Language selection

Government of Canada / Gouvernement du Canada

Search

Industrial Security Manual (for contracts dated before August 12, 2020)

For contracts entered into before August 12, 2020

This information has been replaced by the Contract Security Manual. For contracts dated before August 12, 2020, this superseded manual still applies.

The Industrial Security Manual is a guide for private sector organizations bidding and working on sensitive Government of Canada contracts. Organizations registered with the Contract Security Program must be compliant with the security requirements set out in this manual.

This manual is issued under the authority of, and pursuant to, the Department of Public Works and Government Services Act and the Treasury Board Policy on Government Security. It is designed to address all aspects of the requirements of Public Services and Procurement Canada's Contract Security Program. The program is mandated to ensure that security practices are established and maintained by private sector organizations with access to classified and protected government information and assets when under contract to the Government of Canada.

Every organization and individual provided with a security clearance under the Contract Security Program must be familiar with the contents of the Security of Information Act. This act identifies the penalties for mishandling classified information or communicating classified information to an unauthorized person.

In addition, when implementing the requirements of the program, consideration must always be given to the privacy of individuals as defined in the Privacy Act, and access to information in records as defined in the Access to Information Act.

On this page

Chapter 1: General introduction

100. Industrial Security Manual

1. General

The Industrial Security Manual (ISM) is produced for industry by the Industrial Security Sector (ISS) at Public Services and Procurement Canada (PSPC).

2. Scope

This manual is a simple reference which tells company security officers (CSOs) what they must know about Canadian government security standards and procedures and how to ensure that their organization meets these security requirements.

3. Application

This manual prescribes the procedures to be applied by Canadian-based organizations, for the safeguarding of government information and assets, provided to or produced by private organizations and where security is administered by the Contract Security Program (CSP) of PSPC. Procedures are also provided for the same activities related to allied foreign government departments and agencies contracting through, PSPC as in the case of multinational ventures where Canada is a partner.

4. Content

This manual is comprised of 12 chapters, each chapter being immediately followed by applicable referenced annexes. A resources section is included after the last chapter to enhance understanding of the manual. The section contains a glossary of terms as well as a short list of abbreviations and acronyms.

5. Format

Where applicable, chapters deal separately with classified and protected information and assets. Accordingly, the reader need only be concerned with that information which is clearly separated in one security category or the other.

101. Policy on Government Security

General

  1. The Policy on Government Security is issued by Treasury Board under authority derived from government decision and Section 7 of the Financial Administration Act.

    The policy objective is to "ensure that deputy heads effectively manage security activities within departments and contribute to effective government-wide security management."

    Federal contracts are subject to the provisions of this policy. PSPC is the designated lead department responsible for advice and guidance on security requirements in federal contracts for goods and services.

    The PSPC's CSP ensures the requisite security in the private sector. Specifically, the PSPC's CSP directors are responsible for ensuring the implementation and subsequent review of all security measures within Canadian-based industries (or other non-government organizations), in those instances where Canadian protected and classified or foreign classified information and assets is disseminated to the private sector, relative to a contract, agreement, or pre-contractual requirement involving PSPC.
  2. Many agencies assist PSPC's CSP in meeting this responsibility, including the Canadian Security Intelligence Service (CSIS), the Royal Canadian Mounted Police (RCMP), the Department of National Defence (DND) and their counterparts in foreign countries, as well as the Communications Security Establishment (CSE of DND)

102. Contract Security Program

Aim

  1. The aim of a security program is to prevent unauthorized disclosure, destruction, removal, modification or interruption of protected and classified information and assets. Achievement of this aim requires an organizational structure and administrative procedures which support four subsystems providing for:
    • physical security (location and design of accommodation and physical measures to prevent, detect and respond to unauthorized access)
    • information technology security (control of access to information used in electronic data processing or communicated electronically)
    • personnel security (personnel screening, education and sanctions)
    • foreign disclosure of information and assets as prescribed in bilateral memorandum of understanding and arrangements
  2. Personnel security screening determines the loyalty or reliability of persons for authorized access. These sub-systems are interrelated, so the effectiveness of a security program depends on the performance of all components
  3. PSPC's CSP is organized to provide details of all of the components of a security program in a coordinated manner. Organizations that are granted a designated organization screening (DOS) or a facility security clearance (FSC) under the PSPC's CSP shall implement security programs, on an appropriate scale

Application

PSPC's CSP provides guidance to Canadian industry and other organizations, to ensure the safeguarding of protected and classified information and assets in the custody or under control of private sector contractors or individuals, in order to prevent:

  1. a security breach or compromise of such information and assets
  2. disruption or destruction of services
  3. theft, misuse or abuse of property, which could hinder contract performance and could create a potential compromise of material

Scope

Within the contractor's environment, the PSPC's CSP includes security of:

  1. contractor's organization
  2. protected and classified information and assets released to a contractor
  3. goods or material being produced by a contractor under contract
  4. protected and classified information and assets during transmission
  5. protected and classified information processed electronically at a contractor's facilities
  6. the equivalent in non-commercial organizations such as universities

103. Appointment of the company security officer and alternates

The appointment of a company security officer (CSO) applies to all organizations that require a DOS or a FSC.

Minimum requirements for the appointment of a company security officer

As a minimum, a CSO must:

  1. be a Canadian citizen or a permanent resident and an employee of the organization
  2. be security screened to the reliability status level in the case of a DOS
  3. be security cleared to the level of the FSC. There are exceptions to this requirement for some North Atlantic Treaty Organization (NATO) and some Top Secret FSC. Please consult your field industrial security officer for further information
  4. report to a designated key senior official (KSO) on all security matters and should be located at the organization's Canadian headquarters to permit personal communication with the KSO on security matters

Appointment of a company security officer

The CSO shall be appointed by the chief executive officer or the designated KSO of the organization. To appoint a CSO, PSPC Annex 1-A: Corporate company security officer or company security officer security appointment and acknowledgement and undertaking form must be submitted to PSPC's CSP for approval. PSPC's CSP will not discuss security matters, nor will they release any material to a CSO until they are in receipt of and have approved the appointment specified in the above-mentioned form. The appointment only becomes official when a completed copy of this form has been returned to the organization.

Alternate company security officer (to carry out the duties of the company security officer in their absence)

The CSO should designate, from among the organization's appointed alternate company security officers (ACSO), one ACSO to carry out the duties of the CSO in their absence and shall advise PSPC's CSP of this choice accordingly. This ACSO shall be a Canadian citizen, an employee of the organization and shall be security screened or cleared to the same level as the CSO.

In the event that the CSO terminates employment with the organization, the designated ACSO will assume all responsibilities for industrial security. The organization must appoint a new CSO as soon as possible afterwards using PSPC Annex 1-A: Corporate company security officer or company security officer security appointment and acknowledgement and undertaking form. Failure to appoint a new CSO who is security screened or cleared to the appropriate level may result in the suspension of the organization's DOS or FSC.

