1. Assessment Phase

  • PBMM Compliance Assessment Execution – 20 Credits

PBMM Compliance Report

Overview

This report presents a technical assessment of your AWS environment against the Protected B / Medium Integrity / Medium Availability (PBMM) baseline security controls, as defined by the Government of Canada. PBMM is the standard for protecting sensitive information that, if compromised, could reasonably be expected to cause serious injury to an individual, organization, or government interest.

The assessment maps your cloud resources against detailed security requirements derived from TBS ITSG-33, including control enhancements adapted from NIST 800-53 Rev. 5.

This assessment evaluates your environment against the following control groups:

Access Control (AC)

  • AC-2, AC-2(1), AC-2(3), AC-2(4), AC-2(12) – Account management and monitoring
  • AC-3, AC-3(3) – Access enforcement and control models
  • AC-4 – Information flow enforcement
  • AC-5 – Separation of duties
  • AC-6, AC-6(10) – Least privilege and restriction of privileged operations
  • AC-17(1)(2)(3) – Remote access monitoring, encryption, and access points
  • AC-21 – User-based collaboration and information sharing

Audit and Accountability (AU)

  • AU-2, AU-3, AU-6(1), AU-7(1) – Logging, event review, and audit processing
  • AU-9, AU-9(2) – Audit log protection
  • AU-11 – Retention of audit records
  • AU-12 – Audit generation

Configuration Management (CM)

  • CM-2, CM-7 – Secure baseline and system functionality
  • CM-8(1)(3) – System inventory and unauthorized component detection

Contingency Planning (CP)

  • CP-9, CP-10 – Backup and system recovery capabilities

Identification and Authentication (IA)

  • IA-2, IA-2(1) – Identity verification and MFA for privileged accounts
  • IA-5(1)(4)(7) – Authenticator strength, password automation, and avoidance of static secrets

Incident Response (IR)

  • IR-4(1) – Automated incident handling
  • IR-6(1) – Automated incident reporting
  • IR-7(1) – Automated access to response support

Risk Assessment (RA)

  • RA-5 – Vulnerability scanning

System and Services Acquisition (SA)

  • SA-3 – Secure development lifecycle
  • SA-10 – Developer configuration management

System and Communications Protection (SC)

  • SC-2, SC-4 – Secure application partitioning and shared resource protections
  • SC-5 – Denial of service safeguards
  • SC-7, SC-7(3) – Boundary protection and access point filtering
  • SC-8, SC-8(1) – Confidentiality and integrity during transmission
  • SC-12, SC-13 – Key management and use of cryptography
  • SC-23, SC-28 – Session authenticity and encryption at rest
  • SC-36 – Distributed processing and secure data storage

System and Information Integrity (SI)

  • SI-2(2) – Automated flaw remediation status
  • SI-4, SI-4(1)(2)(4)(5)(16) – Real-time monitoring, alerting, and traffic visibility
  • SI-7, SI-7(1) – Integrity of software and firmware
  • SI-12 – Data handling and retention policies

The assessment covers a wide range of AWS services, including IAM, S3, KMS, CloudTrail, and GuardDuty.

Upon completion, you will receive a detailed report highlighting passed and failed configurations, along with remediation guidance to help align your environment with Canadian PBMM security standards.