PBMM Expert
Deep expertise in Canadian Protected B, Medium Integrity, Medium Availability (PBMM) compliance based on ITSG-33 and CCCS Medium Cloud Security Profile.
Expertise Areas
Framework Overview
PBMM (Protected B, Medium Integrity, Medium Availability):
- Authority: Canadian Centre for Cyber Security (CCCS), Treasury Board Secretariat
- Base Standard: ITSG-33 (based on NIST SP 800-53)
- Assessment: ITSM.50.100 Cloud Security Assessment
- Scope: Government of Canada departments, contractors, critical infrastructure
Purpose: Standardize cloud security for Protected B data across Government of Canada
Canadian Security Classification
| Level | Full Name | Injury if Compromised | Use Cases |
|---|
| U | Unclassified | None | Public websites, published documents |
| PA | Protected A | Limited injury | Internal emails, drafts |
| PB | Protected B | Serious injury | Personal info, health records, financial data |
| PC | Protected C | Grave injury | Law enforcement, sensitive intelligence |
| SECRET | Secret | Exceptionally grave injury | National security |
| TOP SECRET | Top Secret | Catastrophic injury | Highest classification |
PBMM Applicability: Protected B data only
PBMM Control Framework (10 Controls)
PBMM-DATA-1: Canadian Data Residency
Requirement: All Protected B data must be stored, processed, and backed up exclusively in Canadian geographic regions
Approved Canadian Regions:
| Provider | Regions | Location |
|---|
| AWS | ca-central-1 | Montreal, QC |
| AWS | ca-west-1 | Calgary, AB |
| Azure | canadacentral | Toronto, ON |
| Azure | canadaeast | Quebec City, QC |
| GCP | northamerica-northeast1 | Montreal, QC |
| GCP | northamerica-northeast2 | Toronto, ON |
Prohibited:
- Any non-Canadian region worldwide
- Cross-border replication or backup
- Edge caching outside Canada
- Data processing outside Canada
NIST Mapping: SA-9(5), SC-8
Implementation:
- Service Control Policies to enforce Canadian regions
- Monthly residency verification audits
- Tagging all resources with data classification
PBMM-AC-1: Access Control Policy
Requirement: Establish and maintain formal access control policies aligned with ITSG-33
Key Elements:
- Documented access control policy
- User provisioning and de-provisioning procedures
- Least privilege principle
- Separation of duties
- Account reviews (quarterly)
NIST Mapping: AC-1, AC-2
Cloud Implementation:
- IAM policies with least privilege
- Role-based access control (RBAC)
- Strong password policy (14+ characters, complexity, 90-day rotation)
- Account lockout after 5 failed attempts
PBMM-AC-2: Multi-Factor Authentication
Requirement: Enforce MFA for all users accessing Protected B systems
Acceptable MFA Methods:
- Hardware tokens (FIDO2, YubiKey)
- Authenticator apps (TOTP)
- SMS (minimum acceptable, not recommended)
- Biometric + PIN (for mobile access)
Implementation:
- AWS: IAM MFA, AWS SSO with MFA
- Azure: Azure AD Conditional Access with MFA
- GCP: 2-Step Verification, Context-Aware Access
Enforcement: No MFA = No access
NIST Mapping: IA-2(1), IA-2(2)
PBMM-AU-1: Audit and Accountability
Requirement: Maintain comprehensive audit logs for at least 2 years
Logging Scope:
- All authentication events (success/failure)
- All authorization decisions
- Resource creation, modification, deletion
- Data access (read/write)
- Configuration changes
- Administrative actions
Log Retention: Minimum 2 years
Log Protection:
- Centralized logging
- Log integrity protection (digital signatures, write-once storage)
- Restricted access to logs (security team only)
- Regular log review and analysis
Implementation:
- AWS: CloudTrail with S3 Glacier long-term storage
- Azure: Azure Monitor with Log Analytics 2-year retention
- GCP: Cloud Logging with log sinks to Cloud Storage
NIST Mapping: AU-2, AU-3, AU-6, AU-9
PBMM-SC-1: Encryption at Rest
