvest Now, Decrypt Later (HNDL)” threat.</p> <!– IMAGE EN –> <div class="panel panel-default mrgn-tp-lg"> <div class="panel-body"> <figure><figcaption class="mrgn-bttm-md"><strong>Figure 1: Interception of encrypted information and storing it for future decryption</strong></figcaption><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsap.00.017-fig1-fr_0.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Figure 1: Interception of encrypted information and storing it for future decryption</summary><p>The figure shows a threat actor intercepting encrypted information and storing it over time to decrypt in the future, when sufficiently powerful quantum computers exist.</p> </details></figure></div> </div> <h3>Potential impact on authentication</h3> <p>Authentication protects the integrity of information, ensuring it has not been altered while in transit or in storage and that it has originated from the correct source. Threat actors could use a sufficiently powerful quantum computer to impersonate trusted systems (for example, an app store or trusted vendor) to deliver fake software updates or gain access to systems of interest. 
Additionally, they could forge certificates used by secure websites, potentially allowing them to redirect legitimate traffic to sites they control.</p> <p>Figure 2 demonstrates how threat actors could use powerful quantum computers to impersonate trusted systems to deliver fake software updates and gain access to systems of interest.</p> <!– END IMAGE EN –><!– IMAGE EN –> <div class="panel panel-default mrgn-tp-lg"> <div class="panel-body"> <figure><figcaption class="mrgn-bttm-md"><strong>Figure 2: Use of powerful quantum computers for impersonation</strong></figcaption><img alt="Figure 2 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsap.00.017-fig2-en.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Figure 2: Use of powerful quantum computers for impersonation</summary><p class="mrgn-tp-md">As shown in Figure 2, the phone blocks malware because it is not signed with a valid certificate. However, when an update is signed with a valid certificate and presented to the phone, it accepts and installs it. If a quantum computer can help forge the certificate and that certificate is then used to sign malware, the phone would not know to block it, and the malware would be successfully installed.</p> <p>Unlike confidentiality, integrity will only be at risk when a sufficiently powerful quantum computer is available.</p> </details></figure></div> </div> <!– END IMAGE EN –> <h2 class="text-info" id="transition">Post-quantum cryptography transition</h2> <p>A cryptographic algorithm is quantum-safe if it is secure against a quantum computer-enabled attack. Post-quantum cryptography (PQC) refers to algorithms that are designed to be quantum-safe but that can be run on a conventional computer.</p> <p>PQC includes algorithms that establish keys for encryption and digital signature schemes for authentication. 
These are intended to be interoperable with existing communication protocols, software, and networks.</p> <p>To achieve quantum safety, we recommend that organizations transition existing cyber security solutions to use PQC. Many software vendors and cloud service providers are already planning to support PQC in their systems and products. Organizations should confirm PQC roadmaps with vendors and investigate how to transition any custom IT solutions.</p> <p>However, before PQC solutions can be adopted, the standards for PQC algorithms and the Internet communication protocols that incorporate them need to be finalized. Vendor products implementing these standards should also be validated and certified. The U.S. National Institute of Standards and Technology (NIST) published its initial set of standards for PQC algorithms in August 2024. Organizations such as the Internet Engineering Task Force (IETF) are expected to provide protocol support shortly.</p> <div class="panel panel-default mrgn-tp-lg"> <div class="panel-body"> <figure><figcaption class="mrgn-bttm-md"><strong>Figure 3: Post-quantum cryptography progression</strong></figcaption><img alt="Figure 3 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsap-00.017-en-fig-3.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Figure 3</summary><p class="mrgn-tp-md">This figure describes the timeline of the PQC progression. During the preparation stage, PQC progression includes standardization and certification program updates, as well as protocol and vendor support. 
Once certified products are released, organizations are encouraged to leverage those products and to start the PQC transition.</p> </details></figure></div> </div> <h2 class="text-info" id="organization">What your organization can do</h2> <p>We recommend that your organization take the following steps to help manage the risks associated with quantum computing advancements and to plan the transition to PQC.</p> <ul><li>Identify systems (internal and client-facing), applications, gateways and supporting security components that will need to be cryptographically transitioned <ul><li>Supporting security components can include <ul><li>public key infrastructure (PKI)</li> <li>web servers</li> <li>authorization frameworks</li> <li>authentication directories</li> <li>protected domain name system (DNS)</li> </ul></li> <li>Pay close attention to custom systems and to software developed in-house or provided by smaller vendors</li> <li>This effort is generally called developing a cryptographic inventory</li> </ul></li> <li>Identify legacy systems that cannot be transitioned or replaced and develop a risk-managed approach to protect them. An example of a solution would be tunnelling traffic through a PQC-protected virtual private network</li> <li>Evaluate the sensitivity and lifespan of your organization's information to identify information that may be at risk (as part of ongoing risk assessment processes). 
This will help you prioritize the transition work</li> <li>Review your IT lifecycle management and develop plans to transition to PQC when available</li> <li>Budget for potentially significant software and hardware updates (including support staff) as the timeframe for necessary replacement approaches</li> <li>Educate yourself and your teams on the emerging quantum threat and future quantum technologies</li> <li>Ask your vendors about their plans to implement PQC or to include PQC in future updates to determine if your organization will need to acquire new hardware or software</li> <li>Ensure that your vendor is using standardized, validated cryptography, for example cryptographic modules with Federal Information Processing Standards (FIPS) validation</li> <li>Leverage a cryptographic inventory to become cryptographically agile and allow for easier changes to cryptography in deployed systems. For more information refer to <a href="https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">Guidance on becoming cryptographically agile (ITSAP.40.018)</a></li> <li>Update and patch systems frequently</li> </ul><h2 class="text-info" id="alternative">Alternative quantum-safe solutions</h2> <p>The Cyber Centre recommends migrating to standardized PQC as the best option for organizations to achieve quantum safety. There are alternative quantum-safe solutions, described below, that could provide further cryptographic assurances when combined with PQC. However, these alternatives can significantly increase operational complexity and implementation costs. This means that they might not be feasible replacements for some organizations' current cryptographic systems. 
Furthermore, these alternatives lack security accreditation options based on recognized standards.</p> <p><strong>Symmetric key establishment</strong> (SKE) requires secret cryptographic keys to be pre-shared among all users (endpoints) via an out-of-band mechanism, as opposed to a key establishment mechanism such as in PQC. In large networks, an online trusted central authority establishes pairwise secret keys. The secure distribution of pre-shared keys and trust in a central authority are limitations to SKE adoption.</p> <p><strong>Quantum key distribution</strong> (QKD) exploits the physics of light to establish a secret key between nodes in a network. Nodes require dedicated quantum hardware and direct (fibre-optic or free-space) connection. With current technology, inter-node distances are limited to a few hundred kilometres in optical fibre. Moreover, typical user endpoints (for example, phones, laptops, modems) cannot support QKD-node functionality. Assessing the robustness of QKD systems is a challenge, and international standards bodies are working to develop QKD standards.</p> <p>Organizations considering the use of alternative quantum-safe solutions should perform their own cost-benefit analyses. 
For most organizations, the easiest and most cost-effective path to becoming quantum-safe is to implement PQC that supports cryptographic agility.</p> <h2 class="text-info" id="efforts">Cyber Centre efforts</h2> <p>As the technical authority on cryptography in the Government of Canada, the Cyber Centre is taking the following actions to help make Canada quantum safe:</p> <ul><li>advising all levels of government, critical infrastructure and other sectors on the quantum threat and the steps to be taken to prepare for the transition to PQC</li> <li>taking a lead role in the PQC transition for Government of Canada IT systems in collaboration with other government departments</li> <li>working with NIST and other partners to evaluate the security of candidate PQC algorithms and updating product certification programs, such as the Cryptographic Module Validation Program (CMVP), to test PQC implementations</li> <li>participating in international standards bodies to ensure standards for Internet communication protocols (for example, TLS and IPsec) meet the cryptographic security and privacy needs of Canadians</li> <li>working with vendors to encourage them to adopt NIST-recommended PQC in commercial products and to create tools to support the PQC transition</li> </ul><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">Guidance on becoming cryptographically agile (ITSAP.40.018)</a></li> <li><a href="/en/guidance/addressing-quantum-computing-threat-cryptography-itse00017">Addressing the quantum computing threat to cryptography (ITSE.00.017)</a></li> <li><a href="/en/cyber-centre-celebrates-new-nist-post-quantum-standards">Cyber Centre celebrates new NIST post-quantum standards</a></li> <li><a href="https://csrc.nist.gov/Projects/post-quantum-cryptography">Post-Quantum Cryptography</a></li> <li><a href="/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module 
Validation Program (CMVP)</a></li> <li><a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</a></li> <li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a></li> <li><a href="https://www.canada.ca/en/treasury-board-secretariat/news/2024/05/government-of-canadas-enterprise-cyber-security-strategy.html">Government of Canada's Enterprise Cyber Security Strategy</a></li> </ul><aside class="wb-fnote" role="note"><h3 id="References">References</h3> <dl><dt id="fn1-dt">Footnote 1</dt> <dd id="fn1"> <p>Lifespan refers to the timeframe for which information held by an organization requires protection (for example, to protect privacy or intellectual property).</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </div> </div> </article>
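<p>The "What your organization can do" list above asks for a cryptographic inventory and for prioritizing the transition by the sensitivity and lifespan of the protected information, and the Figure 2 description notes that confidentiality is at risk before integrity. The following added example (not code from the Cyber Centre publication) turns those rules into a small triage routine: the inventory entries, the algorithm family lists, the 10-year planning horizon and the priority scale are all constructed assumptions; the standard names ML-KEM, ML-DSA and SLH-DSA are the NIST PQC standards published in August 2024 and are not named on this page.</p>

```python
"""Triage a cryptographic inventory for the PQC transition.

Added example, not part of the Cyber Centre publication. The inventory
entries, the algorithm lists and the 10-year planning horizon are
constructed for illustration; adjust them to your own environment.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Use(Enum):
    KEY_ESTABLISHMENT = "key establishment"  # protects confidentiality
    SIGNATURE = "signature"                  # protects integrity/authentication
    SYMMETRIC = "symmetric"                  # symmetric cipher or hash


# Public-key families broken by a large quantum computer (Shor's algorithm).
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "EDDSA", "DSA"}
# NIST PQC standards published in August 2024 (FIPS 203, 204 and 205).
PQC_STANDARD = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class Asset:
    system: str
    use: Use
    algorithm: str        # e.g. "RSA-2048", "ECDH-P256", "AES-256", "ML-KEM-768"
    lifespan_years: int   # how long the protected information needs protection
    custom: bool = False  # in-house or small-vendor code: no vendor roadmap to rely on


def family(algorithm: str) -> str:
    """Reduce an algorithm label to its family name, e.g. 'ECDH-P256' -> 'ECDH'."""
    label = algorithm.upper()
    for name in PQC_STANDARD:
        if label.startswith(name):
            return name
    return label.split("-")[0]


def triage(asset: Asset, horizon_years: int = 10) -> Tuple[int, str]:
    """Return (priority, reason) for one inventory entry.

    0 = already quantum-safe, 1 = low, 2 = medium, 3 = high.
    Confidentiality is at risk today (captured traffic can be decrypted
    later), so quantum-vulnerable key establishment protecting long-lived
    data ranks highest; integrity is at risk only once a sufficiently
    powerful quantum computer exists, so signatures rank lower.
    """
    fam = family(asset.algorithm)
    if fam in PQC_STANDARD:
        return 0, "already uses standardized PQC"
    if asset.use is Use.SYMMETRIC:
        return 1, "symmetric primitive: not broken by Shor's algorithm; confirm key length against ITSP.40.111"
    if fam not in QUANTUM_VULNERABLE:
        return 2, f"unrecognized algorithm {asset.algorithm!r}: inventory entry needs review"
    if asset.use is Use.KEY_ESTABLISHMENT:
        if asset.lifespan_years >= horizon_years:
            priority, reason = 3, "quantum-vulnerable key establishment protecting long-lived data (harvest now, decrypt later)"
        else:
            priority, reason = 2, "quantum-vulnerable key establishment; data lifespan within the planning horizon"
    else:
        priority, reason = 1, "quantum-vulnerable signature: integrity at risk once a large quantum computer exists"
    if asset.custom and priority < 3:
        priority += 1
        reason += "; custom component, so no vendor PQC roadmap to rely on"
    return priority, reason


def prioritize(assets: List[Asset], horizon_years: int = 10) -> List[Tuple[str, int, str]]:
    """Rank the whole inventory, highest priority first."""
    rows = [(a.system, *triage(a, horizon_years)) for a in assets]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", Use.KEY_ESTABLISHMENT, "ECDH-P256", lifespan_years=15),
    Asset("code-signing", Use.SIGNATURE, "RSA-3072", lifespan_years=5),
    Asset("legacy-hr-app", Use.SIGNATURE, "ECDSA-P256", lifespan_years=5, custom=True),
    Asset("backup-encryption", Use.SYMMETRIC, "AES-256", lifespan_years=30),
    Asset("pilot-kem", Use.KEY_ESTABLISHMENT, "ML-KEM-768", lifespan_years=30),
]

if __name__ == "__main__":
    for system, priority, reason in prioritize(SAMPLE_INVENTORY):
        print(f"P{priority} {system:18} {reason}")
```

<p>The ranking is deliberately simple: the only inputs are the algorithm family, what the key is used for, how long the data must stay protected, and whether a vendor roadmap exists. Those are exactly the fields a cryptographic inventory has to capture for the prioritization step in the list above to be possible at all.</p>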
- Virtual private networks (ITSAP.80.101) by Canadian Centre for Cyber Security on February 5, 2025 at 2:14 pm
<article data-history-node-id="676" about="/en/guidance/virtual-private-networks-itsap80101" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>February 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.80.101</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>February 2025&nbsp;|&nbsp;Awareness series</strong></p> </div> <!--pdf download--> <div class="col-md-12 mrgn-tp-lg"> <p>A virtual private network (VPN) is a secure connection that can allow remote access to a corporate network. A <abbr title="virtual private network">VPN</abbr> acts as a tunnel to send and receive data securely and to allow users to interact and work as though they are onsite. 
This publication introduces some of the considerations when an organization is looking to use <abbr title="virtual private network">VPN</abbr> technologies for business purposes.</p> <h2>On this page</h2> <ul><li><a href="#how">How <abbr title="virtual private networks">VPNs</abbr> work</a></li> <li><a href="#types">Types of <abbr title="virtual private networks">VPNs</abbr></a></li> <li><a href="#protocols">Protocols</a></li> <li><a href="#choosing">Choosing a <abbr title="virtual private network">VPN</abbr></a></li> <li><a href="#risks">Risks of using a <abbr title="virtual private network">VPN</abbr></a></li> <li><a href="#protecting">Protecting your data when using a <abbr title="virtual private network">VPN</abbr></a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="how">How <abbr title="virtual private networks">VPNs</abbr> work</h2> <p>A <abbr title="virtual private network">VPN</abbr> conceals incoming and outgoing data through a secure tunnel. A <abbr title="virtual private network">VPN</abbr> tunnel encrypts the data being transmitted between 2 parties over an untrusted network, such as the Internet.</p> <h2 class="text-info" id="types">Types of <abbr title="virtual private networks">VPNs</abbr></h2> <p>There are various types of <abbr title="virtual private networks">VPNs</abbr> your organization can consider.</p> <ul><li><strong>Gateway-to-gateway:</strong> Used to connect 2 networks by creating a <abbr title="virtual private network">VPN</abbr> over a public network and securing traffic between them. 
This type of <abbr title="virtual private network">VPN</abbr> is typically used to connect remote office sites</li> <li><strong>Host-to-gateway (remote access):</strong> Used to provide remote access to an enterprise network, such as from a remote worker's laptop</li> <li><strong>Host-to-host:</strong> Used to connect a host to a specific resource on an enterprise network or another specific host</li> <li><strong>Third-party privacy:</strong> Used to secure a connection from a public access point, such as an airport or hotel Wi-Fi hotspot, to a third-party <abbr title="virtual private network">VPN</abbr> provider. The provider then redirects the user's traffic to make it appear to originate from the third party's network</li> </ul><h2 class="text-info" id="protocols">Protocols</h2> <p>The protocols most widely used for <abbr title="virtual private networks">VPNs</abbr> are Internet Protocol Security (IPsec) and Transport Layer Security (TLS).</p> <p>We recommend <abbr title="Internet Protocol Security">IPsec</abbr> as the primary choice for <abbr title="virtual private network">VPN</abbr> access. <abbr title="Internet Protocol Security">IPsec</abbr> is an open standard, meaning that anyone can build a client or server that will interoperate with other <abbr title="Internet Protocol Security">IPsec</abbr> implementations.</p> <p><abbr title="Transport Layer Security">TLS</abbr> <abbr title="virtual private networks">VPNs</abbr> often use custom, non-standard features to tunnel traffic via <abbr title="Transport Layer Security">TLS</abbr>. 
Using custom or non-standard features can expose your organization to additional risk, even when the <abbr title="Transport Layer Security">TLS</abbr> parameters used by products are secure.</p> <h2 class="text-info" id="choosing">Choosing a <abbr title="virtual private network">VPN</abbr></h2> <p>Before choosing a <abbr title="virtual private network">VPN</abbr>, your organization should assess its business needs and capabilities and weigh the risks. As noted, the 2 most common protocols, <abbr title="Internet Protocol Security">IPsec</abbr> and <abbr title="Transport Layer Security">TLS</abbr>, determine how data is sent, received and secured.</p> <p><abbr title="Internet Protocol Security">IPsec</abbr> offers 2 modes, transport mode and tunnel mode; which one to use depends on your organization's needs and its capability to configure either option.</p> <ul><li>In transport mode, the original <abbr title="Internet Protocol">IP</abbr> header is retained and only the payload data within the original <abbr title="Internet Protocol">IP</abbr> packet is encrypted. This mode is less complex than tunnel mode and is used for direct communication between 2 hosts within an established secure <abbr title="Internet Protocol Security">IPsec</abbr> tunnel</li> <li>In tunnel mode, the entire original <abbr title="Internet Protocol">IP</abbr> packet is encapsulated within a new <abbr title="Internet Protocol">IP</abbr> packet. 
A new <abbr title="Internet Protocol">IP</abbr> header is added on top of the original packet <ul><li>This mode is useful for protecting traffic between different networks or for connecting distant branches securely</li> <li>Tunnel mode is commonly used for business <abbr title="virtual private networks">VPNs</abbr></li> </ul></li> </ul><p>An <abbr title="Internet Protocol Security">IPsec</abbr> <abbr title="virtual private network">VPN</abbr> client is built into many operating systems and no additional products are required to deploy a <abbr title="virtual private network">VPN</abbr>. However, some third-party networks restrict or block <abbr title="Internet Protocol Security">IPsec</abbr> traffic, so your mobile devices may be unable to create the <abbr title="virtual private network">VPN</abbr> connection.</p> <p>A <abbr title="Transport Layer Security">TLS</abbr>-based <abbr title="virtual private network">VPN</abbr> solution may be clientless and accessed via a web browser. In this configuration, it's important to have strict security restrictions on the server since <abbr title="Transport Layer Security">TLS</abbr> in a web browser is designed for accessing websites via HTTPS. This configuration also exposes a public web interface and may have a greater risk of split tunnelling.</p> <p><abbr title="Transport Layer Security">TLS</abbr> <abbr title="virtual private networks">VPNs</abbr> that use a third-party client and server rarely interoperate with products from other vendors. Your organization will need to use both from the same vendor. 
While <abbr title="Transport Layer Security">TLS</abbr> is a standardized protocol, how it is used to create a <abbr title="virtual private network">VPN</abbr> is not.</p> <p>Your organization should assess its specific business needs before choosing a <abbr title="virtual private network">VPN</abbr> protocol framework.</p> <h2 class="text-info" id="risks">Risks of using a <abbr title="virtual private network">VPN</abbr></h2> <p>The security provided by a <abbr title="virtual private network">VPN</abbr> solution depends on proper configuration and consistent use of the <abbr title="virtual private network">VPN</abbr> within your organization. Before purchasing a <abbr title="virtual private network">VPN</abbr> solution, your organization should ensure it aligns with your security policies and the standards presented in this publication. The <abbr title="virtual private network">VPN</abbr> solution must also align with the intended needs of your organization as this can affect which <abbr title="virtual private network">VPN</abbr> to choose.</p> <p>Your organization may have increased levels of risk due to the following circumstances:</p> <ul><li>A <abbr title="virtual private network">VPN</abbr> may not be able to provide the desired level of security should misconfigurations occur or if cryptographic modules lacking <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program">Cryptographic Module Validation Program (CMVP)</a> certification are accepted or applied <ul><li>The <abbr title="Cryptographic Module Validation Program">CMVP</abbr> is a joint validation program between the U.S. 
National Institute of Standards and Technology and the Canadian Centre for Cyber Security</li> <li>This program gives federal agencies a security metric to help them acquire appropriate equipment</li> </ul></li> <li>Threat actors can attack vulnerabilities within <abbr title="virtual private networks">VPNs</abbr>, which can lead to exploitation that gains access to your network and captures sensitive data <ul><li>Examples of such attacks are <ul><li>credential harvesting</li> <li>remote code execution on the <abbr title="virtual private network">VPN</abbr> device</li> <li>weakening and possible hijacking of the traffic sessions</li> </ul></li> <li>Outdated systems carry a higher risk of exploitable vulnerabilities</li> <li>Apply the latest patches and versions so the system stays up to date and operates at optimal levels</li> </ul></li> <li>Certain practices like split tunnelling can negate the security of the <abbr title="virtual private network">VPN</abbr> <ul><li>Split tunnelling allows you to divide your network traffic and route certain data through an encrypted <abbr title="virtual private network">VPN</abbr> tunnel and other data through an open network</li> <li>This allows for possible bridging between the open Internet and the secure tunnel, putting your data at risk</li> <li>Your organization should avoid split tunnelling as much as possible</li> </ul></li> </ul><p>Remember that a <abbr title="virtual private network">VPN</abbr> does not provide security against users clicking on a malicious link or downloading malicious content.</p> <h2 class="text-info" id="protecting">Protecting your data when using a <abbr title="virtual private network">VPN</abbr></h2> <p>Your organization should assess the type and value of data being sent and accessed through a <abbr title="virtual private network">VPN</abbr> to understand the associated risks. 
You should implement clear policies for employees using a <abbr title="virtual private network">VPN</abbr> to remotely access corporate servers.</p> <p>We strongly recommend that configuration of either <abbr title="Internet Protocol Security">IPsec</abbr> or <abbr title="Transport Layer Security">TLS</abbr> be done in accordance with <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a>.</p> <p>When using a <abbr title="virtual private network">VPN</abbr> solution, your organization should consider the following industry standards:</p> <ul><li>Restrict external access to the <abbr title="virtual private network">VPN</abbr> device by port and protocol <ul><li>For <abbr title="Internet Protocol Security">IPsec</abbr> <abbr title="virtual private networks">VPNs</abbr>, allow only UDP ports 500 and 4500 and the Encapsulating Security Payload (ESP) protocol (transport mode)</li> <li>For <abbr title="Transport Layer Security">TLS</abbr> <abbr title="virtual private networks">VPNs</abbr>, allow only TCP port 443 or other necessary ports and protocols. 
Limit additional ports and protocols as much as possible</li> </ul></li> <li>Patch the web interface regularly if using <abbr title="Transport Layer Security">TLS</abbr> <abbr title="virtual private networks">VPNs</abbr></li> <li>Use a forced <abbr title="virtual private network">VPN</abbr> to align with your organization's security posture and capabilities, where possible <ul><li>A forced <abbr title="virtual private network">VPN</abbr> or forced tunnelling is when an organization sends all its data through <abbr title="virtual private network">VPN</abbr> encryption</li> <li>This includes Internet browsing and remote access and is a safer method than split tunnelling</li> </ul></li> <li>Activate multi-factor authentication (MFA) and use phishing-resistant factors such as <ul><li>an application authenticator</li> <li>biometrics</li> <li>hard tokens</li> </ul></li> <li>Require employees to utilize a privileged access workstation when accessing sensitive accounts (administrator or privileged users) if using a <abbr title="virtual private network">VPN</abbr></li> <li>Use enterprise-managed controls to ensure employees use a <abbr title="virtual private network">VPN</abbr> when connected to any network that does not leverage your organization's security capabilities, such as public Wi-Fi</li> <li>Protect and monitor access to and from the <abbr title="virtual private network">VPN</abbr> in use. 
Your <abbr title="virtual private network">VPN</abbr> capabilities should include the use of common security practices such as <ul><li>intrusion prevention systems (logging and monitoring)</li> <li>web application firewalls</li> <li>network segmentation</li> </ul></li> <li>Apply application-layer encryption to the data before it is sent over a <abbr title="virtual private network">VPN</abbr>, when there are concerns as to the sensitivity of the data</li> </ul><h2 class="text-info" id="learn">Learn more</h2> <p>For additional information, we also recommend you review guidance from our partner organizations, which has been leveraged here: specifically, guidance from the National Cyber Security Centre (UK), as well as a joint document from the U.S. National Security Agency and Cybersecurity and Infrastructure Security Agency.</p> <ul><li><a href="https://www.ncsc.gov.uk/collection/device-security-guidance/infrastructure/virtual-private-networks">Virtual Private Networks</a> (National Cyber Security Centre)</li> <li><a href="https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF">Selecting and Hardening Remote Access Virtual Private Network Solutions (PDF, 414 KB)</a> (National Security Agency and Cybersecurity and Infrastructure Security Agency)</li> <li><a href="/en/guidance/using-encryption-keep-your-sensitive-data-secure-itsap40016">Using encryption to keep your sensitive data secure (ITSAP.40.016)</a></li> <li><a href="/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105">Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)</a></li> <li><a href="/en/guidance/wi-fi-security-itsp80002">Wi-Fi security (ITSP.80.002)</a></li> <li><a 
href="/en/guidance/guidance-using-tokenization-cloud-based-services-itsp50108">Guidance on using tokenization for cloud-based services (ITSP.50.108)</a></li> </ul></div> </div> </div> </div> </div> </div> </div> </article>
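<p>The publication above says to restrict external access to the VPN device by port and protocol (UDP 500, UDP 4500 and ESP for IPsec; TCP 443 for TLS) and to monitor access to and from the VPN. The following added example (not code from the Cyber Centre publication) shows one way to check that the first rule is actually enforced, by reading accepted inbound flows out of firewall logs and reporting any that reach a VPN gateway outside its allow list. The log line format, the gateway addresses (TEST-NET ranges) and the sample log lines are constructed for illustration; the port and protocol numbers are the ones the guidance names.</p>

```python
"""Check VPN gateway exposure against a port/protocol allow list.

Added example, not part of the Cyber Centre publication. The log format,
the gateway addresses and the log lines are constructed for illustration;
adapt parse_line() to your firewall's real log format.
"""
import re
from typing import Dict, List, Optional

# Port/protocol allow list from the publication: IPsec needs UDP 500 (IKE),
# UDP 4500 (NAT traversal) and ESP (IP protocol 50); TLS VPNs need TCP 443.
# None as the port means "no port", since ESP carries no port numbers.
ALLOWED = {
    "ipsec": {("udp", 500), ("udp", 4500), ("esp", None)},
    "tls": {("tcp", 443)},
}

# Constructed firewall log format: timestamp, verdict, proto, src, dst[, dport].
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: dport=(?P<dport>\d+))?$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].lower()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def find_exposures(lines: List[str], gateways: Dict[str, str]) -> List[Dict[str, object]]:
    """Return accepted inbound flows to a VPN gateway outside its allow list.

    gateways maps gateway address -> "ipsec" or "tls". Dropped traffic is
    ignored: the finding is that the firewall accepted something it should
    not have, i.e. the port/protocol restriction is not being enforced.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "ACCEPT":
            continue
        kind = gateways.get(rec["dst"])
        if kind is None:
            continue  # destination is not a VPN gateway
        if (rec["proto"], rec["dport"]) not in ALLOWED[kind]:
            findings.append({**rec, "gateway_type": kind})
    return findings


# Constructed sample: 198.51.100.10 is an IPsec gateway, 198.51.100.20 a TLS gateway.
GATEWAYS = {"198.51.100.10": "ipsec", "198.51.100.20": "tls"}
SAMPLE_LOG = """\
2025-02-05T10:00:01Z ACCEPT proto=udp src=203.0.113.5 dst=198.51.100.10 dport=500
2025-02-05T10:00:02Z ACCEPT proto=udp src=203.0.113.5 dst=198.51.100.10 dport=4500
2025-02-05T10:00:03Z ACCEPT proto=esp src=203.0.113.5 dst=198.51.100.10
2025-02-05T10:00:04Z ACCEPT proto=tcp src=203.0.113.77 dst=198.51.100.10 dport=22
2025-02-05T10:00:05Z DROP proto=tcp src=203.0.113.77 dst=198.51.100.10 dport=443
2025-02-05T10:00:06Z ACCEPT proto=tcp src=203.0.113.9 dst=198.51.100.20 dport=443
2025-02-05T10:00:07Z ACCEPT proto=tcp src=203.0.113.9 dst=198.51.100.20 dport=8443
2025-02-05T10:00:08Z ACCEPT proto=tcp src=203.0.113.9 dst=198.51.100.30 dport=25
""".splitlines()

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG, GATEWAYS):
        print(f"{f['ts']} {f['gateway_type']} gateway {f['dst']} accepted "
              f"{f['proto']}/{f['dport']} from {f['src']}")
```

<p>On the constructed sample the check reports two accepted flows: a management port (TCP 22) reached on the IPsec gateway and a second HTTPS port (TCP 8443) reached on the TLS gateway. Either one is the kind of additional port the guidance says to limit; the dropped TCP 443 attempt against the IPsec gateway is correct behaviour and is not reported.</p>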
- Joint guidance on building trust in artificial intelligence through a cyber risk-based approach by Canadian Centre for Cyber Security on February 4, 2025 at 5:57 pm
<article data-history-node-id="6015" about="/en/news-events/joint-guidance-building-trust-artificial-intelligence-through-cyber-risk-based-approach" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the French Cyber Security Agency (ANSSI) in releasing joint guidance on a risk-based approach to support trusted artificial intelligence (AI) systems and secure <abbr title="artificial intelligence">AI</abbr> supply chains.</p> <p>AI impacts almost every sector, from defence to energy. While it presents many opportunities for organizations, threat actors can exploit vulnerabilities and jeopardize the use of <abbr title="artificial intelligence">AI</abbr> technology. Organizations and stakeholders need to assess the risks linked to their increased reliance on <abbr title="artificial intelligence">AI</abbr> and their rapid adoption of large language models (LLMs). Understanding and mitigating these risks is critical to fostering trusted <abbr title="artificial intelligence">AI</abbr> development and implementation.</p> <p><abbr title="artificial intelligence">AI</abbr> systems face the same cyber security threats as any other information system. 
However, there are <abbr title="artificial intelligence">AI</abbr>-specific risks, particularly those related to the central role of data in <abbr title="artificial intelligence">AI</abbr> systems, that pose unique challenges to confidentiality and integrity.</p> <p>Some of the main <abbr title="artificial intelligence">AI</abbr>-specific risks to consider are:</p> <ul><li><abbr title="artificial intelligence">AI</abbr> hosting and management infrastructure compromises</li> <li>supply chain attacks</li> <li>lateral movement via interconnections between <abbr title="artificial intelligence">AI</abbr> systems and IT systems</li> <li>long-term loss of control over information systems</li> <li>malfunction in <abbr title="artificial intelligence">AI</abbr> system responses</li> </ul><p>Deployment of <abbr title="artificial intelligence">AI</abbr> systems can open new paths of attack for threat actors. Organizations must conduct an analysis to assess the risks, understand the <abbr title="artificial intelligence">AI</abbr> supply chain and identify the appropriate security measures.</p> <p>This joint guidance provides guidelines for <abbr title="artificial intelligence">AI</abbr> users, operators and developers, including:</p> <ul><li>adjusting the autonomy level of the <abbr title="artificial intelligence">AI</abbr> system to the risk analysis, business needs and criticality of the actions undertaken</li> <li>mapping the <abbr title="artificial intelligence">AI</abbr> supply chain</li> <li>tracking interconnections between <abbr title="artificial intelligence">AI</abbr> systems and other information systems</li> <li>continuously monitoring and maintaining <abbr title="artificial intelligence">AI</abbr> systems</li> <li>implementing a process to anticipate major technological and regulatory changes</li> <li>identifying new and potential threats</li> <li>providing training and raising awareness</li> </ul><p>This joint guidance also provides recommended actions, 
including:</p> <ul><li>prohibiting the use of <abbr title="artificial intelligence">AI</abbr> systems to automate critical actions</li> <li>ensuring <abbr title="artificial intelligence">AI</abbr> is appropriately integrated into critical processes with safeguards</li> <li>performing a dedicated risk analysis</li> <li>studying the security of each stage of the <abbr title="artificial intelligence">AI</abbr> system lifecycle</li> </ul><p>Read the full joint guidance <a href="https://cyber.gouv.fr/en/publications/building-trust-ai-through-cyber-risk-based-approach">Building trust in <abbr title="artificial intelligence">AI</abbr> through a cyber risk-based approach</a> to learn more.</p> </div> </div> </div> </div> </div> </article>
- Five Eyes publish series to sound alarm on cyber security threats to edge devices by Canadian Centre for Cyber Security on February 4, 2025 at 3:00 pm
<article data-history-node-id="6008" about="/en/news-events/five-eyes-publish-series-sound-alarm-cyber-security-threats-edge-devices" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the following international partners in releasing a series of complementary publications on cyber security for edge devices:</p> <ul><li>Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC)</li> <li>New Zealand's National Cyber Security Centre (NCSC-NZ)</li> <li>United Kingdom's National Cyber Security Centre (NCSC-UK)</li> <li>United States' (U.S.) Cybersecurity and Infrastructure Security Agency (CISA)</li> <li>U.S. National Security Agency (NSA)</li> </ul><p>Edge devices refer to hardware or software tools that sit at the perimeter of networks, such as VPNs, firewalls and routers. These devices help facilitate and secure the connection between internal networks and external ones like the Internet.</p> <p>In the last year, cyber threat actors have increasingly exploited vulnerabilities in edge devices to compromise organizations worldwide. Canada and its Five Eyes partners have been warning about this threat since early 2024. 
Targeting edge devices has now become a tactic of choice for many cyber threat actors, including state-sponsored actors.</p> <p>This guidance series aims to inform organizations of the growing threat to edge devices and encourage swift implementation of appropriate measures to defend against it. It includes 4 publications, tailored to different audiences. This is the first time the Cyber Centre has written guidance jointly endorsed by its Five Eyes partners.</p> <h2>Security considerations for edge devices</h2> <p>This joint guidance developed by the Cyber Centre is a management publication that outlines the security considerations for commonly used edge devices. The publication provides recommendations for mitigating threats to virtual private networks, routers and firewalls.</p> <p>Read the joint guidance <a href="/en/guidance/security-considerations-edge-devices-itsm80101">Security considerations for edge devices</a>.</p> <h2>Mitigation strategies for edge devices: Executive guidance</h2> <p>This joint guidance developed by ACSC is an executive-level summary that consolidates key practices to effectively manage and secure edge devices.</p> <p>Read the joint guidance <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/network-hardening/securing-edge-devices/mitigating-strategies-edge-devices-executive-guidance">Mitigation strategies for edge devices: Executive guidance</a>.</p> <h2>Mitigation strategies for edge devices: Practitioner guidance</h2> <p>This joint guidance developed by ACSC expands on the previous one and provides a list of principal mitigation strategies to improve security and resilience against cyber threats.</p> <p>Read the joint guidance <a 
href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/network-hardening/securing-edge-devices/mitigation-strategies-edge-devices-practitioner-guidance">Mitigation strategies for edge devices: Practitioner guidance</a>.</p> <h2>Digital forensics and protective monitoring specifications for producers of network devices and appliances</h2> <p>This joint guidance developed by NCSC-UK helps network defenders secure their organization's environments before and after a compromise. The publication defines the minimum requirements for forensic visibility.</p> <p>Read the joint guidance <a href="https://www.ncsc.gov.uk/guidance/guidance-on-digital-forensics-protective-monitoring">Digital forensics and protective monitoring specifications for producers of network devices and appliances</a>.</p> </div> </div> </div> </div> </div> </article>
- Security considerations for edge devices (ITSM.80.101) by Canadian Centre for Cyber Security on February 4, 2025 at 3:00 pm
<article data-history-node-id="5685" about="/en/guidance/security-considerations-edge-devices-itsm80101" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>February 2025</strong> </p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong> </p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.80.101</strong> </p> </div> <div class="hidden-lg hidden-md text-center"> <p><strong>February 2025 | Awareness series</strong> </p> </div> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm-80-101.en_.pdf">Security considerations for edge devices (ITSM.80.101) (PDF, 211 KB)</a> </p> </div> <div class="clear-fix"> </div> <section><p>Edge devices are an important part of many enterprise computing systems. They allow connections between the various devices that support productivity. However, as with many technologies, they are not without their vulnerabilities. Edge devices require attention and diligence to keep data safe and secure. </p> <p>Cyber threat actors have increasingly exploited vulnerabilities in edge devices to compromise organizations worldwide. 
Targeting edge devices has now become a tactic of choice for many cyber threat actors, including state-sponsored actors. </p> <p>This publication provides organizations with an overview of cyber security considerations and threats relating to edge devices. It also includes examples, recommendations and mitigations that IT professionals can apply to reduce the risk of compromise. </p> <p>This publication is part of a series of complementary publications on cyber security measures and mitigations for edge devices, developed with contributions from the following partnering agencies: </p> <ul><li>Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC)</li> <li>New Zealand's National Cyber Security Centre (NCSC-NZ)</li> <li>United Kingdom's National Cyber Security Centre (NCSC-UK)</li> <li>United States' (U.S.) Cybersecurity and Infrastructure Security Agency (CISA)</li> <li>U.S. National Security Agency (NSA)</li> </ul></section><section><details class="mrgn-tp-md"><summary><h2 class="h3 text-info">Table of contents</h2> </summary><ul class="list-unstyled "><li><a href="#introduction">Introduction</a></li> <li><a href="#commonly">Commonly used edge devices</a> <ul><li><a href="#virtual">Virtual private network gateways</a></li> <li><a href="#firewalls">Firewalls</a></li> <li><a href="#routers">Routers</a></li> </ul></li> <li><a href="#considerations">Considerations for edge devices</a></li> <li><a href="#threats">Threats to edge devices</a> <ul><li><a href="#misconfigurations">Misconfigurations and mismanagement of edge devices</a></li> <li><a href="#vulnerability">Vulnerability exploitation</a></li> <li><a href="#denial">Denial of service and distributed denial of service attacks</a></li> <li><a href="#web">Web-based applications</a></li> <li><a href="#default">Default configuration settings</a></li> </ul></li> <li><a href="#examples">Examples of edge device compromises</a> <ul><li><a href="#fortinet">Fortinet, FortiOS (CVE-2024-21762; CVE-2022-42475)</a></li> <li><a href="#cisco">Cisco, Cisco IOS (CVE-2023-20198; CVE-2023-20273)</a></li> </ul></li> <li><a href="#mitigating">Mitigating threats to edge devices</a></li> <li><a href="#recommendations">Recommendations for edge device manufacturers</a></li> <li><a href="#information">Additional information</a></li> </ul><h2 class="h3">List of figures</h2> <ul class="list-unstyled"><li><a href="#fig1">Figure 1: Placement of edge devices</a></li> </ul></details></section><div class="clearfix"> </div> <h2 class="text-info" id="introduction">Introduction</h2> <p>Edge devices are network hardware or software components that bridge internally managed networks and external, untrusted networks such as the Internet. These devices connect corporate networks to the Internet, provide controlled connectivity to protected internal networks and enable traffic flow. </p> <p>The terms “boundary” and “perimeter” are also used to refer to the “edge” of a network. The edge of the network is a logical boundary set by administrators to separate internal networks from external networks, where malicious actors have unfettered access. Its purpose is to channel all traffic, whether inbound or outbound, to a device that applies security policies for the protection of the internal network. </p> <p>The network edge, boundary or perimeter has pathways to the internal network, where the internal services are hosted. All network edges require their own degree of security, not only to keep data and the internal network safe, but also to protect the edge devices themselves from being exploited. 
</p> <h2 class="text-info" id="commonly">Commonly used edge devices</h2> <p>This guidance on securing edge devices is limited to VPNs, firewalls and routers, as these are the most commonly used edge devices. </p> <h3 id="virtual">Virtual private network gateways</h3> <p>A virtual private network (VPN) gateway provides a secure connection between two points, such as your laptop and your organization’s network. A VPN acts as a tunnel that you can use to send and receive data securely across the edge of a network. The encrypted data is sent through a "tunnel" that protects it from threat actors. </p> <p>For more information, see our publication <a href="/en/guidance/virtual-private-networks-itsap80101">Virtual private networks (ITSAP.80.101)</a>. </p> <h3 id="firewalls">Firewalls</h3> <p>Firewalls are security devices (physical or virtual) that control the data entering and exiting a network or security zone. They monitor and control data traffic based on a predefined set of rules. Firewalls are situated at the edge between the network and the user to provide essential security. They inspect traffic passing through and either allow or deny connections from reaching their destination. It is important to configure firewalls with a default deny rule to block unknown traffic. </p> <p>For more information, see our publication <a href="/en/guidance/firewall-security-considerations-itsap80039">Firewall security considerations (ITSAP.80.039)</a>. </p> <h3 id="routers">Routers</h3> <p>Routers direct traffic between internal networks and the Internet but do not provide the same security as a firewall. A router directs packets based on routing rules that are manually configured, dynamically learned from other devices, or both. Routers are essential for any network. 
It is important for routers to enforce isolation of network segments, such as OT network segments, to minimize the attack surface. </p> <p>For more information, see <a href="/en/guidance/routers-cyber-security-best-practices-itsap80019">Router cyber security best practices (ITSAP.80.019)</a>. </p> <div class="panel panel-default mrgn-tp-lg"> <div class="panel-body"> <figure id="fig1"><figcaption class="mrgn-bttm-md"><strong>Figure 1 – Placement of edge devices</strong> </figcaption><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsap-80.102-en-figure-1.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary><strong>Long description</strong> </summary> Figure 1 illustrates where an edge device is situated. In this case, the VPN gateway and the external firewall sit on the network perimeter between external users and the organization’s network. The network can be accessed by a remote user (an employee, an external user or a customer) through a client VPN. The traffic flows through the VPN gateway and the external firewall to enter the public access zone and reach the external website or mail service. An internal edge device, the internal firewall, sits at the edge between the organization’s public access zone and its operations zone, where its routine operations, systems and servers reside. </details></figure></div> </div> <h2 class="text-info" id="considerations">Considerations for edge devices</h2> <p>Your organization requires your corporate devices to access web and email capabilities. This means allowing connectivity between the local network and the Internet. Your organization can secure these connections by using a security-focused edge device, like a firewall, VPN or router. These types of edge devices are built to resist and block malicious traffic coming from the Internet. 
</p> <p>Despite advancements in cyber security measures and better visibility of network infrastructures, edge devices are still at a significant risk of compromise. This is mainly due to vulnerabilities in edge devices and to how the network (and gateway) architecture is configured.<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> </p> <p>Some factors your organization should consider when evaluating the security of an edge device include: </p> <ul><li>how it is made (the responsibility of the manufacturer)</li> <li>how it is configured (a shared responsibility between the manufacturer, through vendor hardening guides, and the organization)</li> <li>when the most recent software, firmware, operating system and security updates and patches were applied</li> </ul><h2 class="text-info" id="threats">Threats to edge devices</h2> <p>There are several ways in which edge devices can be compromised and leveraged by threat actors to gain access to your environment. A prominent vector is any device that is directly connected and used as a preventative and detective measure, such as a firewall. Threat actors will spend time and resources examining all possible vectors in an attempt to bypass the boundary controls and protections in place. </p> <h3 id="misconfigurations">Misconfigurations and mismanagement of edge devices</h3> <p>Any misconfigured edge device component, such as a misconfigured router or VPN, can lead to a compromise. Configuration and security standards should be set by your organization, and each device deployment must follow them. While this can be taxing on resources, you can alleviate some of the pressure by leveraging a centralized configuration management model. 
By doing so, your organization will be able to monitor and manage security devices across your environment from one point of control. </p> <p>We strongly recommend that your organization's administrators perform all security and configuration related tasks from a dedicated administrative workstation, like a privileged access workstation (PAW) or a secure access workstation (SAW). This will enhance your ability to monitor for potential threats and to control the scale of a cyber incident should you be compromised. </p> <p>For more information on management and architectural zones, see ASD's guidance on <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-administration/secure-administration">secure administration</a>. </p> <h3 id="vulnerability">Vulnerability exploitation</h3> <p>Threat actors focus their attention on the vulnerabilities of individual devices at the edge of the network. Edge devices are usually connected to the Internet and have public IP addresses that can be reached from anywhere. This makes edge devices particularly susceptible to exploitation, as threat actors can use the Internet to identify and exploit vulnerabilities in these devices. </p> <p>Vulnerability exploitation occurs when threat actors leverage vulnerabilities that organizations may not be aware of or have not had the chance to address with updates or patches. Exploitation of known vulnerabilities occurs when threat actors leverage vulnerabilities for which patches are available but have not been applied. </p> <p>Once zero-day threats leveraging unknown vulnerabilities are used and detected, responsible device manufacturers will release patches quickly. Your organization must keep abreast of released patches, fixes and device updates to mitigate known vulnerabilities. Your organization must have procedures in place to action updates and patches immediately, before threat actors can exploit known vulnerabilities. 
</p> <p>Your organization can also be vulnerable if you are not receiving notifications regarding security updates and patches. If a security update is left uninstalled, your device may be vulnerable to compromise. Ensure you configure automatic updates in your environment or designate a mandatory window of time in which updates must be installed. A vulnerability scanner should be used regularly to help you identify missed patches or updates for vulnerabilities in the operating systems of Internet-facing network devices. This will help you mitigate known vulnerabilities. </p> <h3 id="denial">Denial of service and distributed denial of service attacks</h3> <p>Denial of service (DoS) attacks seek to impede the functionality of services and make networks unavailable. Distributed denial of service (DDoS) means that threat actors use many devices connected to the network to achieve their goal. </p> <p>To be effective, a DDoS attack requires leveraging multiple compromised devices, sometimes referred to as a botnet. Most DoS attacks involve flooding the victim with useless traffic, and a few exploit vulnerabilities specific to the targeted service. Small office, home office or personal Internet routers are popular devices for threat actors to compromise and leave dormant until they're ready to scale up their attack. If these edge devices are not kept patched and updated, threat actors can exploit them to attack other networks. </p> <p>When the time comes, the malicious actor can trigger all the compromised devices to participate in the DDoS attack. This creates enough requests to slow down, cripple or completely bring down a network by overloading the edge device’s capability to defend itself. </p> <p>Though this will not entirely protect against DoS and DDoS attacks, we recommend keeping edge devices patched to make it more difficult for threat actors to identify and exploit vulnerabilities in edge devices in support of these attacks. 
</p> <p>For more information on mitigating DDoS attacks, see <a href="/en/guidance/defending-against-distributed-denial-service-ddos-attacks-itsm80110">Defending against distributed denial of service (DDoS) attacks</a>. </p> <h3 id="web">Web-based applications</h3> <p>When connected to the Internet, your device can be exposed to intrusion attempts. For business and operational purposes, organizations often need to make a server accessible from the Internet. Such servers could include: </p> <ul><li>edge device management servers</li> <li>mail or web servers</li> <li>servers used to provide connectivity via mobile apps</li> <li>remote access servers</li> </ul><p>This functionality may be desirable, but it adds risks that should be fully considered. The external-facing server is usually placed on a separate network, a demilitarized zone (DMZ), that allows connections through the firewall to external networks. Exposed edge devices or external-facing servers may increase the threat surface. </p> <h3 id="default">Default configuration settings</h3> <p>Some edge networking companies have not moved away from the practice of setting default passwords. Credentials must be changed from their default settings, as these default passwords can be easily discovered and exploited by threat actors. IT security teams must change default configuration settings on devices before deploying them. </p> <p>We recommend that security teams create a baseline configuration document to use when configuring devices. This baseline should include disabling unneeded services, protocols and ports, and changing default usernames and passwords. </p> <p>Once deployed, edge devices and their security settings become the responsibility of the administrator or operator. 
We recommend you consult the manufacturer's manual and hardening guide included with your product, or external entities such as the <a href="https://www.cisecurity.org/cis-benchmarks">Center for Internet Security (CIS)</a>, for additional configuration and hardening information. </p> <p>Some security settings can be locked and controlled at the administrative level, but at times the installation or implementation of security controls or settings is left to an operator or end user who may not have a deep technical understanding of cyber security. Operators and end users should review and follow the available guidance on the acceptable configuration and use of edge devices provided by their organization and the manufacturer. </p> <p>While tailored cyber security and acceptable use policies can help mitigate attacks that exploit user error, we urge manufacturers to create environments that are tolerant of user error. Adhering to secure by design (SbD) principles will enhance the security of devices and help users deploy them more securely. </p> <p>We encourage manufacturers to follow SbD principles. By implementing SbD principles during the product design phase, manufacturers can significantly decrease the number of exploitable flaws before introducing products to the market for widespread use. SbD will also ensure products are delivered to consumers in the most secure configuration. </p> <p>For more information, see the recommendations for edge device manufacturers in this publication. </p> <h2 class="text-info" id="examples">Examples of edge device compromises</h2> <p>The following examples highlight the methods by which edge devices can be compromised and leveraged by threat actors. They also highlight some of the potential impacts of these types of compromises on organizations. 
</p> <h3 id="fortinet">Fortinet, FortiOS (CVE-2024-21762; CVE-2022-42475)</h3> <p>On February 8, 2024, Fortinet disclosed an out-of-bounds write vulnerability, CVE-2024-21762, that allows a threat actor to connect without providing valid user credentials and run arbitrary commands on the edge device itself. The vulnerability, a vendor vulnerability that is exposed when SSL VPN functionality is enabled, allows an unauthenticated threat actor to run arbitrary code via crafted HTTP requests. </p> <p>Furthermore, CISA reported in 2024 that the malicious actor Volt Typhoon exploited CVE-2022-42475 on an unpatched network perimeter FortiGate 300D firewall. The actors used this exploit to compromise a domain admin account whose credentials were inappropriately stored on the device. </p> <h3 id="cisco">Cisco, Cisco IOS (CVE-2023-20198; CVE-2023-20273)</h3> <p>Similar to the Fortinet incident described above, the compromise resulted from leveraging two separate vulnerabilities. The first vulnerability was leveraged to gain “privilege 15” (administrative) access and create a new user account with a fixed password set by the attacker. A separate vulnerability in the web configuration interface was then leveraged to persist: files were created on the flash storage to gain additional access and persistence, so that restarting the device would not eliminate the backdoor access. </p> <p>The compromise exploited a zero-day vendor vulnerability that allowed a threat actor to perform privilege escalation via the web UI configuration interface of devices. We recommend that network management interfaces (NMIs) not be directly exposed to the Internet.<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> In addition, your organization should review your architecture and determine whether a zero trust approach would be feasible. A robust architecture will help mitigate this type of vulnerability. 
</p> <p>For an in-depth look at a VPN compromise, see the Cyber Centre's report on <a href="/en/news-events/cyber-activity-impacting-cisco-asa-vpns">Cyber activity impacting CISCO ASA VPNs</a>. </p> <h2 class="text-info" id="mitigating">Mitigating threats to edge devices</h2> <p>Your organization can reduce the risk of compromise to your edge devices by implementing the following mitigation recommendations: </p> <ul><li>Subscribe to security notifications from the device's vendor and to advisories provided by the Cyber Centre</li> <li>Follow vendor hardening guides</li> <li>Install security patches on edge devices as quickly as possible after testing for reliability on a standby or test device <ul><li>Establish an automated or monitored patch management schedule to ensure patches are applied when they become available</li> </ul></li> <li>Enable centralized (off-device) logging and configure log levels to be as detailed as possible</li> <li>Use strong, phishing-resistant multi-factor authentication (MFA) for all administrative access to devices</li> <li>Alert on successful administrative log-ons, configuration changes and hardware changes</li> <li>Detect hardware changes using vendor-specific detection tools or commands</li> <li>Follow industry standard change management processes for all security-related configuration changes <ul><li>Require two (or more) people to review a change before it can be implemented</li> </ul></li> <li>Deactivate any functionality that is not required</li> <li>Routinely review security rules for relevancy <ul><li>The more dynamic the network, the more frequently this review should be performed</li> </ul></li> <li>Maintain an inventory of edge devices and their respective support timelines <ul><li>Manage the lifecycle of any end-of-life (EoL) or end-of-service-life (EoSL) device, as any discovered vulnerability on such a device will remain unpatched</li> <li>Periodically review which edge devices have an upcoming EoL date and plan to remove or replace them before EoL occurs</li> <li>Investigate and implement compensating controls for EoSL devices your organization is unable to remove</li> </ul></li> <li>Leverage centralized authentication with role-based access control to minimize the risks associated with local accounts and to help with access management <ul><li>Consider the risks associated with deploying authentication services and approaches within your environment<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></li> </ul></li> <li>Use an out-of-band management network or administrative workstation that is physically separated from the operational data flow network <ul><li>Ensure that network infrastructure devices can only be managed from an out-of-band management network</li> </ul></li> <li>Use a hardened host to reduce the risk of administrative credentials and MFA being exploited by a compromise of the local host</li> <li>Include edge device compromise as part of your organization's incident response plan <ul><li>Conduct practice exercises to ensure the plan is effective and will allow your organization to identify, contain, remediate and recover with limited impact to your operations</li> <li>Consider vendor diversification when selecting vendors for edge device functions to reduce and mitigate the supply chain integrity threat surface</li> </ul></li> </ul><p>For more information on additional ways organizations can secure their devices, see the following publications: </p> <ul><li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085)</a></li> <li><a href="/en/guidance/preventative-security-tools-itsap00058">Preventative security tools (ITSAP.00.058)</a></li> <li><a href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a></li> </ul><h2 class="text-info" id="recommendations">Recommendations for edge device manufacturers</h2> <p>The authors encourage all edge device manufacturers to make their products <a href="https://www.cisa.gov/securebydesign">secure by design</a> by including security considerations throughout the product design and development process, with the goal of reducing the prevalence of vulnerabilities in edge devices. Secure-by-design principles describe how manufacturers should improve security outcomes for their customers by taking ownership of the security of their products. </p> <p>For more information, manufacturers should review the joint guidance <a href="https://www.cisa.gov/resources-tools/resources/secure-by-design">Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software</a> (published by the Cyber Centre and international cyber security partners). </p> <p>For guidance on implementing secure features by default in edge device products, see CISA's <a href="https://www.cisa.gov/resources-tools/resources/secure-design-alert-security-design-improvements-soho-device-manufacturers">Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers</a>. </p> <p>We also encourage manufacturers to join CISA's <a href="https://www.cisa.gov/securebydesign/pledge">Secure by Design Pledge</a>, which outlines specific goals for manufacturers to meet to make their products more secure, including goals to reduce the presence of vulnerabilities in their products and to report transparently on vulnerabilities. </p> <h2 class="text-info" id="information">Additional information</h2> <p>This publication only addresses your organization's corporate boundary security. 
For more information about protecting your organization and your remote workers, see the following publications: </p> <ul><li><a href="/en/guidance/telework-security-issues-itsap10016">Security tips for organizations with remote workers (ITSAP.10.016)</a></li> <li><a href="/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003">End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003)</a></li> <li><a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities Catalog</a></li> <li><a href="https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages">CISA Tabletop Exercise Packages</a></li> </ul><aside class="wb-fnote" role="note"><h3 id="footnotes">Footnotes</h3> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>Readers should note that, due to encryption, encoding and complex application protocols, boundary device enforcement alone is inadequate to protect internal systems and data from external threats. Organizations are encouraged to move away from overreliance on boundary protections like edge devices by also implementing policy enforcement closer to the protected resources, in the context of a zero trust architecture. 
For more information on implementing a zero trust architecture, see the Cyber Centre's <a href="https://www.canada.ca/en/shared-services/corporate/publications/network-security-strategy.html">Network and Security Strategy</a> and <a href="/en/guidance/zero-trust-approach-security-architecture-itsm10008">A zero trust approach to security architecture</a>, the National Institute of Standards and Technology (NIST) <a href="https://csrc.nist.gov/pubs/sp/800/207/final">SP 800-207, Zero Trust Architecture</a>, and the Cybersecurity and Infrastructure Security Agency's (CISA) <a href="https://www.cisa.gov/zero-trust-maturity-model">Zero Trust Maturity Model</a>. </p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a> </p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>It is possible for vendors to harden their products so that they remain secure with NMIs exposed to the Internet. This is a solved problem, and customers should demand that vendors harden their devices to secure NMIs. </p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote </span>2<span class="wb-inv"> referrer</span></a> </p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p>Central authentication systems, such as Active Directory, increase an organization's attack surface when edge device authentication is linked to the primary corporate identity store or when one Identity Provider (IDP) is used across multiple security zones. It is critical to segregate edge devices from an organization's corporate AD forest or an equivalent authentication, authorization and accounting (AAA) solution. </p> <p>Although these risks are prevalent, central authentication systems also offer a range of security advantages, including fine-grained access control, device management plane isolation, and robust hardening of centralized authentication services. 
These measures can limit lateral movement risks and provide benefits like individual accountability, synchronized account revocation, efficient credential management, logging and anomaly detection. To effectively manage these risks, organizations should consider both the vulnerabilities and the security strengths of centralized authentication, and tailor their approach accordingly. </p> <p>Alternative AAA solutions beyond Active Directory may offer similar benefits while addressing specific vulnerabilities. For a detailed approach to secure centralized AAA configurations, refer to NSA's Network Infrastructure Security Guide. </p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote </span>3<span class="wb-inv"> referrer</span></a> </p> </dd> </dl></aside> </div> </div> </div> </div> </div> </div> </div> </article>
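The mitigation list in the publication above asks for centralized (off-device) logging, alerts on successful administrative log-ons and configuration changes, centralized authentication in place of local accounts, and management only from an out-of-band network. The following added example, which is not part of the publication, shows that detection logic run over constructed log lines: the message formats, the host name edge-fw1, the management network 10.255.0.0/24 and all addresses are assumptions made for the example.

```python
"""Added example (not part of the publication): alert on administrative
log-ons, configuration changes and new privileged local accounts in centrally
collected edge-device logs. All log lines, message formats, addresses and
host names are constructed; they loosely resemble IOS-style syslog messages
but are not a vendor's documented format."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: administrators are only expected to reach edge devices from this
# out-of-band management network (constructed value, not from the publication).
MGMT_NETWORK = ipaddress.ip_network("10.255.0.0/24")

# Constructed message patterns for the three event types worth alerting on.
LOGIN_RE = re.compile(
    r"LOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")
CONFIG_RE = re.compile(
    r"CONFIG_I: Configured from \S+ by (?P<user>\S+) on (?P<line>\S+)(?: \((?P<src>[^)]+)\))?")
NEWUSER_RE = re.compile(
    r"User:(?P<actor>\S+) logged command:username (?P<user>\S+) privilege (?P<priv>\d+)")


@dataclass(frozen=True)
class Alert:
    severity: str  # "medium": expected admin activity to review; "high": investigate now
    kind: str
    user: str
    source: str
    detail: str


def outside_mgmt_network(src: Optional[str]) -> bool:
    """True only when src is an IP address that is not inside MGMT_NETWORK.
    Console sessions and unparsable sources cannot be judged, so they are not
    escalated here; the caller still raises a medium alert for them."""
    if src is None:
        return False
    try:
        return ipaddress.ip_address(src) not in MGMT_NETWORK
    except ValueError:
        return False


def analyse_line(line: str) -> Optional[Alert]:
    """Map one log line to an Alert, or None for lines that need no action."""
    m = LOGIN_RE.search(line)
    if m:
        user, src = m.group("user"), m.group("src")
        if outside_mgmt_network(src):
            return Alert("high", "admin_logon_outside_mgmt", user, src,
                         "administrative log-on from outside the management network")
        return Alert("medium", "admin_logon", user, src, "successful administrative log-on")

    m = CONFIG_RE.search(line)
    if m:
        user, src = m.group("user"), m.group("src")
        if outside_mgmt_network(src):
            return Alert("high", "config_change_outside_mgmt", user, src,
                         "configuration changed from outside the management network")
        return Alert("medium", "config_change", user, src or m.group("line"),
                     "configuration changed")

    m = NEWUSER_RE.search(line)
    if m:
        priv = int(m.group("priv"))
        detail = f"local account created by {m.group('actor')} with privilege {priv}"
        if priv >= 15:
            # A new privilege-15 local account is the pattern described in the
            # Cisco example; local accounts also bypass centralized authentication.
            return Alert("high", "new_privileged_local_user", m.group("user"), "-", detail)
        return Alert("medium", "new_local_user", m.group("user"), "-", detail)

    return None


def analyse_log(lines: List[str]) -> List[Alert]:
    """Run analyse_line over a collected log, keeping only actionable results."""
    return [a for a in map(analyse_line, lines) if a is not None]


# Constructed sample: a routine change from the management network, then an
# out-of-hours session from an external address that adds a privileged account.
SAMPLE_LOG = [
    "Jan 14 09:12:01 edge-fw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.255.0.5] [localport: 22]",
    "Jan 14 09:13:10 edge-fw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.255.0.5)",
    "Jan 14 09:13:11 edge-fw1 %SYS-5-RESTART: System restarted",
    "Jan 14 22:41:57 edge-fw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-temp] [Source: 203.0.113.44] [localport: 443]",
    "Jan 14 22:42:30 edge-fw1 %SYS-5-CONFIG_I: Configured from console by svc-temp on vty1 (203.0.113.44)",
    "Jan 14 22:42:45 edge-fw1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-temp logged command:username backup-ops privilege 15 secret *****",
]

if __name__ == "__main__":
    for alert in analyse_log(SAMPLE_LOG):
        print(f"[{alert.severity.upper():6}] {alert.kind:27} user={alert.user} "
              f"src={alert.source} {alert.detail}")
```

The medium alerts are the expected administrator activity the change-management review should be able to account for; the high alerts are the ones the incident response plan for edge device compromise should be exercised against.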
- Joint guidance on content credentials and strengthening multimedia integrity in the generative artificial intelligence era by Canadian Centre for Cyber Security on January 29, 2025 at 3:11 pm
<article data-history-node-id="5964" about="/en/news-events/joint-guidance-content-credentials-and-strengthening-multimedia-trust-generative-artificial-intelligence-era" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States' (U.S.) National Security Agency (NSA) and the following international partners in releasing cyber security guidance on content credentials and strengthening multimedia integrity in the generative artificial intelligence (AI) era:</p> <ul><li>Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC)</li> <li>United Kingdom's National Cyber Security Centre (NCSC-UK)</li> </ul><p>AI and machine learning tools are widely available. Threat actors can convincingly alter media and manipulate what people see and believe with minimal effort, low cost and high precision.</p> <p>Manipulated media makes verification difficult. 
As such, trusted and verifiable media metadata is critical to ensure trust and transparency in media and provide context about the media’s provenance.</p> <p>This joint guidance:</p> <ul><li>discusses how content credentials, especially durable ones, can protect the provenance of media</li> <li>raises awareness of the state of this solution</li> <li>provides recommended practices to ensure the preservation of provenance</li> <li>emphasizes the importance of widespread adoption of these recommended practices across the information ecosystem</li> </ul><p>Read the full joint guidance <a href="https://media.defense.gov/2025/Jan/29/2003634788/-1/-1/0/CSI-CONTENT-CREDENTIALS.PDF">Content Credentials: Strengthening Multimedia Integrity in the Generative AI Era (PDF)</a>.</p> </div> </div> </div> </div> </div> </article>
- Video teleconferencing (ITSAP.10.216) by Canadian Centre for Cyber Security on January 14, 2025 at 7:21 pm
<article data-history-node-id="662" about="/en/guidance/video-teleconferencing-itsap10216" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><!--pdf download--> <div class="row"><!--Info across the top under the image--> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>January 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.10.216</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>January 2025 | Awareness series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <p>Video teleconferencing (VTC) applications can allow your organization to meet and work with employees, clients, and partners in different geographic locations. However, there are security and privacy risks that you should consider before selecting and implementing VTC applications. 
By identifying the threats and risks related to these tools, you can implement the appropriate security measures and best practices to protect your organization’s virtual work environment.</p> <h2>On this page</h2> <ul><li><a href="#benefits">Benefits of video teleconferencing applications</a></li> <li><a href="#risks">Risks of video teleconferencing applications</a></li> <li><a href="#threats">Threats to video teleconferencing applications</a></li> <li><a href="#organizations">Security tips for organizations</a></li> <li><a href="#employees">Security tips for employees</a></li> <li><a href="#response">How to respond to an incident</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="benefits">Benefits of video teleconferencing applications</h2> <p>VTC applications can increase productivity and improve collaboration between your employees, clients, and partners. These applications are more engaging than phone calls and offer face-to-face interaction. Many of them have built-in collaboration tools, such as screen and file sharing, as well as recording capabilities. You can host meetings of various sizes without having the physical space to do so.</p> <p>There are many applications that are available for free or offer subscription options with a sliding fee scale, depending on the services that your organization needs.</p> <h2 class="text-info" id="risks">Risks of video teleconferencing applications</h2> <p>There are many VTC applications to choose from. Keep in mind that the security of your organization’s systems and information will be affected by how the vendor prioritizes security and how you use and secure these applications.</p> <p>Threat actors can take advantage of vulnerabilities and software flaws and use brute force attacks to steal information or gain access to private discussions. If sensitive information is discussed or shared on a VTC application, you may be at a higher risk of a data or privacy breach. 
This could jeopardize your organization’s reputation and relationships with clients and partners.</p> <p>Insecure bridging to external services is another risk of VTC applications. Many VTC services allow a telephone dial-in option, a form of bridging, for guest users. Even if the VTC application uses cryptography and good security practices, its security will be downgraded to the level of the external service. Sensitive or personal VTC content may be exposed when shared with an external service such as those providing translation or transcription.</p> <h2 class="text-info" id="threats">Threats to video teleconferencing applications</h2> <p>Threat actors target VTC applications to disrupt meetings, overload services, eavesdrop on calls and steal information. They use various methods to attack VTC applications, including the following:</p> <ul><li><strong>Brute-force attacks</strong>: A threat actor automatically scans a list of possible meeting IDs to try to connect. If successful, the threat actor can conduct <ul><li>meeting bombing by eavesdropping or disrupting the meeting by sharing inappropriate or explicit content</li> <li>screen scraping by collecting screen display data from a compromised system</li> </ul></li> <li><strong>Malware</strong>: A threat actor infects devices by sharing malicious attachments, links or applications</li> <li><strong>Phishing</strong>: A threat actor initiates a VTC by imitating a trusted contact</li> <li><strong>Insider threat</strong>: Personnel can accidentally or purposely compromise your organization’s VTC meetings, such as when an untrained employee mistakenly shares information like meeting credentials</li> </ul><p>Never share highly sensitive information over VTC applications. 
Use other methods if you need to share such information, such as secure encrypted messaging.</p> <h2 class="text-info" id="organizations">Security tips for organizations</h2> <p>To mitigate the risks associated with using VTC applications, your organization should take precautions when selecting, implementing and using the application.</p> <h3>Choosing the application</h3> <ul><li>Opt for vendors that can demonstrate that they abide by Canadian privacy laws to ensure your information is protected from unauthorized users and sharing</li> <li>Use existing and tested corporate solutions whenever possible</li> <li>Download applications from trustworthy vendors</li> <li>Select a VTC application with customizable security controls to meet your requirements and be aware that security controls may differ between free and paid versions</li> <li>Test the application before organizational use</li> </ul><h3>Securing the application</h3> <ul><li>Consider using a VTC solution that does not require participants to install software, such as VTC web versions, which do not require user updates</li> <li>Update default settings, as they are often less secure</li> <li>Activate security capabilities such as encryption and access control features</li> <li>Deactivate features you are not using, including file sharing, screen sharing, and transcript generators</li> <li>Ensure administrative privileges are restricted to those who require them</li> <li>Ensure end-user and conferencing devices are current with software updates and patches</li> <li>Deactivate unnecessary or unrequired services</li> <li>Where possible, activate device logging capabilities to help with incident response activities</li> <li>Use restricted end-user devices for collaboration and meetings when travelling or attending meetings outside trusted zones</li> </ul><h3>Securing your meetings</h3> <ul><li>Use a meeting passphrase or password</li> <li>Keep the meeting link and password private</li> <li>Ensure participants can 
only join the meeting if the host is present</li> <li>Use a waiting room for participants, if available</li> <li>Keep the number of meeting administrators or hosts to a minimum</li> </ul><h2 class="text-info" id="employees">Security tips for employees</h2> <p>Security training is an effective way to protect your organization from cyber threats and create a strong security culture. You should remind employees of the following security tips before they use VTC applications:</p> <ul><li>Use only corporate-approved VTC applications for work purposes</li> <li>Activate strong encryption protections on your Wi-Fi network to protect your communications</li> <li>Keep the meeting ID and password private</li> <li>Use strong passphrases for accounts</li> <li>Use multi-factor authentication if available</li> <li>Verify the domain and URL before clicking on links</li> </ul><h2 class="text-info" id="response">How to respond to an incident</h2> <p>If you suspect any malicious activity on your VTC meetings:</p> <ol start="1" type="1"><li>stop the meeting</li> <li>identify the information at risk to determine if sensitive business or personal information was shared during the meeting</li> <li>change meeting IDs and passwords for any recurring or scheduled meetings</li> <li>report activity to the Cyber Centre by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a></li> </ol><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/rethink-your-password-habits-protect-your-accounts-hackers-itsap30036">Rethink your password habits to protect your accounts from hackers (ITSAP.30.036)</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></li> <li><a href="/en/guidance/password-managers-security-itsap30025">Password managers: Security tips (ITSAP.30.025)</a></li> <li><a 
href="/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105">Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)</a></li> <li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/telework-security-issues-itsap10016">Security tips for organizations with remote workers (ITSAP.10.016)</a></li> <li><a href="/en/guidance/cyber-security-tips-remote-work-itsap10116">Cyber security tips for remote work (ITSAP.10.116)</a></li> </ul></div> </div> </div> </div> </div> </div> </div> </article>
- Joint guidance on secure by demand and priority considerations for operational technology owners and operators when selecting digital products by Canadian Centre for Cyber Security on January 13, 2025 at 3:10 pm
<article data-history-node-id="5962" about="/en/news-events/joint-guidance-secure-demand-and-priority-considerations-operational-technology-owners-and-operators-when-selecting-digital-products" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) and the following international partners in releasing cyber security guidance on secure by demand and priority considerations for operational technology (OT) owners and operators when selecting digital products:</p> <ul><li>U.S. Department of Energy</li> <li>U.S. Environmental Protection Agency (EPA)</li> <li>U.S. Federal Bureau of Investigation (FBI)</li> <li>U.S. National Security Agency (NSA)</li> <li>U.S. Transportation Security Administration</li> <li>Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC)</li> <li>Directorate General for Communications Networks, Content and Technology, European Commission</li> <li>Germany’s Federal Office for Information Security (BSI)</li> <li>Netherlands’ National Cyber Security Centre (NCSC-NL)</li> <li>United Kingdom’s National Cyber Security Centre (NCSC-UK)</li> </ul><p>Cyber threat actors can attack OT products with weaknesses such as weak authentication, shared software vulnerabilities, and limited logging. 
If your organization uses an <abbr title="operational technology">OT </abbr> product that has not been designed with secure by design principles or has these common weaknesses, it can be difficult and costly to defend against compromise.</p> <p>As part of CISA’s Secure by Demand series, this joint guide aims to advise <abbr title="operational technology">OT </abbr> owners and operators on how to integrate security into their device procurement processes.</p> <p>This guide outlines key security elements that OT products should have, particularly industrial automation and control system products. The key elements include:</p> <ul><li>configuration management</li> <li>logging in the baseline product</li> <li>open standards</li> <li>ownership</li> <li>protection of data</li> <li>secure by default</li> <li>secure communications</li> <li>secure controls</li> <li>strong authentication</li> <li>threat modeling</li> <li>vulnerability management</li> <li>upgrade and patch tooling</li> </ul><p>By purchasing products with these key elements, your organization can mitigate risks from current cyber threats.</p> <p>Read the joint guidance <a href="https://www.cisa.gov/resources-tools/resources/secure-demand-priority-considerations-operational-technology-owners-and-operators-when-selecting">Secure by Demand: Priority Considerations for Operational Technology Owners and Operators When Selecting Digital Products</a>.</p> </div> </div> </div> </div> </div> </article>
- CSE’s evolved Security Review Program by Canadian Centre for Cyber Security on January 7, 2025 at 3:21 pm
<article data-history-node-id="3281" about="/en/news-events/cses-evolved-security-review-program" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><section class="alert alert-warning"><h3>Notice of changes to the evolved Security Review Program</h3> <p>Please note that assurance testing of designated supplier products by CSE-qualified third-party laboratories has ceased as of December 2023. A list of reviewed versions is available upon request by email at <a href="mailto:tcrp@cyber.gc.ca">tcrp@cyber.gc.ca</a>. For the latest guidance related to designated suppliers, see the Government of Canada’s <a href="https://www.canada.ca/en/innovation-science-economic-development/news/2022/05/policy-statement--securing-canadas-telecommunications-system.html">policy statement on securing Canada’s telecommunications system</a>.</p> <p>The evolved Security Review Program (eSRP) is now called the <strong>Telecoms Cyber Resilience Program (TCRP</strong>). This program has been expanded to support Canadian mobile network operators in establishing secure and resilient 3G, 4G and 5G networks. 
By sharing threat and mitigation information, the TCRP aims to raise baseline security and address ongoing and emerging threats to the radio access network, core network, signaling network, transport network, supply chain and standards.</p> </section><h2>About CSE and the Canadian Centre for Cyber Security</h2> <p>The Communications Security Establishment (CSE) is Canada’s national cryptologic agency, responsible for providing advice and guidance on all aspects of cyber security to Government of Canada departments and agencies. The launch of CSE’s Canadian Centre for Cyber Security (Cyber Centre) in 2018 helped the department build even stronger security partnerships between government and industry with the shared goal of raising the overall cyber security bar in Canada’s telecommunications sector.</p> <p>CSE’s Cyber Centre applies the full depth of its security experience and works with a range of partners, domestically and internationally, to continually find ways to increase the security of the telecommunication networks that Canada relies on.</p> <h2>Protecting Canada’s telecommunications critical infrastructure</h2> <p>CSE and its partners at Public Safety Canada (PS), Innovation, Science, and Economic Development (ISED) and the Canadian Security Telecommunications Advisory Committee (CSTAC) actively engage with Canadian telecommunications service providers (TSPs) and key equipment suppliers to help ensure the security of Canadian critical telecommunications infrastructure.</p> <p>Securing telecommunications networks from cyber threats protects the backbone for how Canadians communicate, work, and live online. 
Since 2013, CSE’s Security Review Program (SRP) has helped Canadian TSPs mitigate cyber security risks, including supply chain risks from designated equipment and services, such as Huawei and ZTE, in their 3G/4G/LTE networks.</p> <p>The SRP is a collaborative program between government and industry which, to date, has led to:</p> <ul><li>The restriction of designated products from use for sensitive functions in Canadian networks.</li> <li>The restriction of designated products from GC network contracts.</li> <li>The restriction on the use of outsourced managed services from designated providers in Canadian networks.</li> <li>Assurance testing in CSE-qualified third-party laboratories for designated products used for less-sensitive functions in Canadian networks; and</li> <li>Annual architecture reviews to provide tailored technical advice and guidance to TSPs, resulting in year-over-year increases in the adoption of cyber security controls and best practices.</li> </ul><h2>5G and the evolution of CSE’s Security Review Program</h2> <p>Mobile networks have become an increasingly critical part of telecommunications infrastructure. 5G will provide the underlying infrastructure upon which new applications, services, and other critical infrastructure will depend.</p> <p>Given CSE’s mandate for cyber security and information assurance, the Cyber Centre will leverage and evolve the SRP (eSRP) to support Canadian TSPs in securing critical elements of Canada’s 5G networks and the broader telecommunications system. 
The eSRP will apply more broadly to help industry improve the cyber security and resilience of Canada’s telecommunications networks and consider risks from all key suppliers.</p> <p>The Cyber Centre will continue to take a collaborative approach that provides Canada with a strong, balanced foundation of knowledge and expertise from both a GC and industry perspective, enabling TSPs to mitigate cyber threats and establish resilient telecommunications networks for the benefit of all Canadians.</p> <h2>eSRP: Program activities</h2> <p>The Cyber Centre will continue to work in partnership with TSPs to implement this program on a collaborative basis. Cooperative engagement with TSPs, as well as proactive outreach to key suppliers of products and services, allows for innovative and adaptable approaches to cyber security and resilience in the face of rapidly changing technology and emerging threats.</p> <p>The eSRP will continue with the same pillars of activity as the existing program, including restrictions on low-confidence products and services, deployment assessments, architecture reviews, and collaboration on cyber security controls to increase the resilience of telecommunications networks across Canada.</p> <p>New activities will include the following:</p> <ul><li>Engage key suppliers of critical telecommunications products and services, to establish <strong>new partnerships focused on building confidence</strong> in the products and services deployed in Canadian TSP infrastructure.</li> <li>Develop <strong>assurance activities or mitigation strategies</strong> for supplier equipment if there is an assessed cyber security gap.</li> <li>Share threat-related information and mitigation advice and guidance to support TSPs in establishing resilient telecommunications networks <strong>regardless of suppliers selected</strong>; and</li> <li>Collaborate with industry to develop robust cyber security controls <strong>regardless of suppliers selected</strong>.</li> 
</ul><h2>Additional information on program activities</h2> <h3>Supplier confidence assessments</h3> <p>The current SRP focuses on the supply chain risk posed by products and services from designated suppliers (e.g. Huawei). Going forward, the eSRP will engage all key suppliers present in the Canadian market to establish new partnerships focused on building confidence in the products and services deployed in Canadian telecommunications infrastructure.</p> <p>The program will apply rigorous new supplier assessment criteria to ensure that mitigation measures correspond to increasingly complex cyber security threats across the sector. The focus will be on suppliers that provide products and services used in the most critical areas of the telecommunications infrastructure, starting with, but not limited to, securing critical elements of Canada’s 5G networks, including the radio access network, the backhaul to the core network, and the core network for mobility services.</p> <p>These new supplier confidence assessments will allow for a tiered approach to assurance activities based on supplier confidence levels, where program requirements will decrease as supplier confidence increases. While the current third-party laboratory assurance testing will remain in place for certain low-confidence suppliers, the program will also develop novel assurance and mitigation strategies to address assessed cyber security gaps for supplier equipment.</p> <h3>TSP architecture reviews</h3> <p>As a result of CSE’s existing SRP, annual evaluations of Canadian telecommunications service providers’ architectures have shown year-over-year improvements in the adoption of cyber security best practices. 
The eSRP will continue these annual architecture reviews to identify security gaps and work collaboratively with TSPs to improve the overall security in the telecommunications sector.</p> <p>The eSRP will continue to collaborate with Canadian TSPs to propose cyber security best practices and baseline controls across their networks (e.g. <a href="https://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf10719.html" rel="external">CSTAC Security Best Practices for Canadian TSPs</a>), for any equipment or service, not solely in relation to the presence of low-confidence supplier products.</p> <h3>Product deployment assessments</h3> <p>When a TSP proposes a new product, upgrades, or new functions to an existing product/service from a low-confidence supplier for use in Canada, CSE/Cyber Centre conducts a product deployment assessment, based on its unique and specialized understanding of the cyber threat landscape.</p> <p>A deployment assessment is ideally performed prior to, or early in, the procurement process. The deployment assessment evaluates the cyber security risks in the product, the deployment context, and the controls proposed by the TSP. The risk mitigation measures recommended as part of the assessment will ensure, as per Canadian industry-defined standards, that a baseline level of cyber security is present in TSP activities. It also provides multiple layers of recommended mitigations to offset risks in scenarios where equipment originating from a low-confidence supplier is proposed for deployment.</p> <p>The eSRP will expand assessments to consider the deployment of products from key suppliers, with a focus on the most important and sensitive areas of the telecommunications infrastructure. 
The deployment assessment identifies risks and provides recommended mitigations to ensure a resilient network/service.</p> <h3>Cyber resilience approach</h3> <p>In order to adapt to changes in technology in the telecommunications sector, particularly with the transition to 5G, the eSRP will expand its focus beyond the supply chain risk posed by certain suppliers to consider the overall cyber security and resilience of all critical elements of Canada’s telecommunications system.</p> <p>The program will promote a spectrum of activities that build resilience in the telecoms sector. It will continue its work on prevention and risk mitigation, enhance collaboration and governance mechanisms, build capacity to better understand risk, and increase competency in preparedness, detection, response, and forward-looking recovery planning. This will include an increased focus on threat briefings with links to recommended mitigations as well as collaborative industry workshops for capability development.</p> <h3>Canadian Telecoms Security Recommendations</h3> <p>The eSRP will create a catalogue of Canadian Telecoms Security Recommendations that contain technology reference architectures (e.g., 5G Non-Standalone and Standalone), share threat-related information for each architecture, and recommend cyber security controls to mitigate these threats.</p> <p>The eSRP will continue consultation with TSPs and CSTAC’s Canadian Telecom Cyber Protection (CTCP) Working Groups to ensure ongoing collaboration on security initiatives and awareness of threat-related information. 
The Cyber Centre will also promote the adoption of global standards that recommend robust cyber security controls that lead to an increase in confidence and resilience in global telecommunications systems.</p> <h3>Implementation</h3> <p>CSE has already begun increased collaboration within CSTAC’s various working groups to define reference architectures, threat models, and mitigations to be shared with all Canadian TSPs as industry-standard baseline requirements. We will continue to work with international partners to promote global standards that raise the common baseline for cyber security and increase confidence in global telecommunications systems.</p> <h2>Additional information</h2> <ul class="list-unstyled"><li><a href="https://www.canada.ca/en/innovation-science-economic-development/news/2022/05/statement-from-minister-champagne-on-telecommunications-security.html" rel="external">Statement from Minister Champagne on telecommunications security</a></li> <li><a href="https://www.canada.ca/en/innovation-science-economic-development/news/2022/05/policy-statement--securing-canadas-telecommunications-system.html" rel="external">Policy statement on telecommunications security</a></li> <li><a href="https://www.canada.ca/en/public-safety-canada/news/2022/06/government-introduces-new-legislation-to-protect-canadas-cyber-security0.html" rel="external">Public Safety news release on an <em>Act Regarding Cyber Security</em></a></li> <li><a href="https://www.canada.ca/en/public-safety-canada/news/2022/06/overview-of-the-proposed-changes-to-the-telecommunications-act.html" rel="external">ISED backgrounder on amendments to the <em>Telecommunications Act</em></a></li> <li><a href="https://www.canada.ca/en/public-safety-canada/news/2022/06/protecting-critical-cyber-systems.html" rel="external">Public Safety background on critical cyber systems</a></li> <li><a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx" rel="external">National Cyber 
Security Strategy</a></li> </ul></div> </div> </div> </div> </div> </article>
- Recommended cyber security contract clauses for cloud services (ITSM.50.104) by Canadian Centre for Cyber Security on December 31, 2024 at 3:01 pm
<article data-history-node-id="5769" about="/en/guidance/recommended-cyber-security-contract-clauses-cloud-services-itsm50104" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>October 2024</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.50.104</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>October 2024 | Practitioner series</strong></p> </div> <!--pdf download--> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm50104recommended-cyber-security-contract-clauses-cloud-services.pdf">Recommended cyber security contract clauses for cloud services – ITSM.50.104 (PDF, 555 KB)</a></p> </div> <!-- intro section --> <section><h2 class="text-info">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information, email or phone our Contact Centre: <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a><br /><a href="tel:+16139497048">(613) 949-7048</a> or <a href="tel:+18332923788">1-833-CYBER-88</a></p> </section><section><h2 class="text-info">Effective date</h2> <p>This publication takes effect on October 22, 2024.</p> </section><section><h2 class="text-info">Revision history</h2> <ol><li><strong>First release:</strong> October 22, 2024</li> </ol></section><section><h2 class="text-info">Overview</h2> <p>As more organizations move to cloud-based services and technologies, there is a growing need to identify supporting contract clauses and principles to ensure cyber security expectations are clearly understood and documented. Cyber security clauses and principles are important service components. They should be combined with foundational contract elements, such as service level agreements (SLAs), task orders, and governing standards.</p> <p>When combined, these contract elements and clauses provide a service framework to ensure your organization receives the services and solutions you expect and provide proper assurance that your data and identities are secure.</p> <p>This publication outlines common areas for cloud service contracts and procurement from a cyber security perspective for both government and non-government organizations. The recommendations provided should be considered along with the main functional and legal aspects of service contracting when working with any cloud service provider (CSP).</p> </section><section><details class="mrgn-tp-md"><summary><h2 class="text-info h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#1">1. 
Introduction</a> <ul><li><a href="#1.1">1.1 Scope</a></li> <li><a href="#1.2">1.2 Guiding documents</a> <ul><li><a href="#1.2.1">1.2.1 Government resources</a></li> <li><a href="#1.2.2">1.2.2 Industry resources</a></li> <li><a href="#1.2.3">1.2.3 Recommended nomenclature</a></li> </ul></li> </ul></li> <li><a href="#2">2 General cyber security considerations</a> <ul><li><a href="#2.1">2.1 Main considerations</a> <ul><li><a href="#2.1.1">2.1.1 Data security and protection</a></li> <li><a href="#2.1.2">2.1.2 Data residency and sovereignty</a></li> <li><a href="#2.1.3">2.1.3 Supply chain integrity (SCI)</a></li> <li><a href="#2.1.4">2.1.4 Identity and access management, privileged access, and federation</a></li> <li><a href="#2.1.5">2.1.5 Incident response and management</a></li> <li><a href="#2.1.6">2.1.6 Cryptographic assurance and key management</a></li> <li><a href="#2.1.7">2.1.7 Endpoint devices and media security</a></li> <li><a href="#2.1.8">2.1.8 Network and communications security</a></li> <li><a href="#2.1.9">2.1.9 Continuous monitoring</a></li> <li><a href="#2.1.10">2.1.10 Secure development, testing, and validation</a></li> </ul></li> <li><a href="#2.2">2.2 Complementary considerations</a> <ul><li><a href="#2.2.1">2.2.1 Privacy risks</a></li> <li><a href="#2.2.2">2.2.2 Personnel security</a></li> <li><a href="#2.2.3">2.2.3 Physical security</a></li> <li><a href="#2.2.4">2.2.4 Data retention and destruction</a></li> <li><a href="#2.2.5">2.2.5 Artificial intelligence</a></li> <li><a href="#2.2.6">2.2.6 Quantum threat</a></li> </ul></li> </ul></li> <li><a href="#3">3 Terms and conditions</a> <ul><li><a href="#3.1">3.1 Considerations</a> <ul><li><a href="#3.1.1">3.1.1 Trade secret protections (such as patented material and legal branding)</a></li> <li><a href="#3.1.2">3.1.2 Intellectual property</a></li> <li><a href="#3.1.3">3.1.3 Indemnification/limitation of liability</a></li> <li><a href="#3.1.4">3.1.4 Support</a></li> <li><a href="#3.1.5">3.1.5 
Migration</a></li> </ul></li> </ul></li> <li><a href="#4">4. Conclusion</a></li> <li><a href="#5">5 Supporting content</a> <ul><li><a href="#5.1">5.1 List of abbreviations</a></li> <li><a href="#5.2">5.2 Glossary</a></li> <li><a href="#reference">References</a></li> </ul></li> </ul></details></section><section><h2 class="text-info">List of figures</h2> <p><a href="#fig-1"><strong>Figure 1:</strong> Cloud shared responsibility model</a></p> </section><!-- Main content starts here --><section><h2 class="text-info" id="1">1. Introduction</h2> <p>The guidance in this publication highlights important security considerations for your organization as you develop and review your cloud service contractual requirements with cloud service providers (CSPs). Your organization should manage the associated risks when contracting and relying on cloud services for your critical business processes. There can be gaps in the contract provisions if the cyber security components in a cloud service procurement model are managed through traditional means. These gaps can leave your organization unable to manage the complexities associated with modern cyber security services.</p> <p>While <abbr title="cloud service providers">CSPs</abbr> may present initial foundational service conditions and terms, your organization's management team is responsible for demonstrating and validating that the terms and conditions of the contract address your organization's business security needs. The terms and conditions should be adaptable for future modifications to safeguard the interests of your organization. The terms and conditions in the service contract should also provide your organization with the best possible business outcomes. 
Your organization must initiate proactive measures to ensure service provisions include cyber security mechanisms for identifying, communicating, mitigating, and preventing risks.</p> <p>This publication outlines common cyber security considerations for assessing cloud service contracts and procurement risks. It is recommended that these be considered along with the main functional and legal aspects of contracting when working with a <abbr title="cloud service provider">CSP</abbr>. These areas of consideration should also be applied when engaging other service providers such as a managed service provider (MSP), a managed security service provider (MSSP), a service integrator (SI), or a service orchestrator (SO).</p> <p>The clauses outlined in this publication are not to be considered legal advice. Rather, they offer context for your organization when you are considering cloud services and are presented with terms and conditions from a potential service provider. This guidance can assist your organization in knowing what to consider or what questions to ask when moving to the cloud.</p> <!-- Subsection 1 --> <div> <h3 id="1.1">1.1 Scope</h3> <p>This publication provides advice and guidance in the areas of cloud service contracting. In all cases, application of this guidance can fall both on your organization as the consumer and on the service provider. The examples listed are not meant to be an exhaustive indication of best practice, but they do offer insight into clauses that have been used successfully by government and industry partners.</p> <p><strong>Disclaimer:</strong> The Communications Security Establishment and the Cyber Centre do not recommend or endorse the use of any particular contracting clause listed in this document. 
Information provided is only intended to be a source of examples of contract clauses that may be useful for cloud service contracting and is provided for informational purposes only.</p> </div> <div> <h3 id="1.2">1.2 Guiding documents</h3> <p>In preparing this guidance, we have considered inputs from various reference documents and frameworks.</p> <div> <h4 id="1.2.1">1.2.1 Government resources</h4> <p>The following list provides references to related policies and guidance documents that were considered in the development of this publication:</p> <ul><li><a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33">IT Security Risk Management: A Lifecycle Approach (ITSG-33)</a></li> <li><a href="/en/guidance/technology-supply-chain-guidelines-tscg-01">Technology Supply Chain Guidelines (TSCG-01)</a></li> <li><a href="https://www.tpsgc-pwgsc.gc.ca/esc-src/msc-csm/index-eng.html">PSPC Contract Security Manual</a></li> <li><a href="https://www.fedramp.gov/documents-templates/">FedRAMP Control-Specific Contract Clauses version 3.0</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final">NIST SP 800-171 – Enhanced Security Requirements for Protecting Controlled Unclassified Information</a></li> <li><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf">NIST SP 800-172 – Enhanced Security Requirements for Protecting Controlled Unclassified Information: Supplementary (PDF)</a></li> </ul></div> <div> <h4 id="1.2.2">1.2.2 Industry resources</h4> <p>Additionally, we have considered the following industry standards and frameworks:</p> <ul><li><a href="https://www.iso.org/standard/27001">ISO 27001:2022 – Information Security Management Systems</a></li> <li><a href="https://www.iso.org/standard/43757.html">ISO 27017:2015 – Guidelines for Information Security Controls</a></li> <li><a href="https://www.iso.org/standard/76559.html">ISO 27018:2019 – Information Technology – Security Techniques – Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds as PII Processor</a></li> <li><a href="https://cloudsecurityalliance.org/artifacts/security-guidance-v4">Cloud Security Alliance (CSA) Security Guidance for Critical Areas of Focus in Cloud Computing</a></li> </ul></div> <div> <h4 id="1.2.3">1.2.3 Recommended nomenclature</h4> <p>All resources indicated above provide various levels of detail and technical nomenclature in relation to cloud services. From a strictly contractual perspective, there are terms that will assist you in procuring cloud services based on "point in time" or "future need". Section 2.1 lists the various forms of intention that your organization will need to consider based on the cloud services required. Your organization should also be aware that some cloud services may need time to be re-engineered or may have features that are still on a roadmap. Your organization should consider your immediate needs and those that can be developed in stages or at a later time.</p> <p>Your organization should establish the mandatory and rated requirements it needs. Mandatory requirements are those that the provider "must" have or "shall" provide. For rated requirements, your organization can use "should", "may", or "consider" provisioning. These terms also denote that the provider already has these elements in place. 
In those cases where services are on a roadmap or not yet in place, your organization will need to look for terms such as "will" or "capable of achieving" to indicate the future expectation.</p> </div> </div> </section><section><h2 class="text-info" id="2">2 General cyber security considerations</h2> <p>When establishing security expectations within enterprise cloud service contracts, the selected service model influences the choice of security services available. Understanding the shared responsibility model provides clarity on the security control options accessible to consumer organizations. For example, managing access control mechanisms relies on the customer to implement and deploy system control functions as much as it depends on the <abbr title="cloud service provider">CSP</abbr> to provide the underlying supporting infrastructure. These interactions are established within the logical security, hardware and physical security, personnel security, and information technology (IT) security domains. These areas are then further defined using specific contract language and references to a requisite security controls profile or overlay. 
Typically, references to <a href="https://www.cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33">ITSG-33</a>, <a href="https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final">NIST 800-53 Security and Privacy Controls for Information Systems and Organizations</a>, and other variants provide security control catalogues and references or suggestions to specific "security profiles." The goal is to reduce the probability of risk events and reduce uncertainty through well-defined requirements in the overall management of the contract.</p> <div> <h3 id="2.1">2.1 Main considerations</h3> <p>There are several main areas your organization should focus on when reviewing cloud service models. Each area is incorporated into specific contract clause language. However, they are offered here as a point of consideration when looking at how to categorize and determine what types of cloud services are required. The initial areas of consideration are:</p> <ul><li>assessment</li> <li>incident management</li> <li>key management</li> <li>endpoint protection</li> <li>remote management</li> <li>privileged access management</li> <li>cryptographic assurance</li> <li>data protection</li> <li>identity and access management</li> <li>secure development</li> <li>security testing and validation</li> <li>network and communications security</li> <li>federation</li> <li>information spillage</li> <li>logging and auditing</li> <li>continuous monitoring</li> <li>data sovereignty</li> <li>data residency</li> </ul><p>For further information on categorization and classification of service models, we recommend reviewing the Cyber Centre's <a href="https://www.cyber.gc.ca/en/guidance/guidance-security-categorization-cloud-based-services-itsp50103">Guidance on the Security Categorization of Cloud-Based Services (ITSP.50.103)</a>.</p> <div> <h4 id="2.1.1">2.1.1 Data security and protection</h4> <p>Data security represents a core service expectation within the cloud service model. To ensure maximum effectiveness of data security controls, your organization should implement a layered service approach. Service contracts should define the <abbr title="cloud service provider">CSP</abbr>'s responsibilities for your data and its limitations with respect to intellectual property rights on your organizational data, inferred data, or constructed data. Contractual agreements should differentiate between data at rest, data in transit, processing, and storage. Security requirements around encryption protections, approved geographical repositories, limitations on transit flows, and access control measures should be documented. Mitigation measures implemented to reduce or eliminate risks associated with data retrieval and destruction processes should be documented as well. You should review data residency policies and service choices as they relate to your specific business regulatory environment. Some services and data centres may not reside in Canada, which can affect your organization's ability to protect data in accordance with legislative or regulatory requirements.</p> <p>Risks associated with emerging technologies are also a growing concern. You should consider limiting the impact of such technologies, like artificial intelligence (AI), machine learning, and quantum computing, on your data. 
Address potential risks through proactive contract clauses that mandate specific procedures, exclusions, or restraints to be followed when using your data.</p> <p><strong>Example clause structure and language</strong></p> <p>The contractor must:</p> <ul><li>Implement encryption of data at rest for the cloud services hosting the organization's data, where the encryption of data at rest remains in effect, uninterrupted, and active at all times, even in the case of equipment or technology failure, in accordance with cryptographic protection recommended by the Cyber Centre in <a href="https://www.cyber.gc.ca/en/guidance/guidance-cloud-service-cryptography-itsp50106">Guidance on Cloud Service Cryptography (ITSP.50.106)</a>.</li> <li>Transmit the organization's data in a secure manner, providing the ability for the organization to implement encryption for data in transit for all transmissions of its data, in accordance with cryptographic protection and network and communications security as recommended by the Cyber Centre.</li> <li>Take appropriate measures to ensure that its personnel do not have standing or ongoing access rights to the organization's data and that access is restricted to <abbr title="cloud service provider">CSP</abbr> personnel with a need-to-know, including resources that provide technical or customer support, based on appropriate approval.</li> <li>Report intended or accidental violations of data protection and cryptographic mechanisms to the customer organization, providing documentation and evidence on planned action or action taken to redress the situation.</li> <li>Support cryptographic agility such that the protection of data in transit or at rest can remain current with cryptographic protection recommendations from <abbr title="Communications Security Establishment">CSE</abbr> and the Cyber Centre, including the use of new standards to mitigate the quantum computing threat. 
For more information, see <a href="https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">Guidance on Becoming Cryptographically Agile (ITSAP.40.018)</a>.</li> </ul><p><strong>References</strong></p> <ul><li><a href="https://canada-ca.github.io/cloud-guardrails/EN/06_Protect-Data-at-Rest.html">GC Cloud Guardrails – Protection of data-at-rest</a></li> <li><a href="https://canada-ca.github.io/cloud-guardrails/EN/07_Protect-Data-in-Transit.html">GC Cloud Guardrails – Protection of data-in-transit</a></li> </ul></div> <div> <h4 id="2.1.2">2.1.2 Data residency and sovereignty</h4> <p>Contractual clauses specifying data sovereignty and residency requirements should be documented for all forms of data and cloud services within the required regulatory environments. Contracts should mandate the <abbr title="cloud service provider">CSP</abbr> to inform the customer in scenarios where organizational data is moved to an unapproved region. Data outflows from cloud platforms are often designed to be expensive, while incentives exist to facilitate data inflows to a <abbr title="cloud service provider">CSP</abbr>'s platform. Avoid contractual models which expose your organization to lock-in risks, and design agreements which guarantee access to your organization's data within a reasonable cost structure.</p> <p>The contractor must store and protect your organization's data at rest, including data in backups or maintained for redundancy purposes. This includes the ability to isolate data in Canada in approved data centres. 
An approved data centre should:</p> <ul><li>meet specific security requirements and certifications identified by your organization's regulatory requirements</li> <li>ensure that a specific customer's data cannot be found on physical media</li> <li>employ encryption to ensure that no data is written to disk in an unencrypted form, in accordance with cryptographic protection as recommended by the Cyber Centre</li> </ul><p><strong>Example clause structure and language</strong></p> <p>The contractor must:</p> <ul><li>Take appropriate measures to prevent the transmission of organizational data outside of agreed service and geographical regions, except when organizational approval is received.</li> <li>Provide the capability and tools to extract all information, including system configurations, activity logs, and object and file storage information, such that the organization can validate the location and activity record for its data.</li> </ul><p><strong>References</strong></p> <ul><li><a href="https://canada-ca.github.io/cloud-guardrails/EN/05_Data-Location.html">GC Cloud Guardrails – Data location</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/guidance-cloud-security-assessment-and-authorization-itsp50105">Guidance on cloud security assessment and authorization (ITSP.50.105)</a></li> </ul></div> <div> <h4 id="2.1.3">2.1.3 Supply chain integrity (SCI)</h4> <p>Supply chain risks pertain to the activities of threat actors who exploit supply chain vulnerabilities in an effort to compromise the integrity of one or more system components to achieve their broader objectives. To protect against such threats, contractual agreements must consider supply chain security, to the extent of the organization's capability, including threats from the points of manufacturing, transportation, integration, and operation. 
As part of the cloud service procurement process, your organization should conduct supply chain risk assessments and request that <abbr title="cloud service providers">CSPs</abbr> provide information on their supply chain risk management plans, ownership information, subsidiary relationships, and third-party relationships. Should there be a concern with the release of such information or with indicating who the <abbr title="cloud service provider">CSP</abbr>'s suppliers are, discussions on third-party assurance through a mutually agreed entity are recommended. Your organization can also consider using the Cyber Centre's <a href="https://www.cyber.gc.ca/en/tools-services/harmonized-tra-methodology">Harmonized Threat Risk Assessments (HTRA)</a> methodology or the Analytical Software for Threat Assessment (ASTRA) tool to conduct threat risk assessments (TRA) and evaluate potential risks associated with their projects.</p> <p><strong>Example clause structure and language</strong></p> <p>The contractor must agree to:</p> <ul><li>Provide information required for the customer to conduct a supply chain security assessment, including information on ownership structure, corporate registration, investors and management executives, suppliers, sub-contractors, sub-processors, third-party relationships, and any other information required for such an assessment.</li> <li>Support the supply chain security assessment by providing information related to equipment, firmware, software, or any other systems as required.</li> <li>Maintain a supply chain risk management (SCRM) plan that describes the <abbr title="cloud service provider">CSP</abbr>'s approach to SCRM and demonstrates how the contractor's approach will reduce and mitigate supply chain risks.</li> <li>Implement and maintain safeguards to mitigate supply chain threats and vulnerabilities to IT services in order to maintain confidence in the security of the sources of information systems and the IT components used to provide 
services.</li> </ul><p><strong>References</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/supply-chain-threats-and-commercial-espionage">Supply chain threats and commercial espionage</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/contracting-clauses-telecommunications-equipment-and-services-tscg-01l">Contracting clauses for telecommunications equipment and services (TSCG-01L)</a></li> <li><a href="https://www.iso.org/standard/82905.html">ISO/IEC 27036 – Cyber security – Supplier relationships (Parts 1 to 4)</a></li> </ul></div> <div> <h4 id="2.1.4">2.1.4 Identity and access management, privileged access, and federation</h4> <p>Cloud-based identity and access management (IAM) models expose unique security challenges due to their shared responsibility service structure. How user accounts, system services, and entities are identified and authenticated, and how their permission rights are managed, may require coordination among multiple partners (customer, <abbr title="cloud service provider">CSP</abbr>, and identity provider (IDP)). Contract clauses used to manage services should clearly delineate account management responsibilities for all parties. Service contracts should document mitigations against unauthorized non-privileged or privileged user or system access. Federation of identities and credentials should be restricted to within agreed trust frameworks. Unauthorized third-party access (user or system) to your organization's data or cloud instance should be restricted. 
Service agreements should mandate access logging, and retention periods should be sufficient to facilitate audit and incident response activities. Service contracts should address <abbr title="cloud service provider">CSP</abbr> obligations with respect to application backdoors or unauthorized system-based access (APIs).</p> <p><strong>Example clause structure and language</strong></p> <p><strong>Identity and access management</strong></p> <p>The contractor must provide the ability for your organization to support secure access to cloud services, including, but not limited to, configuring:</p> <ul><li>phishing-resistant multi-factor authentication (MFA) in accordance with <a href="https://www.cyber.gc.ca/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">User Authentication Guidance for Information Technology Systems (ITSP.30.031)</a> using GC-approved credentials</li> <li>role-based and behaviour-based access</li> <li>access controls on objects in storage</li> <li>granular authorization policies to allow or limit access</li> </ul><p>The contractor must have the ability to establish organization-wide defaults to manage tenant-wide policies.</p> <p><strong>Privileged access management</strong></p> <p>The contractor shall make use of secure and trusted endpoint devices to perform its system administration functions, such as a dedicated administrative privileges workstation designed with restricted configurations, system functionality, and security controls.</p> <p><strong>Federation</strong></p> <p>The contractor shall ensure that federation of authentication mechanisms, including corporate identity and attribute information, is protected in accordance with the current NIST Digital Identity Standard <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-4.ipd.pdf">NIST SP 800-63-4 Digital Identity Guidelines: Federation and Assertions (PDF)</a> or the Cyber Centre's <a href="https://www.cyber.gc.ca/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3">ITSP.30.031</a>.</p> <p><strong>References</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/top-10-it-security-actions-no3-managing-controlling-administrative-privileges-itsm10094">Top 10 IT Security Actions: No. 3 managing and controlling administrative privileges (ITSM.10.094)</a></li> <li><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-4.ipd.pdf">Digital Identity Guidelines – NIST Special Publication 800-63-4</a></li> </ul></div> <div> <h4 id="2.1.5">2.1.5 Incident response and management</h4> <p>Contractual clauses managing incident response activities must implement a risk-based approach. They must consider potential service outages and expected service recovery targets, especially as they affect industry regulations and reporting requirements. Your organization should consider clauses mandating incident information disclosure to assist with assessing the impact, severity, and materiality of an incident that may require regulatory notification and oversight. Some examples of these types of clauses can include:</p> <ul><li>notifications when a service is affected</li> <li>disclosure of any known vulnerabilities and associated patches</li> <li>provision of log information to an entity's SOC team for ingestion</li> </ul><p>Additional features or the disclosure of specific information on the service is a consideration for your organization's security and monitoring needs and capabilities.</p> <p>Regulated entities, as well as critical infrastructure organizations offering services that support critical national services with an impact on national security or public safety, may require additional oversight. A service disruption can have wider national security and human safety implications. Effective incident response capabilities require coordination among many internal and external entities. 
Your contractual agreements must clearly define responsibilities for all stakeholders.</p> <p><strong>Example clause structure and language</strong></p> <p>The contractor must:</p> <ul><li>Establish and maintain a security operations centre (SOC) capability that operates within your organization's defined time of operation and service model, such as 24/7 service coverage.</li> <li>Establish and maintain a cyber incident response team that can be deployed by the CSP within your organization's expected service targets.</li> </ul><p><strong>References</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/managing-risks-government-canada-data-when-using-cloud-services-itsm50109">Managing the risks to Government of Canada data when using cloud services (ITSM.50.109)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/itsp50104-guidance-defence-depth-cloud-based-services">Guidance on defence in depth for cloud-based services (ITSP.50.104)</a></li> </ul></div> <div> <h4 id="2.1.6">2.1.6 Cryptographic assurance and key management</h4> <p>Access to sensitive cryptographic materials and keys should be restricted. Secrets such as cryptographic keys, database credentials, API keys, and certificates represent sensitive components that require extensive oversight. The lifecycle of these components and how they are managed and deployed should be captured in the service contracts. Cryptographic processes should use the latest FIPS-validated or Cyber Centre-approved cryptographic algorithms. The security of a CSP's master keys also affects the safety of organization-specific keys linked to your services.</p> <p><strong>Example clause structure and language</strong></p> <p>The contractor must:</p> <ul><li>Ensure that cryptographic operations and the protection of critical security parameters (e.g. 
cryptographic keys) are performed in cryptographic modules certified by the <a href="https://www.cyber.gc.ca/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program (CMVP)</a>. The cryptographic module should be configured and operated in an approved mode in accordance with the CMVP-published security policy.</li> <li>Ensure that the CSP master key or root keys used for deriving other keys are generated and managed through secure and approved FIPS 140-validated processes for key generation, distribution, storage, and lifecycle management.</li> </ul><p><strong>References</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/guidance-cloud-service-cryptography-itsp50106">Guidance on cloud service cryptography (ITSP.50.106)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information (ITSP.40.111)</a></li> </ul></div> <div> <h4 id="2.1.7">2.1.7 Endpoint devices and media security</h4> <p>The resilience of the cloud infrastructure depends on the reliability of device components and associated software services. Where possible, service contracts should address the resilience of device components supporting critical service functions. Service agreements should address the reliability, resilience, performance, and operational targets of hardware and software components. 
Agreements should address access restrictions to removable media, destruction procedures, media transport, and distribution limitations.</p> <p><strong>Example clause structure and language</strong></p> <p>The contractor must:</p> <ul><li>Implement, manage, and monitor security-hardened endpoints with active host-based protections to protect against malware, attacks, and misuse in accordance with industry-recognized configuration guidelines such as those found in <a href="https://csrc.nist.gov/pubs/sp/800/123/final">NIST 800-123 Guide to General Server Security</a>, the <a href="https://www.cisecurity.org/cis-benchmarks">Center for Internet Security (CIS) benchmarks</a>, or an equivalent standard approved by the organization in writing.</li> <li>Securely erase, purge, dispose of, or destroy resources, such as equipment, data storage, files, and memory or devices that may contain your organization's data, and ensure that previously stored data cannot be re-instantiated from systems or devices.</li> <li>Design and implement operational measures to ensure software, hardware, and network communications systems support redundant and resilient services to withstand disruptions, hardware failures, and destructive cyber events.</li> <li>Ensure digital and non-digital media containing organizational data are protected by cryptographic mechanisms to protect the confidentiality and integrity of this information.</li> </ul><p><strong>References</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/securely-configure-devices">Securely configure devices</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-security-home-and-office-secure-your-devices-computers-and-networks-itsap00007">Secure your devices, computers, and networks (ITSAP.00.007)</a></li> 
<li><a href="https://www.cyber.gc.ca/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a></li> </ul></div> <div> <h4 id="2.1.8">2.1.8 Network and communications security</h4> <p>Communication systems (wireless or wired) extend the capability of cloud platforms to process data and provide on-demand network and computing resources. As data moves from one point to another, network paths, network devices, the control plane, and interconnectivity with other services require protection against vulnerabilities and cyber attacks. Cloud computing platforms require trusted network components, secure communication paths, and governance models to deliver trusted services. Customer organizations must ensure trusted communication system requirements are included in service arrangements with CSPs.</p> <p><strong>Example clause structure and language</strong></p> <p>The contractor must:</p> <ul><li>Provide the capability to establish secure connections to its platform, including protecting confidentiality, integrity, and availability, such as by using Transport Layer Security (TLS) for data-in-transit encryption and mutual TLS support to verify the identity of clients and services.</li> <li>Provide the ability for your organization to implement dedicated or private connections to its data centres, and support for sensitive workloads that may require such connections.</li> <li>Provide tools and capabilities to assess the effectiveness of security controls and provide visibility into the enforcement of security controls across the data transit path using technologies such as activity logs and reporting.</li> <li>Validate the security posture and uniquely identify and authenticate requests before establishing a network connection to the customer organization's tenant or cloud 
resources.</li> </ul><p><strong>References</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/cloud-network-security-zones-itsp80023">Cloud network security zones (ITSP.80.023)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/guidance-cloud-security-assessment-and-authorization-itsp50105">Guidance on cloud security assessment and authorization (ITSP.50.105)</a></li> </ul></div> <div> <h4 id="2.1.9">2.1.9 Continuous monitoring</h4> <p>Continuous monitoring of the state and security of the cloud service is essential. Managing logs, monitoring network traffic, and monitoring application service components are just a few of the related activities. Activity logs, system logs, audit logs, and event logs are examples of crucial components required for conducting monitoring and analytics to assess and validate security in the cloud. 
Monitoring performance metrics should also be included as part of the periodic reporting capabilities.</p> <p><strong>Example clause structure and language</strong></p> <p>The contractor must:</p> <ul><li>Actively and continuously monitor threats and vulnerabilities to cloud service infrastructure, applications and services, and your organization’s data.</li> <li>Conduct regular vulnerability scans and penetration testing of the contractor infrastructure and service locations, with the aim of identifying deficiencies and remediations to prevent unauthorized access to sensitive information, circumvention of access controls and privilege escalation, and exploitation of vulnerabilities to gain access to systems or information.</li> <li>Log and detect audit events such as (i) successful and unsuccessful account login attempts, (ii) account management, (iii) object access and policy change, (iv) privilege functions and process tracking, (v) system events, and (vi) deletion of data.</li> <li>Implement protections to prevent service exhaustion attacks through security measures such as denial of service protections.</li> </ul><p><strong>References</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/cyber-security-considerations-consumers-managed-services-itsm50030">Cyber security considerations for consumers of managed services (ITSM.50.030)</a></li> </ul></div> <div> <h4 id="2.1.10">2.1.10 Secure development, testing, and validation</h4> <p>The management of the software and system development lifecycle affects several cloud service components. 
The service contract must establish or describe secure management of the software lifecycle, including the management of vulnerabilities, the patch management cycle, and open-source software security.</p> <p><strong>Example clause structure and language</strong></p> <p>The contractor must:</p> <ul><li>Provide relevant information on known security vulnerabilities relating to systems it owns or controls that may require your organization’s action to successfully resolve or protect against such vulnerability.</li> <li>Manage and apply security-related patches and updates in a timely and systematic manner to mitigate vulnerabilities and remedy any publicly reported issues in the cloud services or libraries used by the cloud services, and provide advance notice of patches in accordance with agreed upon service-level commitments.</li> </ul><p><strong>References</strong></p> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/top-10-it-security-action-items-no2-patch-operating-systems-and-applications-itsm10096">Top 10 IT security action items: No.2 patch operating systems and applications (ITSM.10.096)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/automatically-patch-operating-systems-and-applications">Automatically patch operating systems and applications</a></li> </ul></div> </div> <div> <h3 id="2.2">2.2 Complementary considerations</h3> <p>Complementary considerations serve as additional cloud service baseline requirements and supporting security principles.</p> <div> <h4 id="2.2.1">2.2.1 Privacy risks</h4> <p>Your organization may have concerns about the potential impact on privacy and risks related to breaches of organizational data in the cloud. 
You should consider the privacy issues and the impact on the security of your organization’s data. To determine your necessary privacy protections, your organization should review the service provider’s management controls (policies and procedures) and technical controls. An independent assessment of privacy controls and their effectiveness should also be considered. Privacy impact assessments should be considered throughout the cloud service lifecycle to ensure related risks are being properly managed.</p> </div> <div> <h4 id="2.2.2">2.2.2 Personnel security</h4> <p>Your organization should confirm that personnel screening and criminal background checks are being completed for CSP employees as part of your contractual engagement. The CSP should provide evidence of personnel screening policies, security controls, and a compliance regime. Details of the personnel security clearances must be clearly documented, and procedures must be put in place to manage personnel transfer and termination. For employee role transitions, changes to credentials and authenticators should be executed in a timely manner. Non-disclosure agreements should be in place for CSP employees with access to organizational business data.</p> </div> <div> <h4 id="2.2.3">2.2.3 Physical security</h4> <p>Due to the nature of the cloud service model, physical security considerations are not often prioritized within service agreements. The security requirements for your organizational data remain the same wherever it may reside (on-premises or in the cloud). Contractual agreements must address physical security requirements to support your assets and data within the CSP’s infrastructure. Contractual clauses should emphasize physical restrictions regarding your data and sensitive corporate information.</p> <p>Data confidentiality security controls, such as encryption or other data transformation mechanisms, do not change the classification of your data. 
Ensure that your physical security requirements cover all data and assets the CSP’s infrastructure handles. Physical access to your organization’s data or resources should be restricted to authorized personnel. Contract agreements should address physical security of communications infrastructure and prevention of modification and tampering of assets. Ensure that security monitoring evaluates the effectiveness of physical security measures and that access logs to physical sites are maintained and audited periodically.</p> </div> <div> <h4 id="2.2.4">2.2.4 Data retention and destruction</h4> <p>Data retention and destruction security requirements should be defined to ensure the organization, <abbr title="cloud service provider">CSP</abbr>, and other third-party service providers understand their obligations with respect to data retention periods, data handling processes, and destruction processes. Your organization should ensure contractual documents define parameters on acceptable media types, data retention length, media protection controls, sanitization or destruction mechanisms, and destruction verification methods. These parameters should be aligned with the classification of data being protected. Data retention and destruction requirements should apply to all forms of data, including structured and unstructured forms. Periodic assessments should be scheduled to validate that contractual obligations are being met. 
For more information, see <a href="https://www.cyber.gc.ca/en/guidance/it-media-sanitization-itsp40006">IT Media Sanitization (ITSP.40.006)</a>.</p> </div> <div> <h4 id="2.2.5">2.2.5 Artificial intelligence</h4> <p>Artificial intelligence (AI) and machine learning tools are driving innovative capabilities and altering how system applications and services are delivered. These present unique threats and challenges, particularly with growth in the use of large language models (LLM) and generative <abbr title="Artificial intelligence">AI</abbr>. Organizations may need to pay attention to the security and privacy implications of <abbr title="Artificial intelligence">AI</abbr>-based solutions within their value chain. <abbr title="Artificial intelligence">AI</abbr> is being used to develop new services, and these solutions are being trained with business data. Unauthorized <abbr title="Artificial intelligence">AI</abbr> tools accessing your confidential and operational data present significant business and privacy risks. Service contracts should address limitations and restrictions related to <abbr title="Artificial intelligence">AI</abbr> tools accessing your data.</p> </div> <div> <h4 id="2.2.6">2.2.6 Quantum threat</h4> <p>Cryptography is an effective way to protect the confidentiality and integrity of information and to defend IT systems from cyber threat actors. Quantum computing threatens to break much of the cryptography we currently use. Quantum computers will use quantum physics to efficiently process information and solve problems that are impractical to solve using current computing capabilities. Quantum computers that are available now are not powerful enough to break cryptography, but the technology is advancing quickly and could be available by the 2030s. 
However, threat actors can steal encrypted information now and hold on to it until a sufficiently powerful quantum computer is available to decrypt, read, or access the information, even well after the information was created.</p> <p>To manage the risks associated with quantum computing advancements, your organization should evaluate the sensitivity of the information being shared with your vendor and determine its lifespan to identify information that may be at risk, which can be incorporated as part of your ongoing risk assessment processes. Additionally, your organization should discuss whether the contracting organization has plans to address the quantum threat. Contract agreements should specify that the contractor must keep their cryptographic processes up to date in accordance with the Cyber Centre’s guidance <a href="https://www.cyber.gc.ca/en/guidance/addressing-quantum-computing-threat-cryptography-itse00017">Addressing the quantum computing threat to cryptography (ITSE.00.017)</a>.</p> </div> </div> </section><section><h2 class="text-info" id="3">3 Terms and conditions</h2> <p>From a security perspective, contract elements must be prescriptive and conform to recognized frameworks and approaches in order for the <abbr title="cloud service provider">CSP</abbr> to establish how they address and maintain the security posture as indicated by your organization. In many cases, reliance on a given provider’s terms and conditions as outlined in a contract or end user licensing agreement (EULA) can be considered as acceptable. 
However, for some organizations with specific needs or for those that are bound by regulated authorities, negotiation between legal teams using some of the example clauses noted in this guidance may be required. In all cases, where possible, seek legal advice if there are any specific areas of concern.</p> <div> <h3 id="3.1">3.1 Considerations</h3> <p>Your organization should consider and discuss the following items with legal counsel and the provider.</p> <div> <h4 id="3.1.1">3.1.1 Trade secret protections (such as patented material and legal branding)</h4> <p>If your organization has regulatory requirements or has partnerships or joint venture considerations, you should ask how this type of information is separated or further secured within the main tenancy. This will assist you in identifying information that can be easily flagged and separated from general information orders or when a legal hold is indicated. Any terms and conditions must also clearly stipulate that placement of this information within the service provider does not denote a release by your organization to have, hold, or use such information, and that it remains the property of your organization.</p> </div> <div> <h4 id="3.1.2">3.1.2 Intellectual property</h4> <p>As with trade secrets, intellectual property does not hold official registration like a patent, but it does have direct bearing on your organization’s purpose or mandate and will need further measures to tag, identify, and secure. Any terms and conditions must also clearly stipulate that placement of this information within the service provider does not denote a release by your organization to have, hold, or use such information, and that it remains the property of your organization.</p> </div> <div> <h4 id="3.1.3">3.1.3 Indemnification/limitation of liability</h4> <p>In all cases of contracting, a certain level of liability is required and must be clearly outlined between parties. Cloud offers a new dynamic in this regard. 
Attention to how the provider accomplishes “security of the cloud” and describes it within the terms and conditions is very important. It must be noted where the line of responsibility comes into play for “security in the cloud” as this is your organization’s responsibility. Depending on whose tenancy is being used, this may become more complex when contracting a managed service provider, service or system integrator, or service orchestrator. A further description of tenancy ownership is detailed in section 3.2.</p> </div> <div> <h4 id="3.1.4">3.1.4 Support</h4> <p>The model of support can be of interest or concern to regulated organizations. Typically, <abbr title="cloud service providers">CSPs</abbr> are “global” in nature and will indicate that a “follow the sun” approach is used to gain coverage worldwide, 24/7, 365 days a year. This means that all service coverage is distributed across multiple global locations that cover a specific time zone. For any organization that has regulations as to where support or contracted resources can reside, discussion with the provider is recommended.</p> </div> <div> <h4 id="3.1.5">3.1.5 Migration</h4> <p>While it is always the intention of an organization to gain a trusted partner, there may come a time when movement of your information to a different provider is considered or possibly necessary. In this matter, initial review and questions regarding migration of information at the outset of the contract would be considered and discussed with the provider. 
Specific items to request information on are:</p> <ul><li>ingress and egress charges for the movement of data</li> <li>time allotments for migration activities once this is indicated to the primary provider</li> <li>length of time data is present in the tenancy once information has been migrated</li> </ul><p>Note: Data sanitization or removal as per the Cyber Centre’s guidance <a href="https://www.cyber.gc.ca/en/guidance/it-media-sanitization-itsp40006">IT Media Sanitization (ITSP.40.006)</a> is not applicable within the cloud. Rather, use crypto shredding and provider attestation that indicates to what level of assurance the data is overwritten.</p> </div> </div> <div> <h3 id="3.2">3.2 Tenancy ownership</h3> <p>As mentioned earlier, there are specific distinctions as to who provides or may be responsible for “security of the cloud” and “security in the cloud.” There is also the stipulation of where your organization “hosts” your information. This can be done in two specific ways:</p> <ul><li>hosting within your own tenancy (owned/controlled)</li> <li>being hosted within a provider’s tenancy</li> </ul><p>Your organization must understand the difference between a <abbr title="cloud service provider">CSP</abbr> and an <abbr title="managed service provider">MSP</abbr>. The main difference is found in the control exerted over the data and process and by whom. In an <abbr title="managed service provider">MSP</abbr>, the consumer dictates the technology and operating procedures. 
According to the <abbr title="managed service provider">MSP</abbr> Alliance, <abbr title="managed service providers">MSPs</abbr> typically have the following distinguishing characteristics:</p> <ul><li>some form of network operations centre (NOC) service</li> <li>some form of help desk service</li> <li>ability to remotely monitor and manage all or a majority of the objects for the customer</li> <li>ability to proactively maintain the objects under management for the customer</li> <li>capacity to deliver these solutions with some form of predictable billing model, where the customer knows with great accuracy what their regular IT management expense will be</li> </ul><p>With a <abbr title="cloud service provider">CSP</abbr>, the service provider dictates both the technology and the operational procedures being made available to the consumer. This means the <abbr title="cloud service provider">CSP</abbr> is offering some or all of the components of cloud computing through a software as a service (SaaS), infrastructure as a service (IaaS), or platform as a service (PaaS) model.</p> <p>To establish the areas of responsibility more clearly, figure 1 provides a more granular description of the shared responsibility model.</p> <div class="panel panel-default col-md-12"> <div class="panel-body"> <figure><figcaption class="mrgn-bttm-md" id="fig-1"><strong>Figure 1: Cloud shared responsibility model </strong></figcaption><img alt="Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/itsm.50.104-fig-1-e.jpg" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Cloud shared responsibility model </summary><p>Your CSP’s managed security controls provide security of the cloud and protect the CSP’s SaaS, PaaS, and IaaS product offerings. 
These controls help ensure:</p> <ul><li>isolation and virtualization of the cloud infrastructure</li> <li>security of the management plane</li> <li>self-service portals and application program interfaces (APIs)</li> <li>mechanisms which protect the cloud from physical and network threats</li> </ul><p>CSPs are also responsible for providing your organization with key security capabilities including:</p> <ul><li>data encryption at rest</li> <li>identity and access management</li> <li>secure key management</li> <li>multi-factor authentication</li> </ul><p>Your organization is responsible for managed security controls that provide security in the cloud. Examples of security controls protecting cloud workloads include the following:</p> <ul><li>web application gateways</li> <li>network security groups</li> <li>availability groups</li> <li>storage encryption and tokenization</li> <li>network security appliances</li> <li>security baseline hardening</li> <li>configuration of CSP-provided key security features and capabilities</li> </ul><p>CSP and cloud consumer management responsibilities will vary based on the selected cloud service model.</p> </details></figure></div> </div> <p><strong>Figure Caption:</strong> Figure 1 represents the sharing of responsibilities between a cloud consumer organization and the <abbr title="cloud service provider">CSP</abbr>, breaking down the responsibilities in accordance with the cloud deployment model selected. 
Whether your organization and <abbr title="cloud service provider">CSP</abbr> agree to an Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) deployment model, you will have a mix of responsibilities solely for your organization, solely for the <abbr title="cloud service provider">CSP</abbr>, and responsibilities shared between your organization and the <abbr title="cloud service provider">CSP</abbr>.<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup></p> <div> <h4 id="3.2.1">3.2.1 Organization (consumer) owned or controlled tenancy</h4> <p>When it comes to tenancy ownership or control, the organization contracts directly with the main <abbr title="cloud service provider">CSP</abbr>, including for any <abbr title="Platform as a Service">PaaS</abbr> or <abbr title="Software as a Service">SaaS</abbr> applications. In this context, your organization is therefore in direct control of the configuration of the tenancy and the requisite areas as noted in the shared responsibility model depending on what solution has been designed. One area of contrast is whether your organization contracts with an <abbr title="managed service provider">MSP</abbr> or an <abbr title="Managed security service provider">MSSP</abbr> that has access to your organization’s administrative plane. While your organization owns and controls the tenancy, you provide the ability through your contract to the <abbr title="managed service provider">MSP</abbr> or <abbr title="Managed security service provider">MSSP</abbr> to then administer the tenancy on your organization’s behalf. The extent of administrative control is dependent on your organization’s intent. 
A key distinction between this arrangement and a tenancy hosted by another entity is that your organization maintains control, and areas of liability will be negotiated.</p> </div> <div> <h4 id="3.2.2">3.2.2 Managed service provider and managed security service provider</h4> <p>The context of “being hosted” in a provider’s tenancy or instance changes the dynamic of what your organization, as the consumer, may still be responsible for. Some of these areas of responsibility include identity and access control, and the data that is placed in the environment. The remainder becomes the responsibility or liability of the entity hosting the organization. The additional step your organization can take beyond what has already been discussed is to establish whether your data is separated via logical or cryptographic measures. In the past, separate hardware configurations (servers) were an option, but cloud environments do not offer this capability unless a “bare metal” option is offered. This increases some complexities in the governance of your organization’s operations, but it does alleviate the configuration and maintenance elements of the tenancy.</p> </div> </div> </section><section><h2 class="text-info" id="4">4 Conclusion</h2> <p>The use of cloud services can provide a great amount of flexibility and agility to your organization. There are many as-a-service offerings which have matured over the years, easing the transition to the cloud. As has been demonstrated in this guidance, there are areas of concern and questions that should be explored by your organization prior to, during, and after exiting a cloud environment. 
This guidance is provided as general knowledge for any organization looking to begin their cloud journey and looking to sidestep pitfalls in the use of cloud technologies. As indicated, this is not to be taken as legal advice.</p> <p>Overall, the key message is to work with your selected <abbr title="cloud service provider">CSP</abbr> to ensure common understanding of your engagement and to inquire and establish what can be done to meet your organization’s specific needs.</p> <h2 class="text-info" id="5">5 Supporting content</h2> <div> <h3 id="5.1">5.1 List of abbreviations</h3> <dl class="dl-horizontal"><dt>AI</dt> <dd>Artificial Intelligence</dd> <dt>API</dt> <dd>Application Programming Interface</dd> <dt>ASTRA</dt> <dd>Analytical Software for Threat Assessment</dd> <dt>CIS</dt> <dd>Center for Internet Security</dd> <dt>CMVP</dt> <dd>Cryptographic Module Validation Program</dd> <dt>CSP</dt> <dd>Cloud Service Provider</dd> <dt>FIPS</dt> <dd>Federal Information Processing Standard</dd> <dt>HTRA</dt> <dd>Harmonized Threat Risk Assessment</dd> <dt>IaaS</dt> <dd>Infrastructure as a Service</dd> <dt>IAM</dt> <dd>Identity Access Management</dd> <dt>IDP</dt> <dd>Identity Provider</dd> <dt>IT</dt> <dd>Information Technology</dd> <dt>LLM</dt> <dd>Large Language Models</dd> <dt>MFA</dt> <dd>Multi-factor Authentication</dd> <dt>MSP</dt> <dd>Managed Service Provider</dd> <dt>MSSP</dt> <dd>Managed Security Service Provider</dd> <dt>NIST</dt> <dd>National Institute of Standards and Technology</dd> <dt>NLP</dt> <dd>Natural Language Processing</dd> <dt>PaaS</dt> <dd>Platform as a Service</dd> <dt>SI</dt> <dd>Service Integrator</dd> <dt>SO</dt> <dd>Service Orchestrator</dd> <dt>TLS</dt> <dd>Transport Layer Security</dd> <dt>TRA</dt> <dd>Threat Risk Assessment</dd> </dl></div> <div> <h3 id="5.2">5.2 Glossary</h3> <dl class="dl-horizontal"><dt>Artificial intelligence</dt> <dd>A subfield of computer science that develops intelligent computer programs to behave in 
a way that would be considered intelligent if observed in a human (e.g. solve problems, learn from experience, understand language, interpret visual scenes).</dd> <dt>Authentication</dt> <dd>The process of verifying an identity claimed by or for a system entity.</dd> <dt>Authorization</dt> <dd>Access privileges granted to a user, program, or process.</dd> <dt>Cloud computing</dt> <dd>The use of remote servers hosted on the Internet. Cloud computing allows users to access a shared pool of computing resources (such as networks, servers, applications, or services) on demand and from anywhere.</dd> <dt>Contract</dt> <dd>A legally enforceable contract is a deliberate agreement (intention to create legal relations) constituted by an outstanding offer and the unconditional acceptance of it (offer and acceptance), involving a reasonably precise set of terms (certainty of terms) between two or more competent parties (capacity), supported by mutual consideration (consideration), to do some legal act voluntarily (legality of purpose).</dd> <dt>Quantum computing</dt> <dd>A quantum computer can process a vast number of calculations simultaneously. 
Whereas a classical computer works with ones and zeros, a quantum computer will have the advantage of using ones, zeros and “superpositions” of ones and zeros.</dd> <dt>Threat and risk assessment</dt> <dd>A process of identifying system assets and how these assets can be compromised, assessing the level of risk that threats pose to assets, and recommending security measures to mitigate threats.</dd> </dl></div> </section><section><aside class="wb-fnote" role="note"><h2 class="text-info" id="reference">References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>The official (ISC)2 Guide to the CCSP CBK, 2016, Domain 1 Architectural Concepts and Design Requirements Domain, p4.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </div> </article>
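Crypto shredding, which section 3.1.5 above recommends in place of media sanitization for cloud-resident data and section 2.2.4 counts among destruction mechanisms, destroys the key rather than the data copies. The Go program below is an added example, not code from this Cyber Centre publication or from any provider; it assumes a hypothetical in-memory KMS standing in for a customer-managed key store and uses AES-256-GCM envelope encryption (a per-object DEK wrapped under a tenant KEK).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrKeyShredded: the key-encryption key (KEK) is gone, so ciphertext still held on
// provider media, backups or snapshots can no longer be turned back into plaintext.
var ErrKeyShredded = errors.New("KEK destroyed: data is cryptographically unrecoverable")

// Envelope is everything that remains on provider storage: the object ciphertext
// and its data-encryption key (DEK) wrapped under a consumer-controlled KEK.
type Envelope struct {
	KEKID      string
	DEKNonce   []byte // nonce used to wrap the DEK
	WrappedDEK []byte // AES-256-GCM(KEK, DEK)
	Nonce      []byte // nonce used for the object
	Ciphertext []byte // AES-256-GCM(DEK, plaintext)
}

// KMS is a hypothetical in-memory stand-in for a customer-managed key store.
// Crypto shredding is only meaningful if it holds the sole copy of each KEK.
type KMS struct{ keks map[string][]byte }

func NewKMS() *KMS { return &KMS{keks: map[string][]byte{}} }

// randBytes returns n bytes from the OS CSPRNG; a failure there is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-GCM for a key whose size we control, so errors are programming bugs.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated only.
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	aead := mustGCM(key)
	nonce = randBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad)
}

// unseal returns an error (and no plaintext) if key, nonce, ciphertext or aad were altered.
func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	return mustGCM(key).Open(nil, nonce, ct, aad)
}

// CreateKEK generates a random 256-bit KEK for a tenant or data set.
func (k *KMS) CreateKEK(id string) { k.keks[id] = randBytes(32) }

// Shred is the crypto-shredding step: drop the KEK (a real KMS would also overwrite
// the stored key material). Every envelope wrapped under it becomes unreadable at
// once, wherever ciphertext copies live. Pair this with provider attestation that
// no other copy of the KEK exists.
func (k *KMS) Shred(id string) { delete(k.keks, id) }

// Encrypt builds an envelope: a fresh per-object DEK encrypts the data and the KEK
// wraps only the DEK. The KEK id is bound as associated data on both layers.
func (k *KMS) Encrypt(kekID string, plaintext []byte) (*Envelope, error) {
	kek, ok := k.keks[kekID]
	if !ok {
		return nil, ErrKeyShredded
	}
	dek := randBytes(32)
	nonce, ct := seal(dek, plaintext, []byte(kekID))
	dekNonce, wrapped := seal(kek, dek, []byte(kekID))
	return &Envelope{kekID, dekNonce, wrapped, nonce, ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the object. After Shred there
// is no KEK to unwrap with, so ErrKeyShredded is returned and the data stays sealed.
func (k *KMS) Decrypt(env *Envelope) ([]byte, error) {
	kek, ok := k.keks[env.KEKID]
	if !ok {
		return nil, ErrKeyShredded
	}
	dek, err := unseal(kek, env.DEKNonce, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Nonce, env.Ciphertext, []byte(env.KEKID))
}
```

The ciphertext bytes remain in the envelope after Shred, which is exactly the situation in a provider's backups and snapshots; the contractual ask is attestation that no other copy of the KEK exists.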
- Targeted manipulation: Iran’s social engineering and spear phishing campaignsby Canadian Centre for Cyber Security on December 20, 2024 at 2:03 pm
<article data-history-node-id="5926" about="/en/guidance/targeted-manipulation-irans-social-engineering-and-spear-phishing-campaigns" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><section><div class="row"> <div class="col-md-12"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-tp-md mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/cyber-iran-social-engineering-spear-phishing-campaigns-e.pdf">Targeted manipulation: Iran’s social engineering and spear phishing campaigns (PDF, 545 KB)</a></p> </div> <h2 class="text-info">About this report</h2> <p>This report advises on the threat from socially engineered spear phishing campaigns by Iranian state-sponsored actors. It is intended for experts and professionals who work in fields that may be of strategic interest to Iran, cyber security professionals, and the general reader with an interest in cyber security. For guidance on technical mitigation of these threats, consult the <a href="/en/guidance">Canadian Centre for Cyber Security’s (Cyber Centre) guidance</a> or contact the Cyber Centre.</p> <p>Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be distributed without restriction. 
You can find more information on the Traffic Light Protocol at the <a href="https://www.first.org/tlp/">Forum of Incident Response and Security Teams website</a>.</p> <h3 class="text-info">Contact</h3> <p>For follow-up questions or issues, please contact the Cyber Centre at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> <h3 class="text-info">Assessment base and methodology</h3> <p>The key judgements in this assessment rely on reporting from multiple sources, both classified and unclassified. The judgements are based on the knowledge and expertise in cyber security of the Cyber Centre. Defending the Government of Canada’s information systems provides the Cyber Centre with a unique perspective to observe trends in the cyber threat environment, which also informs our assessments. The Communications Security Establishment’s foreign intelligence mandate provides us with valuable insight into adversary behaviour in cyberspace. While we must always protect classified sources and methods, we provide the reader with as much justification as possible for our judgements.</p> <p>Our judgements are based on an analytical process that includes evaluating the quality of available information, exploring alternative explanations, mitigating biases and using probabilistic language. We use terms such as “we assess” or “we judge” to convey an analytic assessment. We use qualifiers such as “possibly”, “likely”, and “very likely” to convey probability.</p> <p>The assessments and analysis are based on information available as of <strong>February 2, 2024</strong>.</p> <h3 class="text-info">Estimative language chart</h3> <div class="panel panel-default col-md-12"> <div class="panel-body"> <figure><p class="mrgn-bttm-lg">The chart below matches estimative language with approximate percentages. 
These percentages are not derived via statistical analysis, but are based on logic, available information, prior judgements, and methods that increase the accuracy of estimates.</p> <img alt="Long description immediately follows" class="img-responsive center-block mrgn-bttm-lg" src="/sites/default/files/images/tarp-language-chart-transparent-e.png" /><details class="brdr-tp brdr-rght brdr-bttm brdr-lft mrgn-bttm-sm"><summary>Long description – Estimative language chart</summary><ul class="list-unstyled mrgn-tp-md"><li>1 to 9% Almost no chance</li> <li>10 to 24% Very unlikely/very improbable</li> <li>25 to 39% Unlikely/improbable</li> <li>40 to 59% Roughly even chance</li> <li>60 to 74% Likely/probably</li> <li>75 to 89% Very likely/very probable</li> <li>90 to 99% Almost certainly</li> </ul></details></figure></div> </div> <h2 class="text-info">Key judgements</h2> <ul class="lst-spcd"><li>We assess that Iranian cyber threat actors continue to be particularly sophisticated in social engineering and in using it to enhance their spear phishing capabilities.</li> <li>We assess that Iranian cyber threat actors customize and enhance the effectiveness of their social engineering campaigns by developing compelling personas, building rapport with targets over longer periods of time and using enticing, highly emotive content related to timely geopolitical issues or traumatic events.</li> <li>We assess that Iranian cyber threat actors prioritize their social engineering and spear phishing efforts against experts who have information considered to be of political, economic or military intelligence value to Iran.</li> </ul></div> </div> </section><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul><li><a href="#intro">Introduction</a></li> <li><a href="#iran-approach">Iran’s approach to sophisticated social engineering campaigns</a></li> <li><a href="#outlook">Outlook</a></li> <li><a href="#further-reading">Further reading</a></li> <li><a href="#fn">Footnotes</a></li> </ul></details></section><section><div class="row"> <div class="col-md-12"> <h2 class="text-info" id="intro">Introduction</h2> <p><strong>We assess that Iranian cyber threat actors are particularly sophisticated in social engineering and in using it to enhance their spear phishing capabilities.</strong> Iranian actors support their spear phishing operations through techniques such as creating compelling personas, using enticing or emotive lures, and building rapport with their targets over long periods of time. Iranian social engineering efforts focus on using professional interactions on social media platforms to gain information about organizations related to Iran’s political, economic and military interests, particularly in the aerospace, energy, defence, security and telecommunications sectors.<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> Iranian actors use social engineering and spear phishing operations against softer targets like personal email and social media accounts as a method of collecting information from, or gaining access to, even hardened government and organizational networks.</p> <section class="panel panel-primary"><header class="panel-heading"><h3 class="panel-title">What is social engineering?</h3> </header><div class="panel-body"> <p>Social engineering is the attempt to manipulate a person into doing something that is not in their best interests, such as divulging information (e.g. 
login credentials, sensitive information, etc.).</p> <p>There are 5 features that make social engineering successful:</p> <ul><li>Reciprocity: People feel obligated to discharge perceived debts</li> <li>Authority: People respond to authority figures</li> <li>Scarcity: People value things they perceive as scarce</li> <li>Consistency: People act to maintain their social image</li> <li>Social proof: People tend to trust people they perceive as similar to themselves</li> </ul><p>Cyber threat actors leverage social media sites to feign legitimacy and deceive victims to enable spear phishing operations.</p> </div> </section></div> </div> </section><section><div class="row"> <div class="col-md-12"> <h2 class="text-info mrgn-tp-lg" id="iran-approach">Iran’s approach to sophisticated social engineering campaigns</h2> <p>We assess that Iranian cyber threat actors customize and enhance the effectiveness of their social engineering campaigns by developing compelling personas, building rapport with targets over longer periods of time and using enticing, highly emotive content related to timely geopolitical issues or traumatic events.</p> <div class="col-md-6 col-md-offset-3"> <div class="panel panel-default"> <div class="panel-body"> <h3 class="text-center h4"><strong>Figure 1: The socially engineered spear phishing process</strong></h3> <div class="col-md-12"><img alt="" class="img-responsive center-block" src="/sites/default/files/images/cyber-pub-icon1-ef.jpg" width="100px" /><p class="text-center">Actors construct a false persona on multiple social media sites</p> </div> <div class="col-md-12"><img alt="" class="img-responsive center-block" src="/sites/default/files/images/cyber-pub-icon2-ef.png" width="100px" /><p class="text-center">Persona interacts with 
the target, often building trust and relating on shared interests</p> </div> <div class="col-md-12"><img alt="" class="img-responsive center-block" src="/sites/default/files/images/cyber-pub-icon3-ef.png" width="100px" /><p class="text-center">Actors send a malicious link or file and/or attempt to compromise the device</p> </div> </div> </div> </div> </div> </div> <h3>Creating compelling personas</h3> <p>Iranian cyber threat actors create and employ fake personas to build relationships with their targets and establish trust. They typically develop professional relationships or relationships around the targets’ interests. Personas allow for a curated and interactive approach to establishing trust and legitimacy with targets, especially now that more individuals’ “professional and social selves” are online and not as distinguishable from their “offline selves”. 
We assess that Iranian cyber threat actors very likely use attractive female personas to manipulate their targets.<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> Further, we assess that Iranian cyber threat actors likely leverage previously compromised and spoofed email accounts to add perceived legitimacy to their personas and for subsequent lures.</p> <p>Iranian cyber threat actors have used fake personas to target individuals from a wide variety of professional fields, including:</p> <ul><li>defence contractors</li> <li>aerospace employees</li> <li>energy sector employees</li> <li>journalists</li> <li>academics</li> <li>researchers</li> <li>activists</li> <li>politicians</li> <li>diplomats</li> <li>civil society groups<sup id="fn1a-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup><sup id="fn2a-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup><sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></li> </ul><h4>Case study 1: Aerobics instructor from Liverpool or Iranian social engineer?</h4> <p>An Iranian cyber threat actor used a false persona to pose as an aerobics instructor and personal trainer named Marcella Flores. The false persona established a months-long relationship with an employee of an aerospace defence contractor.</p> <p>The false persona nursed the digital relationship over multiple corporate and personal communication platforms. The persona then delivered malware to the target’s machine through a malicious Excel spreadsheet that appeared to be a benign “Diet Survey” document.<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup></p> <h4>Case study 2: Mia Ash</h4> <p>Mia Ash was a fake persona used by Iranian cyber threat actors to target organizations in the Middle East from 2016 to 2017. 
Ash claimed to be a 30-year-old British professional photographer. Her profile was built using stolen pictures, likely from the Instagram account of a legitimate photographer. She had a presence on Facebook, Blogger and LinkedIn.</p> <p>The persona used LinkedIn to contact an employee at a targeted organization and exchanged messages with the target about their professions, photography and travels, after which she encouraged the target to add her on Facebook. Correspondence continued via WhatsApp, email and Facebook. After a few weeks, she sent a malicious Excel document presented as a photography survey, encouraging the target to open it at work using their corporate email. Threat actors likely leveraged the persona to gain access to a targeted organization because the initial phishing campaign was unsuccessful.</p> <div class="row"> <div class="col-md-12 mrgn-tp-md"> <section class="panel panel-primary"><header class="panel-heading"><h5 class="panel-title">Repeat use of personas</h5> </header><div class="panel-body"> <p>Iranian actors will often use personas multiple times, which likely demonstrates a sustained effort in the development of these personas and their networks.<sup id="fn2b-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> The following examples demonstrate how Iranian actors reuse personas to achieve their objectives.</p> <ul><li><strong>Female Persona A</strong> <ul><li><strong>Winter 2020:</strong> Iranian actors used Persona A to conduct a social engineering operation against a U.S. 
person.</li> <li><strong>Summer 2020:</strong> Actors used Persona A again to conduct spear phishing and social engineering operations against multiple individuals, using scholarly and news-themed emails in which the targets were directed toward malicious documents via links or attachments.</li> </ul></li> <li><strong>Female Persona B</strong> <ul><li><strong>Spring 2020:</strong> Iranian cyber threat actors used Persona B to befriend a foreign national on LinkedIn. The cyber threat actors later compromised the target’s device and exfiltrated sensitive personal information and content from the device.</li> <li><strong>Summer 2020:</strong> Iranian cyber threat actors used Persona B to impersonate a recruiter, target an employee of a U.S. cleared defence contractor and obtain the target’s resume. The persona was also active on LinkedIn, making several connections to personnel of various companies.</li> </ul></li> <li><strong>Female Persona C</strong> <ul><li><strong>Summer 2022 to summer 2023:</strong> Iranian actors used Persona C on Facebook to conduct a social engineering campaign against a Defense Industrial Base employee. Persona C shared a website with the employee based around a shared hobby.</li> <li><strong>Spring 2023:</strong> Iranian actors used Persona C to target several employees of Defense Industrial Base companies, selected by their company affiliation on Facebook. Persona C claimed to be conducting research and sent targets a questionnaire.</li> </ul></li> <li><strong>Female Persona D</strong> <ul><li><strong>Winter 2021 to fall 2022:</strong> Iranian actors targeted a Europe-based defence sector employee using Persona D on a career-oriented social networking site. 
After establishing trust, communications moved to email, where the persona sent a malicious document and encouraged the target to add information.</li> <li><strong>Spring 2023:</strong> Iranian actors almost certainly used Persona D to target a specific personal email account with a spear phishing email encouraging the victim to open the malicious link and then enter a provided password.</li> </ul></li> <li><strong>Female Persona E</strong> <ul><li><strong>Fall 2022 to fall 2023:</strong> Iranian actors used Persona E across multiple social media platforms, posing as a journalist questioning targets on human rights issues in Iran. The persona’s likely intention was to send malicious files to the target.</li> <li><strong>Summer to fall 2023:</strong> Iranian actors used multiple personas (including Persona E) in a combined spear phishing and social engineering operation targeting employees in the nuclear sector.</li> </ul></li> </ul></div> </section></div> </div> <h4>Targeting emotional vulnerabilities and building trust: Operations around traumatic events</h4> <div class="col-md-6 mrgn-tp-sm pull-right"> <section class="panel panel-primary"><header class="panel-heading"><h5 class="panel-title">Targeting veterans with post-traumatic stress disorder (PTSD)</h5> </header><div class="panel-body"> <p>In 2020, Iranian cyber threat actors conducted a PTSD-themed social engineering campaign against defence contractors and government officials using a fictitious psychologist LinkedIn persona. The persona was seeking inquiries from military service members suffering from PTSD as a result of combat experience. 
The actor solicited targets into visiting probable malicious links and into providing work-related contact information.</p> </div> </section></div> <p class="mrgn-tp-0">Iranian cyber threat actors use personas to develop trust with a target by sharing their concerns around major traumatic events and tragedies. For example, Iranian cyber threat actors reportedly ran an Israel-Hamas war-themed campaign, creating a fake website for the “Bring Them Home Now” movement, which calls for the return of Israeli hostages held by Hamas, where the website would eventually lead to downloading a malicious payload.</p> <p>In October 2022, after the death of Mahsa Amini and the ensuing protests in Iran, Iranian cyber threat actors used a false Twitter (now X) persona, Sara Shokouhi, to conduct a spear phishing campaign targeting female protestors, political activists and human rights researchers inside and outside of Iran. The persona reached out to victims, purportedly on behalf of the U.S. Atlantic Council think tank, to gain trust and build rapport with victims over several weeks, after which it attempted to either steal credentials or deploy malware on their computer or mobile device.<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup></p> <h4>Offering false professional opportunities and collaboration</h4> <p>Iranian cyber threat actors appeal to shared professional interests, offering to collaborate with the target and gaining more trust and access to information throughout the process. For many fields, including academia, journalism, research, activism and NGOs, online collaboration is considered routine. 
Targets in these professions are valuable not only for their knowledge, but also for their networks of contacts and the places and people that they may have access to.</p> <h5>Job opportunities</h5> <p>Iranian cyber threat actors have run many operations using personas posing as recruiters and employees of companies from the countries in which their targets were located to offer targets prospective job opportunities. These operations typically target U.S. defence contractors in the Middle East and subcontractors associated with larger defence <span class="nowrap">companies.<sup id="fn2c-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup></span></p> <h5>Think tanks and research institutes</h5> <p>Iranian actors impersonated the president of the U.S.-based Middle East Institute and contacted Iranian and non-Iranian activists, asking to establish a partnership with the target and collaborate in the target’s area of expertise. After building trust with the target over correspondence, actors invited them to participate in a virtual meeting, sending a malicious link to steal the target’s credentials.<sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup></p> <h5>Conferences</h5> <p>In a 2021 operation to gather strategic insights on relations with Tehran, Iranian cyber threat actors masqueraded as scholars from the University of London’s School of Oriental and African Studies (SOAS) organizing a conference. Personas targeted experts in foreign policy, journalists, and academics specializing in Middle East politics. 
They established relationships and communicated with targets, eventually leading them to a conference registration link hosted on a compromised website.<sup id="fn2d-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup></p> <p>Iranian cyber threat actors reportedly targeted Human Rights Watch staff members, journalists and human rights activists using WhatsApp, claiming to be from a Lebanon-based think tank and inviting recipients to a conference. The actor impersonated an individual who had previously worked at the think tank and used a similar format to the think tank’s previous invitations.<sup id="fn2e-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup><sup id="fn3a-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></p> <h5>Media and expertise</h5> <p>Iranian cyber threat actors have used journalistic personas on multiple occasions to conduct intrusion or influence operations against targets. Reporting in 2020 indicates that Iranian actors developed fake personas that spoofed real journalists from major news entities including the New York Times, CNN and The Wall Street Journal. 
Actors would engage with victims, driving them to encrypted chat platforms like WhatsApp and eventually moving to fake video conferences where, presumably, the victim would continue to be compromised.<sup id="fn3b-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></p> </section><section><div class="row"> <div class="col-md-12"> <h2 class="text-info mrgn-tp-lg" id="outlook">Outlook</h2> <p>The post-Covid-19 pandemic tendency for corporations and organizations to move more activities online, such as conferences, recruitment, training and public talks, is likely providing, and will continue to provide, Iranian cyber threat actors (and others) more opportunities to conduct social engineering operations.</p> <p>Advances in AI technology, such as synthetically created images and voice, could enable Iranian cyber threat actors to create more convincing online personas. In early February 2024, Iranian actors interrupted television streaming services in the UAE using a deepfake newsreader delivering a report on the war in Gaza.<sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup></p> <p>Given Iranian cyber threat actors’ tendencies to appeal to those interested or involved in current events, these social engineering techniques could be combined with Iran’s cyber-enabled information operations. Iranian cyber threat actors have employed information operations during the Covid-19 pandemic<sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup> and increased such operations since the onset of the Israel-Hamas war in October 2023. 
Iranian information operations have increasingly targeted international audiences, particularly those in the West.<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup> We assess that Iran could likely combine these information operations with social engineering campaigns to target individuals or organizations concerned about the conflict.</p> <p>Iran continues to strengthen its operational capacity for social engineering through procuring the infrastructure required to conduct sophisticated social engineering campaigns, establishing new vectors of communication with targets, building networks of personas and training.</p> </div> </div> </section><section><div class="row"> <div class="col-md-12"> <h2 class="text-info mrgn-tp-lg" id="further-reading">Further reading</h2> <p>The Cyber Centre regularly publishes advice and guidance to help Canadians and Canadian organizations protect themselves against common cyber threats. This includes some of the threats outlined in this assessment, such as spear phishing and social engineering.</p> <p>Please refer to the following online resources for more information and for useful advice and guidance:</p> <ul><li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks – ITSAP.00.101</a></li> <li><a href="/en/guidance/spotting-malicious-email-messages-itsap00100">Spotting malicious email messages – ITSAP.00.100</a></li> <li><a href="/en/guidance/social-engineering-itsap00166">Social engineering – ITSAP.00.166</a></li> <li><a href="/en/guidance/how-identify-misinformation-disinformation-and-malinformation-itsap00300">How to identify misinformation, disinformation, and malinformation – ITSAP.00.300</a></li> <li><a href="/en/guidance/artificial-intelligence-itsap00040">Artificial Intelligence – ITSAP.00.040</a></li> <li><a href="/en/guidance/preventative-security-tools-itsap00058">Preventative security tools – 
ITSAP.00.058</a></li> </ul></div> </div> </section><aside class="wb-fnote" role="note"><h2 id="fn">Footnotes</h2> <dl><dt>1</dt> <dd id="fn1"> <p>Emil Sayegh. <a href="https://www.forbes.com/sites/emilsayegh/2023/03/28/inside-the-shadowy-world-of-iranian-cyber-espionage-group-apt33/">Inside the Shadowy World of Iranian Cyber Espionage Group APT 33</a>. Forbes. March 28, 2023; Collin Anderson and Karim Sadjadpour. <a href="https://carnegieendowment.org/research/2018/01/irans-cyber-threat-espionage-sabotage-and-revenge">Iran’s Cyber Threat: Espionage, Sabotage and Revenge</a>. Carnegie Endowment for International Peace. January 1, 2018.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>2</dt> <dd id="fn2"> <p>INSIKT Group. <a href="https://www.recordedfuture.com/research/social-engineering-remains-key-tradecraft-for-iranian-apts">Social Engineering Remains Key Tradecraft for Iranian APTs</a>. Recorded Future. March 30, 2022.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote </span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>3</dt> <dd id="fn3"> <p>Human Rights Watch. <a href="https://www.hrw.org/news/2022/12/05/iran-state-backed-hacking-activists-journalists-politicians">Iran: State-Backed Hacking of Activists, Journalists, Politicians</a>. December 5, 2022.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote </span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>4</dt> <dd id="fn4"> <p>Joshua Miller, Michael Raggi, and Crista Giering. 
<a href="https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media">I Knew You Were Trouble: TA456 Targets Defence Contractor with Alluring Social Media Persona</a>. Proofpoint. July 28, 2021.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote </span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>5</dt> <dd id="fn5"> <p>Ravie Lakshmanan. <a href="https://thehackernews.com/2023/03/iranian-hackers-target-women-involved.html">Iranian Hackers Target Women Involved in Human Rights and Middle East Politics</a>. The Hacker News. March 9, 2023.</p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote </span>5<span class="wb-inv"> referrer</span></a></p> </dd> <dt>6</dt> <dd id="fn6"> <p>CERTFA Lab. <a href="https://blog.certfa.com/posts/charming-kitten-can-we-wave-a-meeting/">Charming Kitten: “Can we Have a Meeting?”: Important puzzle pieces of Charming Kitten’s cyber espionage operations</a>. September 8, 2022.</p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote </span>6<span class="wb-inv"> referrer</span></a></p> </dd> <dt>7</dt> <dd id="fn7"> <p>Dan Milmo. <a href="https://www.theguardian.com/technology/2024/feb/08/iran-backed-hackers-interrupt-uae-tv-streaming-services-with-deepfake-news">Iran-backed Hackers Interrupt UAE TV Streaming Services with Deepfake News</a>. The Guardian. February 8, 2024.</p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote </span>7<span class="wb-inv"> referrer</span></a></p> </dd> <dt>8</dt> <dd id="fn8"> <p>Mark Dubowitz and Saeed Ghasseminejad. <a href="https://ctc.westpoint.edu/irans-covid-19-disinformation-campaign/">Iran’s Covid-19 Disinformation Campaign</a>. Combating Terrorism Center Sentinel. Vol 13, Issue 6. 
June 2020.</p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote </span>8<span class="wb-inv"> referrer</span></a></p> </dd> <dt>9</dt> <dd id="fn9"> <p>Microsoft Threat Intelligence. <a href="https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/iran-surges-cyber-enabled-influence-operations-in-support-of-hamas">Iran surges cyber-enabled influence operations in support of Hamas</a>. February 26, 2024.</p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote </span>9<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>
- Executive summary and updated joint guidance on choosing secure and verifiable technologies by Canadian Centre for Cyber Security on December 5, 2024 at 1:38 pm
<article data-history-node-id="5782" about="/en/news-events/executive-summary-and-updated-joint-guidance-choosing-secure-and-verifiable-technologies" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC), and the following international partners, in releasing updated cyber security guidance on obtaining secure digital products or services:</p> <ul><li>New Zealand’s National Cyber Security Centre (NCSC-NZ)</li> <li>Republic of Korea National Intelligence Service (NIS) and NIS’ National Cyber Security Centre (NCSC-Korea)</li> <li>United Kingdom (UK) National Cyber Security Centre (NCSC-UK)</li> <li>United States’ Cybersecurity and Infrastructure Security Agency (CISA)</li> </ul><p>To protect users’ privacy and data from cyber threats, organizations must ensure they are choosing secure and verifiable technologies. 
When obtaining and operating digital products or services, organizations are responsible for evaluating suitability, security and associated risks.</p> <p>This guidance includes 2 publications.</p> <h2>Choosing secure and verifiable technologies: Executive summary</h2> <p>This joint executive summary intends to summarize and inform senior leaders on the items they should consider during the procurement of digital products and services.</p> <p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/choosing-secure-and-verifiable-technologies-executive-guidance">Choosing secure and verifiable technologies: Executive summary</a>.</p> <h2>Choosing secure and verifiable technologies (version 2)</h2> <p>This updated joint guidance informs organizations of secure-by-design considerations for the procurement of digital products and services. It aims to assist organizations in making better-informed information and communication technology procurement assessments and decisions.</p> <p>This joint guidance also signals to manufacturers the key security questions and expectations they can anticipate from their customers, ideally resulting in increased development of secure technologies.</p> <p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/choosing-secure-and-verifiable-technologies">Choosing secure and verifiable technologies (version 2)</a>.</p> </div> </div> </div> </div> </div> </article>