Minimum requirements for the appointment of additional alternate company security officers

With the exception of a one person organization, it is a mandatory requirement that at least 1 ACSO be appointed at the organization's facility where the CSO is located, and at least 2 ACSOs be appointed at each additional facility of the organization where protected or classified information and assets are safeguarded.

As a minimum, the ACSO must:

  1. be a Canadian citizen or a permanent resident and employee of the organization
  2. be screened to the reliability status level in the case of a DOS
  3. be security screened to the reliability status level in the case of facility security clearance without classified document safeguarding capability (DSC)
  4. be security cleared to the level of the FSC in the case of a facility security clearance with classified DSC. There are exceptions to this requirement for some NATO and some Top Secret FSCs. Please consult your field industrial security officer (FISO) for further information
  5. report to the CSO on all security matters

Appointment of alternate company security officers

The CSO shall appoint the ACSOs of the organization. To appoint an ACSO, the PSPC Annex 1-B: Alternate company security officer security appointment and acknowledgement and undertaking form must be submitted for approval. PSPC's CSP will not discuss security matters, nor will they release any material to an ACSO until they are in receipt of and have approved the appointment specified in the above-mentioned form. The appointment only becomes official when a completed copy of this form has been returned to the organization.

104. Responsibilities of the company security officer

  1. In relation to a DOS or a FSC, the CSO is responsible for:
    1. reviewing the security requirements as defined in the contract security requirements checklist (SRCL) or contract security clauses and ensuring that all security requirements are adhered to
    2. obtaining approval from PSPC's CSP prior to subcontracting contracts with security requirements
    3. conducting updates and upgrades to security clearances in accordance with the required format and established time frames
    4. appointing, briefing and training all ACSO's
    5. appointing, from among the appointed ACSOs, 1 officer to be the company security officer in their absence
    6. identifying those employees who require access to protected and classified information, assets, or protected and classified work sites and ensuring that accurate and complete personnel security screening documentation is submitted for such employees
    7. for DOS, ensuring that all the CSOs and ACSOs are security screened to reliability status
    8. in the case of FSC, ensuring that all the organization's KSOs, CSO and alternates are cleared to the highest level of access required
    9. where necessary, arranging resolution of doubt interviews with employees
    10. ensuring that employees receive a security briefing upon notification of having been granted a security clearance or reliability status by completing the security screening certificate and briefing form
    11. ensuring that only personnel who have been security screened to the appropriate level and who have a need-to-know have access to protected and classified information and assets or controlled sites in accordance with contractual requirements
    12. maintaining a current list of security screened employees in accordance with chapter 2 of this manual
    13. ensuring that personnel security screening files are safeguarded properly
    14. ensuring the security screening certificate and briefing form is submitted in order to terminate the reliability status or security clearance of those employees who no longer require access to protected and classified information and assets or controlled sites in accordance with contractual requirements
    15. in coordination with client's security representatives, ensuring that employees working at client sites are briefed by the client concerning any relevant security requirements
    16. ensuring the proper completion of requests for visits
    17. informing PSPC's CSP of any changes in the organization's legal status or ownership and in the case of FSC, changes in the list of KSOs
    18. informing PSPC's CSP prior to any physical move or new construction which could affect the safeguarding of protected and classified information or assets
    19. documenting and reporting changes of circumstance or behaviour for personnel with regard to their security screening status as outlined in this manual
    20. documenting and reporting persistent or unusual contact from another individual, or attempts by another individual to obtain access to sensitive information, assets or a facility without proper authorization
  2. In relation to a DOS or a FSC with DSC, the CSO is also responsible for:
    1. preparing Annex 1-C: Security orders and ensuring that all personnel who have access to protected and classified information and assets have been briefed on their security responsibilities through the implementation of an effective security awareness program
    2. appointing, when required, an IT corporate security coordinator and designates
    3. appointing, when required, communication security (COMSEC) and alternate COMSEC custodians in accordance with the Industrial COMSEC Material Control Manual
    4. ensuring that all protected and classified information and assets are safeguarded and handled in accordance with the provisions of this manual
    5. ensuring that CSO inspections are conducted, at least annually, of all the organization's facilities that hold protected and classified information and assets and that records of these inspections are retained for at least 3 years
    6. providing, as a minimum, an annual inventory of protected and classified information and assets
    7. ensuring that all security violations are recorded and subsequently investigated
    8. ensuring that PSPC's CSP is immediately notified of any breach or compromise, and that a written report is submitted to PSPC's CSP as soon as possible. Investigation of breaches or instances of compromise shall be coordinated by PSPC's CSP
  3. To ensure that security issues are properly addressed and properly coordinated, it is necessary that the CSO be the official contact with PSPC's CSP . In most cases, the CSO will bring issues to PSPC's CSP by contacting the manager of the Industrial Security Operations Division. Communication with PSPC's CSP, whether written or oral, should be limited to the CSO and any ACSOs or the chief executive officer of the organization

105. Corporate company security officer

  1. When a facility-cleared Canadian parent organization own one or more cleared subsidiaries in Canada, a corporate company security officer (CCSO) should be appointed to oversee government industrial security matters for the entire corporation. The CCSO shall be a Canadian citizen, be employed by the organization and shall report to a designated KSO of the organization on all security matters. The appointment of a CCSO does not replace the requirement to have a CSO at each cleared subsidiary holding protected and classified information or assets
  2. The CCSO shall be appointed by the chief executive officer or the designated KSO of the parent organization. To appoint a CCSO, the PSPC Annex 1-A: Corporate company security officer or company security officer security appointment and acknowledgement and undertaking form must be submitted for approval. The appointment only becomes official when a completed copy of this form has been returned to the organization
  3. In order that the duties of the CCSO are carried out during their absence from the corporation, and unless it is otherwise agreed to by PSPC's CSP , the CCSO shall designate one CSO as the alternate CCSO and shall advise PSPC's CSP accordingly

Chapter 1 Annexes

Chapter 2: Security screening, Part I—Reliability status

200. General

1. According to the Policy on Government Security, individuals who may have access to protected information or assets must have a reliability status.

When individuals may have access to classified information, assets or sites, refer to Part II—Personnel security clearances.

Note

  1. reliability screening is the process which must be completed before the individual can be granted their reliability status. A reliability status is the result of the reliability screening process
  2. reliability screening information is collected on the Personnel security screening form. The instructions contained in this chapter supplement and take precedence over the generic instructions attached to the form
  3. mandatory electronic fingerprints are a requirement of the security screening process. For more information, please consult Mandatory electronic fingerprints

201. Reliability status

1. A reliability status is mandatory for individuals when the duties or tasks of a position or contract require access to protected information and assets, regardless of the duration of an assignment. Personnel who hold a valid personnel security clearance are not required to undergo an additional reliability screening (refer to the detailed instructions in section 203. Pre-screening requirements.

