NCSI FULFILMENT PERCENTAGE
Version 15 Oct 2024
STRATEGIC CYBERSECURITY INDICATORS
-
1. CYBERSECURITY POLICY 15/15 100%1515 100%
-
1.1. High-level cybersecurity leadership 333
Requirements
CriteriaThe country has appointed governmental leadership responsible for cybersecurity at the national level.
Accepted referencesLegal act, national strategy, official statutes or terms of reference, or official website
Evidence
https://laws-lois.justice.gc.ca/eng/acts/C-35.3/page-1.html
The Communications Security Establishment according to Article 15 of the Communications Security Establishment Act S.C. 2019, c. 13, s. 76
• What is measured: This indicator identifies whether responsibility for cybersecurity has been formally assigned at the highest governmental or political level. Ideally, this should be assigned permanently through legislation or national strategy to a position or institution exercising the country’s executive power with a governmental mandate, such as the cabinet, a government minister, or a ministry.
• Importance: Without clearly identified political leadership at the highest level, cybersecurity does not get represented in political decision-making. A lack of representation in turn leads to a lack of government ownership, accountability, and appropriate resources.
• Evidence: Legal act or policy document assigning high-level political responsibility for cybersecurity.
-
1.2. Cybersecurity policy development 333
Requirements
CriteriaThere is a competent entity in the central government to whom responsibility is assigned for national cybersecurity strategy and policy development.
Accepted referencesLegal act, official statute or terms of reference, or official website
Evidence
https://www.pm.gc.ca/en/mandate-letters/2021/12/16/minister-public-safety-mandate-letter
PM Trudeau issued a mandate in 2021 for the Minister of Public Safety “to develop and implement a renewed National Cyber Security Strategy” in collaboration with several other cabinet ministers.
• What is measured: This indicator measures the presence of a specifically designated and empowered entity within the central government that holds national-level responsibility for leading and directing cybersecurity policy development. The same entity may lead national cybersecurity strategy development and oversee its implementation and periodic review. The indicator does not consider institutions whose mandate is limited to cybersecurity legislation or policy within a limited domain (e.g. a single ministry), without a lead role and mandate among stakeholders.
• Importance: While cybersecurity policymaking is not an exclusive competence and a broad range of stakeholders should be involved in the process, a permanent body that is equipped and responsible for leading and overseeing cybersecurity policy development should be tasked with ensuring the coherence and sustainability of the national approach. Among others, such a body can ensure the effective implementation and sustainability of the national cybersecurity strategy.
• Evidence: A dedicated government entity or unit, with terms of reference established by a legal act or national strategy.
-
1.3. Cybersecurity policy coordination 333
Requirements
CriteriaThe country has a regular official format for cybersecurity policy coordination at the national level.
Accepted referencesLegal act, official statute or terms of reference, or official website
Evidence
The Canadian Security Telecommunications Advisory Committee (CSTAC) allows the private and public sectors to exchange information and to collaborate strategically on current and evolving issues that may affect the telecommunications infrastructure, including cyber security threats.
• What is measured: This indicator checks for the presence of an official mechanism that regularly engages relevant intragovernmental, public, and private actors in cybersecurity policy coordination and cooperation. Such mechanisms may take various forms, such as permanent committees, councils, or working groups.
• Importance: Cybersecurity policy development and implementation involve multiple stakeholders, each responsible for their own area of governance and activities but working toward common goals over an extended period of time. Thus, there is a constant need for up-to-date inter-agency/whole- of-society communication, organisation, and coordination of efforts. Such coordination and cooperation formats should include stakeholders from the public and private sectors as well as civil society.
• Evidence: A legal act endowing the coordination body or format with the relevant responsibility. Secondary sources such as official websites where such responsibility is cited may also be considered.
-
1.4. National cybersecurity strategy 333
Requirements
CriteriaThe central government has established a national-level cybersecurity strategy defining strategic cybersecurity objectives and measures to improve cybersecurity across society.
Accepted referencesValid official document
Evidence
https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx
National Cyber Security Strategy
• What is measured: This indicator tracks the existence of a high-level national strategic document that outlines the country’s agenda, objectives, and priorities with regard to improving the nation’s cybersecurity, resilience, and related interests. A national cybersecurity strategy typically addresses topics such as clarifying the roles and responsibilities of various government institutions and other actors with regard to cybersecurity, protecting the country’s critical information infrastructure and other important assets, prevention and management of cyber incidents, cybersecurity awareness raising and education, fighting cybercrime, and national and international cooperation. It considers various tools and mechanisms for strengthening cybersecurity: technological and organisational measures, risk management, legislation, and capacity building. The ‘Guide to Developing a National Cybersecurity Strategy” provides a comprehensive overview of what constitutes successful cybersecurity strategies around the globe.
• Importance: A national cybersecurity strategy, formally adopted at the highest level, signifies a country’s willingness to treat cybersecurity as a national priority. More specifically, a national cybersecurity strategy communicates a commitment to intentionally and systematically developing a country’s cybersecurity by identifying the priorities and objectives of various stakeholders and aligning them.
• Evidence: A high-level official document containing the country’s cybersecurity objectives and priorities as described above, regardless of its title (strategy, policy, policy framework). The cybersecurity strategy may be a structural part of another national strategy (e.g. a Cyberspace Strategy or Digital Agenda, National Security Strategy, or other) if the necessary substantive elements are present. It must be currently valid and publicly available in order to be accepted.
-
1.5. National cybersecurity strategy action plan 333
Requirements
CriteriaThe central government has established an action plan to implement the national cybersecurity strategy.
Accepted referencesCurrent official document, legal act, or official statement
Evidence
https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg-2019/index-en.aspx
National Cyber Security Action Plan (2019-2024)
• What is measured: This indicator tracks the existence of an action plan (also known as an implementation plan or implementation matrix) to ensure the implementation of the national cybersecurity strategy. The plan should contain concrete steps on how to achieve the desired goals, including specific tasks, entities responsible for the execution of these tasks, and relevant timelines. The action plan should also set forth the financial and other resources necessary to implement the strategy. Preferably, the strategy should define performance indicators or metrics against which implementation progress may be tracked, and a clearly defined accountability mechanism, such as regular implementation reviews.
• Importance: An action plan translates the national cybersecurity strategy priorities and objectives into concrete initiatives to be implemented, allocates the human and financial resources necessary for implementation, and establishes timeframes and metrics. An action plan thereby establishes a clear and actionable outline for the effective implementation of the strategy.
• Evidence: The action plan must be currently valid and be no more than five years old to be accepted. Secondary evidence, such as an official statement, minutes of a government session, or press release, can be accepted if the action plan is not a publicly releasable document. For action plans integrated into the cybersecurity strategy, the same criteria apply.
-
-
2. GLOBAL CYBERSECURITY CONTRIBUTION 6/6 100%66 100%
-
2.1. Cyber diplomacy engagements 333
Requirements
CriteriaThe government contributes to international or regional cooperation formats dedicated to cybersecurity and cyber stability. (The indicator is limited to strategic-level cooperation; operational-level incident response cooperation and cross-border law enforcement cooperation are addressed separately under other indicators.)
Accepted referencesOfficial website of the organisation or cooperation format, official statement or contribution
Evidence
OSCE
- OSCE – Permanent Council Decision No. 1106, Initial set of OSCE Confidence–Building Measures to reduce the risks of conflict stemming from the use of information and communication technologies
- Permanent Council Decision No. 1202 – OSCE confidence-building measures to reduce the risks of conflict stemming from the use of information and communication technologies.
Background information:
• What is measured: This indicator assesses the commitment of the country to engage in dialogue on international cybersecurity and stability in regional and international fora. This may include bilateral or multilateral platforms and multistakeholder cooperation formats, and involve topics such as the development and furtherance of cyber norms and CBMs, international law, capacity building, or fighting cybercrime. Some relevant examples include participating in discussions at the United Nations Open-Ended Working Group (OEWG) and the Ad Hoc Committee on Cybercrime and submitting statements or contributions; contributing to the Organisation for Security and Co-operation in Europe’s (OSCE) efforts on CBMs; contributing to the cybersecurity efforts of organisations such as the African Union, the Association of Southeast Asian Nations (ASEAN), the Organisation of American States (OAS), or to the Shanghai Cooperation Organisation’s efforts on cooperation in the field of ensuring international information security, and to other such initiatives; membership in the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the Global Forum of Cyber Expertise (GFCE), the Paris Call, and similar groups or initiatives. The indicator is limited to strategic-level cooperation; operational-level incident response cooperation and cross-border law enforcement cooperation are addressed separately under NCSI capacity areas 9-12.
• Importance: Whereas national security remains the competence of governments, it is generally acknowledged that international cooperation is vital for reaching and maintaining a high level of security of information and communication technologies (ICTs) with the aim of enhancing international security and stability.
