Fact sheet: Standing Committee on Public Accounts—March 30, 2023
Information related to procurement
Recommendation 7.7.2
Public Services and Procurement Canada (PSPC) and Shared Services Canada should include environmental criteria in their strategies and contracts for procuring cloud services to support sustainability in procurement practices and contribute to achieving Canada’s net-zero goal:
- as of January 2023, Public Services and Procurement Canada is drafting the clauses related to greenhouse gas (GHG) reduction targets that will be included in the resulting contract clauses of the software as a service (SaaS) supply arrangement, and ensuring the language is aligned with the language being used by Shared Services Canada in its cloud framework agreements
- PSPC and Shared Services Canada, as part of the Government of Canada Cloud Procurement Working Group, are collecting feedback from industry on a draft joint template for cloud procurement that will be improved over time. The initial template will include language regarding environmental considerations. One-on-one sessions are underway with vendors following a request for information that closed on November 30, 2022
Recommendations 7.31 and 7.47
Recommendations 7.31 and 7.47 are directed at the Treasury Board Secretariat, but implicate PSPC. 7.31 states: In consultation with Shared Services Canada and Public Services and Procurement Canada, the Treasury Board of Canada Secretariat should do the following: extend the requirement for guardrails to cloud service provider contracts that stem from supply arrangements established by Public Services and Procurement Canada. Clarify who is responsible for the initial validation and ongoing monitoring of cloud guardrail controls and what processes they should follow.
- the Treasury Board Secretariat’s (TBS) Management Action Plan indicates that it would clarify and extend the processes to be followed for cloud service provider contracts awarded by PSPC as part of the updates to the standard operating procedure for validating cloud guardrails by December 2022
- as of January 2023, TBS is still working on this direction to departments. Current TBS thinking is that guardrail management on PSPC contracts would primarily be done by client departments
- TBS’s Management Action Plan indicates it would update the Government of Canada cloud guardrails and the Directive on Service and Digital to reflect guardrail controls that apply to cloud services including cloud services procured by PSPC by January 2023
- as of January 2023, TBS had not finalized direction
Recommendation 7.47
Recommendation 7.47 states: In consultation with Communications Security Establishment Canada, Shared Services Canada, Public Services and Procurement Canada, and departments, the Treasury Board of Canada Secretariat should document and proactively communicate to any department that is using or contemplating cloud services the roles and responsibilities needed to design, implement, validate, monitor, coordinate, and enforce the security controls needed to protect sensitive and personal information in the cloud. The secretariat should review and update these roles and responsibilities at least every 12 months:
- TBS’s Management Action Plan indicates it would publish the existing approved cloud responsibility matrix to formally identify who is responsible for validating, ongoing monitoring, performing oversight and compliance of the cloud guardrail controls by end of September 2022
- as of January 2023, PSPC is supporting TBS in the development of this cloud responsibility matrix but TBS has not yet finalized it
- TBS’s Management Action Plan indicates it will also undertake a review to ensure that the roles and responsibilities required in support of the design, implementation, validation, monitoring, coordination, and enforcement of all the security controls needed to protect sensitive and personal information in the cloud are relevant, updated, and documented in the cloud responsibility matrix by March 2023
- as of January 2023, PSPC is supporting TBS in the development of a cloud responsibility matrix, but TBS has not yet finalized it
Information related to departmental oversight
Within the shared responsibility cloud service providers’ assessment model, the Contract Security Program is responsible for:
- conducting physical security inspections, looking at the “physical and personnel security factors” associated with the data residency requirement in Canada
- physical security inspections involve an assessment of the various physical safeguard measures that the supplier must have in place to properly control access to the premises and to data which are commensurate with the classification level of data they will hold. In the case of hyperscale cloud providers, we are looking specifically at the data centres in Canada
- the personnel security factor refers to the verification, through the physical security inspection, that the supplier’s personnel working with this data and/or within the data centres have the proper personnel security clearance to do so. This includes “privileged users” who require a higher security screening level than the security level of the data they may have access to due to the fact that they may potentially have broad access to the actual aggregated data
Client departments are responsible for:
- conducting a local information technology (IT) assessment before each individual contract is executed. This is required to ensure that any residual risks are acceptable to them before they proceed with contract execution
- sending a new security requirement checklist to the Contract Security Program each time they make a requisition to use a service from the cloud service providers under the established procurement vehicles, as this is what “triggers” any renewal inspections of the cloud suppliers
The Canadian Centre for Cyber Security is responsible for:
- the IT security assessment of the suppliers. The assessment includes a supply chain integrity assessment and ensures that the supplier’s IT infrastructure and processes fall within medium-medium risk thresholds
Responses to the Auditor General’s recommendations
- Public Services and Procurement Canada agreed to the Auditor General’s recommendations and the Contract Security Program has completed the key interim milestone [that was] due for December 30, 2022, and is on track to meet the second interim milestone due March 31, 2023
- [Redacted]