Contract Security Manual effective August 13, 2020

On this page

• Chapter 1: General introduction
  • 1.1 Overview
  • 1.2 Contract security administration
  • 1.3 Other security elements
  • 1.4 Publicity of security information
  • 1.5 Cost
  • 1.6 Additional information
• Chapter 2: Contracts with security requirements
  • 2.1 Overview
  • 2.2 Security requirements check list
  • 2.3 Pre-contract award
  • 2.4 Subcontracting
    • 2.4.1 Subcontracting simplification options
    • 2.4.2 Subcontracting to organizations outside Canada
• Chapter 3: Organization screening
  • 3.1 Overview
  • 3.2 Organization clearance
    • 3.2.1 Types of organization clearances
    • 3.2.2 Safeguards
    • 3.2.3 Reciprocal facility security clearances
  • 3.3 Foreign ownership, control or influence
  • 3.4 Site inspections
  • 3.5 Government of Canada security agreement
  • 3.6 Compliance and enforcement for private sector organizations with a security clearance
    • 3.6.1 Compliance with the requirements of the Contract Security Program
    • 3.6.2 Contract Security Program process for non-compliant organizations
    • 3.6.3 Suspension or revocation of an organization security clearance
• Chapter 4: Personnel screening
  • 4.1 Overview
  • 4.2 Personnel security screening
  • 4.3 Site access screening
• Chapter 5: Facility protection
  • 5.1 Overview
  • 5.2 Physical security
  • 5.3 External areas and perimeters
  • 5.4 Access control of secure zones
• Chapter 6: Handling and safeguarding information and assets
  • 6.1 Overview
  • 6.2 Secure environment
    • 6.2.1 Security level requirements
  • 6.3 Records management
    • 6.3.1 Retaining records
  • 6.4 Security markings
  • 6.5 Storage
  • 6.6 Use of computers
  • 6.7 Packaging and transmitting
  • 6.8 Transfer of information and assets
  • 6.9 Verbal and message communication
  • 6.10 Destruction of records
• Chapter 7: Information technology security
  • 7.1 Overview
  • 7.2 Planning
    • 7.2.1 Physical security
    • 7.2.2 Electronic information security
  • 7.3 Inspections
• Chapter 8: Visits to secure sites
  • 8.1 Overview
  • 8.2 Types of visit requests
  • 8.3 Mandatory prerequisites
  • 8.4 International visits
  • 8.5 Records of visits
  • 8.6 Urgent requests
  • 8.7 Amendments
  • 8.8 Unclassified Visits
  • 8.9 Visits requiring access to foreign Restricted information
• Chapter 9: International security
  • 9.1 Overview
    • 9.1.1 Canadian designated security authority
  • 9.2 Bilateral security instruments
  • 9.3 Foreign disclosure
  • 9.4 Protected information
  • 9.5 International alternative solutions
  • 9.6 Foreign classified information and assets
  • 9.7 Foreign information at the Restricted level
  • 9.8 Security requirements for contracts awarded to foreign organizations
  • 9.9 Program/project security instructions
• Chapter 10: International organizations
  • 10.1 Overview
  • 10.2 North Atlantic Treaty Organization
    • 10.2.1 North Atlantic Treaty Organization cooperative program with non-North Atlantic Treaty Organization allies
    • 10.2.2 North Atlantic Treaty Organization personnel security clearances
    • 10.2.3 Facility security clearances
    • 10.2.4 Handling classified North Atlantic Treaty Organization information
    • 10.2.5 Contracts
    • 10.2.6 Release of North Atlantic Treaty Organization classified information to contractors from non-North Atlantic Treaty Organization nations
  • 10.3 European Union
  • 10.4 European Space Agency
• Chapter 11: Joint Certification Program
  • 11.1 Overview
  • 11.2 Joint certification process
  • 11.3 Unclassified visits
• Annex A: Guidelines on company security officer and alternate company security officer responsibilities
  1. General responsibilities for company security officers and alternate company security officers
  2. Document safeguarding capability responsibilities
  3. Official contact with Public Services and Procurement Canada
  4. Security briefings
  5. Security awareness content
  6. Security violations, breaches and compromises
     1. Security incidents
     2. Security breaches
     3. Changes in behaviour
     4. Changes in circumstances
     5. Suspicious contacts and security incidents
     6. Organizational changes
     7. Classified contracts from foreign entities
  7. Reporting
  8. Contract Security Program compliance and enforcement guide
• Annex B: Guidelines for facility protection
  1. Physical security
  2. Types of secure zones
     1. Public zone
     2. Reception zones
     3. Operations zone
     4. Security zone
     5. High-security zone
  3. Elements of secure zones
  4. External areas and perimeters
     1. External perimeter
     2. Landscaping
     3. Parking lots
     4. Security lighting
     5. Doors, windows and other openings
     6. Emergency exits
  5. Security control centres
  6. Control of access to secure zones
     1. Reception
     2. Personnel identification
     3. Organizations must
     4. Guards
     5. Electronic access control
     6. Electronic intrusion detection
     7. Closed-circuit television
     8. Interior access controls
     9. Service spaces
• Annex C: Guidelines for safeguarding information and assets
  1. Secure environment
  2. Records management
     1. Records office security
  3. Security markings
     1. Protected and classified information
     2. Microforms
     3. Electronic storage material
  4. Storage
     1. Keys for containers
     2. Precautions
     3. Equipment
  5. Packaging and transmitting
• Annex D: Information technology security inspection process
  1. Initiation
  2. The on-site inspection
  3. Off-site inspections
     1. Telephone inspections
     2. Attestation process
  4. Post inspection
     1. Letter of recommendations
  5. Approval
  6. Changes to information technology systems after an information technology security inspection
• Annex E: Guidelines for requests for visits
  1. Requirements for requests for visits
     1. Domestic visits
        1. Canadian private sector organization to private sector organization visits
        2. Canadian private sector organizations to Canadian government visits
        3. Canadian government to Canadian private sector organization visits
     2. International visits
  2. Types of visits
  3. Responsibilities
     1. Host organization responsibilities
     2. Visiting organization responsibilities

1.1 Overview

This manual is a reference for organizations to understand the Government of Canada's security standards, procedures and international commitments for working on government contracts, projects and programs with security requirements.

It details the requirements that organizations must follow for safeguarding government information and assets provided to, or produced by, organizations registered in the CSP and to all contracts, Canadian or foreign, for which PSPC is responsible. Procedures are also provided for the same activities related to allied foreign governments contracting through PSPC, such as multinational ventures where Canada is a partner.

Organizations awarded a government contract with security requirements or with a legitimate need to access protected or classified information must be registered and security screened at the appropriate level through the CSP. Once registered, organizations must comply with the security requirements set out in this manual and with all other applicable security policies, standards and directives including, but not limited to the following:

1.2 Contract security administration

PSPC is authorized to administer contract security services by the Department of Public Works and Government Services Act and the Treasury Board Policy on Government Security (PGS), which includes the Standard on Security Screening, as well as the Policy on the CSP. These contract security services help safeguard protected, classified, as well as other sensitive Government of Canada and foreign information and assets. Included in the PGS is a Directive on Security Management, which provides detailed information on mandatory security controls, as well as the Directive on Identity Management, which provides details on managing identity in a manner that mitigates risks to personnel, organizational and national security. In accordance with the North Atlantic Treaty organization (NATO) policy and bilateral security instruments, the CSP is also responsible to oversee the safeguarding of foreign classified information in contracting.

1.3 Other security elements

Granting a reliability status or security clearance (hereafter referred to as security status and/or security clearance) to an organization or individual is confirmation that they are eligible to access, and requires them to safeguard, a certain level of information or assets when they have a need to know (recipient needs access to perform his or her official duties). This means organizations must comply with the requirements in the Security of Information Act, and the Personal Information Protection and Electronic Documents Act.

1.4 Publicity of security information

The following security criteria apply to organizations registered in the CSP and to all government contracts, projects or programs, Canadian or foreign, for which PSPC is responsible.