• Evidence: Formalised engagement in cybersecurity¬-oriented organisations or fora and/or in an international organisation with a specific unit or format dedicated to cybersecurity, and/or other established cyber-specific formats. Mere membership in an international organisation that deals with cybersecurity among an array of other topics is not sufficient.
-
2.2. Commitment to international law in cyberspace 111
Requirements
CriteriaThe country has an official position on the application of international law, including human rights, in the context of cyber operations.
Accepted referencesOfficial document or statement, international indexes
Evidence
Canada supports the rules-based international order (RBIO), grounded in respect for international law. Canada considers that the RBIO extends to moderating State behaviour in cyberspace.
• What is measured: This indicator assesses the commitment of the country to uphold the rules-based international order in cyberspace. The indicator takes into account the country’s official statements in the context of international law and cyber operations as well as joining relevant multilateral treaties. Importantly, the country should demonstrate commitment to its international obligations, including human rights obligations, in the online environment.
• Importance: International law forms the foundation for stability and predictability among states in cyberspace as it reflects common views of acceptable state behaviour. The UN GGE as well as OEWG have affirmed that international law, in particular the Charter of the United Nations, is applicable and essential to maintaining peace, security, and stability in the ICT environment. In particular, the UN Universal Declaration on Human Rights guides states to protect human rights and fundamental freedoms online as well as offline.
• Evidence: Documented official statements made on behalf of the state. Examples of such commitment are sharing the country’s views on the interpretation of international law in the context of the UN GGE or OEWG processes, and officially publishing a domestic interpretation or statements made in response to breaches of international obligations. Publications by reputable international human rights observers (e.g. Freedom House).
-
2.3. Contribution to international capacity building in cybersecurity 222
Requirements
CriteriaThe country has led or supported cybersecurity capacity building for another country in the past three years.
Accepted referencesOfficial website or project document
Evidence
The Canadian Armed Forces (CAF) offers cyber defence support to Latvia through Operation REASSURANCE and to Ukraine via Operation UNIFIER. Additionally, the CAF is engaging in cyber cooperation with partners in the Indo-Pacific region under Operation HORIZON, as part of Canada's broader Indo-Pacific Strategy.
Agreement on security cooperation between Canada and Ukraine, see Sections IV.D.2; IV.D.4.ii
• What is measured: This indicator assesses the readiness of the country to finance, organise, or otherwise contribute to capacity building project(s) targeted at specific countries or a group of countries. Capacity building may address issues in both the public and the private sector, and focus on technical, organisational, policy, strategic and/or legal matters. The support may, for example, involve direct funding or organising/co-organising capacity building projects or events.
• Importance: A secure and stable cyberspace relies on each country’s ability to prevent and mitigate the impact of malicious cyber incidents. Such abilities depend on a wide array of capabilities in the technical, strategic, policy, and legal domains. Capacity building activities address the development of national institutions, policies, skills, and human resources. Importantly, CBMs support countries’ adherence to international law as well as to the implementation of cyber norms.
• Evidence: The activity must have the financial and/or organisational contribution of the country and evidence of the event(s) or programme(s) must be publicly available.
-
-
3. EDUCATION AND PROFESSIONAL DEVELOPMENT 6/10 60%610 60%
-
3.1. Cyber safety competencies in primary education 002
Requirements
CriteriaPrimary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
Evidence
• What is measured: Primary education should set the ground rules for safe, responsible, and ethical online behaviour. This can be established through national curricula that introduce cyber/computer safety and cyber/computer hygiene at the primary education levels. The scope of this indicator includes cybersecurity competencies in the public education system, that is, the most accessible form of primary education available in the country.
• Importance: Through early training on secure online behaviour and ways to safeguard the ICT devices that children use, the younger generation can grow up to become safe and responsible online users and be better prepared to face the challenges of cyberspace. Especially because children are exposed to ICT early on through the inclusion of computer skills, programming, robotics, etc. in general education, it is important that such training also involve security skills.
• Evidence: The evidence must demonstrate an established practice, such as specific or integrated curricula intended for long-term use. Sporadic events such as one-time guest lectures do not qualify.
-
3.2. Cyber safety competencies in secondary education 002
Requirements
CriteriaSecondary education curricula in the public education system include cyber safety (online safety, computer safety) competencies.
Accepted referencesOfficial curriculum or official report
Evidence
• What is measured: Like the previous indicator, this one considers the inclusion of cybersecurity skills in national general education curricula, but the focus here is on secondary-level education. The relevant curricula should address cyber/computer safety and cyber/computer hygiene as a part of the secondary education available in the public education system, that is, the most accessible form of secondary education available in the country.
• Importance: As students become more exposed to the online environment and grow into more experienced users, their cybersecurity knowledge and practical skills should grow appropriately.
• Evidence: The evidence must demonstrate an established practice, such as specific or integrated curricula at the secondary education level. Sporadic events such as one-time guest lectures do not qualify.
-
3.3. Undergraduate cybersecurity education 222
Requirements
CriteriaAt least one undergraduate education programme is available in the country to train students in cybersecurity.
Accepted referencesAccredited study programme
Evidence
Bachelor's Degree in Information Technology - Networking and Information Technology Security at the University of Ontario Institute of Technology
• What is measured: The indicator measures the availability of undergraduate cybersecurity or equivalent (ICT security, electronic information security) education at the national level – that is, a bachelor’s degree, vocational training, or equivalent. It acknowledges both distinct cybersecurity programmes and the integration of cybersecurity into undergraduate ICT education.
• Importance: A cybersecurity programme at the undergraduate level should provide the knowledge and skills necessary to build safer ICT systems, as well as teach how to defend against and manage cyberattacks and incidents. Theoretical knowledge should be supported by practical studies, such as labs or practice lessons.
• Evidence: Both national curricula focused on cyber/computer security, and curricula with distinct cybersecurity modules count as evidence. Curricula with a single cybersecurity course will not be accepted as evidence.
-
3.4. Graduate cybersecurity education 333
Requirements
CriteriaAt least one cybersecurity education programme is available in the country at the graduate level.
Accepted referencesAccredited study programme
Evidence
Master's Degree in Information Technology Security at the University of Ontario Institute of Technology
• What is measured: The indicator measures the availability of graduate cybersecurity or equivalent (ICT security, electronic information security) education in the country – that is, a master’s degree or equivalent. It acknowledges both distinct cybersecurity programmes and the integration of cybersecurity into graduate ICT education.
• Importance: A graduate (master’s-level) cybersecurity programme trains students in subjects such as computer security, cybersecurity governance and risk management, networking and infrastructure, and information security analysis and monitoring from the individual system-level perspective or that of large, mission-critical networks. Such cybersecurity graduate programmes are typically designed for students with a technical background (computer science, mathematics, or others), but they can also be cybersecurity programmes designed for students with an undergraduate degree in a non-technical discipline.
• Evidence: Both national curricula focused on cyber/computer security, and curricula with distinct cybersecurity modules count as evidence. Curricula with a single cybersecurity course will not be accepted as evidence.
-
3.5. Association of cybersecurity professionals 111
Requirements
CriteriaA professional association of cybersecurity specialists, managers, or auditors exists in the country.
Accepted referencesOfficial website
Evidence
https://engage.isaca.org/torontochapter/home
ISACA Toronto Chapter
• What is measured: An established and functioning association of professionals in cybersecurity, (electronic) information security, or the equivalent. For example, associations that promote international cybersecurity expert certifications (e.g. CISSP), such as ISACA country chapters or organisations of cybersecurity auditors, are recognised here. Their membership may include cybersecurity specialists, managers, and others. The index does not consider organisations that limit membership based on criteria other than professional qualification. In addition to specialist members, the organisation may have corporate members.
• Importance: As digital technologies advance, cyber threats and risks are constantly evolving, and cybersecurity professionals need to keep their knowledge and skills up to date. Professional associations for information security officers, IT auditors, and others are a widespread and valuable form of exchanging experience and best practices. The associations organise events for their members and for the general public and manage information exchange channels for members. There are also training and collaboration opportunities available via such associations that make membership a worthwhile investment for professionals who need to stay current with the developments in the field.
• Evidence: Website of the professional association that demonstrates the existence and activities of that association. Information published by a government authority that confirms these elements can also be considered.
-
-
4. CYBERSECURITY RESEARCH AND DEVELOPMENT 4/4 100%44 100%
-
4.1. Cybersecurity research and development programmes 222
Requirements
CriteriaA cybersecurity research and development (R&D) programme or institute exists and is recognised and/or supported by the government.
Accepted referencesOfficial programme or official website
Evidence
https://www.canada.ca/en/defence-research-development/services/science-technology-program.html#toc15
Research and Development of new cyber tools is one of Defence Research and Development Canada's priorities.
https://ised-isde.canada.ca/site/cyber-security-innovation-network/en
Cyber Security Innovation Network led by the National Cybersecurity Consortium (Update of the programme)
• What is measured: The indicator measures government engagement in cybersecurity research and development, demonstrated through formal recognition and/or public funding and support for a relevant research programme. The criterion is inclusive of both government and industry programmes, but in order to be considered for the purposes of national capacity, the involvement of formal governmental support is required, whether through a (co-)funding commitment, research grants, or cooperation agreement.
