Things to know

The Government of Canada’s security framework is set out in the Policy on Government Security.

The government’s guide for organizations on federal government security standards and procedures is the Contract Security Manual. Organizations registered with the Contract Security Program must be compliant with the security requirements set out in the manual.

The security requirements associated with a contract are identified in the security requirements checklist (SRCL) issued with bid solicitation documents and subsequent contract, and are contained in one or more security clauses included in the contract document itself.

Security requirements vary depending upon the applicable data classification. The Government of Canada has adopted a data classification system with eight levels of security: Protected, Protected A, Protected B, Protected C, Classified, Confidential, Secret and Top Secret.

Security clearances fall into two general categories: (i) “organization” clearances, and (ii) “personnel” clearances. Government procurement documents and resulting contracts identify the specific security clearances that a supplier (and its applicable permitted subcontractors) are required to have.

The Treasury Board Secretariat has issued a Directive on Service and Digital that addresses the location of government data. In the case of cloud services, government departments are required to ensure that computing facilities located within the geographic boundaries of Canada or within the premises of a Government of Canada department located abroad be identified and evaluated as a principal delivery option for all sensitive electronic information and data under government control that has been categorized as Protected B, Protected C or is Classified. The Guideline on Service and Digital indicates that the departmental CIO is responsible for approving departmental decisions to store data outside Canada.

All Protected B, Protected C and Classified Government of Canada electronic data must be encrypted when in transit outside of Government of Canada-controlled Operations and Security Zones within Canada or internationally.

Additional policy requirements are set out in the Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN).

Things to do

  • Take steps as an organization to understand and prepare for compliance with the Government of Canada security requirements, including required certifications in order to carry out the targeted work.
  • Review procurement documents carefully to understand the classification of the information being processed to ensure that technical security requirements, data residency and certification requirements are in place or can be implemented prior to receiving any Government of Canada information under the contract.