Having a security status or clearance is not a secret in and of itself, but there is an expectation of good judgment regarding sharing that information. Security status or clearance information must be adequately safeguarded to mitigate the risk that cleared organizations might become targets for security infiltration or terrorism activity.

• Organizations must not make public any specific information about their security status or clearance in any advertising or promotional activities such as on the organization's website, in videos, social media or photos
• Employees of organizations must not make public their level of security status or clearance on business cards, curriculum vitae, or the Internet, including social media, as this could draw attention to the security status of the organization for which they work
• Any enquiries received by organizations concerning their security status should be directed to contact the Contract Security Program's client service centre

General information about a contract can be released as this is already public knowledge, however organizations must:

• get clarification and/or written approval from the contracting authority before releasing information related to a contract
• not make public any specific information about the security requirements of a government contract

Protected or classified information cannot be made public or advertised in any manner.

1.5. Cost

PSPC does not charge applicants a fee to process organizational screenings and personnel security screening applications. As such, organizations registered in PSPC's CSP are prohibited from charging fees to their sub-contractors and employees to obtain security clearances.

1.6 Additional information

Organizations can learn how to meet the requirements in this manual by visiting the PSPC's Security requirements for contracting with the Government of Canada website.

2.1 Overview

A contract contains security requirements when access to any of the following is required:

• Canadian protected or classified information, assets or sites
• Canadian, NATO or foreign classified information, assets or sites

The requirements may also include contract promotion, pre-contract enquiries and negotiations. Clauses containing the security requirements are written into federal government contracts. Any amendments or extensions to a PSPC contract with security requirements must be provided to the CSP by email at tpsgc.ssicontrats-isscontracts.pwgsc@tpsgc-pwgsc.gc.ca.

The CSP must also receive the following items by email at tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca:

• any awards of contracts or subcontracts with security requirements from NATO or foreign entities
• any amendments or extensions to contracts with security requirements involving NATO or foreign entities

2.2 Security requirements check list

At the beginning of the procurement process, the project authority completes a Security requirements check list form (TBS/SCT 350-103) outlining the security requirements in a contract. This is part of the bid solicitation documents. The contracting authority ensures that all requirements, approved security clauses and supplementary remarks are included in the contract documentation. These are legally binding.

Organizations should not sign a contract until they understand the implications and potential cost of the security requirements. Once the contract is signed, the organization must give a copy of the security requirements of the contract and the security requirements check list (SRCL) form to its company security officer (CSO). Please see Section 3.2 Organization clearance. The CSO must make sure that all security requirements are met throughout the lifecycle of the contract and before accessing protected and/or classified information.

2.3 Pre-contract award

The CSP will begin the organization security screening process upon receipt of a complete and valid request from the contracting authority. Before the contract is awarded, parts of the screening process must be completed, such as the designated organization screening and facility security clearance. Other requirements, such as Information Technology Security, production capability and communication security (COMSEC) are typically met after awarding the contract but before starting work.

If the contract has a document safeguarding capability (DSC) requirement, work on the contract at the supplier's location cannot start until the full inspection process is completed. Please see Section 3.4 Site inspections.

2.4 Subcontracting

The prime contractor is the organization that wins the bid to work on a contract for the Government of Canada, a foreign government or an international organization. This prime contractor hires the subcontractor to work on a specific part of the contract. The subcontractor is not an employee of the prime contractor's organization and must be security screened with the CSP. The prime contractor must contact the Contract Security Program for approval before awarding a subcontract with security requirements to a subcontractor and the CSP's approval is required for each successive level of subcontracting.

To request approval, the prime contractor must submit a completed SRCL to obtain security clauses for the subcontract. If the subcontractor is not already security-cleared, the prime contractor must also submit a Request for private sector organization screening form to the CSP to sponsor the organization. The CSP and the prime contractor will ensure the subcontractor meets the security aspects of the intended subcontract and/or obtains the appropriate security screening. The subcontract can be awarded after the CSP provides the prime contractor with:

• the approval letter
• a signed copy of the SRCL
• security clauses that must be inserted into the subcontract

The prime contractor must provide a copy of the subcontract to the CSP once awarded. The subcontractor cannot start until the subcontract is awarded and their organization has been granted the required security status or clearance.

Learn more about the subcontracting security requirements.

3.1 Overview

To be screened by the CSP, a Canadian organization must either:

• meet the eligibility criteria for organization screening
• be sponsored by a Government of Canada approved source

This source must be one of the following:

• a federal government procurement, security or project officer
• an eligible organization who is:
  • already screened with the CSP
  • working on an active contract
  • has a requirement to subcontract
• a foreign national or designated security authority

By obtaining a security clearance with the CSP, the organization agrees with the Government of Canada to:

• meet the security requirements of this manual and any other security requirements in a federal government contract awarded to the organization
• allow PSPC, or other government authority at the request of PSPC, to conduct security inspections at any time
  • please see Section 3.4 Site inspections
• cover all security related costs

Pre-contract negotiations, involving protected or classified information and assets, cannot start before an organization has been security screened through the CSP, unless specified by the contracting authority. This also applies when a security-cleared organization wishes to award a subcontract with security requirements to another organization.

3.2 Organization clearance

There are 3 types of organization clearances:

• a provisional security clearance
• a designated organization screening (DOS)
• a facility security clearance (FSC)

A provisional security clearance is a temporary clearance approved for a specific solicitation process for organizations requiring access to sensitive information prior to responding to a solicitation with security requirements. It allows an organization to obtain personnel security screening for individuals who are part of their bid preparation team.

As for a DOS or an FSC, it is not awarded in perpetuity; it is granted to organizations for a specific contract or subcontract, and to organizations that bid on federal government solicitations with security requirements with a complete Application for registration (AFR) form. A DOS or an FSC allows an organization to obtain personnel security screening for their employees at the required level as indicated in the awarded contract or subcontract.

If an organization needs to possess or store protected or classified information and assets, an additional safeguard capability authorization is required. Please see Subsection 3.2.2 Safeguards.

During the organization screening process, certain individuals in the organization must be security screened. Please see Chapter 4: Personnel screening. These individuals include:

• key senior officials (KSO)
  • an individual owner as well as any officer, director (of the board), executive and/or partner
  • in a position of control or influence over an organization
• company security officer (CSO)
  • appointed by the chief executive officer or the designated KSO
  • reports to KSOs on security matters
• alternate company security officer (ACSO)
  • appointed by the CSO to be the CSO's back up
  • assumes any specific duties the CSO requires
• corporate company security officer (CCSO)
  • appointed by the chief executive officer or the designated KSO when an organization has one or more security assessed subsidiaries in Canada
  • has a requirement to oversee government contract security matters for the entire corporation
  • does not replace the requirement to have a CSO at each security assessed subsidiary

The security officers must be employed by the organization or a KSO, be physically located in Canada and be a Canadian citizen ^{Footnote 1}.

The CSO and CCSO must be security screened at least at the security level of the organization. The ACSO can be security screened at the level of the organization or lower, depending on its location and specific roles and responsibilities in regards to the other security officers.

The CCSO, CSO and ACSO must sign the security appointment, acknowledgement and undertaking form that describes their responsibilities. Information about these responsibilities can also be found in Annex A: Guidelines on company security officer and alternate company security officer responsibilities.

3.3 Foreign ownership, control or influence

A foreign ownership control or influence (FOCI) evaluation assesses the degree of authority, ownership, control or influence that foreign interests may have over a Canadian organization. This helps determine and mitigate the risk that unauthorized third parties may exert undue influence over a Canadian organization to access government classified information and assets.

FSCs do not exempt an organization from further evaluation. In addition, having a Confidential, Secret or Top Secret clearance does not exempt an organization from a FOCI evaluation, if it is required. The FOCI evaluation is generally triggered by the type of information being accessed. A FOCI evaluation must be done for contracts involving access to NATO, foreign or COMSEC classified information or assets, or as directed by the CSP.