• Importance: Established research and development programmes can ensure that scientific knowledge results in actual prototypes, patents, products, and solutions. In particular, cooperation arrangements between the government, academia, and industry can ensure that the country’s strategic cybersecurity priorities are reflected in its research agenda, so that the country’s needs are sustainably met.
• Evidence: Official documents or other official references indicating fundamental or applied research and development programmes with a demonstrable government contribution.
-
4.2. Cybersecurity doctoral studies 222
Requirements
CriteriaAn officially recognised PhD programme exists accommodating research in cybersecurity.
Accepted referencesOfficial programme or official website
Evidence
https://ontariotechu.ca/programs/graduate/science/phd-computer-science/index.php
The PhD program in Computer Science focuses on applied research with the aim of producing highly trained researchers for industry and academia. There are four fields in the program: Digital Media, Information Science, Networks and IT Security, and Software Design.
https://cyber.cs.queensu.ca/program/
The cybersecurity specialization PhD consists of the four steps outlined in the School of Computing's PhD program, augmented with a specialization in cybersecurity. The four steps are breadth, topic proposal, comprehensive examination, and thesis.
• What is measured: The indicator recognises the availability of PhD study programmes that allow students to develop substantive knowledge in cybersecurity, and design, and conduct original, specialised research in cybersecurity. Research topics may range from technical matters (for example cryptography, computer and network security, or digital forensics) to relevant social sciences issues (for example strategic or behavioural issues). The PhD programme does not necessarily have to be limited to cybersecurity, broader ICT doctoral programmes are accepted if they produce cybersecurity graduates.
• Importance: A PhD programme provides a structured and sustained setting to develop talent and innovate beyond preparing the workforce for existing market needs. PhD students are trained in research methods and gain a deeper understanding of cybersecurity issues.
• Evidence: Officially accredited or otherwise officially recognised PhD programme that is focused on cybersecurity or produces cybersecurity degrees.
-
PREVENTIVE CYBERSECURITY INDICATORS
-
5. CYBERSECURITY OF CRITICAL INFORMATION INFRASTRUCTURE 12/12 100%1212 100%
-
5.1. Identification of critical information infrastructure 333
Requirements
CriteriaThere is a framework or a mechanism to identify operators of critical information infrastructure.
Accepted referencesLegal or administrative act
Evidence
https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx
National Strategy for Critical Infrastructure
• What is measured: This indicator measures the presence of a legally established framework or mechanism to identify the information infrastructure component of CI or essential services. This objective may be addressed within the scope of defining critical sectors, infrastructure or services, or through a standalone mechanism for identifying CII. National legislation that is limited to contingency planning and disaster recovery without evident application to cybersecurity is not counted under this indicator.
• Importance: Certain sectors and services are commonly recognised to be essential to the normal functioning of society, the economy, and the state. These typically include energy production and supply, communications, financial services, healthcare, utilities, and others. A solid national framework for managing cyber risks to such critical sectors or services is built on the premise that such sectors/services/operators should first be identified, and then the information infrastructure components within them upon which service provision critically depends should be addressed. While not all information infrastructure within such critical sectors/infrastructure/services are necessarily critical to the continuity of the sector/infrastructure/service, certain assets are such that their loss or compromise could have a major detrimental impact on the availability or integrity of the actual CI or essential service. Therefore, governments must have an established methodical framework to address such risks.
• Evidence: The indicator recognises both legislation that foresees a CI identification process, or the designation of such infrastructure by an administrative act. In either case, it is required that such designation have cybersecurity implications for the infrastructure operator.
-
5.2. Cybersecurity requirements for operators of critical information infrastructure 333
Requirements
CriteriaOperators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal act, or mandatory cybersecurity framework or standard
Evidence
https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32611§ion=procedure&p=G
The government sector in Canada is considered an area of critical infrastructure State-sponsored espionage and threats to critical infrastructure - Canadian Centre for Cyber Security but the federal government is not part of the legislative scope of the Telecommunications Act and others that influence cyber security. Policies are in place to require federal government departments and agencies under Treasury Board authorities to assess and manage cyber risk per Appendix G: Mandatory Procedures for Security Event Management Control (Directive on Security Management)- Canada.ca (linked above).
• What is measured: The indicator tracks whether operators that are critical/essential are required to take preventive and reactive measures to manage cybersecurity risks to their network and information systems. This could include an obligation to assess cyber risks and implement appropriate technical and organisational measures, according to international standards such as the ISO 27000 family, U.S. NIST framework, or other recognised regional or sectoral standards or best practices. It could also include an obligation to comply with nationally established cybersecurity requirements or standards. On the reactive side, incident notification and response requirements should be established; however, the mere existence of responsive requirements does not satisfy the criteria for this indicator. The criteria need not be applied to micro and small enterprises.
• Importance: The implementation of cybersecurity requirements for CII safeguards the continuity or undisrupted operation of CI and critical services that are essential for the normal functioning of the state and society. Making these requirements mandatory ensures that they are implemented consistently and that operators are accountable for the implementation.
• Evidence: Legislation or regulatory measures that foresee a mandatory cybersecurity standard for CII operators, or obligations to operators to assess and manage cyber risks. The regulation may be established in a standalone act or be explicitly addressed in a legal act imposing security and continuity requirements upon CI owners or operators.
-
5.3. Cybersecurity requirements for public sector organisations 333
Requirements
CriteriaPublic sector organisations are required to assess and manage cyber risks and/or implement cybersecurity measures.
Accepted referencesLegal or administrative act, mandatory cybersecurity framework or standard
Evidence
https://www.cyber.gc.ca/en/comsec
Certain agencies and contractors are required to adhere to specific cybersecurity guidelines (COMSEC):
- ITSD-08 provides […] minimum security requirements for the handling of COMSEC material
- ITSD-09 provides the minimum requirements for the ordering of cryptographic key[s]
“In addition to ITSDs, GC departments, enterprise services organizations, GC-sponsored Other Levels of Government (OLG) organizations, and GC-sponsored Canadian private sector companies requiring access to such COMSEC material must comply to both the Canadian Controlled Goods Program (CGP) and the United States (U.S.) International Traffic in Arms Regulations (ITAR).”
• What is measured: The indicator assesses the mandatory implementation of cybersecurity (or ICT security/information security) measures in the public sector. Such requirements may be defined directly in legislation, or they may refer to a national or widely recognised international cybersecurity standard. The obligation should at a minimum include mandatory cybersecurity measures applicable to the information infrastructure used in executing state functions and tasks (that is, legislative, administrative, and judicial powers), but may further include certification of products and services for procurement by state, municipal, local, and government authorities. The existence of mandatory cybersecurity measures for the public sector remains a distinct indicator due to the frequent practice of not including the government in the scope of CII/essential service operators. If the government falls under the same CII/essential service requirements, separate regulation is not required.
• Importance: When it comes to ensuring the state’s cybersecurity, it is of key importance that the state’s organs and entities adhere to a set of basic security requirements stemming from information security solutions, at least at the level required by a domestic legal act. The basis for ensuring information security at public sector institutions is adherence to national or widely recognised cyber/information security requirements and standards.
• Evidence: Legal or administrative act laying down cybersecurity requirements for public sector organisations, or a legal or administrative act explicitly including public sector services under the national cybersecurity requirements for CII, where these exist.
-
5.4. Competent supervisory authority 333
Requirements
CriteriaA competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.
Accepted referencesLegal act or official website
Evidence
https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32603
The Secretary of the Treasury Board of Canada and the Chief Information Officer (CIO) of Canada are responsible for governing and managing IT, cyber security, and service delivery across the Government of Canada (Policy on Service and Digital Section 4.1). The Treasury Board’s responsibilities and powers are established in Section 7 of the Financial Administration Act.
Pursuant to Section 7 of the Financial Administration Act:7 (1) The Treasury Board may act for the Queen’s Privy Council for Canada on all matters relating to
- (a) general administrative policy in the federal public administration;
- (b) the organization of the federal public administration or any portion thereof, and the determination and control of establishments therein;
Policy on Service and Digital Section 4.1 – Enterprise governance, planning and reporting.
The Treasury Board is responsible for enforcing Government of Canada Departments compliance to the Enterprise IT\Cyber standards and requirements.
https://www.cyber.gc.ca/en/comsec
Incidents involving COMSEC must be reported to the National COMSEC Incident Office (NCIO), which is responsible for evaluating these incidents.
