Protected B Compliance in 2026: The Minimum Viable Security Posture

What Is Protected B?

In the Government of Canada's information security classification framework, Protected B refers to information that, if compromised, could cause serious injury to an individual, organization, or government. This includes personal information (such as Social Insurance Numbers, medical records, and financial data), commercially sensitive information, and certain operational details of government programs.

Protected B is not a classified designation — it sits below Confidential, Secret, and Top Secret in the hierarchy. However, it is the most commonly encountered security designation in federal contracts, particularly in IT professional services, application development, and data management engagements. If your firm does contract work with the Government of Canada, you will almost certainly encounter Protected B requirements.

The Evolving Security Landscape

ITSG-33 and the Security Control Framework

The primary technical reference for Protected B IT security is ITSG-33, IT Security Risk Management: A Lifecycle Approach, published by the Canadian Centre for Cyber Security (CCCS), which operates under the Communications Security Establishment (CSE). ITSG-33 defines a catalogue of security controls organized into families, similar in structure to international frameworks but tailored specifically for the Government of Canada.

For contractors handling Protected B information, ITSG-33 specifies controls across multiple domains:

  • Access control: Who can access Protected B data and under what conditions
  • Audit and accountability: Logging and monitoring requirements for systems processing Protected B information
  • System and communications protection: Encryption requirements for data at rest and in transit
  • Identification and authentication: How users and systems are authenticated before accessing Protected B data
  • Physical and environmental protection: Requirements for facilities where Protected B data is accessed or stored

Cloud-Specific Requirements

The Government of Canada's adoption of cloud computing has introduced additional complexity for Protected B compliance. The GC Cloud Security Risk Management Approach defines the requirements for cloud service providers and contractors who deploy solutions in cloud environments that handle Protected B data.

Key cloud-specific requirements include:

  • Data residency: Protected B data must remain within Canada unless specific exemptions are obtained. This means using Canadian data centre regions and ensuring that data is not replicated to foreign locations, even for backup or disaster recovery purposes.
  • Cloud broker model: Many departments acquire cloud services through Shared Services Canada's cloud brokering arrangement. Contractors must understand how their solutions interact with the GC cloud broker model and comply with its requirements.
  • CSP assessment: Cloud service providers used for Protected B workloads must have undergone a GC assessment. Currently, a limited number of CSPs have been assessed and approved for Protected B workloads in the GC context.

Supply Chain Security

The Government of Canada has increased its focus on supply chain security for IT products and services. The Direction on the Use of IT Supply Chain Integrity measures imposes requirements on contractors regarding the provenance and integrity of IT products used in government systems.

For Protected B environments, this means:

  • Maintaining documentation on the origin of software components, including open-source libraries
  • Ensuring that development and deployment pipelines are secured against tampering
  • Being prepared to demonstrate supply chain integrity measures during security assessments

The Minimum Viable Security Posture for Contractors

Personnel Security

All contractor personnel who will access Protected B information must hold, at minimum, a valid Reliability Status security clearance issued by PSPC's Contract Security Program (CSP). Key requirements include:

  • Clearances must be active and current — expired or "in process" clearances are not sufficient
  • Personnel must be briefed on their security obligations specific to the Protected B designation
  • Your firm must have a Designated Organization Screening (DOS) or be sponsored by a company that does

Physical Security

If your personnel will access Protected B information at contractor-owned facilities (as opposed to government premises), those facilities must meet specific physical security requirements:

  • Controlled access to areas where Protected B information is accessed or stored
  • Secure storage for physical Protected B documents (approved security containers)
  • Clean desk policies and procedures for handling Protected B material
  • Visitor control procedures

IT Security — On-Premise

For contractor-owned IT systems that process Protected B information:

  • Encryption: Protected B data must be encrypted at rest using approved algorithms (currently AES-256 or equivalent). Data in transit must be protected using TLS 1.2 or higher.
  • Network segmentation: Systems processing Protected B data should be segmented from general corporate networks.
  • Endpoint protection: Workstations accessing Protected B data must have current endpoint protection, including anti-malware, host-based firewalls, and full disk encryption.
  • Logging and monitoring: Security event logging must be enabled, with logs retained for a minimum period as specified by the contracting department.
  • Patch management: A documented patch management process with defined timelines for applying critical security patches.

IT Security — Cloud

For cloud-based solutions handling Protected B data, the additional cloud-specific requirements noted above apply. Your cloud environment must:

  • Use a GC-assessed cloud service provider
  • Ensure data residency in Canada
  • Implement the ITSG-33 security controls applicable to the cloud deployment model (IaaS, PaaS, or SaaS)
  • Maintain separation of GC data from other tenants at the application, data, and network layers
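
One way to check the residency, encryption-at-rest and TLS points above against a resource inventory, as an added example that is not part of the original article. The record fields and the sample inventory are constructed for illustration, and the region set encodes geography only, not which providers are GC-assessed.

```python
# Added example: field names (region, replica_regions, ...) are hypothetical, not a real cloud API schema.
# The region set encodes geography only, not which providers are GC-assessed.
CANADIAN_REGIONS = {
    "ca-central-1", "ca-west-1",                           # AWS
    "canadacentral", "canadaeast",                          # Azure
    "northamerica-northeast1", "northamerica-northeast2",   # Google Cloud
}
APPROVED_AT_REST = {"AES-256"}   # the article: "AES-256 or equivalent"
MIN_TLS = (1, 2)                 # the article: "TLS 1.2 or higher"

def parse_tls(version):
    """Turn 'TLS1.2' / 'TLSv1.3' / '1.2' into a comparable (major, minor) tuple."""
    digits = version.upper().replace("TLS", "").replace("V", "").strip("_ ")
    major, _, minor = digits.partition(".")
    return int(major), int(minor or 0)

def audit(resource):
    """Return a list of findings for one Protected B resource record."""
    findings = []
    if resource["region"] not in CANADIAN_REGIONS:
        findings.append(f"primary region {resource['region']} is outside Canada")
    # Backup and DR replicas count too: residency applies to every copy.
    for replica in resource.get("replica_regions", []):
        if replica not in CANADIAN_REGIONS:
            findings.append(f"replica in {replica} is outside Canada")
    if resource.get("at_rest_cipher") not in APPROVED_AT_REST:
        findings.append(f"at-rest encryption is {resource.get('at_rest_cipher')!r}")
    if parse_tls(resource.get("min_tls") or "0") < MIN_TLS:
        findings.append(f"minimum TLS is {resource.get('min_tls')}, below 1.2")
    return findings

# Constructed sample inventory.
INVENTORY = [
    {"name": "case-files", "region": "ca-central-1", "replica_regions": ["ca-west-1"],
     "at_rest_cipher": "AES-256", "min_tls": "TLS1.2"},
    {"name": "case-backups", "region": "canadacentral", "replica_regions": ["eastus2"],
     "at_rest_cipher": "AES-256", "min_tls": "TLS1.3"},
    {"name": "intake-queue", "region": "us-east-1", "replica_regions": [],
     "at_rest_cipher": None, "min_tls": "TLS1.0"},
]

if __name__ == "__main__":
    for res in INVENTORY:
        for finding in audit(res) or ["ok"]:
            print(f"{res['name']}: {finding}")
```

The second record is the case the residency requirement singles out: a Canadian primary region with a disaster-recovery replica abroad.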

Incident Response

Your firm must have a documented security incident response plan that addresses Protected B data breaches. This plan must include:

  • Procedures for detecting and containing security incidents
  • Notification requirements — the contracting department and CCCS must be notified within specified timelines
  • Procedures for preserving evidence
  • Post-incident review and remediation processes

Common Compliance Gaps

Based on our experience working with GC contractors, the most common Protected B compliance gaps include:

  1. Expired security clearances: Personnel clearances that lapsed without timely renewal
  2. Inadequate encryption: Using outdated encryption protocols or failing to encrypt data at rest
  3. Missing data residency controls: Allowing cloud services to replicate or cache data outside Canada
  4. Incomplete logging: Failing to implement comprehensive security event logging
  5. No documented incident response plan: Having informal processes rather than a documented, tested plan

The Cost of Compliance

Protected B compliance is not free. Firms should budget for:

  • Security clearance processing fees and processing time (often four to eight months for new Reliability Status applications)
  • Infrastructure upgrades to meet encryption, segmentation, and logging requirements
  • Cloud services in Canadian regions (which often carry a price premium)
  • Ongoing compliance monitoring and maintenance
  • Periodic security assessments and audits

These costs should be factored into your bid pricing for any GC contract that involves Protected B data. Firms that underprice their security compliance commitments risk margin erosion or, worse, non-compliance that can result in contract termination and damage to their GC contracting reputation.

Building a Sustainable Protected B Practice

Protected B compliance is not a one-time checkpoint — it is an ongoing operational commitment. The firms that manage it most effectively treat it as a core business capability rather than a project-specific burden. They invest in standing security infrastructure, maintain current clearances for their resource pool, and build compliance costs into their standard rate structures.

As the Government of Canada continues to strengthen its security requirements for contractors, the firms that have already established a robust Protected B security posture will have a significant competitive advantage in winning and delivering federal contracts.


Contains information licensed under the Open Government Licence — Canada.