The existence of foreign ownership, control or influence does not, in itself, prohibit an organization from holding an FSC. Each case is assessed individually based on the particular risk profile associated with the goods or services being procured to the government or foreign government client. In cases of an adverse assessment, the CSP will discuss with the organization and the client department whether certain measures can reduce the risk to an acceptable level by the CSP and the client department.

A FOCI evaluation must generally be completed before access to sensitive information, assets or sites is granted. The determination of FOCI risks is contract specific and remains valid during the contract as long as the degree of potential foreign control or influence of the organization does not change. Re-evaluations are conducted when a new FOCI requirement is identified or when the factors at the time of the evaluation change (for example, a new ownership or corporate restructuring).

3.4 Site inspections

Site inspections are a key component of the security screening process. An organization must allow the CSP field industrial security officer (FISO) to inspect all relevant facilities or sites to ensure that existing security measures protect information and assets.

Scheduled and unscheduled access by the CSP security inspectors is a normal condition of a contract with security requirements.

During the inspection, the FISO will also assess:

• potential targets or risks for physical attacks
• intrusion detection systems
• physical security zones
• how information and assets are handled

The organization cannot hold or store protected or classified information associated with the contract until the inspection process is completed and the CSP has notified it in writing that the DSC has been granted.

Inspections may be conducted at any time while the organization is security-cleared with the CSP. Inspection timeframes vary based on:

• the contracts
• the security levels
• the length of time an organization needs to comply with the CSP security requirements
• the organization's history of compliance with the CSP

Learn more about site inspections.

3.5 Government of Canada security agreement

Before an organization receives a provisional security clearance, a DOS or an FSC, a KSO must complete and sign a security agreement with the Government of Canada. The security agreement outlines the terms and conditions of the organization's security clearance as well as grounds for the suspension or revocation of the organization's security clearance. After signing the agreement, the organization agrees to abide by all security requirements of the CSP. This agreement is signed as part of the security screening process.

3.6 Compliance and enforcement for private sector organizations with an organization clearance

Private sector organizations have an obligation to maintain compliance with the requirements of the CSP at all times throughout the performance of procurement instruments^{Footnote 3} that contain security requirements.

4.1 Overview

To obtain a security clearance with the CSP, an organization must have its personnel security screened. This begins with its:

• key senior officials (if required)
• corporate company security officers (if required)
• company security officers (CSO)
• alternate company security officers (ACSO)

Once the organization's screening is complete, the provisional security clearance, designated organization screening or facility security clearance is granted. Please see Subsection 3.2.1 Types of organization clearances. The CSOs and ACSOs can submit screening requests for personnel in their organization who have a legitimate requirement to access protected or classified information, assets and work sites as part of an active solicitation process, contract, subcontract or lease.

Learn more about who is eligible for a personnel security screening.

An employee is a person employed by the company for wages or salary as part of the payroll. However, under specific conditions, it can include subcontractor resources; these resources would fall within the first subcontracting option. Please see Subsection 2.4.1 Subcontracting simplification options. This security screening must be completed before granting access to protected or classified information, assets or work sites.

4.2 Personnel security screening

There are different levels of personnel security screening. These are determined by the identified security requirements of a contract or subcontract. Organizations must get the required security screening for personnel who require access to protected or classified information, assets or work sites. Individuals cannot access protected or classified information or assets until they have the required reliability status, Secret security clearance, or Top Secret security clearance.

4.3 Site access screening

Site access screening is another type of screening. It may be conducted for individuals external to government who do not access sensitive information, but who access restricted or controlled government facilities or areas within those facilities.

There are 2 types of site access screening:

• screening for site access status assesses an individual's honesty and reliability, it requires a verification of
  • an individual's identity
  • a law enforcement enquiry
• screening for site access clearance assesses an individual's loyalty to Canada and their reliability as it relates to that loyalty, it requires a verification of
  • an individual's identity
  • a law enforcement enquiry
  • a security assessment

Individuals cannot access sensitive sites or facilities without the site access status or site access clearance.

5.1 Overview

Properly protecting a facility means having a system of physical security that detects and responds to actual or attempted unauthorized access using physical, procedural and psychological barriers.

Given enough time, almost any physical security measure can be compromised. Therefore, protective measures must be based on the time required for a response unit or person to arrive at the scene. The CSP can help develop a facility protection plan, which will form part of an overall effective security program.

An organization that has a DOS or FSC, with an additional capability authorization, such as DSC (Subsection 3.2.2 Safeguards) must protect its facility from compromise and unauthorized access.

Organizations must effectively use restricted zones by implementing appropriate security procedures such as:

• storing and treating information and assets in the appropriate security zones
• controlling access to classified information in a document registry
• ensuring that all individuals working in security zones are security assessed to the appropriate level
• segregating information sufficiently so that only those individuals with a need to know will be able to access the information
• escorting visitors
• securing protected and classified information and assets when leaving the work area
• using precautions when discussing protected or classified information
• placing equipment, such as containers and shredders, where they can be used without leaving protected and classified information and assets unattended
• preparing and handling Protected C information and assets in a security zone or, if required, in a high-security zone
• physical security zones in accordance with the federal Directive on Security Management

5.2 Physical security

Organizations should consult the CSP at an early stage when building, buying, leasing or renovating facilities for which a site clearance will be required. Physical security systems must comply with provincial and municipal regulations and codes, such as fire, construction and electrical.

5.3 External areas and perimeters

PSPC's CSP will also assist with the specific requirements for external areas and perimeters such as:

• fences and free-standing walls
• landscaping and parking lots
• external security lighting
• access doors; windows; other perimeter openings
• emergency exits

An organization with DSC may need a security control centre at each site to monitor and control the security equipment and systems. It can be operated by the facility, by a commercial agency under contract, or a combination to provide full-time coverage. The security monitoring system must have the capability to operate independently of other facility monitoring systems.

5.4 Access control of secure zones

Organizations must use established entry points to channel employees and visitors, verify identities and stop a visitor from entering until properly recorded and accompanied by an employee. A number of measures must be taken to control access to secure zones such as:

• personnel identification
• guards
• electronic access control
• electronic intrusion detection
• closed-circuit television
• interior access controls
• service spaces

The organization cannot access, possess, handle or store protected and classified information at the site until the CSP has notified it in writing that the required security level has been granted.

Further details about these requirements and what the field industrial security officer will be reviewing during the site inspection are in Annex B: Guidelines for facility protection.

6.1 Overview

When an organization is authorized under the CSP to possess and store protected or classified information and assets (Subsection 3.2.2 Safeguards), it must have an asset security system that:

• identifies management and employee responsibilities
• defines assets requiring safeguards
• establishes a document registry, which includes maintaining an inventory, reporting and handling security incidents, and maintaining a threat and risk assessment
• details proper personnel and physical security measures

Access to protected and classified information and assets must be limited to persons who have the appropriate security level and who have a need to know.

These requirements also apply to any foreign classified and NATO classified information, in addition to other NATO requirements (Chapter 10.2: North Atlantic Treaty Organization). The safeguarding principles outlined in this chapter for classified information apply to foreign or domestic government information, as well as to NATO, European Union and European Space Agency classified information.

Improper handling and safeguarding of protected and classified information and assets could result in the suspension or revocation of an organization's DOS or FSC, or an employee's reliability status or security clearance, depending on the situation. Revocation or suspension of a DOS or FSC may result in the loss of any government contract requiring the organization to hold a security screening status.

The following sections provide an overview of each requirement for safeguarding protected and classified information and assets. Annex C: Guidelines for safeguarding information and assets provides further details on these requirements and should be read in conjunction with this chapter. These measures apply to any information that is copied or translated, which retains the security categorization level of the original information. Specific instructions on whether information can be copied or translated may be provided in the contract or in bilateral security instruments.

6.2 Secure environment

In an office environment, organizations must use restricted zones to safeguard information and assets. Appropriate security procedures ensure that information and assets are accessed only by persons authorized at the appropriate security level and with a need to know; that it is not left unattended; and that it is recorded, stored and disposed of properly. (Annex C: I. Secure environment)

6.3 Records management

Organizations must have a suitable location, called a registry, to receive, distribute and store protected and classified information and assets.