• What is measured: The indicator tracks whether a cybersecurity regulator/competent authority has been esblished with a relevant mandate and enforcement powers. Its constituency may include operators of esstaential services/CI, public sector organisations, or a broader range of actors. In any case, a cybersecurity supervising system to monitor essential services should be established, and critical (information) infrastructure operators should regularly provide evidence of the effective implementation of cybersecurity measures. The supervisory competence should be concentrated in the cybersecurity authority and not be decentralized among sectoral authorities performing supervision in their respective sectors.
• Importance: Cyber threats are universal and do not differ significantly between different essential sectors and services. In addition, the cross-sectoral impact of cyber threats, as well as the cross-sectoral dependencies of CII are more pronounced and potentially time-critical than in traditional critical sectors. A national supervisory system to oversee the implementation of cybersecurity measures is more mature if the respective competence is concentrated in a single supervisory authority and not dispersed between sectoral regulators.
• Evidence: The indicator does not require a distinct cybersecurity regulatory body per se but the presence of supervisory powers over the implementation of cybersecurity measures. Regular supervision means that supervisory activities, including audits or similar assessments, are conducted at least once every three years.
-
-
6. CYBERSECURITY OF DIGITAL ENABLERS 6/12 50%612 50%
-
6.1. Secure electronic identification 002
Requirements
CriteriaA national electronic identification solution exists that allows for officially recognised and secure electronic identification of natural and/or legal persons.
Accepted referencesLegal act, nationally recognised identification scheme, or official website
Evidence
• What is measured: A nationally recognised solution that allows for the secure and reliable identification of individuals in online transactions. Such a solution must, at the minimum, be available for interaction with public sector organisations with the possibility to be adopted in the private sector. The index does not take into account eIDs that do not cover the majority of the population or are, by design, only limited to certain sectors or services.
• Importance: In legal transactions, it is important to securely identify the parties. Traditionally, this is done by relying on identity documents issued by the government. In online transactions, equivalent assurances can be provided through a secure digital identity, that is, a certificate that can be definitely associated with a specific person. The best method to uniquely identify a natural or legal person is by a nationally recognised unique, population-wide identifier. Such an identifier may be created during the population registration process, or another identifier (such as a social security number or a taxpayer account identifier) may be extended to the whole population. From an interoperability perspective, it is important that eID uses the same identifier that is used in identity documents. For eID to have legally binding significance, its issuance must be regulated by law, assuring equivalent protection to what is assured for passports or other identity documents. The protection of cryptographic keys or other security features must be guaranteed by law. The availability of secure eID also reduces the likelihood of crimes related to online identity theft.
• Evidence: The evidence must establish the legal recognition and availability of a national (nationwide) eID solution. A legal act, nationally recognised identification scheme, or official website demonstrating the required elements is suitable evidence.
-
6.2. Electronic signature 222
Requirements
CriteriaA nationally recognised and publicly available solution exists to issue secure and legally binding electronic signatures.
Accepted referencesLegal act or official website
Evidence
https://laws-lois.justice.gc.ca/eng/acts/p-8.6/page-5.html#h-417528
Personal Information Protection and Electronic Documents Act (PIPEDA) specifies treatment of electronic signatures in various contexts (sections 36, 39, 42, 44, 45, 46) and creates a legal framework for evaluating the validity of electronic signatures (section 43).
• What is measured: A software or service to issue secure electronic signatures, which are generated using a digital certificate and cryptographically bound to the document through public key infrastructure (PKI), are publicly available and legally accepted by the country without their use being limited to specific sectors or purposes. The use of up-to-date secure cryptography is required to accept the signature as legally binding.
• Importance: Like with a signature on paper, it must be possible to verify individuals’ declarations of intent in cyberspace to trust and consider them valid. For this, the concerned procedure must be regulated by law and the electronic signature must be given protection and legal consequences equivalent to those given to paper signatures. For the subsequent verification of the validity of the electronic signature of the signed document, it must be possible to verify at the time of signing the validity of the certificate used for signing. For the claimed signing time to be reliable, it is important to have a trustworthy time service that issues the timestamp attached to the document with the signature. The requirements for the trust service (such as certificate validity check and time stamping) must be provided by law.
• Evidence: The evidence must establish the legal recognition and availability of electronic signatures. A legal act or official website demonstrating the required elements would be suitable.
-
6.3. Trust services 002
Requirements
CriteriaTrust services (e.g. digital certificates, timestamps, private key management service) are regulated, at least for use in the public sector.
Accepted referencesLegal act or official website
Evidence
• What is measured: Regulations lay down minimal security and liability obligations (including, but not limited to, accepted cryptographical parameters) for trust service providers and their services, as well as the process and conditions for supervision and liability. Established requirements should be applicable to the trust services that are provided on the market (e.g. digital certificates, timestamps, private key management service, or others), at least where these are used in the public sector and public sector services.
• Importance: Trust services are based on cryptography. The evolution of hacking technologies may mean that algorithms become weak over time and need to be replaced. Where the provision and use of trust services are widespread in society, the renewal of technical systems related to algorithms affects a very large number of parties. Therefore, to maintain the reliability of trust services, organisational and technical requirements must be established in national legislation to determine which cryptographical algorithms and cybersecurity mechanisms are allowed.
• Evidence: The evidence must establish the legal regulation and recognition for trust services provided in the country. A legal act or official website demonstrating the required elements would be suitable.
-
6.4. Supervisory authority for trust services 002
Requirements
CriteriaAn independent authority has been designated and given the power to supervise trust services and trust service providers.
Accepted referencesLegal act or official website
Evidence
• What is measured: The state must have a designated authority that oversees the reliability of trust services throughout its lifecycle. This includes authorisation to launch a service into the market and supervision over compliance with existing requirements throughout the period of operation. Regulations must either set requirements for trust service providers or assign this mandate to a competent institution or authority. This may be a supervisory body, a technical regulatory authority, or a similar institution. The powers of the supervisory body must stem from and be specified in a legal act.
• Importance: A duly authorised supervisory authority is a necessary guarantor for the reliability of trust services throughout their lifecycle. The role of the supervisory authority is to oversee that both the organisation providing the trust service and the services themselves comply with existing requirements.
• Evidence: The evidence must establish the presence of a legal act that defines a supervisory authority together with its tasks and supervisory mandate.
-
6.5. Cybersecurity requirements for cloud services 222
Requirements
CriteriaRequirements are established for the secure use of cloud services in government and/or public sector organisations.
Accepted referencesLegal or administrative act, cybersecurity framework or standard
Evidence
Government of Canada Cloud Security Risk Management Approach and Procedures
Managing the risks to Government of Canada data when using cloud services - ITSM.50.109
https://www.cyber.gc.ca/en/guidance/guidance-cloud-security-assessment-and-authorization-itsp50105
Guidance on cloud security assessment and authorization - ITSP.50.105
• What is measured: This indicator tracks the emerging trend of establishing secure use requirements or principles for the use of cloud services. Such security requirements should, at the minimum, extend to the use of cloud services in the government sector.
• Importance: The use of cloud computing for collaboration is growing in prevalence among both governments and businesses. To ensure the confidentiality, integrity, and availability of data and applications stored on the cloud, security measures must be implemented to protect them from cyber threats.
• Evidence: A legal act, government guideline, or similar that defines cybersecurity requirements or principles, applicable as mandatory at least for governmental institutions.
-
6.6. Supply chain cybersecurity 222
Requirements
CriteriaRequirements are established to identify and manage cybersecurity risks through the ICT supply chain.
Accepted referencesLegal act or official website
Evidence
https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32611
Government of Canada’s DSM Appendix F describes the mandatory requirements that have to be part of government contracting and procurement of ICT. The DSM is mandatory for “All departments named in Schedule I, divisions or branches of the federal public administration set out in column I of Schedule I.1, corporations named in Schedule II, and portions of the federal public administration named in schedules IV and V of the Financial Administration Act (FAA), unless excluded by specific acts, regulations or Orders in Council.”, per section 6.1 of Canada’s Policy on Government Security.
• What is measured: This is a new indicator of the NCSI, appraising whether controls and processes are enforced to manage potential cyber risks to the supply chain. ‘Supply chain’ involves the whole cycle of design, development, production, deployment, and support for products, services, or processes. These could involve, for example, regular supply chain audits, risk assessments and management, and/or specific requirements for suppliers based on their risk profiles. Supply chain attacks are malicious activities at any location in the supply chain (technology development, engineering and manufacturing development, production and deployment, and operation and support). The relevant security mechanisms should be established at least for operators of essential services and/or public sector organisations, and preferably also for their third-party providers and vendors.
• Importance: In order to ensure the continuity of essential services and infrastructure, it is important that the technology comes from a reliable manufacturer and that risk management processes and measures are in place to ensure that the technology used to provide the essential service is not manipulated by a potentially malicious actor.
• Evidence: The criterion accepts national-level and sector-based standardisation and certification schemes, as well as other cyber/information security measures. It is deliberately designed to be broad, to allow the recognition of all countries that have addressed this issue in law.
