GUARDRAILS.md

File metadata and controls

67 lines (41 loc) · 5.8 KB

Government of Canada Source Code Management (SCM) Guardrails

Introduction

The Government of Canada Source Code Management (SCM) Guardrails describe a preliminary set of baseline cyber security controls to ensure that the Source Code Management service environment has a minimum set of configurations. Departments must implement, validate and report on compliance with the guardrails in the first 30 business days of getting access to their SCM account.

Source Code Management services are used to store, manage, and track changes to source code, as well as to perform DevOps activities (such as automated deployments, continuous integration, and continuous delivery). The SCM guardrails are designed to ensure that the SCM environment is secure and that the source code is protected from unauthorized access, modification, or deletion.

In order to reduce complexity and avoid repetition, controls and specifications have been listed under the table that is the best fit. As such, the guardrails are intended to be taken as a whole and not by examining select tables in isolation from the others. Departments are responsible for implementing the minimum configurations identified in the tables below.

Definitions

For this document the following definitions will be used:

  • Mandatory Requirements: A set of baseline security controls that departments must implement, validate and report on in the first 30 business days of getting access to their SCM account.
  • Conditional Requirements: Additional security controls that are taken into consideration for a subset of instances. While these controls may not apply to all solutions, they should be taken into account under specified conditions.

Applicable Service Models

This guardrail document relates to Software as a Service (SaaS), specifically DevOps and Source Code management tools.

Guardrail Activities

The Activities listed under each guardrail are intended to provide a high-level overview of the actions organizations should consider to achieve the desired outcome. They are not prescriptive instructions but rather guidelines that can be adapted to fit the specific needs and circumstances of each organization.

While the activities offer general recommendations, the implementation details, such as the choice of specific tools or services, configuration settings, and thresholds for suspicious activity, will vary depending on factors like the organization's size, risk tolerance, and existing security infrastructure.

For more in-depth guidance and technical references, organizations are encouraged to consult their own best practices, standards, and specialized resources.

SCM Guardrails

| ID | SCM Guardrail |
|----|---------------|
| 01 | Protect User Accounts and Identities |
| 02 | Manage Access |
| 03 | Secure Endpoints |
| 04 | Enterprise monitoring accounts |
| 05 | Data Protection |
| 06 | Network security services |
| 07 | Cyber defense services |
| 08 | Logging and monitoring |
| 09 | Plan for Continuity |

After the first 30 business days

Implementing the guardrails is one of the first steps to establishing a secure SCM platform. After the controls are established in the first 30 days, departments should be prepared to monitor their solutions and respond to threats, including keeping up to date on patches and updates. By adhering to these guardrails, departments will have a head start on many of the controls outlined in the documents below. It is expected that they will continue to work towards completing all of the following:

Departments should engage with their IT security risk management teams to obtain advice and guidance on integrating security assessment and authorization activities as part of the implementation of the SCM platform. The Government of Canada Cloud Security Risk Management Approach and Procedures outlines activities for departments to consider as part of risk management.

How to Contribute

See CONTRIBUTING.md

License

Unless otherwise noted, the source code of this project is distributed under the MIT License.

The Canada wordmark and related graphics associated with this distribution are protected under trademark law and copyright law. No permission is granted to use them outside the parameters of the Government of Canada's corporate identity program. For more information, see Federal identity requirements.