2. The reliability screening is composed of the following elements:

  1. surname (maiden name) and given name(s)
  2. verification of date of birth
  3. verification of address for the last 5 years
  4. verification of educational and professional qualifications or trade certification or accreditation
  5. verification of employment history
  6. assessment of performance reliability and personal character by checking with previous employers and identified references
  7. written declaration concerning any conviction for a criminal offence for which a pardon has not been granted
  8. law enforcement inquiry (criminal record check including mandatory electronic fingerprints)
  9. personal financial inquiry (if required)
  10. other checks, as determined by Public Services and Procurement Canada (PSPC) depending on the particular requirements specified in the contract
  11. resolution of doubt (ROD) interview (if required) for cause

Note

The company security officer (CSO) or alternate company security officer (ACSO) is responsible for parts a. to f. (above) and must ensure that all submitted information is both accurate and complete.

3. Reliability screening documentation may only be submitted to PSPC's Contract Security Program (CSP) by the CSO or ACSO.

4. Organizations have the sole jurisdiction and responsibility for the engagement and termination of an employee. They are also responsible for determining and justifying an employee's need for access to protected information, assets or sites.

5. An organization may only submit reliability screening documentation on behalf of persons who have started employment with that organization or who are under contract to start work within 60 days.

6. A reliability status is valid for a 10 year period from the date of issue, unless rescinded for cause, or will terminate when:

  1. the employee leaves the organization on whose behalf the reliability status was granted
  2. access to protected information, assets or controlled sites is no longer required
  3. the organization's participation in the Contract Security Program lapses or is cancelled

7. The CSO or ACSO is responsible to complete the Security screening certificate and briefing form, either:

  • after briefing the applicant who has been granted a reliability status by PSPC
  • when terminating a reliability screening request or an existing reliability status on behalf of an applicant or employee

Note 2

  1. protected information can be recognized by the "PROTECTED" marking which must appear on all such documentation
  2. an individual must be the age of majority in order to be processed for a reliability status or the signature of a parent or guardian must be provided (some provinces have different age of majority requirements. Refer to "Instructions" attached to the Personnel security screening form, for the correct requirement)
  3. the criminal code, section 748 (3) states that no person convicted of an offence under section 121 (frauds on the government), section 124 (selling or purchasing office), or section 418 (selling defective stores to Her Majesty), has, after that conviction, the capacity to contract with Her Majesty or to receive any benefits under a contract between Her Majesty and any other person or to hold office under Her Majesty unless a pardon has been granted (this effectively prohibits granting of a reliability status to any such individual)

202. Access to protected information, assets or sites

A reliability status does not in itself give a right of access to protected information assets or sites. It gives organizations the authority to allow access to protected information, assets or sites to persons holding a reliability status, on a need-to-know basis, and subject to any restrictions that may be imposed in the contractual or pre-contractual documentation. Access to protected information, assets or sites is not permitted before granting the necessary reliability status. Persons with a personnel security clearance may only have access to protected information, assets or sites on a need-to-know basis.

203. Pre-screening requirements

Background verifications

  1. The CSO or ACSO must ensure that the applicant can provide sufficient information to permit government authorities to conduct a background inquiry covering the last 5 years. In cases where this requirement cannot be met or the applicant has resided outside Canada during the past 5 years, PSPC's CSP must be consulted for further instructions prior to the submission of the forms
  2. The CSO or ACSO is directly responsible to verify the identity of an applicant using 2 or more of the official documentation listed below. The CSO or ACSO must undertake the verification either themselves or they must be responsible to ensure that an approved employee of the organization has conducted such verification and has obtained copies of the documentation to confirm the background or identity of the applicant

    Note

    Please note that the implementation of the new identity verification requirement has been postponed to a later date. In the meantime, we will provide additional guidance to company security officers to assist them with this new requirement.

    Official documentation includes an employee's:

    1. current passport
    2. birth certificate
    3. baptismal certificate
    4. citizenship certificate or immigrant visa and record of landing document
    5. Canadian work permit or visa
    6. valid driver's license that has been issued in Canada which includes a laminated photograph
  3. The CSO or ACSO must be satisfied that the identity documents are physically verified, and that they match the individual, originate from an appropriate authority such as a vital statistics agency, immigration authority or jurisdictional authority in Canada and are the most current records available. The CSO or ACSO must also keep photocopies of each piece of identification in the employee's personnel security screening file for audit purposes
  4. When the CSO or ACSO submits a reliability screening request on behalf of themselves to PSPC's CSP, copies of 2 or more of the official documentation listed above, which confirms identity, must be attached to the reliability status application

Guidelines and instructions

The subject of the reliability screening must be properly identified through a preliminary verification as follows:

  1. date of birth: an applicant's date of birth may be verified using one or more of the official documents (refer to 203. Pre-screening requirements, section b)
  2. addresses: the applicant's address(es) for the last 5 years must be provided. The addresses must include apartment number, street number, street name (civic number, if appropriate), city, province, and/or state, postal code, country and (from and to) dates. Refer to instructions attached to the Personnel security screening form for guidance
  3. education and professional qualifications: these may be verified by official transcripts, diplomas, certificates from educational or professional institutions and/or originals of professional certification from municipal, provincial and federal licensing bodies, associations or institutions
  4. employment history: this may be verified by contacting previous employers to ascertain dates of employment, performance and reason for leaving employment
  5. character and employment references: these may be verified by contacting references provided by the applicant

Note

Only after a thorough preliminary verification has been completed, documented and retained by the CSO or ACSO (subject to audit by PSPC's CSP), may a request for a reliability screening be submitted to PSPC's CSP.

204. Procedures for requesting a reliability status

1. The following must be completed, submitted to PSPC's CSP and processed before the granting of a reliability status:

For more information about electronic fingerprints, refer to Mandatory electronic fingerprints.

2. For ease of processing, all forms must be completed and submitted electronically. If this system is unavailable, all forms must be typed or printed, using black ink and in block letters, when submitted manually. If any forms are illegible or incomplete, they will not be processed and will be returned to the applicant for completion.

For those organizations which are using an automated process, the applicant's hardcopy documentation, bearing original signatures, must be forwarded to PSPC's CSP on the same day as the electronic submission. Legible facsimiles are acceptable.

For more information, refer to How to complete the personnel screening, consent and authorization form.

Note

Instructions contained in this portion of the manual, supplement the generic instructions which are attached to each of the forms.