-
-
7. CYBER THREAT ANALYSIS AND AWARENESS RAISING 9/12 75%912 75%
-
7.1. Cyber threat analysis 333
Requirements
CriteriaA government entity has been assigned the responsibility for national-level cybersecurity and/or cyber threat assessments.
Accepted referencesLegal act, statute, or official website
Evidence
https://laws-lois.justice.gc.ca/eng/acts/C-35.3/page-1.html#h-1170355
The Communications Security Establishment (CSE) according to Article 17 b). of the Communications Security Establishment Act S.C. 2019, c. 13, s. 76
Additional information about the mandate of the CSE available here.• What is measured: This indicator assesses the capacity and practice of conducting national-level cyber threat and trend assessments. The assessments may, for example, be compiled by an established government entity or unit (such as a department or an agency) or an interagency joint task force. Whether a centralised or distributed approach is followed, the inputs of various sources should be consolidated into a national-level threat picture, and the outcome should assess the cyber threat and cybersecurity status at the national level, covering all sectors.
• Importance: National cyber threat assessments and reports enable consistent characterisation of cyber threats and risks and allow the identification of trends and changes in the activities of malicious actors, new vulnerabilities, or key technological developments impacting national resilience. Information about cyber incidents, threats, and vulnerabilities is analysed and aggregated to provide timely and actionable information to government planning and decision-making entities.
• Evidence: An established unit that has been assigned the task of analysing cyber threat information, or a legal or administrative act assigning the relevant responsibility to an existing body.
-
7.2. Public cyber threat reports 333
Requirements
CriteriaPublic cyber threat reports and notifications are issued at least once a year.
Accepted referencesOfficial website, official social media channel, or public report
Evidence
CSE Annual Report 2023 and 2022
https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessments
National Cyber Threat Assessments
• What is measured: This indicator tracks the practice of sharing cyber threat awareness, including both timely cyber threat notification and forward-looking insights, anticipating how changes in the cyber landscape may affect public and private institutions.
• Importance: No single organisation can defend against cyber threats on its own; it is vital that the public and private sectors work together to be aware of and understand the challenges they face. To support public threat awareness, the government should regularly publish public cyber threat reports or notices. The purpose is to inform the public about significant cyber incidents, major threats and/or vulnerabilities, and to give insight into trends. Such reports and notices may also alert the public to current cyberattack campaigns or systemic vulnerabilities. By sharing timely information, the government can motivate organisations to work together to prevent cyber incidents and achieve safer cyberspace.
• Evidence: Regular public threat notifications and reports, social media posts, and so on by, for example, the national computer security incident response team (CSIRT) or computer emergency response team (CERT), or another relevant authority count as evidence. To be recognised in the NCSI, such reports should be issued at least once a year.
-
7.3. Public cybersecurity awareness resources 333
Requirements
CriteriaPublic authorities provide publicly available cybersecurity advisories, tools, and resources for users, organisations, and ICT and cybersecurity professionals.
Accepted referencesOfficial website, public advisories
Evidence
Centre for Cyber Security:
- Advisories: https://www.cyber.gc.ca/en/alerts-advisories
- Tools: https://www.cyber.gc.ca/en/tools-services
- Education: https://www.cyber.gc.ca/en/education-community
RCMP (education resources): https://www.rcmp-grc.gc.ca/en/cyber-safety
Get Cyber Safe: https://www.getcybersafe.gc.ca/en
• What is measured: This indicator recognises the ready availability of public cybersecurity awareness resources such as cybersecurity guidance and advisories. These could be public awareness raising campaigns promoting cyber hygiene or dedicated websites with information, guidelines, and tips on how to keep data and assets safe online. They could be targeted at the general public or also address specific target groups such as cybersecurity professionals and small or medium enterprises.
• Importance: Cybersecurity ultimately depends on the skills of each user and asset owner to act responsibly in the online environment. The purpose of public cybersecurity resources, therefore, is to empower individuals, businesses, and civil society actors to improve their cybersecurity and protect their assets online.
• Evidence: A dedicated public website or readily available public cyber hygiene resources.
-
7.4. Cybersecurity awareness raising coordination 003
Requirements
CriteriaThere is an entity with the clearly assigned responsibility to lead and/or coordinate national cybersecurity awareness activities.
Accepted referencesLegal act, official document, or official website
Evidence
• What is measured: This indicator appraises a systematic approach to cybersecurity awareness through a clear allocation of cybersecurity awareness coordination tasks: providing direction, coordinating actions, and monitoring the implementation of cybersecurity awareness activities.
• Importance: A clearly assigned coordination and oversight role for cybersecurity awareness activities facilitates more effective and efficient awareness raising. In addition to providing direction, coordinating actions, and monitoring the implementation of awareness activities, the lead agency can identify the stakeholders to be involved in the development and implementation of the awareness activities, clarify the roles of different stakeholders, address gaps or duplications, and manage expectations throughout the process. Whether a centralised or a more distributed model is used, all parties involved should have a clear understanding of their respective roles and responsibilities so that accountability and progress can be ensured.
• Evidence: A legal act, statute, or other official document outlining the responsibilities and accountability for coordinating cybersecurity awareness.
-
-
8. PROTECTION OF PERSONAL DATA 4/4 100%44 100%
-
8.1. Personal data protection legislation 222
Requirements
CriteriaThere is a legal act for personal data protection that is applicable to the protection of data online or in digital form.
Accepted referencesLegal act
Evidence
https://laws-lois.justice.gc.ca/eng/acts/p-8.6/page-1.html
Personal Information Protection and Electronic Documents Act (PIPEDA)
• What is measured: The presence of a national law that sets out the principles of data processing, the rights of the individual (data subject) with regard to their data, and the obligations and liability of data controllers and processors. The applicability of the data protection law to the digital/online environment must either be stated explicitly or established through its inclusive nature that allows individuals the protection of their data processed online.
• Importance: The right to privacy is a fundamental human right that countries must protect and promote, regardless of the platform or medium where the data is processed, and regardless of who – state authorities or commercial service providers – is processing the personal data. Security assurances, including a legal basis for data processing, should be defined in legislation that provides the conditions and procedures for processing personal data as well as the liability for violations.
• Evidence: Personal data protection legislation that applies to data processing by both government and private sector actors in the digital/online environment.
-
8.2. Personal data protection authority 222
Requirements
CriteriaAn independent public supervisory authority has been designated and allocated powers to supervise personal data protection.
Accepted referencesLegal act or official website
Evidence
Office of the Privacy Commissioner of Canada
https://laws-lois.justice.gc.ca/eng/acts/p-8.6/page-1.html
The Personal Information Protection and Electronic Documents Act (PIPEDA) designates the “Privacy Commissioner” appointed under section 53 of the Privacy Act as responsible for receiving or initiating complaints (section 11), investigating those complaints (section 12), and auditing the PI management practices of organizations (section 18).
• What is measured: The country should appoint and equip a public supervisory authority to make sure that its data protection laws are applied and enforced consistently when it comes to online data processing.
• Importance: An independent authority overseeing data processors’ compliance with personal data protection requirements is an essential component of individuals’ rights to privacy and data protection. National legislation should provide a legal basis for the supervisory authority and define its role, duties, and supervisory powers.
• Evidence: A data protection authority with oversight and enforcement powers allocated by law. The mandate must apply to oversight over data processing by both government and private sector actors in the digital/online environment.
-
RESPONSIVE CYBERSECURITY INDICATORS
-
9. CYBER INCIDENT RESPONSE 14/14 100%1414 100%
-
9.1. National incident response capacity 333
Requirements
CriteriaThere is a CERT designated with nationwide responsibilities for cyber incident detection and response.
Accepted referencesLegal act or official website
Evidence
https://www.cyber.gc.ca/en/about-cyber-centre
The Canadian Centre for Cyber Security, as CERT-CA, is the National CSIRT (Computer Security Incident Response Team), and the Government of Canada CIRT (Computer Incident Response Team).
• What is measured: The indicator tracks the presence of a national CSIRT/CERT/CIRT in the country. In line with the Carnegie Mellon University definition, the NCSI acknowledges as national CSIRTs those CERTs that are designated by a country or economy to have specific responsibilities regarding the cyber protection of the country or economy. Such national CSIRTs can be located inside or outside the government but must be specifically recognised by the government as having nationwide powers and responsibility. The IETF Request for Comments 2350 specifies what is expected of CSIRTs. A CSIRT should clearly define its constituency and publish information about its services and communication channels. Services provided by a CSIRT can be divided into two broad categories: real-time activities directly related to their main task of incident response and proactive activities in support of the incident response task. The basic tasks of a CSIRT include monitoring cyber incidents at the national level, providing early warnings, alerts, announcements and information to relevant stakeholders about risks and incidents, responding to incidents, and participating in the CSIRT networks.