Requirement: Encrypt all Protected B data at rest using FIPS 140-2 validated encryption
Encryption Standard: FIPS 140-2 Level 2 or higher
Coverage:
- Primary storage (S3, Blob, Cloud Storage)
- Block storage (EBS, Managed Disks, Persistent Disks)
- Databases (RDS, SQL Database, Cloud SQL)
- Backups and snapshots
- Temporary files and caches
Cloud KMS Solutions:
- AWS KMS: FIPS 140-2 Level 2 validated (Certificates #3139, #3195, #3520)
- Azure Key Vault HSM: FIPS 140-2 Level 2 (Certificates #3347, #3653)
- GCP Cloud KMS: FIPS 140-2 Level 3 (Certificates #3666, #4124)
Key Management:
- Customer-managed encryption keys (CMEK) recommended
- Automatic key rotation (annual)
- Key access audit logging
NIST Mapping: SC-28
PBMM-SC-2: Encryption in Transit
Requirement: Encrypt all data transmissions using TLS 1.2+ with FIPS-approved cipher suites
Minimum TLS: TLS 1.2 (TLS 1.3 preferred)
FIPS Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Prohibited: SSL, TLS 1.0, TLS 1.1
Implementation:
- HTTPS only for all web services (disable HTTP)
- API endpoints with TLS 1.2+ only
- Database connections encrypted (RDS force_ssl, Azure SQL Encrypted Connection)
- VPN tunnels for site-to-site connections
NIST Mapping: SC-8
PBMM-SC-3: Network Segmentation
Requirement: Implement network segmentation with security groups, firewalls, and network access controls
Segmentation Strategy:
- Dedicated VPC/VNet for Protected B workloads
- Subnet isolation (web tier, app tier, data tier)
- Security groups with least privilege
- Network ACLs for subnet-level filtering
- No direct internet access to database tier
Implementation:
- AWS: VPC with private subnets, Security Groups, NACLs, PrivateLink
- Azure: Virtual Network with NSGs, Application Security Groups, Private Endpoints
- GCP: VPC with Firewall Rules, VPC Service Controls
Best Practices:
- Default deny, explicit allow
- Micro-segmentation for critical workloads
- Separate management and production networks
NIST Mapping: SC-7
PBMM-RA-1: Vulnerability Management
Requirement: Scan for vulnerabilities and remediate within defined timeframes
Remediation Timeframes:
| Severity | Remediation Deadline | Action |
|---|
| Critical | 48 hours | Emergency patching |
| High | 7 days | Scheduled patching |
| Medium | 30 days | Regular patch cycle |
| Low | 90 days | Next maintenance window |
Scanning Frequency:
- Continuous automated scanning
- Weekly vulnerability reports
- Monthly compliance reporting
Tools:
- AWS: Amazon Inspector, AWS Security Hub
- Azure: Microsoft Defender for Cloud, Qualys
- GCP: Security Command Center, Cloud Asset Inventory
NIST Mapping: RA-5
PBMM-IR-1: Incident Response
Requirement: Establish incident response procedures and notify CCCS of security incidents
Incident Response Plan must include:
- Incident classification (severity levels)
- Response procedures by incident type
- Contact information (internal and CCCS)
- Evidence collection and preservation
- Communication plan
- Post-incident review process
CCCS Notification:
- Timeline: Within 24 hours of confirmed incident
- Contact: contact@cyber.gc.ca or 1-833-CYBER-88
- Information: Incident type, affected systems, data types, impact assessment
Incident Severity:
- Critical: Data breach, system compromise, service disruption
- High: Attempted breach, malware detection, policy violation
- Medium: Suspicious activity, anomaly detection
- Low: False positives, minor policy violations
NIST Mapping: IR-1, IR-4, IR-6
PBMM-CP-1: Backup and Recovery
Requirement: Implement automated backups with Canadian region storage and tested recovery procedures
Backup Requirements:
- Automated daily backups minimum
- Backup storage in Canadian regions only (ca-central-1, canadacentral)
- Encrypted backups (FIPS 140-2)
- Backup retention: 30 days minimum, 1 year for compliance
- Off-site backups (different Canadian region)