205. Security screening certificate and briefing form

The Security screening certificate and briefing form must be completed for the purposes of:

  1. briefing and acknowledgement
    • after a reliability status has been granted by PSPC, the CSO or ACSO must:
      • provide a comprehensive briefing to the employee about their security responsibilities
      • get, in writing, the acknowledgement of the employee to comply with the necessary requirements
  2. termination:
    the CSO or ACSO must complete and submit this form if an:
    • applicant terminates employment before receipt of a reliability status
    • employee granted a reliability status terminates employment with the organization

For more information, refer to How to complete the security screening certificate and briefing form.

Note

The CSO or ACSO is expected to place the original signed form in the individual's security file with the organization.

206. Transfer and duplication of reliability status between organizations

  1. The reliability status of an individual may be transferred between organizations, provided the following criteria have been met:
    1. the reliability status was not terminated more than 2 years ago
    2. the reliability status is not due for updating
    3. the individual has stated that there have been no changes in their personal history regarding criminal convictions
  2. The personnel screening form must be completed, as per a new request (refer to 204. Procedures for requesting a Reliability status. Procedures for requesting a reliability status of this chapter), but with the following differences in:
    1. section A. Place an "x" in the transfer box
    2. section B. Ensure to provide all the required details on line "Have you previously completed a Government of Canada security screening form?"
    3. section C. Leave blank all the boxes on lines 1 through 5. The individual, however, must sign and date the form in order to confirm the validity of the personal details in section B, above
  3. The reliability status of an individual may be duplicated among multiple organizations providing the following criteria have been met:
    1. reliability status is still valid
    2. reliability status is not due for updating
    3. organization requesting the duplication is registered and in good standing in the Contract Security Program

For more information, refer to duplicate requests under Section A—Administrative information of How to complete the personnel screening, consent and authorization form.

207. Inability to grant or denial of a reliability status

If it is not possible to get background information to cover the last 5 years or if significant adverse information arises during the process of a reliability screening, the applicant must be notified in person, unless the information is exempt from disclosure under the Privacy Act, and given an opportunity to explain the circumstances. After reviewing all relevant information and negative recommendations, should PSPC's CSP decide that the applicant does not meet the requirements for a reliability status, the applicant concerned must be so notified, in writing, of their rights of access to review and redress mechanisms.

208. Reliability status records

Safeguarding and disposal

  1. because of its sensitivity, reliability screening documentation containing personal information shall not be retained in an organization's personnel files but rather in a separate security file and safeguarded appropriately
  2. CSO or ACSO's must maintain a current listing of all employees who have been granted a reliability status for tracking, updating and auditing purposes
  3. In accordance with access to information guidelines issued by the Treasury Board Secretariat, reliability screening records, under the access to information bank, must be destroyed 2 years after an employee leaves the institution for which the reliability screening was conducted

Submission of reliability screening forms

A submission must include:

  1. 1 copy of the Personnel security screening form to initiate the reliability screening process
    • photocopies of this form with original signatures may be used
    • clear and legible facsimiles are acceptable
  2. either a copy of the electronic fingerprint service provider's receipt; or a copy of the fingerprint applicant request form so long as the 20-digit document control number (DCN) is included. For more information, refer to Mandatory electronic fingerprints
  3. 1 copy of Security screening certificate and briefing form when a reliability status is granted by PSPC, and subsequently at the time of termination. Photocopies of the form with original signatures may be used

Note

The form must be completed accurately with all required information or it will be returned.

Learn how to submit requests, forms and other documents for contract security.

209. Reports

Change of circumstances report

An employer or employee who becomes aware or has reasonable and probable grounds to suspect that circumstances, which prevailed when the applicant was granted a reliability status, have changed and may adversely affect that individual's reliability or trustworthiness, or who for any reason doubts the reliability or trustworthiness of such an individual or notices unusual behaviour that may be cause for security concern (like drug or alcohol misuse, sudden or marked changes in financial situation):

  1. must forward a complete report of the change of circumstances through their manager to the CSO or ACSO, who must forward it on to PSPC's CSP
  2. may deny that individual access to protected information and assets until the situation is resolved

Chapter 2: Security screening, Part II—Personnel security clearances

250. General

According to the Policy on Government Security, individuals who may have access to classified information, assets or sites must receive personnel security clearances.

Information

  1. Public Services and Procurement Canada (PSPC) is responsible for ensuring that all employees who are required or selected as key senior officials (KSOs) of Canadian organizations that are being processed for or have been granted a facility security clearance (FSC) by PSPC, hold a current personnel security clearance (PSC) at the appropriate level
  2. Chapter 2: Security screening, Part I—Reliability status details the procedures used to obtain the necessary reliability status, which is required before gaining authorized access to protected information, assets or sites. The current section, Part II—Personnel security clearances, details the personnel security clearances required before gaining authorized access to classified information, assets or sites
  3. All security screenings now use law enforcement inquiries (criminal record checks) which have a mandatory electronic fingerprint requirement. For more information, please consult Mandatory electronic fingerprints

Scope

The Policy on Government Security establishes personnel screening standards to ensure that only persons whose reliability and trustworthiness have been established, are granted access to protected information, assets or sites. It further guarantees that only those persons whose reliability, trustworthiness and loyalty to Canada has been established are granted access to classified information, assets or sites. Equally important, the same standards provide a framework and process for carrying out personnel security screening assessments that respect the rights of the individual who has consented to undergo any level of security screening.

Application

  1. Personnel security screenings are carried out according to the highest level of information and assets which will be accessed in the normal performance of assigned work duties or contracts and require an assessment of an individual's reliability, trustworthiness and loyalty
  2. Personnel security screening clearances are organized by:
    • levels of personnel security
      • Secret
      • Top Secret
    • information or asset access
      • Confidential: when compromise could reasonably be expected to cause injury to the national interest
      • Secret: when compromise could reasonably be expected to cause serious injury to the national interest
      • Top Secret: when compromise could reasonably be expected to cause exceptionally grave injury to the national interest
Note

The Government of Canada no longer uses the restricted classification. This classification may still be encountered in the form of "NATO RESTRICTED" or foreign and allied national restricted information or assets.

No individual is entitled, by virtue of rank or position, to have access to, knowledge of, or custody of classified information and assets. The individual must have the appropriate PSC level and an identified need-to-know. Access includes the opportunity to gain knowledge of information by visual or auditory means.