• Importance: A well-functioning national CSIRT is central to the national-level capacity to prevent, detect, respond to and mitigate cyber incidents and manage cyber risks. CSIRTs should have sufficient technical and organisational capabilities to carry out these tasks and should be able to participate in international cooperation networks. National CSIRTs act as focal points and coordinate incident response at the national and international levels. Many CSIRTs also help protect their country’s government networks and CII.
• Evidence: A legal act designating the role of a national CSIRT, official governmental website or official website of the national CSIRT, or website of a recognised international CSIRT forum such as the Forum of Incident Response and Security Teams (FIRST) or the Task Force on Computer Security Incident Response Teams (TF-CSIRT).
-
9.2. Incident reporting obligations 333
Requirements
CriteriaOperators of critical information infrastructure and/or government institutions are obliged to notify the designated competent authorities about cyber incidents.
Accepted referencesLegal act or official website
Evidence
Section 2.3.1.2 of the GC SEMP outlines reporting requirements. The GC SEMP states: “GC organizations must report all cyber security incidents to the Cyber Centre, who act as the central point of contact for cyber security incident reporting for the GC.“ (See Appendix D for reporting procedures)
Section 2.3.1.3 of the GC SEMP speaks to law enforcement reporting. The GC SEMP indicates that: “In most cases, a cyber incident is a cybercrime. In addition to reporting to the Cyber Centre, departments and agencies are expected to report cyber incidents directly to the Police of Jurisdiction (e.g., RCMP or Military Police). (See Appendix D for reporting procedures).
https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/fdrl-cbr-ncdnt-rspns-pln-2023/index-en.aspx
Section 4 of the Federal Cyber Incident Response Plan (FCIRP) addresses reporting and information sharing. Aligning with the GC SEMP, the FCIRP states that “It is highly recommended and expected that all cyber security incidents that GC stakeholders become aware of, especially those that could negatively affect the national interest, be reported to the Cyber Centre. ... If a cyber security incident has occurred, in addition to reporting to the Cyber Centre, non-GC organizations are, and should be, encouraged to report directly to the RCMP, CSIS, and/or local law enforcement.“
https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32611
Appendix G (section G.2.3) of Canada’s Directive on Security Management (DSM) describes incident reporting obligations. The DSM is mandatory for “All departments named in Schedule I, divisions or branches of the federal public administration set out in column I of Schedule I.1, corporations named in Schedule II, and portions of the federal public administration named in schedules IV and V of the Financial Administration Act (FAA), unless excluded by specific acts, regulations or Orders in Council.”, per section 6.1 of Canada’s Policy on Government Security.
• What is measured: The indicator assesses whether a legal obligation exists to require certain critical sectors and organisations to notify the relevant government authority about significant cyber incidents. The obligation may extend to operators of CI/CII, digital service providers, essential services, government institutions, and other relevant actors. Such notifications are usually addressed to the national CSIRT or a national cybersecurity authority.
• Importance: Mandatory incident notification serves both responsive and preventive aims. It allows the national CSIRT to know when, where, and how to respond most effectively. It also enables the CSIRT to fulfil its threat awareness and analysis responsibilities, and provide alerts or preventive and mitigation guidance to potentially affected parties. To facilitate timely and informative incident reporting, the national CSIRT or another relevant authority could publish official criteria, guidelines, and tools. The law should also define confidentiality assurances to the notifying and affected parties, as appropriate.
• Evidence: Legislation that foresees mandatory reporting of significant cyber incidents, applicable at least for CII operators and/or government entities.
-
9.3. Cyber incident reporting tool 222
Requirements
CriteriaA publicly available official resource is provided for notifying competent authorities about cyber incidents.
Accepted referencesOfficial website
Evidence
https://www.cyber.gc.ca/en/incident-management
Different forms for individuals vs organizations.
• What is measured: The indicator tracks the practice of providing a widely accessible way to notify the national CSIRT, law enforcement, or other competent body about cyber incidents. The use of the tool does not need to be limited to mandatory incident reporting by operators of CII and government authorities.
• Importance: The ready, round-the-clock availability of an online incident reporting tool facilitates timely and informative incident reporting to the national CSIRT. It is important to ensure the confidentiality and integrity of information submitted over this channel and to communicate such assurances clearly when information is submitted. The authorities should follow up on any submissions as required.
• Evidence: An official website with incident reporting functionality.
-
9.4. Single point of contact for international cooperation 333
Requirements
CriteriaThe government has designated a single point of contact for international cybersecurity cooperation.
Accepted referencesLegal act or official website
Evidence
https://www.cyber.gc.ca/en/about-cyber-centre
The Canadian Centre for Cyber Security is the primary federal government point of contact on cyber security operational matters for external partners, including for incident response and coordination.
• What is measured: The country should have a designated national single point of contact (SPOC) to be available for liaising with international counterparts on issues related to cyber incident management and vulnerability information sharing. The SPOC coordinates with other affected countries in the event of a cross-border cyber incident. The role may be assigned to an existing authority, such as the national CSIRT.
• Importance: SPOCs simplify coordination and communication when dealing with cross-border threats and incidents, especially where several countries and multiple national authorities are involved in threat mitigation or incident resolution. For example, the SPOC may consult and cooperate with the relevant national law enforcement and data protection authorities where appropriate and in accordance with national law. Any relevant national authority or the CSIRT can entrust the SPOC to forward incident information to other national SPOCs. To carry out their tasks effectively, the SPOCs should have adequate technical, financial, and human resources.
• Evidence: A legal act or official website establishing an entity as the national SPOC for cyber incident coordination.
-
9.5. Participation in international incident response cooperation 333
Requirements
CriteriaThe national cyber incident response team (CSIRT/CERT/CIRT) participates in international or regional cyber incident response formats.
Accepted referencesOfficial website or official document
Evidence
https://csirtamericas.org/en/member_teams
CSIRT Americas
https://www.first.org/members/map#country%3ACA
FIRST
• What is measured: This indicator assesses the country’s membership and participation in international cooperation formats focusing on handling security vulnerabilities and cyber incident responses. The relevant organisations include FIRST, TF-CSIRT, AfricaCERT, CSIRTAmericas, OIC-CERT, or other regional CSIRT organisations operating at the global level and in other regions.
• Importance: Membership in international and regional incident response organisations allows the national CSIRT to respond to security incidents more rapidly and effectively, cooperate and coordinate with other global and regional members on incident prevention, and facilitate information-sharing. These organisations may also offer additional services and resources to their members.
• Evidence: Website or other documents by the relevant CSIRT umbrella organisations confirming the membership of the country’s national CSIRT.
-
-
10. CYBER CRISIS MANAGEMENT 7/9 78%79 78%
-
10.1. Cyber crisis management plan 222
Requirements
CriteriaThe government has established a crisis management plan for large-scale cyber incidents.
Accepted referencesLegal act or official website
Evidence
Government of Canada Cyber Security Event Management Plan (GC CSEMP)
This document complements other GC plans and protocols including:- Federal Emergency Response Plan (FERP)
- Federal Cyber Incident Response Plan (FCIRP)
- Significant Event Information Sharing Protocol (SEISP)
• What is measured: The indicator measures the existence of a national-level crisis plan for handling large-scale cyberattacks, incidents, or significant threats. This plan may be a separate cyber crisis-specific document, or cyber aspects may be integrated into a more comprehensive crisis plan. In either case, the plan should consider the specifics of cyber incidents and assign key roles regarding the crisis management authority, parties involved, and their responsibilities.
• Importance: Cyber crises differ from traditional crisis scenarios in that they can be expected to affect several sectors either directly or through secondary spill-over effects. A cyber crisis also requires the involvement and coordination of specific capabilities from a range of parties: technical knowledge and skills to analyse the threat vectors and methods involved; situational awareness, cyber intelligence, and analysis capabilities; support to restore affected assets; international coordination network; and public and international communication.
• Evidence: A formally adopted crisis plan addressing national-scale events. Organisational crisis plans or crisis plans limited to a specific sector generally do not suffice. Where the plan or parts of it are classified, public evidence must at least confirm the existence of a valid crisis plan.
-
10.2. National cyber crisis management exercises 333
Requirements
CriteriaRegular interagency cyber crisis management exercises or crisis management exercises with a cyber component are arranged at the national level at least every other year.
Accepted referencesExercise document, official website, or press release
Evidence
https://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/cy-phy-xrcs-en.aspx
Cyber-Physical (Cy-Phy) Exercise Program 2023
• What is measured: The indicator checks for the practice of regular interagency crisis management exercises in which response to a large-scale cyber incident is practiced. Such exercises may be wholly concentrated on cybersecurity, or they may be comprehensive exercises that involve cyber components in their training scenarios. Cyber crisis exercises may be held in various forms and at different levels. Exercises can test strategic decision-making, operational processes, or both. A tabletop exercise involves key personnel discussing simulated scenarios in an informal setting. This type of exercise is also used to assess plans, policies, and procedures. Exercises can also practice technical and operational aspects in a hands-on environment, with participants practicing incident mitigation techniques and cooperation.