Organizations must keep records of the dates, names and transactions of all classified information and assets indicating the receipt, distribution, creation, reproduction and destruction within the facility.

All records of protected/classified information and assets and all protected/classified information and assets must be available for inspection by the CSP FISO.

The use of secure registries and implementing proper procedures protects all information and assets. These procedures include treating the registry as a security zone, implementing measures that prevent unauthorized access, and opening, releasing and marking records with the appropriate level of security. (Annex C: II. Records management)

Organizations must keep records of foreign information and assets unless otherwise stipulated in the contract clauses.

6.4 Security markings

Protected and classified information must be appropriately marked using specific procedures and markings according to the level of sensitivity and the type of media, including microforms and electronic storage material.

Markings on international documentation is guided by international security memoranda of understanding, agreements or other international standards and guidelines (Annex C: III. Security markings). Contact the CSP by email: tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca for advice and assistance.

6.5 Storage

As a minimum, when located in an approved operations zone, protected and restricted information and assets must be stored in locked containers, such as cabinets, safes, vaults and secure rooms, unless otherwise stipulated in contract clauses. Protected C, Secret and Top Secret information and assets must be stored in an approved security container in a security zone (Chapter 5.2: Physical security), in accordance with the RCMP Security Equipment Guide. Classified information at the Confidential level must be kept in an RCMP container, when located in an approved operations zone. When constructed to the specifications identified in the RCMP's Secure Storage Rooms Guide and located in the appropriate zones, protected or classified information and assets may be stored on open shelving in a secure room. The FISO will provide advice and must inspect and approve the rooms before use.

Organizations are permitted to purchase approved security equipment through the CSP. The CSO or ACSO should consult with the FISO by email: tpsgc.ssidie-issiid.pwgsc@tpsgc-pwgsc.gc.ca to determine the required equipment. After the FISO approves the order, the CSP will process the request, although the invoicing and delivery for the equipment is between the purchaser (the CSO) and the supplier. Examples of equipment available through this procedure are listed in Annex C: IV. Storage.

6.6 Use of computers

A computer, including portable computers, used for protected or classified information must not be removed from the organization without written permission from the CSO or ACSO. Computers used for protected or classified information must follow the security procedures for storage established by the organization, as well as transport and transmittal standards if it is removed from the organization. Further information about the informational technology security is available in Chapter 7: Information technology security.

6.7 Packaging and transmitting

When transmitting classified and protected information and assets, organizations must protect its security with proper packaging, maintain a record during transit and of delivery. Contact the CSP by email: tpsgc.ssidie-issiid.pwgsc@tpsgc-pwgsc.gc.ca for information.

Records of distribution, circulation and return within the facility must include receipt by signature of the persons involved. Persons who have access to classified information and assets must be briefed on their responsibilities for protecting it and any special restrictions concerning its use or further distribution.

Protected and classified information and assets must be packaged and transmitted in accordance with the RCMP's standards on transport and transmittal of protected and classified information and approved by the CSP for international transmittal. Hand carrying and/or bulk shipping specific protected and classified information and assets must follow specific procedures; the FISO will provide advice and assistance.

Organizations can submit their screening forms to the CSP by email since it is the organization's protected information, but if the information is protected in relation to contracts, then the protected information should be encrypted before emailing.

Organizations must have the prior approval of the Canadian Designated Security Authority before internationally transmitting protected or classified information or assets. For more information, contact the CSP by email: tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca.

6.8 Transfer of information and assets

If an organization plans to transfer Protected and/or Classified information/assets from one site to another the organization must ensure the sites are cleared with DSC and information technology (if applicable) for that specific contract prior to transfer. Note this transfer can only be within Canada and does not include Top Secret, Protected C, COMSEC material or NATO and foreign classified information/assets. The organizations CSO and ACSOs must follow a CSP approved method of transportation for the exchange as well as account for and record the change in the document registry.

The CSP must approve removing and transporting of information and assets at Protected C and COMSEC material, as well as all NATO, foreign and Canadian classified information at Confidential or above. For more information, contact the CSP by email: tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca.

6.9 Verbal and message communication

Unprotected telephones or facsimiles cannot be used to communicate information classified above restricted or designated above Protected A. The Communications Security Establishment will provide assistance to coordinate secure telephones or facsimiles.

6.10 Destruction of records

As identified in the contract clauses, protected and classified information and assets can either be returned to the client department, destroyed using an approved third party destruction company or the organization can shred onsite if they have an approved shredder. An organization's shredder will be inspected by the FISO during the DSC inspection if a company indicates that they will be shredding on site. A certificate of destruction is required for classified information.

The CSP does not normally retrieve protected or classified information unless stipulated in the contract, requested to do so or in certain cases where the DSC is being revoked.

All foreign classified Information must be destroyed in accordance with the contract clauses. Always validate with the CSP before destruction of foreign classified information. Foreign Restricted information and assets must also be destroyed in accordance with the requirements established in the contract clauses.

Protected and classified information and assets that have been authorized for destruction must be disposed of with the following requirements:

• by approved destruction equipment, or at a facility with DSC clearance authorized by the CSP
• be safeguarded according to the highest level of asset involved while awaiting, or in transit to, destruction
• kept separate from other information and assets awaiting destruction
• be monitored by an employee with a proper reliability status or security clearance, as applicable
• surplus copies and waste that could reveal protected and classified information must be protected to the appropriate level and should be promptly destroyed

7.1 Overview

When organizations are awarded Government of Canada contracts (both prime and sub-contracts) that require them to use their own information technology (IT) system(s) to store/process/create protected or classified information as indicated in the contract's security requirements check list (SRCL) (section C.11.D and/or section C.11.E), they must first get authorization from Public Services and the CSP.

The organization cannot use its IT system to store/process/create protected or classified information until the IT security inspection process, conducted by a CSP IT security inspector, is completed and formalized in an IT written approval letter from PSPC's CSP.

Organizations must not use an IT system in support of a contract to store/process/create protected or classified information before receiving authorization from the CSP; this will constitute a breach of one or more of the terms of the contract.

7.2 Planning

An IT security plan is an important step in safeguarding and controlling an organization's information system.

Organizations must maintain an IT security posture that respects and maintains the confidentiality, integrity, and availability of protected or classified electronic information for the duration of the time held.

The CSP IT security inspections are based on the policies and guidelines found in the Policy on Government Security, the Policy on Service and Digital, the Directive on Service and Digital, the North Atlantic Treaty Organization Security Policy (PDF) as appropriate, and other guidelines published by the Government of Canada, and on business best practices concepts.

7.3 Inspections

The CSP IT security inspections occur after a contract has been awarded with an IT requirement. The organization must first meet the physical security requirements (Chapter 5: Facility protection) and received a DSC at the level of the contract or higher.

Organizations must not store, process or create protected or classified information on their IT system(s) until the CSP has issued an IT written approval letter.

The CSP IT security inspections are performed to ensure that the residual risk to Government of Canada protected or classified information is low. Government departments and agencies have authorized the CSP, through memoranda of understanding and other means, to approve IT systems for storing/processing/creating protected or classified information where the residual risk, as evaluated by the IT security inspector, is low.

IT security inspections are specific to a particular contract, and only for the levels identified in the contract's SRCL. The IT written approval letter is only valid for the contract(s) inspected against, and is only valid for the duration of this/these contract(s).

As part of the inspection process, organizations may receive recommendations and/or suggestions for improving their overall IT security posture which, when implemented, will provide IT security inspectors with a level of confidence that the residual risk is low.

For information on how an IT security inspection is performed, see Annex D: Information technology security inspection process.

More information on IT security is available on the Information technology security requirements webpage.

8.1 Overview

For bid solicitation purposes, or during the course of a contract, security-cleared individuals may be required to visit a government or private sector organization in Canada or abroad, or an organization may be required to host visitors to their facilities. In these cases, a request for visit (RFV) must be submitted to and approved by the CSP.