251. Organization's responsibilities relating to a personnel security clearance

  1. A PSC does not in itself give an employee the right to access classified information, assets or sites. It gives the organization the authority to allow an employee access to classified information, assets or sites, up to and including the classification level indicated in the security clearance authorization issued by the PSSD, on a need-to-know basis, and subject to any restrictions that may be imposed in contractual or pre-contractual documentation. Access to classified information, assets or sites is not permitted before receipt of the necessary PSC
  2. Personnel security screening documentation may only be submitted to PSPC's Contract Security Program (CSP) by the company security officer (CSO) or the alternate company security officer (ACSO)
  3. A non-Canadian citizen, who has been granted a Canadian PSC "with restrictions", may have access to classified information and assets which originates from their nation of citizenship, as well as to certain Canadian information and assets. Such individuals require approval by PSPC prior to being given access to third-nation information and assets. These individuals must not be given access to classified information and assets marked "For Canadian eyes only". Any questions concerning access privileges should be referred to the PSPC's CSP
  4. Under normal circumstances, an organization may not request a PSC for an employee at a higher level than the FSC. Certain exceptions are permitted for North Atlantic Treaty Organization (NATO) levels of clearance. Consult the responsible field industrial security officer (FISO) for specific guidance
  5. Organizations have the sole jurisdiction and responsibility for the engagement and termination of an employee. They are also responsible for determining and justifying an employee's need for access to classified information, assets or sites
  6. An organization may only submit personnel security screening documentation on behalf of individuals who have started employment with that organization or are under contract to start work within 60 days
  7. NATO clearance of control of secret material in an international command (COSMIC) Top Secret and a Canadian clearance of Top Secret are valid for a 5 year period only. NATO Secret and Canadian Secret are valid for a 10 year period from the date of issue unless rescinded for cause, and will terminate when:
    1. the individual leaves the employ of the organization on whose behalf the security clearance was granted
    2. the individual is transferred to another position where access to classified information, assets or sites is not required
    3. the organization's facility security clearance lapses or is cancelled
  8. The CSO or ACSO is responsible for initiating the renewal and termination of PSCs

Note

  1. an individual must be the age of majority in order to be processed for a personnel security clearance or the signature of a parent or guardian must be provided (some provinces have different age of majority requirements). Refer to instructions attached to the personnel security screening form
  2. the criminal code, section 748 (3) states that no person convicted of an offence under section 121 (frauds on the government), section 124 (selling or purchasing office), or section 418 (selling defective stores to Her Majesty), has, after that conviction, the capacity to contract with Her Majesty or to receive any benefits under a contract between Her Majesty and any other person or to hold office under Her Majesty unless a pardon has been granted. This effectively prohibits granting of a PSC to any such individual

252. Pre-screening requirements

  1. When an individual is being considered for employment in areas where access to classified information, assets or sites will be required, the CSO or ACSO must first determine the reliability and trustworthiness of that individual
  2. In addition, the CSO or ACSO must ensure that the employee can provide sufficient information to permit government authorities to conduct a background enquiry covering the last 10 years. Enquiries may only be conducted in countries that have bilateral or reciprocal agreements with Canadian investigative authorities
  3. In cases where the 10 year requirement cannot be met, or an individual is not a Canadian citizen, or the individual has resided outside of Canada for more than a year, during the preceding 10 years, guidance should be sought from the PSPC's CSP, before the submission of screening documentation. This is particularly applicable to nationals of those countries from which reliable background information cannot be obtained
  4. After favorable findings, a request for a personnel security clearance may be submitted to the PSPC's CSP

    Note

    Please note that the implementation of the new identity verification requirement has been postponed to a later date. In the meantime, we will provide additional guidance to company security officers to assist them with this new requirement.

  5. The CSO or ACSO must verify the identity of an applicant by using 2 or more of the official documents listed below. The CSO or ACSO must undertake the verification either themselves or they must ensure that an approved employee of the organization has conducted such verification and has obtained copies of the documentation to confirm the background or identity of the applicant.
    Official documents for verification of the employee include:
    1. current passport
    2. birth certificate
    3. baptismal certificate
    4. citizenship certificate or immigrant visa and record of landing document
    5. Canadian work permit or visa
    6. valid driver's
  6. The CSO or ACSO is directly responsible to verify the identity of an applicant by using 2 instances of evidence of identity listed below (one of which must contain a photo). The CSO or ACSO must conduct the verification, or ensure that an approved employee of the organization has conducted such verification and has obtained copies of the documentation.

    The CSO or ACSO must be satisfied that the identity documents are physically verified, and that they match the individual, originate from an appropriate authority such as a vital statistics agency, immigration authority or jurisdictional authority in Canada and are the most current record available. The CSO or ACSO must also keep photocopies of each piece of identification in the employee's personnel security screening file for audit purposes.

  7. When the CSO or ACSO submit a security screening request on behalf of themselves to PSPC's CSP, copies of 2 or more of the above noted official documentation, which confirms identity, must be attached to the security clearance application
  8. Guidelines and instructions. The subject of the security screening must be properly identified through a preliminary verification using:
    1. surname (maiden name) and given name(s)
    2. date of birth: an applicant's date of birth may be verified using one or more of the above documents in section 252. Pre-screening requirements, article 5, of this chapter)
    3. addresses: the applicant's address(es) for the last 10 years must be obtained. The current address may only be included on the instructions attached to the personnel security screening form. The address on this form must include apartment number, street number, street name (civic number, if appropriate), city, province and/or state, postal code, country and the (from and to) dates. The applicant must include the full 10 years of detailed addresses
    4. education and professional qualifications: these may be verified by official transcripts, diplomas, certificates from educational or professional institutions and/or originals of professional certification from municipal, provincial or federal licensing bodies, associations or institutions
    5. employment history: this may be verified by contacting previous employers to determine dates of employment, performance and reason for leaving employment
    6. personal character and/or employment references: these may be verified by contacting references provided by the applicant

Note

Only after a thorough preliminary verification has been completed, documented and retained by the CSO or ACSO (subject to audit by PSPC staff), may a request for a security clearance be submitted to PSPC's CSP.

253. Procedures for requesting a personnel security clearance

  1. The following must be completed and processed before a personal security clearance (PSC) is issued:

    For more information about fingerprinting, refer to Mandatory electronic fingerprints.

    For ease of processing, all forms must be completed and submitted electronically. If this system is unavailable, all forms must be typed or printed, in block letters and using black ink. If any form is illegible, it will be returned to the sender.

  2. In those organizations which are using an electronic process, the applicant's hardcopy documentation bearing original signatures must be forwarded to the PSPC's CSP on the same day as the electronic submission

For more information, refer to How to complete the security clearance form (TBS/SCT 330-60E).