• Importance: Cyber exercises improve readiness to respond to and contain ongoing crises. These exercises also help reduce the likelihood that a cyber incident will escalate into a full-blown national crisis. In order to ensure that crisis plans are realistic and that those charged with various crisis management roles are up to the task, regular joint exercises should be held to test and improve cyber crisis plans and processes, and to practice cooperation with other parties. Cyber crisis exercises should engage the country’s political leadership, CI/CII/essential service providers, and organisations that have cybersecurity responsibilities. Ideally, such exercises also involve private sector actors such as CII operators.
• Evidence: An official document or confirmation verifying an interagency cyber crisis management exercise or a national-level crisis management exercise with a cyber component in the past two years.
-
10.3. Participation in international cyber crisis exercises 222
Requirements
CriteriaThe country participates in an international cyber crisis management exercise at least every other year.
Accepted referencesExercise document/website or press release
Evidence
https://www.cisa.gov/cyber-storm-viii-national-cyber-exercise
Canada participated in Cyber Storm VIII (in 2022), as per the final report (Page 26).
• What is measured: In an international cyber crisis management exercise, relevant government authorities from more than one country are jointly involved in preparation and execution. The purpose of international crisis exercises is to test and train cross-border cooperation. As with the previous indicator, such exercises may be wholly focused on cybersecurity or have a cyber component integrated into a broader training scenario. The exercise may be a bilateral or multilateral event or conducted in the framework of a regional or international organisation. Exercises delivered by one country or international organisation to another country with the aim of only testing the national processes within that country are not considered in the scope of this indicator.
• Importance: International exercises are important learning tools for countries for practicing compatibility of crisis management procedures and cross-border cooperation. They are a useful tool from which countries with little or no crisis experience can draw knowledge and gain lessons and insights from those who have undergone such events. As cyber threats are growing more complex and severe, participating in international cyber crisis exercises serves as a means for building better, more rapid responses.
• Evidence: An official document or confirmation verifying participation in the planning and/or execution of an international (bilateral, multilateral, or regional) cyber crisis management exercise or a crisis management exercise with a cyber component in the past two years.
-
10.4. Operational crisis reserve 002
Requirements
CriteriaA mechanism for engaging reserve support has been established to reinforce government bodies in managing cyber crises.
Accepted referencesLegal act or official website
Evidence
• What is measured: Operational reserves or quick reaction forces may be arranged in different ways: as a special (volunteer) unit, emergency response network, government reserve, or arrangements for assistance from the private sector. The fundamental matter is that the engagements must be formalised.
• Importance: A large-scale incident tests any country’s routine resources, and assistance beyond its own capacities can significantly help resolve a crisis. The option to count on the operational support of a crisis reserve of cybersecurity professionals gives the country additional volume, network, and skills when dealing with a cyber crisis. To ensure that the activities of such a reserve during a crisis are lawful and effective, its tasks and the procedure for calling on its assistance must be established beforehand.
• Evidence: A legal act or official website demonstrating the existence of a formal basis to engage reserve support.
-
-
11. FIGHT AGAINST CYBERCRIME 16/16 100%1616 100%
-
11.1. Cybercrime offences in national law 333
Requirements
CriteriaCybercrime offences are defined in national legislation.
Accepted referencesLegal act
Evidence
https://laws-lois.justice.gc.ca/eng/acts/C-46/index.html
Criminal Code (R.S.C., 1985, c. C-46):
- Section 184 pertains to interception
- Section 342.1 pertains to access
- Section 342.2 pertains to devices
- Section 430(1.1) pertains to interference
• What is measured: The indicator tracks whether the following cybercrime offences are criminalised in national law: intentional access without right to a computer system (by infringing security measures) (illegal access); intentional interception by using technical means of non-public transmission of computer data without right (illegal interception); intentional damaging, deletion, deterioration, alteration or suppression of computer data without right (data interference); intentional serious hindering without right of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering, or suppressing computer data (system interference); and intentional commission of specific acts of a preparatory nature involving certain devices or accessing data to be used to commit the cybercrime offences referred to above (misuse of devices). The NCSI addresses cybercrime offences or cyber-enabled offences targeting computer systems and data. Other computer-related or cyber-dependent offences are beyond the scope of the NCSI.
• Importance: A legal basis to prevent and fight against cybercrime is a fundamental part of the national cybersecurity framework, needed to ensure an effective criminal justice response. As a point of reference, the NCSI relies on the Budapest Convention on Cybercrime, which is currently the only legally binding international instrument on cybercrime, has a global effect, and is also considered a standard for capacity building.
• Evidence: Official legislative act, whether it is a distinct cybercrime act or provisions in a comprehensive penal code.
-
11.2. Procedural law provisions 333
Requirements
CriteriaLegislation defines the powers and procedures for cybercrime investigations and proceedings and for the collection of electronic evidence.
Accepted referencesLegal act
Evidence
https://laws-lois.justice.gc.ca/eng/acts/C-46/index.html
Criminal Code (R.S.C., 1985, c. C-46):
- Section 487(2.1) pertains to search and collection of electronic evidence
- Section 487.014 pertains to the production of electronic evidence
- Sections 487.012 and 487.0194 pertain to preservation of electronic evidence
The Protecting Canadians from Online Crime Act amends the Criminal Code on procedural power.
Royal Canadian Mounted Police Act (1985) includes provisions on searching of computers and digital evidence handling.
Evidence Act (2010) includes provisions on electronic documents, computer systems and search and seizure of evidence.• What is measured: National procedural law that, at the minimum, addresses investigative and prosecutorial powers and measures related to cybercrime, and the collection and handling of electronic evidence for investigating and prosecuting crimes. Such provisions should comprise the criminal justice measures needed for cybercrime investigation, including measures to preserve or secure computer data (preservation order); produce or obtain computer data (production order); seize, secure, search, or access computer systems, computer data, and storage media, as well as to issue orders to obtain necessary information (search and seizure); and collect traffic data, intercept content, and compel service providers to collect and record data transmitted by means of a computer system in real time (real-time interception).
• Importance: While substantive law provisions criminalize acts regarded as cybercrime, procedural law measures are needed to start a criminal investigation and to collect or obtain computer data that can be used as electronic evidence in criminal proceedings. Without proper powers and measures to obtain and use electronic evidence, it is not possible to investigate cybercrime, identify potential suspects, and bring them to justice. Effective and successful cybercrime investigations are a prerequisite to providing restitution to the victims, either in the form of compensation for damages suffered or recovery of property.
• Evidence: The relevant procedural provisions may be contained in a separate (cybercrime) act or clearly integrated into a comprehensive code of criminal procedure. Generic clauses are not acceptable unless they also cover computer systems and computer data.
-
11.3. Ratification of or accession to the Convention on Cybercrime 222
Requirements
CriteriaThe country has ratified or acceded to the Council of Europe (CoE) Convention on Cybercrime.
Accepted referencesLegal act on Convention ratification or accession, website of the CoE Treaty Office
Evidence
https://www.coe.int/en/web/conventions/full-list?module=signatures-by-treaty&treatynum=185
Entry into force: 01/11/2015
• What is measured: Ratification of or accession to the CoE Convention on Cybercrime (the Budapest Convention).
• Importance: The Budapest Convention is currently the only legally binding international instrument on cybercrime. It addresses criminal offences committed against computer systems as well as computer-related offences, child pornography, and infringements of copyright and related rights. In addition to substantive law, the Convention also provides for procedural law measures to address computer data or electronic evidence, and a legal basis for international cooperation. It also contains a series of procedural powers, including to search computer systems and intercept computer data. The main objective of the Convention is to pursue a common criminal policy aimed at protecting society against cybercrime, especially by adopting the appropriate legislation and fostering international cooperation. The Budapest Convention is open for accession to all countries. As of September 2022, there were 67 members, with twelve more in the accession process, representing all continents. The signing and ratification of the Convention, or, in the case of non-member states, acceding to the Convention, provides further legal basis and mechanisms for international cooperation among state parties, including the use of the 24/7 point-of-contact network. Therefore, participation in the Convention notably strengthens a country’s possibilities to fight cybercrime. Other regional cybercrime conventions (e.g. African Union, Arab League) lack equivalent mechanisms and are therefore not tracked by the NCSI.
• Evidence: National legal act on the ratification or accession to the Convention or official data published by the CoE Treaty Office counts as evidence.
-
11.4. Cybercrime investigation capacity 333
Requirements
CriteriaLaw enforcement has a specialised function and capacity to prevent and investigate cybercrime offences.
