The Government of Canada has specific Controlled Goods Program (CGP) cloud solutions requirements for individuals or organizations that possess or transfer controlled goods and their associated technical data. Technical data includes drawings, blueprints, software, or technical documentation that could be used or adapted for a military or space end use. Cloud service providers that store and/or process technical data associated with controlled goods must register with the Controlled Goods Program.
In practice, this means controlled goods technical data must be stored on servers located in Canada unless the applicable export licensing requirements have been met through Global Affairs Canada.
Responsibility for Data Security
Organizations registered in the CGP are responsible for determining which cloud solutions are appropriate for their applications. As such, it is vital that monitoring and regular risk assessments be undertaken to ensure that adequate and appropriate security controls are in place. Guidance for conducting these risk assessments can be found in Guidance on Cloud Security Assessment and Authorization.
When selecting a cloud service provider, organizations should understand which security controls the provider supplies. They should then determine what additional security controls are needed to mitigate any residual risk of unauthorized access to the data.
Restriction of Access
The underlying purpose of data security here is to restrict access to controlled goods technical data to individuals who have been security assessed as detailed in section 15 of the CGP. Organizations should ensure that data stored in the cloud is made available only over secure connections such as Virtual Private Networks (VPN) or Transport Layer Security (TLS). Two-factor authentication and a sound password policy should be employed in conjunction with these connection controls.
Encryption Requirements
Controlled goods technical data stored in the cloud should be encrypted. The Government of Canada recommends cryptography validated to the U.S. Federal Information Processing Standard (FIPS) 140-2 for appropriate end-to-end encryption. The use of phishing-resistant authentication controls is also recommended.
Export Compliance Security Plan
A documented security program is required for organizations registered in the CGP. The security plan should include specific information relating to data storage: the security controls provided by the cloud provider, the additional controls implemented by the organization's information security management team, and any other measures or processes put in place to manage residual risk.
Differences in Canadian and U.S. Requirements
These cloud service requirements contrast with the requirements of the United States International Traffic in Arms Regulations (ITAR). The current ITAR requirements (§ 120.54) allow unclassified ITAR technical data to be stored on foreign servers, provided it is protected with end-to-end encryption that complies with U.S. National Institute of Standards and Technology (NIST) requirements.
CVG Strategy Export Compliance and Information Security Expertise
Export Compliance Expertise
Navigating international import and export laws can be extremely challenging for organizations, especially for those whose products are defense related. CVG Strategy export compliance experts have over a decade of experience in assisting businesses in establishing and maintaining export compliance programs.
CVG Strategy has helped companies comply with both U.S. and Canadian regulations. We can answer your export compliance questions to keep your organization in compliance with the regulations. We can also provide essential training to ensure that your team is up to date on ever-changing export laws.
Cybersecurity Expertise
CVG Strategy is committed to helping businesses protect information by establishing effective cybersecurity programs. We know that viable solutions involve all stakeholders in an enterprise. They include people, policies, procedures, risk analysis, incident response, and an internal auditing process that yields continual improvement.
CVG Strategy provides cybersecurity consulting and training for large and small organizations. We can create the documentation and provide the essential training to establish your ISMS and guide you through certification audits.