Note

  1. Requests at the Secret level (including NATO) must be completed every 10 years, unless required sooner for cause
  2. Requests at the level of Top Secret or COSMIC Top Secret must be completed every 5 years, unless required sooner for cause
  3. A Personnel security screening form must be completed and accompany the Security clearance form when the cyclical update process is required

254. Special cases

  1. PSPC's CSP will request the required information by letter or email when cases arise that require specific information, which is not provided on the Security clearance form or in the instructions attached to this form. This may occur in cases where nationals of countries, using other alphabets (such as Arabic, Hebrew, Japanese or Korean), require additional information or the completion of special forms
  2. An applicant of Chinese ethnic origin must use the Chinese characters appropriate to their origin, directly on the form. When the person concerned is unable to write such characters, a letter of explanation must be attached to the form
  3. For NATO security clearances, note that:
    1. Canadian nationals for whom a NATO clearance is requested will concurrently be granted a Canadian national clearance without further application
    2. in the case of non-Canadians, a NATO clearance does not include a right of access to Canadian classified information and assets; such access must be applied for separately. The CSO or ACSO shall indicate both requirements, if applicable, on the personnel security screening form
    3. a NATO security clearance for a national of another NATO member nation may only be granted by that nation, regardless of the length of time that the person has resided in Canada. Such clearance, when used in support of a visit request (VR) to a member nation outside Canada, other than the individual's own nation, is contingent upon the disclosure discretion of the member nation to be visited
    4. these countries are members of the NATO alliance: Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, United Kingdom, and the United States

255. Security screening certificate and briefing form

The Security screening certificate and briefing form must be completed and forwarded to PSPC's CSP for the following purposes:

  1. briefing and acknowledgement
    • after a security clearance has been granted by PSPC, the CSO or ACSO must:
      • provide a comprehensive briefing to the employee about their future security responsibilities
      • get, in writing, the acknowledgement of the employee to comply with all the necessary requirements
  2. termination:
    • the CSO or ACSO must complete and submit this form if an:
      • applicant terminates employment before receipt of a reliability status
      • employee granted a reliability status terminates employment with the organization

For more information, refer to How to complete the security screening certificate and briefing form (TBS/SCT 330-60E)..

Note

The CSO or ACSO is expected to place the original signed form in the individual's security file with the organization.

256. Transfer and duplication of security clearances between organizations

A security clearance of an individual may be transferred between organizations, provided the following criteria have been met:

  1. the security clearance was not terminated more than 2 years ago
  2. the security clearance is not due for updating
  3. the individual has stated that there have been no changes in their personal history regarding criminal convictions, marital status or cohabitation

The following must be completed to transfer and duplicate security clearances between organizations:

  • personnel security screening form
    • If required or requested, one of either:
      • electronic fingerprint service provider's receipt
        • fingerprint applicant request form (must include the 20-digit document control number (DCN))

For more information, refer to Mandatory electronic fingerprints.

The form must be completed as per a new request (refer to section 253. Procedures for requesting personnel security clearances of this chapter) but with the following differences, in:

  1. section A: Place an "X" in the Transfer box
  2. section B: Ensure to provide all the required details on the line "Have you previously completed a Government of Canada security screening form"
  3. section C: Leave all boxes blank on lines 1 through 5. The individual, however, must sign and date the form in order to confirm the personal details in section B, above

Note

When a security clearance is to be transferred to PSPC from the Department of National Defence (DND) as a result of a request from an organization, and the level of the clearance requires fingerprints (for example: COSMIC (NATO) Top Secret or Top Secret), a new set of fingerprints must be provided to PSPC's CSP at the same time as the transfer request is submitted because DND does not transfer fingerprint records.

The security clearance of an individual may be duplicated among multiple organizations providing the following criteria have been met:

  • the security clearance is still valid
  • the security clearance is not due for updating
  • the organization requesting the duplication is registered and in good standing in the Contract Security Program

For more information, refer to duplicate requests under Section A—Administrative information of How to complete the personnel screening, consent and authorization form (TBS/SCT 330-60E).

Note 2

Individuals will retain their security clearance even if it is a higher level than the organizational clearance held by the organization requesting the duplication, until the next update cycle. When the clearance is due to be updated, the individual's security clearance level will be reassessed based on their current needs.

257. Inability to grant or denial of security clearance

If it is not possible to get background information to cover the last 10 years or if significant adverse information arises during the process of a security clearance, the applicant must be notified by the CSO or ACSO, unless the information is exempt from disclosure under the Privacy Act), and given the opportunity to explain the circumstances.

After reviewing the security assessment, if the deputy minister, PSPC denies the granting of a PSC, PSPC's CSP must:

  • notify the applicant of the decision, in writing, along with information relating to their right of appeal
  • inform the president or chief executive officer of the individual's organization of the deputy minister's decision

258. Personnel security clearance records

Safeguarding and disposal

  1. Because of the sensitivity, security-screening documentation containing personal information must not be retained in the organization's personnel files, but rather in a separate security file and safeguarded appropriately
  2. The CSO or ACSO must maintain a current listing of all employees who have been granted a security clearance for tracking and updating purposes
  3. In accordance with access to information guidelines issued by the Treasury Board Secretariat, security clearances under access to information bank personnel security clearance, shall be destroyed 2 years after an employee leaves the institution for which the security clearance was conducted

Submission of Personnel security screening forms (manual process)

A submission must include:

  1. 1 copy of the personnel security screening form to initiate the process of a security clearance or to advise of a change of marital status
  2. 1 copy of the security clearance form for requests at the classified level (Secret, Top Secret or COSMIC Top Secret)
  3. a copy of either the:
    • electronic fingerprint service provider's receipt
      • fingerprint applicant request form (must include the 20-digit document control number (DCN))

Refer to Mandatory electronic fingerprints for more information.

Note

Photocopies of the above-mentioned forms with original signatures may be used as required. Clear, legible facsimiles are acceptable.

Learn how to submit requests, forms and other documents for contract security.

259. Reports

Change of circumstances and behaviour report

An employer or employee who becomes aware or has reasonable and probable grounds to suspect that circumstances, which prevailed when the individual was granted a PSC, have changed and could adversely affect that person's reliability, trustworthiness or loyalty, or who for any reason doubts the reliability, trustworthiness or loyalty of a person or notices unusual behaviour that may be cause for security concern (like drug or alcohol misuse, sudden or marked changes in financial situation):

  1. must forward a complete report of the change of circumstances through their manager to the CSO or ACSO, who must forward it on to PSPC's CSP
  2. may deny that individual access to sensitive information and assets until the situation is resolved

Chapter 3: Facility security clearances, Part I—Designated organization screening (protected)

300. General

1. A designated organization screening (DOS) is an administrative determination that an organization is eligible, from a security viewpoint, for access to protected information and assets of the same or lower level as the clearance being granted.

Where an organization requires access to classified information and assets, refer to Part II—Facility security clearances (classified) of this chapter.

2. A DOS is required before an organization can be awarded contracts that have protected information or asset requirements.

  1. The company security officer (CSO) or alternate company security officer (ACSO) must be security screened to reliability status as part of the DOS
  2. For access to Protected C information or assets, the following additional security requirements may apply:
  3. The identification and the assessment of ownership may be conducted when an organization has a requirement to have Protected C document safeguarding capability (DSC). DSC authorizes an organization to store and handle protected information or assets at their work sites. The parent organization, if applicable, must also possess a DOS at the same level or it may be excluded from access to the Protected C information or assets held by the subsidiary organization.

3. Reliability screening requests for other employees may be submitted concurrently with those of KSOs. However, they will not be authorized prior to the establishment of the DOS.