Accepted referencesLegal act or official website
Evidence
https://www.rcmp-grc.gc.ca/en/combatting-cybercrime
National Cybercrime Coordination Centre (NC3)
https://www.rcmp-grc.gc.ca/en/royal-canadian-mounted-police-cybercrime-strategy
• What is measured: The purpose of this indicator is to assess the organisational capacity of the country to enforce cybercrime laws. Units with clear competencies and jurisdiction over cybercrime investigations, such as a Cybercrime or High-Tech Crime Unit, are considered to meet the criteria. The presence of a central specialised unit does not preclude additional local or regional units or officers.
• Importance: Cybercrime investigations as well as criminal investigations involving electronic evidence require specialised skills and knowledge. Cybercrime investigations and the analysis of objects containing electronic evidence also require specific analytical training and knowledge of digital forensics. Officers working in such units should have received specialised training that enables them to conduct investigations and use measures to obtain computer data. Specialised units also need to have the necessary powers to use more intrusive procedural measures such as search and seizure, and, in particular, real-time interception of communications (computer data) that might not be available to all units.
• Evidence: Official recognition of a specialised cybercrime unit; a legal act, bylaw, or statute of the unit. Evidence of specialised cybercrime investigative staff serving within a broader unit (e.g. High-Tech or technology crime) is also accepted.
-
11.5. Digital forensics capacity 222
Requirements
CriteriaLaw enforcement has a specialised function and capacity for digital forensics.
Accepted referencesLegal act, statute, official document, or official website
Evidence
https://www.rcmp-grc.gc.ca/on/prog-serv/dfs-scn-eng.htm
Digital Forensics Services (DFS)
• What is measured: This indicator considers the digital forensics capacity of law enforcement. Digital forensics is an area of forensic science that aims to obtain digital evidence, analyse it, and present it in court. Its scope includes computer, mobile, network, and malware forensics. The NCSI assesses whether a designated authority or digital forensic laboratory is responsible for handling, extracting, and analysing digital evidence and conducting digital forensics examinations for criminal justice purposes. Since law enforcement is a state prerogative, private investigative entities are outside the scope of this indicator.
• Importance: Almost any type of modern crime leaves electronic evidence or computer data that can serve as evidence in court proceedings; often it will be the only lead that law enforcement authorities and prosecutors can pursue and collect.
• Evidence: Proof of the existence of a specialised unit or specialised staff serving within a broader unit (e.g. high-tech or technological crime forensics laboratory) is accepted as evidence.
-
11.6. 24/7 contact point for international cybercrime 333
Requirements
CriteriaThe government has designated an international 24/7 point of contact for assistance on cybercrime and electronic evidence.
Accepted referencesOfficial website, legal act or statute
Evidence
https://rm.coe.int/cyber-list-of-competent-authorities-july-2023/1680ac0d0f
National Cybercrime Coordination Centre (NC3) of the Royal Canadian Mounted Police
• What is measured: This indicator assesses whether a point of contact has been established for criminal justice purposes that is operational 24 hours a day, seven days a week, regardless of where this entity is located (for example, police, prosecutor's office, or another authority).
• Importance: Electronic evidence is often stored in foreign jurisdictions. Therefore, criminal investigations often require a cross-border/international request to obtain electronic evidence from other countries, including evidence held by multinational service providers. As cybercrime can be of transborder nature and electronic evidence could be located in any country, it is also necessary to ensure that a point of contact is available and operational outside office hours. In urgent or emergency situations, another country might need to consult with the national point of contact. A 24/7 point of contact can also be used to quickly contact other countries to send requests and exchange information. Contact points can be used to transmit requests to obtain, preserve, and secure computer data, as well as for other forms of international cooperation and mutual assistance. Countries may also rely on other existing units or points of contact for 24/7 international cybercrime cooperation, such as Interpol.
• Evidence: Officially appointed 24/7 point of contact for international cybercrime, including those designated in the framework of the Budapest Convention, Interpol, or other international cooperation formats in criminal matters.
-
-
12. MILITARY CYBER DEFENCE 6/6 100%66 100%
-
12.1. Military cyber defence capacity 222
Requirements
CriteriaArmed forces have designated units responsible for the cybersecurity of military operations and/or for cyber operations.
Accepted referencesLegal act, statute, other official document or official website
Evidence
The Canadian Armed Forces has military cyber capacities (as indicated additionally in this job posting for a Cyber Operator).
• What is measured: This indicator examines whether the country’s armed forces (or other government-sponsored and militarily arranged organisations tasked with territorial defence) have designated entities that relate either to cyber operations or to the cybersecurity of military operations, with the corresponding tasks and mandates. Such entities can be organised as a distinct branch, service, or joint force, with their tasks usually involving ICT infrastructure operations, defensive and/or offensive cyberspace operations, cyber intelligence operations, and providing cyber advice to military commanders and units. This indicator considers command-level responsibility, without assessing the organisation’s actual capacity to direct and control cyber operations in its own right.
• Importance: Military cyber defence is an important component of overall national defence capacity against existential external threats, including those enabled or amplified by cyberspace.
• Evidence: Official evidence of the existence of cyber units and their tasks as defined in the criteria.
-
12.2. Military cyber doctrine 222
Requirements
CriteriaThe tasks, principles, and oversight of armed forces for military cyber operations are established by official doctrine or legislation.
Accepted referencesLegal act, official doctrine, or official website
Evidence
Together, Strong, Secure, Engaged (2017) and Our North: Strong and Free (2024) directed DND/CAF to maximise Canada’s effectiveness in cyberspace and to improve the CAF ability to conduct cyber operations by developing the following initiatives.
- SSE Initiative 65 - Improve cryptographic capabilities, information operations capabilities, and cyber capabilities to include: cyber security and situational awareness projects, cyber threat identification and response, and the development of military-specific information operations and offensive cyber operations capabilities able to target, exploit, influence, and attack in support of military operations.
- SSE Initiative 87 - Protect critical military networks and equipment from cyber-incident by establishing a new CMA Program that will incorporate cyber security requirements into the procurement process.
- SSE Initiative 88 - Develop offensive cyber capabilities and employ them against potential adversaries in support of government-authorized military missions.
- SSE Initiative 89 - Grow and enhance the Cyber Force by creating a new CAF Cyber Operator occupation to attract Canada’s best and brightest talent and significantly increasing the number of military personnel dedicated to cyber functions.
- SSE Initiative 90 - Use Reserve personnel with specialized skill sets to fill elements of the CAF Cyber Force.
- ONSF Initiative - Establish a Canadian Armed Forces Cyber Command.
ONSF Initiative - Stand up a joint Canadian cyber operations capability with the Communications Security Establishment, integrating the unique strengths of each organization into a unified team that will conduct active/offensive cyber operations in support of Canadian interests.
• What is measured: The role or tasks, principles, and oversight of the military regarding planning and conducting cyber operations are defined in legislation or official doctrine. These documents establish a common, authorised framework to guide and set lawful boundaries for the military as it pursues national security objectives. Legislation or doctrine may include subjects such as the purpose, goals, uses, and authorisation related to the use of cyber capabilities. Military doctrines may be fully or partially public, or access-restricted. To be considered by the NCSI, public evidence of their existence and of the presence of key components (tasks and oversight) is required.
• Importance: Public doctrine stimulates lawfulness, predictability, and responsible behaviour by the armed forces engaging in cyber operations.
• Evidence: Legal act, official doctrine, or official confirmation of their existence, with some details on the key components of these documents. A military strategy that does not define mandatory principles on the operational level does not qualify as evidence.
-
12.3. Military cyber defence exercises 222
Requirements
CriteriaArmed forces have conducted or participated in a cyber defence exercise or an exercise with a cyber defence component in the past three years.
Accepted referencesOfficial website or official document
Evidence
CAF Cyber Forces participated in Exercise Locked Shields in April 2024.
Participated in defensive Hunt Forward Operations with Latvia and the US in 2023
https://www.cybercom.mil/Media/News/Article/3256645/us-cyber-command-2022-year-in-review/
Participated in US-led Cyber Flag 22 (as part of the ‘Five Eyes’)
• What is measured: Engagement in both domestic and international exercises that practice the cyber defence tasks and responsibilities of the armed forces. The NCSI does not consider the particular type or level of the cyber defence exercise: these may be technical live-fire cyber defence exercises; strategic-level decision-making exercises; integrated technical-operational, cyber-kinetic, or civil-military exercises; military exercises with a cyber component; a crisis exercise with a military cyber component; or other.
• Importance: Cyber defence exercises are an important mechanism for testing, improving, and practicing procedures and the skills needed to manage large-scale crisis scenarios, including civil-military cooperation.
• Evidence: Official website or official document, including exercise document, website, or press release. The exercise must have taken place within the past three years.
-
Information Disclaimer
The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.
What can I do to improve my country's data in NCSI?
Become a data contributor Update a specific indicator with evidence data
CONTRIBUTORS
Intern at e-Governance Academy