In Canada, the CSP verifies that the organization requesting the visit has the required level of FSC; each of the proposed visitors has the required level of security clearance; and foreign disclosure limitations (Chapter 9.3: Foreign Disclosure), if any, are identified and strictly observed according to international security instruments.

An approved RFV authorizes access to classified information on an oral and visual basis only; it does not authorize removing classified material from the site. Organizations and individuals must strictly observe any access or disclosure limitations prescribed in the visit authorization.

The visitor's personnel security clearance level and need to know must be verified through official visit protocol before the host organization allows access to classified information or access to a controlled site.

PSPC representatives holding the appropriate level of personnel security clearance may visit organizations in an official capacity without notifying the organization in advance of their visit. The organization must verify PSPC personnel's valid Government of Canada credentials and level of clearance by contacting the Contract Security Program's client service centre before granting access to classified information. Personnel of the Communications Security Establishment (CSE) will also be afforded the same access for the purpose of conducting an inspection of information technology systems.

Procedures for processing RFVs are available on the Approval for visits to secure sites webpage.

8.2 Types of visit requests

There are different types of visit requests:

• a one-time visit is for a specified, continuous period of time up to one year, and it is not renewable. If the need for access is ongoing, a new request must be submitted at the end of the year for approval
• a recurring visit is for a series of visits over an extended period of time, normally up to one year. It is renewable on an annual basis, unless otherwise authorized by the CSP, that is, for a multi-year contract or major crown project
• an emergency request is used for an event of an urgent nature
• a project/program security instruction-specific visit. These are determined on a case-by-case basis

8.3 Mandatory prerequisites

All organizations submitting an RFV for access to classified information, must hold a valid FSC at or above the categorization level of the requested visit. In addition, each person involved must hold a personnel security clearance at or above the categorization level of the requested visit.

Foreign nationals, residing in Canada and employed by a cleared Canadian organization, must hold a Canadian personnel security clearance before the CSP will approve a visit to other countries or to other Canadian organizations as a representative/consultant of a Canadian organization.

Foreign nationals visiting a Canadian organization on an approved international visit request cannot be included in a Canadian visit request to another Canadian organization.

Guidelines for processing visits and the responsibilities for the visiting and host organizations are available in Annex E: Guidelines for requests for visits.

8.4 International visits

All international visits must be authorized through the Canadian Designated Security Authority (DSA) (Chapter 9.1.1: Canadian Designated Security Authority) using the Multinational Industrial Security Working Group request for visits form. Similarly, the Canadian DSA will process visit requests for Canadian organizations to NATO commands and agencies using the NATO international visit control procedures.

The requirements for processing international visits vary according to the specific bilateral security instrument. The CSP will notify Canadian organizations of applicable procedures if and when required.

8.5 Records of visits

Organizations must keep a record of all visitors to their facility who access classified information. A separate visitor log must be maintained for NATO visits listing the visitor's full name and organization, person visited, and the date of arrival and departure. The CSP representatives are not considered visitors and are not required to enter their names in visit logs.

Records of authorized visits that have taken place must be maintained by the host organization for a minimum period of two years and can be randomly inspected by the CSP during that period.

8.6 Urgent requests

Special procedures exist for processing urgent visit requests through official PSPC channels as a result of an invitation from a host organization. The requesting organization's CSO or ACSO must adequately justify the urgent requirement and provide all details (for example, urgent need to repair equipment whose non-serviceability is preventing the continuation of test trials, and thereby affecting the overall progress of a program or contract).

Contact the CSP by email at ssi-iss@tpsgc-pwgsc.gc.ca for information on submitting an urgent request.

8.7 Amendments

When submitting additions or deletions of visitors to approved visit requests, the organization must include the original approved the CSP visit identification number.

Generally, the purpose or period of a visit cannot be changed by an amendment submission, and a new request may be required. The CSO or ACSO should contact the CSP before submitting these types of amendments.

8.8 Unclassified Visits

For unclassified visits to United States (U.S.) Department of Defense (DOD) facilities, a visit approval using the Canada/U.S. Joint Certification Program (JCP) directly arranged visit (DAV) process may be required by Canadian organizations for access to certain establishments (Chapter 11: Joint Certification Program).

More information about visit requests is available on the Approval for visits to secure sites webpage.

8.9 Visits requiring access to foreign Restricted information

Requests for visits involving access to foreign Restricted information or assets must be done in accordance with procedures established in the contract clauses. Contact the Canadian DSA by email at dgsssiprojetintl-dobissintlproject@tpsgc-pwgsc.gc.ca for more information about these types of visits.

9.1 Overview

The Government of Canada must occasionally use foreign contractors and increasingly complex supply chains to access specialized skills and technologies. Similarly, Canadian contractors may be a supplier of an allied foreign government or international organization. The Government of Canada, allied governments and international organizations must ensure their respective sensitive information is adequately handled and safeguarded using common international standards when shared among themselves.

9.2 Bilateral security instruments

The Canadian DSA negotiates a number of bilateral security instruments (arrangements, memoranda of understanding, agreements) to facilitate the exchanging and safeguarding of protected and classified information and assets that have been provided to contractors. Consequently, the Canadian DSA identifies the security requirements to safeguard protected and classified information that a Canadian or foreign organization must abide by when it becomes involved in any stage of a contract covered by a bilateral security instrument.

In Canada, the DSA is responsible to negotiate bilateral security instruments that:

• enable Canadian industry to access classified contracts with foreign governments and international organizations
• allow Canadian industry to compete internationally and encourages foreign investment
• administer safeguarding measures for all pre-contracting phases, as well as projects, programs, contracts/subcontracts with foreign countries and international organizations related to the exchange of protected or classified information
• include provisions to define the scope; designate the security authority(ies) to administer and implement the instrument; define security classification level equivalencies of classified and protected information; define protection and handling of classified and protected information; define process to exchange security assurances; define how contract security requirements are transmitted; define process for visits of personnel and transportation of documents and freight; define loss or compromise of classified and protected information; and additional mitigation strategies

9.3 Foreign disclosure

Organizations must get approval from the Canadian DSA to exchange or transfer protected and classified information and assets with a foreign entity or to receive foreign government or international organization classified information. A foreign security assurance confirms that a foreign organization and its personnel meet the security requirements of a solicitation request, contract or subcontract. To obtain a foreign security assurance, organizations must contact the Canadian DSA by email at dgsssiprojetintl-dobissintlproject@tpsgc-pwgsc.gc.ca, who will determine if the information can be released to, and safeguarded by, the foreign organization or government. Please note that foreign disclosure reviews may take several months depending on the information to be disclosed.

Canadian industry transferring national or international information and assets to a foreign entity (government or private sector) must go through the Canadian DSA unless otherwise approved. Most government-to-government exchanges of information and assets use approved courier services. Therefore, organizations who have shipments must contact the Canadian DSA by email at dgsssiprojetintl-dobissintlproject@tpsgc-pwgsc.gc.ca for approval of the shipment. When these methods of transport would result in unacceptable delays to a contract/program/project, the CSO or ACSO can request an alternate method of transmission, such as hand carriage by an organization's employee from the Canadian DSA.

Information belonging to a third nation cannot be released to individuals holding foreign clearances without the prior written approval of the originating nation through the Canadian DSA. Therefore, disclosing national or international information to a foreign person employed by a Canadian organization must be first approved by the Canadian DSA and strictly controlled by the CSO or ACSO.

Disclosing information to foreign visitors is prohibited unless disclosure authority has been obtained from the CSP through an approved visit clearance (Chapter 8: Visits to secure sites) or other authorizing document.

The release of protected and classified information or assets to foreign countries and international organizations must comply with Canada's international bilateral security instruments and foreign legislation, and must be approved by the Canadian DSA.

To request approval for any of the above exchanges of information, or for more information, please contact the Canadian DSA by email at dgsssiprojetintl-dobissintlproject@tpsgc-pwgsc.gc.ca.