4. A DOS is based on an assessment of the following elements:

  1. the organization is not under adverse foreign influence (if applicable)
  2. the completion of reliability checks, as needed
  3. a PSPC review of the security measures for the care and custody of protected information and assets (when required)

5. PSPC's CSP will notify the organization in writing as to whether a DOS has been granted.

6. In cases where KSOs must be security screened, the CSO must maintain a current list of all KSOs and submit a copy to the PSPC's CSP each time the list is amended. The list must designate, by name and title, those KSOs who possess a reliability status and those being security screened for reliability status.

301. Care and custody of protected information and assets

The contractor's facility must meet the physical and administrative security requirements necessary for the performance of the work to be performed under the contract before a DOS with DSC will be granted.

Refer to Chapter 4: Facility safeguarding and Chapter 5: Handling and safeguarding of classified and protected information and assets of this manual. Specific guidance will also be provided by the field industrial security officer or the PSPC's CSP.

302. Pre-contractual negotiations

Pre-contractual negotiations involving protected information and assets may not be initiated with the organization until a DOS has been granted. This is also applicable where a cleared organization wishes to subcontract to another non-government organization.

303. Government of Canada security agreement

Prior to being granted a DOS, the organization must enter into an agreement with the Canadian government, whereby the cleared organization undertakes to:

  1. abide by the provisions of this manual, and such other security requirements as may form part of a contract awarded to the organization
  2. permit PSPC's CSP, or other government authorities at the request of PSPC, to enter their premises at any time for the purpose of conducting security inspections
  3. not seek reimbursement from the government for security costs, except as provided for in a contract

Refer to Annex 3-G: Public Services and Procurement Canada security agreement in this chapter.

304. Types of designated organization screening

1. There are 3 types of DOS:

a. Personnel assigned (PA)
This is the most basic type of DOS. It normally applies to those organizations involved in contracts for services as opposed to goods. A PA DOS will involve reliability checking of the organization's CSO and employees, and in certain cases, the KSOs. There is no requirement to evaluate the physical security status of the organization's facilities. A PA DOS does not authorize the organization to possess or store protected information and assets within its facilities.
b. Document safeguarding capability (DSC)
This type of DOS involves the security screening of the organization's CSO and employees, and, in certain cases, the KSOs. In addition, the physical security of the organization's facilities is assessed to ensure they meet the requirements for the safeguarding of protected government information and assets. A DSC for DOS will authorize the organization to possess and store protected information and assets at their facility.
c. Production (PROD)
This type of DOS includes the same elements of a DSC DOS. In addition, the security of the manufacturing, repairing, modifying or otherwise working on protected components or items is assessed to ensure they meet the government security requirements.

2. Each DOS may be authorized at one of the following levels: Protected A, Protected B or Protected C.

305. Status of designated organization screening

Organizations must refer to PSPC's CSP any requests from other organizations, other government departments or other governments to confirm their DOS.

306. Period of validity

1. A DOS granted by PSPC is not awarded in perpetuity. A DOS is granted for the performance of a specific contract, or on the basis of registration where it appears a firm may receive a contract award. A DOS lapses on completion of the last protected contract and/or confirmation that registration is not renewed. PSPC will advise the organization in writing when the DOS is about to be terminated, and will be given the opportunity to show cause for DOS continuation.

2. PSPC's CSP may suspend or revoke a DOS if the organization fails to maintain the required security standards.

307. Site clearances within an organization

1. A DOS is not site-specific. The head office of an industry organization is granted registration number “00.” Other sites will only be registered if there is a DSC requirement. Should other sites, belonging to the same organization, require a DOS with DSC, the other sites will be numbered consecutively (for example, “01,” “02,” “03,” and so on).

2. The CSO of a head office may submit applications for personnel security screenings for employees at all sites of the organization located within Canada.

Note: In those cases where an organization only has a requirement to safeguard protected personnel security clearance records to satisfy section 208. Reliability status records or section 258. Personnel security clearance records of chapter 2 of this manual, it is not necessary to establish site clearances at the locations where these records are kept. Organizations must ensure that such records are safeguarded in containers suitable for protected information. These containers may be subjected to inspection by field industrial security officers of PSPC's CSP.

Chapter 3 part I annexes

Chapter 3: Facility security clearances, Part II—Facility security clearance (classified)

350. General

1. A facility security clearance (FSC) is an administrative determination that an organization is eligible, from a security viewpoint, for access to classified and protected information and assets of the same or lower classification level as the clearance being granted.

Where an organization requires access to only protected information and assets, refer to Part I: Designated organization screening (protected) of this chapter.

2. An FSC is required before an organization can be awarded contracts that have classified information or asset requirements.

Certain individuals must be cleared in connection with an FSC. These individuals are referred to as key senior officials (KSOs). They include the company security officer (CSO), owners, officers, directors (of the board), executives and partners who occupy positions which may enable them to adversely affect an organization's policies or practices in the performance of classified contracts.

The organization is responsible for determining its KSOs and for reporting this information to the appropriate field industrial security officer (FISO) of Public Services and Procurement Canada's (PSPC's) Contract Security Program (CSP). PSPC reserves the right to challenge the organization's list of KSOs, and to call for amendments or exclusions to this list.

Refer to Annex 3-A: Designated organization screening requirements (protected information) and Annex 3-B: Facility security clearance requirements (classified information) in this chapter for specific levels of clearance required by KSOs, the CSO and employees requiring access, for each level and type of FSC.

3. Organizations must have their KSOs cleared, as a minimum, to the classification level required before an FSC will be granted.

4. Normally, an FSC is required before an organization can obtain personnel security clearances for employees other than KSOs. Clearance requests for other employees may be submitted concurrently. However, they will not be authorized until after the establishment of the FSC.

5. In establishing the FSC, the Canadian head office will be inspected and, if classified safeguarding is required at the head office, must be inspected, and the FSC will include a site clearance for that office. In addition, a separate inspection and site clearance is required for each additional location where classified information or assets will be stored or handled.

6. An FSC is based on an assessment of the following elements:

  1. the organization is not under adverse foreign influence
  2. the owners, officers, directors (of the board), executives and partners of the organization can be entrusted to participate in classified contracts
  3. the organization can protect classified information or assets at its facilities, when required

7. PSPC will notify the organization in writing as to whether an FSC has been granted.

8. When an FSC is granted, an organization can request the clearance of their employees anywhere in Canada.

351. Personnel security clearances for key senior officials

1. The CSO must maintain a current list of all KSOs, and submit a copy to PSPC's CSP each time the list is amended. The list must designate by name and title those KSOs who are cleared, those not yet cleared but who are being processed for a personnel security clearance, and those who have been excluded from access to sensitive information.