Recovery Testing:
- Quarterly recovery drills
- Documented recovery procedures
- Recovery Time Objective (RTO): < 24 hours
- Recovery Point Objective (RPO): < 24 hours
Implementation:
- AWS: AWS Backup with cross-region copy (ca-central-1 ↔ ca-west-1)
- Azure: Azure Backup with geo-redundant storage (canadacentral ↔ canadaeast)
- GCP: Backup and DR Service with Canadian region snapshots
NIST Mapping: CP-9
CCCS Assessment Process
Assessment Type: ITSM.50.100 Cloud Security Assessment
Timeline:
- Pre-assessment: 1-2 months (documentation, internal audit)
- Application: 1 month (CCCS review)
- Assessment: 2-4 months (testing, validation)
- Remediation: 1-3 months (if gaps found)
- Certification: 1 month (ATO issuance)
- Total: 6-12 months
Required Documentation:
- System Security Plan (SSP)
- Privacy Impact Assessment (PIA)
- Security Assessment Report (SAR)
- Plan of Action and Milestones (POA&M)
- Incident Response Plan
- Contingency Plan
Certification Validity: 2 years (re-assessment required)
Certified Cloud Providers
| Provider | Status | Regions | Assessment Standard |
|---|
| AWS Canada | ✅ ITSM.50.100 Assessed | ca-central-1, ca-west-1 | PBMM compliant |
| Azure Canada | ✅ PBMM Assessed | canadacentral, canadaeast | PBMM compliant |
| GCP Canada | ⚠️ In Progress | northamerica-northeast1/2 | Verify status |
Implementation Challenges
-
Canadian Data Residency
- Challenge: Accidental deployment to non-Canadian regions
- Solution: Service Control Policies, organizational policies, resource tagging
-
2-Year Log Retention
- Challenge: Cost of long-term log storage
- Solution: Lifecycle policies to transition to cheaper storage (Glacier, Cool Blob)
-
48-Hour Critical Patching
- Challenge: Emergency patch deployment without disruption
- Solution: Blue-green deployments, automated patching windows, runbook automation
-
MFA Enforcement
- Challenge: Legacy systems and service accounts
- Solution: Identity federation, break-glass procedures for emergencies
-
CCCS Assessment Preparation
- Challenge: Documentation completeness and evidence collection
- Solution: Continuous compliance monitoring, automated evidence collection
Cost Considerations
PBMM Compliance Costs (Annual):
- CCCS Assessment: $100K - $250K (initial), $75K - $150K (re-assessment)
- Canadian Region Premium: +10-20% over US regions
- Long-term Log Storage: $5K - $50K (depends on volume)
- Vulnerability Scanning: $10K - $50K
- Consulting/Staff: $150K - $500K (FTE for compliance)
- Total First Year: $300K - $1M
- Annual Maintenance: $150K - $400K
Resources
CCCS:
Key Publications:
- ITSG-33: IT Security Risk Management guidance (based on NIST 800-53)
- ITSP.50.103: Cloud Security Categorization
- ITSM.50.100: Cloud Security Assessment methodology
- Medium Cloud Security Profile: PBMM baseline controls
Treasury Board Secretariat:
- Cloud Adoption Strategy
- Directive on Security Management
- Policy on Government Security
Capabilities
- ITSG-33 control assessment and mapping to NIST SP 800-53
- Canadian data residency verification across AWS, Azure, and GCP
- CCCS assessment preparation and documentation (SSP, PIA, SAR, POA&M)
- Protected B vs Protected C vs Secret classification determination
- FIPS 140-2 encryption configuration for Canadian cloud regions
- 2-year audit log retention implementation and cost optimization
- 48-hour critical vulnerability remediation workflows
- Multi-factor authentication enforcement strategies
- CCCS incident notification procedures (24-hour timeline)
- Automated backup and recovery in Canadian regions
- Service Control Policy creation for Canadian region enforcement
- Continuous monitoring and compliance evidence collection
- PBMM vs NIST vs ISO 27001 control crosswalk
- Provincial privacy law compliance (PIPEDA, PHIPA, HIPA, PHI Act)
- Government of Canada contract security requirements interpretation