9.4 Protected information

Organizations must have written authorization from the Canadian DSA before releasing Canadian protected information and assets to other countries. The Canadian DSA will provide the level of safeguarding required for protected information and assets through contract security clauses or written instructions.

9.5 International alternative solutions

In some cases, when there is no bilateral security instrument covering protected information, customized international alternative solutions may be used to help safeguard Canadian protected information handled abroad during Government of Canada contracting.

With international alternative solutions, the Government of Canada may award contracts and subcontracts at Protected A or Protected B levels to suppliers located in a limited set of countries with appropriate security and privacy legislation and framework; similarly, Canadian organizations may consider certain foreign suppliers in their bids and subcontracts. The suitability of an alternative solutions approach is always considered on a case-by-case basis and is at the exclusive discretion of PSPC's CSP.

More information on whether international alternative solutions are possible is available on the International alternative solutions webpage.

9.6 Foreign classified information and assets

Foreign government and international organization classified information or assets that are Confidential, Secret or Top Secret must be safeguarded in the same manner as Canadian classified information and assets of an equivalent level as defined in the respective bilateral security instrument, unless advised otherwise by the Canadian DSA (Chapter 6: Handling and safeguarding information and assets). Security measures to handle and safeguard foreign classified information are stipulated in the contract clauses.

9.7 Foreign information at the Restricted level

The Restricted classification no longer exists in Canada, however many allied governments and international organizations still use this classification and Canada is obligated to safeguard it consistent with bilateral security instruments. Industries awarded a foreign government contract at the Restricted classification must contact the Canadian DSA by email at dgsssiprojetintl-dobissintlproject@tpsgc-pwgsc.gc.ca for further guidance as the security measures will normally be included in their contract clauses from the foreign DSA. Organizations must also comply with the following additional safeguarding procedures:

• the Canadian DSA must approve the release of foreign Restricted information to any government, person or institution of another country
• access to Restricted information must only be given to individuals who require access in connection with a government or multinational program/project/contract
• the CSO or ACSO must inform all recipients of foreign Restricted information and assets of their responsibility for safeguarding the information and assets
• to avoid confusion, organizations must indicate the country of origin of foreign Restricted information and assets, along with the classification, for example, Restricted (Italy)

9.8 Security requirements for contracts awarded to foreign organizations

In addition to the requirements specified in (Chapter 2: Contracts with security requirements), when awarding contracts, including subcontracts, to organizations outside of Canada holding a valid facility security clearance (FSC) in their nation (foreign contractor), organizations are required to:

• get the Canadian DSA approval for the contract and/or sub-contract; and
• include security requirements clauses in the contract and security classification guidance for the Canadian information, provided by the CSP

9.9 Program/project security instructions

To enable the exchange of information and assets required by governments and industry for multinational cooperative programs, nations participating the program or project may agree to use practices and procedures that differ from the requirements in this manual and from bilateral security instruments. In such cases, these requirements, practices and procedures will be detailed in a Program/Project Security Instruction approved by all participants. For Canada, the Canadian DSA will approve it.

10.1 Overview

Canadian organizations working on contracts requiring access to classified information and assets belonging to international organizations must safeguard that information at the equivalent Canadian security level specified in the respective bilateral security instrument, including the additional requirements written into the contract.

The Canadian DSA will assist a Canadian organization under contract with a foreign government or international organization by identifying the detailed requirements that must be met.

10.2 North Atlantic Treaty Organization

Canada is a member of the NATO, an alliance of 31 member countries.

As a member of NATO, Canada follows security regulations related to classified NATO information, which is circulated within and by NATO. This includes information released by member nations into the NATO alliance, as well as information originated in the organization itself.

10.3 European Union

In accordance with the bilateral security instrument between Canada and the European Union (EU), Canadian contractors may have access to EU classified information, through contracts awarded by EU member states or the EU Commission. Canadian contractors must advise the Canadian DSA if they receive a contract for EU classified information and assets. The Canadian DSA is responsible to oversee the organization's compliance with the security requirements for all EU classified information identified in the contract. For guidance on safeguarding EU classified information, contractors must contact the Canadian DSA by email at dgsssiprojetintl-dobissintlproject@tpsgc-pwgsc.gc.ca.

10.4 European Space Agency

In accordance with the bilateral security instrument between Canada and the European Space Agency (ESA), Canadian contractors may have access to ESA classified information, through contracts awarded by ESA member states or the ESA. Canadian contractors must advise the Canadian DSA if they receive a contract for ESA classified information and assets. The Canadian DSA is responsible to oversee the organization's compliance with the security requirements for all ESA classified information identified in the contract. Contracts including ESA Restricted information will contain detailed clauses for appropriately safeguarding this information. For guidance on safeguarding ESA classified information, contractors must contact the Canadian DSA by email at dgsssiprojetintl-dobissintlproject@tpsgc-pwgsc.gc.ca.

11.1 Overview

The U.S./Canada JCP was established in 1985 to allow contractors of each country to apply for access to DOD/Department of National Defence (DND) unclassified militarily critical technical data (MCTD), on an equally favorable basis, in accordance with the U.S. DOD Directive 5320.25 “Withholding of Unclassified Technical Data and Technology from Public Disclosure”, and Canadian Technical Data Control Regulations (TDCR) pursuant to the Defence Production Act.

Contractors must be certified under the JCP to be eligible to bid on or receive a contract involving access to unclassified MCTD under the control of DOD or DND. Participation in the JCP is limited to contractors who are located in Canada or the U.S.

The JCP is managed by the U.S./Canada Joint Certification Program Office (JCPO) located at Battle Creek, Michigan under the administration of Defense Logistics Agency. The JCP certification establishes the eligibility of Canadian or U.S. contractors to:

• receive unclassified MCTD, under the control of DOD or DND
• bid on defence-related contract opportunities whose specifications involve unclassified militarily critical technical data that are releasable only to certified organizations
• attend gatherings restricted to certified JCP contractors, such as:
  • symposia
  • program briefings
  • meetings designed to publicize advance requirements of contracting agencies
  • pre-solicitation, pre-bid, pre-proposal and pre-award conferences and workshops
• arrange unclassified visits directly with:
  • other JCP certified Canadian and U.S. contractors
  • DOD and DND military facilities

11.2 Joint certification process

To become a certified contractor, an organization must agree to abide by the terms and conditions listed on the militarily critical technical data agreement—DD form 2345 (PDF), complete and submit the DD form 2345 along with all supporting documentation to the U.S./Canada JCPO for verification.

Once accepted by the JCPO, the DD form 2345 constitutes an agreement with the organization and the JCP that unclassified MCTD will not be further distributed to unauthorized individuals. If a contractor violates the provisions of the agreement, its certification for access to unclassified militarily critical technical data may be revoked.

11.3 Unclassified visits

Once certified through the JCP, Canadian contractors can request unclassified directly arranged visits with other certified defence contractors or military facilities in Canada and the U.S. They must make arrangements directly with the point of contact at the industry facility or the military installation under valid certification. The security official at the facility or the commander of the installation retains final approval authority for any visit and may deny it for security or operational reasons.

More information about how to request a directly arranged visit is available on the JCP website.

Find out more information on the Government of Canada's Joint Certification Program webpage or contact the U.S./Canada Joint Certification Program.

