Changes to the Policy on Service and Digital policy instruments – three new mandatory configurations
From: Chief Information Officer of the Government of Canada
To: Deputy Heads, Departmental Chief Information Officers and Chief Security Officers
Subject: Changes to the Policy on Service and Digital policy instruments
Message:
Colleagues,
I would like to take this opportunity to thank you for your continued collaboration in establishing enterprise-wide, integrated approaches to the governance, planning and management of cyber security in the Government of Canada (GC). As deputy heads, you are accountable for ensuring that “cyber security requirements and appropriate risk-based measures are applied continuously in an identify, protect, detect, respond, and recover approach to protect information systems and services.” Further, the timely completion and submission of your annual Departmental Plan for Service and Digital (DPSD) provides:
- a data-driven approach to measuring compliance with minimum baseline security configurations set forth under the Policy on Service and Digital
- an assessment of departmental cyber maturity
- a means to facilitate the identification of departmental cyber security risks
In that context, the Office of the Chief Information Officer (OCIO) regularly adjusts its policy suite under the Policy on Service and Digital to address emerging cyber security needs. The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2023–2024 highlights a significant rise in the number and sophistication of cyber threat actors who take advantage of dependencies on Internet-connected technologies to conduct malicious activities. Given the increasing sophistication and frequency of cyber attacks, the GC must remain vigilant and strengthen its defences when required.
To that end, I am pleased to announce 3 new mandatory configuration requirements under Appendix G: Standard on Enterprise Information Technology Service Common Configurations of the Directive on Service and Digital. These new requirements advance the minimum baseline for GC cyber security as follows:
- Printer Configuration Requirements outline the minimum security baseline for printers as specialized endpoint devices that store and process data
- Public Key Infrastructure (PKI) Configuration Requirements establish a consistent approach for PKI technology, replacing the outdated Guideline on the Management of Public Key Infrastructure in the Government of Canada
- Electronic Signatures (e-Signatures) Configuration Requirements facilitate a digital approach for signatures in support of the GC’s day-to-day business activities
In addition to these new requirements, updates were made to the Guideline on Service and Digital to support departments and agencies in meeting the expectations for cyber security.
These new cyber security policy instruments are expected to be implemented by August 16, 2023. Compliance will continue to be tracked through the DPSD. A longer transition period may be warranted for some organizations, and if so, I urge your officials to contact my team at ZZTBSCYBERS@tbs-sct.gc.ca to set a path forward.
I encourage you to share these updates with designated officials and colleagues across your organization. My team will continue working with departments and agencies to support the implementation of the Policy on Service and Digital.
Should you have any questions, please contact: ServiceDigital-ServicesNumerique@tbs-sct.gc.ca.
Catherine Luelo (She / Her / Elle)
Deputy Minister and Chief Information Officer of Canada
Government of Canada