Things to know
The Government of Canada’s security framework is set out in the Policy on Government Security.
The government’s guide for organizations on federal government security standards and procedures is the Industrial Security Manual. Organizations registered with the Contract Security Program must be compliant with the security requirements set out in the manual.
The security requirements associated with a contract are identified in the security requirements checklist (SRCL) issued with the bid solicitation documents and the subsequent contract, and are contained in one or more security clauses included in the contract document itself.
Security requirements vary depending upon the applicable data classification. The Government of Canada has adopted a data classification system with eight levels of security: Protected, Protected A, Protected B, Protected C, Classified, Confidential, Secret and Top Secret.
Security clearances fall into two general categories: (i) “organization” clearances, and (ii) “personnel” clearances. Government procurement documents and resulting contracts identify the specific security clearances that a supplier (and its applicable permitted subcontractors) is required to have.
The Treasury Board Secretariat has issued a Direction for Electronic Data Residency that requires all sensitive electronic data under government control that has been categorized as Protected B, Protected C or Classified to be stored in an approved computing facility located within the geographic boundaries of Canada or within government premises located abroad, such as a diplomatic or consular mission. This does not mean that the country of origin of IT service providers must be Canada, as long as these service providers can ensure storage of data within boundaries or premises as described above.
All Protected B, Protected C and Classified Government of Canada electronic data must be encrypted when in transit outside of Government of Canada-controlled Operations and Security Zones within Canada or internationally.
Additional policy requirements are set out in the Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN).
Things to do
- Take steps as an organization to understand and prepare for compliance with the Government of Canada security requirements, including required certifications in order to carry out the targeted work.
- Review procurement documents carefully to understand the classification of the information being processed and to ensure that technical security requirements, data residency and certification requirements are in place or can be implemented prior to receiving any Government of Canada information under the contract.