I. General responsibilities for company security officers and alternate company security officers

When the organization holds a DOS or a FSC, the CSO and alternate company security officer (ACSO) sign an acknowledgement and undertaking form that provides a list of their obligations. Except where indicated, the CSO and ACSO are responsible for:

1. appointing, briefing and training all ACSOs (CSO responsibility)
2. designating one appointed ACSO to be the CSO in their absence (CSO responsibility)
3. reviewing the security requirements in the contract SRCL or contract security clauses and ensuring that all requirements are followed
4. obtaining approval from the CSP before awarding a subcontract with security requirements
5. submitting personnel security screening requests for all ACSOs KSOs to the highest level of access required
6. submitting personnel security screening requests for employees of their organization who require access to protected and classified information, assets, or worksites
7. verifying the identities of employees through evidence of identity and validating details related to date of birth, address, education, professional qualifications, employment history, travel and personal character references
8. coordinating subject interviews with employees, when required
9. submitting requests for personnel security screening updates and upgrades, when required
10. conducting security briefings for employees after they receive a security clearance or reliability status and completing the Security screening certificate and briefing form
11. briefing employees on their responsibility to protect NATO classified information and having them sign the acknowledgement form provided by the CSP and return the signed forms by email
12. retaining signed briefing forms in the employee's file
13. limiting access to protected and classified information, assets or worksites to only personnel who have the proper security screening and who have a need-to-know
14. maintaining an up-to-date list of security screened CSOs, ACSOs, KSOs and employees
15. safeguarding personnel security screening files
16. submitting the Security screening certificate and briefing form to terminate the reliability status or security clearance of employees who no longer require access to protected and classified information, assets or worksites
17. coordinating with client's security representative to brief employees working at client sites on any relevant security requirements
18. completing requests for visits
19. informing the CSP of any changes in the organization's legal status, corporate structure, ownership and changes to the list of KSOs
20. promptly informing the CSP before any physical move or new construction
21. documenting and reporting to the CSP any changes of circumstance or behaviour of security screened personnel and ACSOs (Chapter 4: Security screening of this manual)
22. documenting and reporting to the CSP any persistent or unusual contact or attempts from another individual to gain access to sensitive information, assets or a facility without proper authorization
23. ensuring that approved visits are properly logged
24. promptly informing the CSP of any classified contracts and sub-contracts from and to foreign entities
25. promptly informing the CSP following any damage to classified information and assets
26. completing essential training offered by the CSP, which includes training in a virtual classroom setting, online videos and pre-recorded webinars

II. Document safeguarding capability responsibilities

In addition to the above responsibilities, if the organization also has DSC, the CSO and ACSO are also responsible for:

1. preparing security orders and briefing all personnel who have access to protected and classified information and assets on their security responsibilities by implementing an effective security awareness program
2. appointing, when required, an information technology corporate security coordinator
3. coordinating with the CSE to appoint, when required, COMSEC and alternate COMSEC custodians
4. ensuring that all protected and classified information and assets are safeguarded and handled according to the provisions of the CSM (Chapter 6: Handling and safeguarding information and assets of this manual) and contract-specific clauses
5. annually updating the inventory of protected and classified information and assets
6. notifying the CSP of all security violations for direction before investigating
7. notifying the CSP immediately of any significant incident or compromise, and submitting a written report. Investigations of breaches or compromises will be coordinated by the CSP
8. establishing a registry to log and control access to classified information
9. briefing hand-carriage couriers as per the courier certificates provided by the CSP

III. Official contact with Public Services and Procurement Canada

The CSO is the official contact with the CSP to address and coordinate security issues. Communication with the CSP, whether written or oral, should be limited to the CSO, ACSO(s), or the chief executive officer of the organization.

IV. Security briefings

To ensure proper security in the organization, the CSO works closely with management, from the top down, to conduct a security education and aftercare program. Inadequate security may result in the loss of an organization's DOS or FSC and the cancellation of contracts involving protected or classified information and assets.

The CSO and security staff are not solely responsible for an organization's security. Managers and supervisors, at all levels, and KSOs are responsible for their own personal security measures in addition to ensuring that proper security procedures are followed by all employees in the organization. The CSP recommends that performance assessments include a measure of the individual's security effectiveness, just as they include other organizational assessments.

An initial security briefing, reinforced by an ongoing security education and awareness program, is essential to maintaining an effective security program. Ultimately, the success of a security program depends on the employees of the organization. Procedures, regulations and physical safeguards are more effective if employees are fully aware of their individual responsibilities and the importance of the security requirements, along with the necessity for these security requirements.

The Security screening certificate and briefing form, which each person reads and signs when receiving their reliability status or security clearance, is an acknowledgement of their responsibilities. The signing of the form must be accompanied by a briefing from the CSO, detailing the individual's specific responsibilities and duties regarding security in the facility holding a DOS or FSC. The completed and signed form must be kept in the employee's personnel file.

New employees, even though not yet security-screened and therefore prohibited from knowledge of or access to protected and classified information, assets, and secure sites, should be given a security briefing appropriate to their duties. Security in the private sector includes requirements for corporate security, as well as safeguarding government protected and classified information and assets.

V. Security awareness content

Each organization's security education and awareness program must be tailored to the situation and needs of the specific facility holding a DOS or FSC with a DSC. The organization is required to develop a document that guides and directs employees on the security measures to be implemented in the organization. It should be based on the CSM; however, the organization should not reproduce the CSM in its entirety. The security orders should be developed for the specific facility holding the DOS or FSC.

VI. Security violations, breaches and compromises

Organizations must establish a procedure to identify and investigate suspected or confirmed security incidents, breaches or compromises. Any incidents must be recorded on a completed Security incident report form for security officers, ensuring no classified information is included, and emailed to the CSP: ssidsicdieenquetes-isscisdiidinvestigations@tpsgc-pwgsc.gc.ca.

CSOs are also responsible for recording any changes in behaviour or circumstances related to individual employees, or a suspicious contact from another person. These instances must be properly recorded and reported to the CSP. Any changes in behavior of your screened personnel must be promptly reported by email: spac.dgsssidessn-dobissnssid.pspc@tpsgc-pwgsc.gc.ca. Consult reporting security incidents and changes in circumstances and behavior for more information.

The CSO can prevent security incidents by creating awareness in the organization by:

• reminding employees of their security responsibilities, and of any security concerns, threats and risks
• conducting regular checks to make sure employees are respecting security procedures and practices
• increasing employee awareness through security awareness orientation and training
• sharing information on the organization's security procedures and best practices

VII. Reporting

All clearance holders must report known or suspected security incidents to the CSO. If the CSO believes a security breach has taken place, they are responsible for:

• reporting it to the program
• completing a written report of the security concern, ensuring no classified information is included
• suspending access to sensitive information and assets until the program has completed the investigation

Upon receiving an incident report, the CSO must immediately conduct a preliminary inquiry to determine all of the circumstances and report the incident to the CSP within 24 hours. If the results of the preliminary inquiry indicate a suspected or actual breach of information and assets, the CSO must immediately notify the CSP. The CSP will conduct an investigation of the incident to determine the cause and recommend corrective measures and controls for the CSO to implement to prevent or minimize the possibility of future similar incidents.

Records should be kept by the organization for a period of 2 years following the incident and are subject to inspection by the CSP FISO.

Learn more about Reporting security incidents and changes in circumstances and behaviours.

At a minimum, the CSO or ACSO must report the following situations to the CSP:

• unusual or persistent contact or any attempt by an unfamiliar individual to access information, assets or facilities
• planned or unplanned contact with embassy or foreign government officials, foreign officials or foreign nationals in Canada or outside Canada, when such contact is outside of regular duties
• actual or potential security breaches or concerns

VIII. Contract Security Program compliance and enforcement guide

The CSP will conduct assessments of organizations in cases of non-compliance and for security breaches and/or violations as indicated above.

I. Physical security

Organizations holding a DSC must establish an appropriate number of progressively restrictive zones to control access to protected and classified information and assets.

II. Types of secure zones

The first 2 types of zones listed below (public zone and reception zone) are not considered secure for safeguarding protected and classified information and assets. Their main purpose is to set up an initial base from which other secure zones can be developed.

III. Elements of secure zones

• Signs can be used to define secure zones and must include the term operations zone, security zone or high-security zone. Care must be taken in certain cases that the signage does not draw unwanted attention to a specific area or zone
• The physical elements of a secure zone may vary. A security zone could also be an enclosed office to prevent unauthorized seeing or hearing of information
• The definition of secure zones may vary according to the period of use during the day or week. For example, a reception zone during public access hours may be defined as an operations zone during restricted access hours, such as on weekends and at night
• Physical security is more effective if measures, such as barriers, are adapted to normal operations as much as possible. Properly locating and segregating secure zones helps ensure functional use as well as control access
• Access to secure zones must be limited to employees who are security screened at the appropriate level and to properly escorted visitors

IV. External areas and perimeters

V. Security control centres

An organization granted a DOS or FSC with DSC may require a security control centre at each cleared site to monitor and control the status of security equipment and systems such as:

• electronic access controls
• intrusion detection systems
• duress alarms
• closed-circuit television systems
• emergency communications systems
• fire alarms
• elevators

A security control centre may be operated by the facility, by a commercial agency under contract, or a combination of the 2, to provide full-time coverage. The security monitoring system must have the capability to operate independently of other facility monitoring systems.

VI. Control of access to secure zones

I. Secure environment

Organizations must effectively use restricted zones in an office environment to safeguard information and assets. Information about the types of secure zones is in Annex B: Guidelines for facility protection. Appropriate security procedures include:

• respecting the need-to-know principle, having mechanisms to ensure that the proper personnel security clearances are in place, and respecting zone perimeters
• escorting visitors
• securing information and assets when leaving the work area
• discussing information only when in the appropriate zone and with individuals who have a need-to-know and appropriate security screening
• locating equipment, such as shredders, that can be used without leaving information and assets unattended
• performing regular security audits
• preparing and handling Protected C information and assets in a security zone or, if recommended in a threat and risk analysis, in a higher security zone
• storing personnel security screening documentation containing personal information in a separate security file as protected information, not in the organization's general personnel files
• safeguarding Protected B completed personnel security clearance questionnaires pending transmittal to the CSP and any adverse information regarding an individual

Contracts for statistical studies or surveys involving confidentiality, or other contracts for the collection of personnel information, will contain additional protection provisions.

II. Records management

Organizations must have a suitable location, such as a registry, to receive, distribute record and store protected and classified information and assets.

Organizations must keep records of the dates, names and transactions associated with all classified information and assets indicating the receipt, distribution, creation, reproduction and destruction within the facility. Organizations may keep records of all foreign Restricted information and assets if the requirement is included in the contract clauses.

All records of classified information and assets and all classified information and assets must be available for inspection by the CSP FISO.

III. Security markings

Protected and classified information must be appropriately marked using the following guidelines:

• the size of the letters must be larger than those used in the text of the document
• all materials (background information) used in preparing the documents must indicate the category
• covering or transmittal letters, forms, or circulation slips must indicate the highest level of category or designation of the attachments
• in addition to marking individual pages, documents must be appropriately marked on the outside of both the front and back covers
• every sheet of loose pages must be marked
• images such as charts, maps and drawings must be marked near the margin or title block with the marking clearly visible when the document is folded
• security markings should include the applicable designation and the date at which declassification or downgrading is to occur, if it is determined at the time the information is created or collected

IV. Storage

As a minimum, protected A and B information and assets must be stored in a locked container such as cabinets, safes, vaults and/or secure rooms when located in an approved operations zone. Protected C information and assets and all classified information must be stored in an approved security container consistent with the RCMP Security Equipment Guide, when located in an appropriate approved zone (secret, top secret, Protected C minimum security zone). Protected or classified information and assets may be stored on open shelving in a secure room, only after inspection and approval by the CSP.

Foreign classified information must be stored separate from other forms of foreign or domestic classified and protected information. Protected and classified information and assets must not be stored in the same container as negotiable or attractive assets.

V. Packaging and transmitting

When transmitting protected and classified information and assets, organizations must safeguard its security during transmission with proper packaging, maintain a record while it's in transit and of its delivery. Contact the CSP by email at tpsgc.ssidie-issiid.pwgsc@tpsgc-pwgsc.gc.ca for information.

Records of distribution, circulation and return within the facility must include a signed receipt by the persons involved. Persons who have access to classified information and assets must be briefed on their responsibilities for protecting it and any special restrictions concerning its use or further distribution.

Protected and classified information and assets must be packaged and transmitted in a manner consistent with the RCMP's Transport and Transmittal Standards of protected and classified information. This includes hand carrying and/or bulk shipping specific protected and classified information and assets. The CSP FISOs can provide specific instructions.

For any international document transfer, including hand carriage, you must contact the CSP by email at dgsssiprojetintl-dobissintlproject@tpsgc-pwgsc.gc.ca for guidance and approval.

I. Initiation

During the initiation phase of an IT security inspection, the CSP IT security inspector will contact the organization's CSO to discuss the upcoming inspection.

As part of the initiation phase, the organization will be expected to complete an IT security inspection checklist describing the IT system(s) it intends to use to store/process/create the protected and/or classified information associated with the contract. This checklist is not a pass/fail exercise, but serves as the key discussion tool for the on-site portion of the inspection. The scope of this document should only include a description of the IT system(s) to be used for storing/processing/creating protected or classified information associated with the contract. The CSO is expected to provide the completed IT security checklist and any supporting documentation to the IT security inspector within 30 days of receiving it.

Additionally, during the initiation phase of the inspection, if there is requirement for an on-site inspection, the IT security inspector will schedule a date and time for the inspection with the CSO.

II. The on-site inspection

During the on-site portion of the inspection, the IT security inspector will meet with the organization and evaluate its IT security posture for storing/processing/creating protected or classified information in support of the contract(s) for which inspections have been assigned.

The CSO or alternate company security officer (ACSO) must attend the on-site IT security inspection. If the CSO or ACSO is not an IT administrator for the IT systems being inspected, the CSP highly recommends that the organization has an IT administrator familiar with the system(s) attend the inspection. Additionally, it may be beneficial for the organization and the inspector to have a business expert, knowledgeable of the duties performed in support of the contract, available to answer questions.

During the on-site inspection, the IT security inspector will:

• review the questions and responses provided on the IT security checklist and any supporting material
• validate that any requirements of the contract as described in an IT technical requirements document (if existing within the contract) have been met
• perform a walk-around of the IT system(s) in place for storing/processing/creating protected or classified information
• ask to speak with personnel associated with contractual activities if required

During this inspection, the IT security inspector notes any findings where the organization may not be in compliance with the requirements of the contract, of the CSP, or of best business practices. For each finding, the inspector will make one or more recommendations to improve the IT security posture. These recommendations are made to the CSO during the inspection, as well as in a letter of recommendations following the inspection (Section IV. A: Letter of recommendations).

III. Off-site inspections

Where the inspection history and contractual requirements allow, the CSP IT security inspectors may perform off-site inspections. These inspections are performed in two ways:

• As a telephone inspection with the requirement for an on-site follow-up, or
• Through an attestation process

IV. Post inspection

Two conclusions can result from an IT security inspection:

• The organization is fully compliant with the requirements of the contract and the CSP, resulting in an approval letter (Section V. Approval), or
• The organization is not fully compliant and recommendations have been made. Recommendations are made verbally to the CSO during the inspection and followed up with a letter of recommendations

V. Approval

When an inspection has no findings and therefore no recommendations, or when an organization has provided a response to the letter of recommendations indicating its IT security posture has been upgraded to align with the specific contract security requirements, the CSP provides an IT approval letter to the organization and to the client department/client organization. The IT approval letter is only valid for the contract(s) inspected against, and is only valid for the duration of this/these contract(s).

The IT approval letter does not authorize the organization to use its IT system(s) for storing/processing/creating protected or classified information for any other contract.

An organization must not use an IT system to store/process/create protected or classified information before receiving authorization from the CSP or it will be in breach of one or more of the terms of the contract.

VI. Changes to information technology systems after an information technology security inspection

As noted in the IT approval letter, if an organization makes significant modifications to the inspected IT system(s), the CSP may suspend approval of these systems until re-inspected.

Organizations must notify the CSP if they intend to significantly modify the inspected IT system(s) over the course of a contract. The CSP will evaluate the modifications and determine whether to perform an inspection of the modified system(s).

I. Requirements for requests for visits

There are different requirements for obtaining approval for RFVs, depending on the category.

II. Types of visits

III. Responsibilities