  1. KSO exclusions. When the government has an urgent need to issue an FSC to an organization, PSPC may temporarily waive the requirement that all KSOs be security cleared before an FSC is granted. The process for KSO exclusions will be considered to allow an organization to:
    1. receive a request for proposal (RFP) or other pre-contractual documentation containing classified information
    2. be awarded a classified contract
    3. continue with contracts when a company takeover has occurred
  2. Security procedures must exist within the organization to ensure that excluded KSOs are denied access to classified information and assets. The exclusion does not become effective until formally approved by PSPC, who will also determine the number of excluded KSOs to be permitted, on a case-by-case basis. If the excluded official's position or responsibilities in the organization change, the CSO must notify PSPC's CSP, who will review the exclusion. Exclusions will not normally be approved for the president or chief executive officer of an organization

352. Parent organizations

1. When an organization has a requirement to obtain classified document safeguarding capability (DSC) (that is, the authorization for an organization to store and handle protected and classified information or assets at their work sites), its parent organization (if applicable) must also possess an FSC at the same level or it must be excluded from access to the classified information and assets held by the subsidiary organization. Where a parent organization exclusion is required, the organization must submit the following completed forms:

  1. Annex 3-D: Resolution of exemption of parent organization form
  2. Annex 3-E: Non-disclosure certificate form
  3. Annex 3-F: Subsidiary board resolution noting parent's exclusion and resolution to exclude parent organization

2. The exclusion of a parent organization does not become effective until formally approved by PSPC, who will determine if there is a valid need for the exclusion of the parent organization.

353. Foreign ownership, control or influence

1. In certain circumstances, such as involvement in extremely sensitive information security (INFOSEC) programs and contracts, there is a need to evaluate, in more detail, the ownership of an organization and the degree of influence exercised by owners and senior management personnel. In such cases, organizations would be required to provide full details concerning:

  1. corporate organization, up to ultimate ownership (direct or indirect)
  2. foreign directors or officers
  3. actual or potential foreign control or influence over the election, appointment or tenure of directors or officers
  4. ownership of foreign interests
  5. foreign contracts, agreements, understandings or arrangements
  6. foreign indebtedness or foreign sources of income
  7. the relationship between directors and foreign interests

2. The existence of foreign ownership, control or influence (FOCI) does not, in itself, prohibit an organization from holding an FSC. Each case is assessed individually. In cases of an adverse FOCI, details will be discussed with the organization to determine whether certain measures can be taken to negate the risk or reduce it to an acceptable level.

354. Care and custody of classified information and assets

The organization's facility must meet the physical and administrative security requirements necessary for the performance of the classified work to be performed under the contract before an FSC with DSC will be granted.

Refer to Chapter 4: Facility safeguarding, and Chapter 5: Handling and safeguarding of protected and classified information and assets of this manual. Specific guidance will be provided by the FISO of PSPC's CSP.

355. Pre-contractual negotiations

Pre-contractual negotiations, involving classified information and assets, may not be initiated with the organization until after an FSC has been granted. This is also applicable when a cleared organization wishes to subcontract to another non-government organization.

356. Government of Canada security agreement

Prior to being granted an FSC, the organization must enter into an agreement with the Canadian government, whereby the organization undertakes to:

  1. abide by the provisions of this manual, and such other security requirements as may form part of a classified contract awarded to the organization
  2. permit PSPC's CSP, or other government authorities at the request of PSPC, to enter their premises at any time for the purpose of conducting security inspections
  3. not seek reimbursement from the government for security costs except as provided for in a contract

Refer to Annex 3-G: Public Services and Procurement Canada security agreement in this chapter.

357. Types of facility security clearances

1. There are 3 types of FSCs:

a. Personnel assigned (PA)
This is the most basic type of FSC. It normally applies to those organizations involved in contracts for services as opposed to goods. A PA FSC will involve security screening of the organization's KSOs and employees. There is no requirement to evaluate the physical security status of the organization's facilities. A PA FSC does not authorize the organization to possess or store classified information and assets within its facilities.
b. Document safeguarding capability (DSC)
This type of FSC involves the security screening of the organization's KSOs and employees. In addition, the physical security of the organization's facilities is assessed to ensure they meet the requirements for the safeguarding of government information and assets. A DSC for FSC will authorize the organization to possess and store classified information and assets at their facility.
c. Production (PROD)
This type of FSC includes all the same elements of a DSC FSC. In addition, the security of the manufacturing, repairing, modifying or otherwise working on classified components or items is assessed, to ensure they meet the government security requirements.

2. Each type of FSC may be authorized at the classification level of Confidential, of Secret or Top Secret, or of NATO Confidential or NATO Secret.

358. Status of facility security clearance

Where organizations receive a request from other organizations, other government departments or other governments to confirm their FSC, such requests will be referred to PSPC's CSP.

359. Period of validity

1. An FSC granted by PSPC is not awarded in perpetuity. An FSC is granted for the performance of a specific contract, or on the basis of registration where it appears an organization may receive a contract award. An FSC lapses on completion of the last classified contract, upon confirmation that registration is not renewed or both. The organization will be advised, in writing by PSPC, when the FSC is about to be terminated, and will be given the opportunity to show cause for FSC continuation.

2. An FSC will be suspended or revoked by PSPC if the organization fails to maintain the required security standards. Existing contracts will be cancelled and the organization will not be eligible for future security-related contracts while the organization's FSC is under suspension.

360. Site clearances within an organization located in Canada

1. Separate site clearances are necessary for each location where classified information or assets will be stored or handled.

2. When classified DSC is required at sites physically separate from the Canadian head office, the following conditions must be met at each location before a site clearance will be granted:

  1. the head office must have an FSC
  2. the KSO in charge of each location must be cleared to the required level
  3. at least one other employee must be cleared to the same level
    • in the case of a one-person operation or organization, PSPC may consider an exception on a case-by-case basis
  4. at least 2 security officers must be appointed
  5. each location must meet the required physical and administrative security requirements

361. Branch office outside of Canada

1. For the purpose of this manual, a branch office is not considered to be a separate legal entity requiring a separate FSC.

2. Where it is necessary to safeguard classified information and assets at a branch office outside of Canada, the Canadian head office must submit a written request for clearance to PSPC's CSP, in order that the appropriate action may be taken with the designated industrial security authority of that nation. Depending on the country involved, PSPC's CSP may not always be able to establish safeguarding capability at the branch office(s).

362. Reciprocal facility security clearances

1. For the purpose of this manual, a subsidiary is considered to be a separate legal entity requiring a separate FSC.

2. Under a number of industrial security agreements (such as between the United States and Canada), PSPC can request a foreign government to grant a reciprocal FSC to a subsidiary of a Canadian organization located in another country. This is useful when the subsidiary wishes to get involved as a subcontractor in a Canadian classified contract.

Note: Reciprocal FSCs are somewhat restricted. For the most part, a reciprocal FSC will only permit the subsidiary to get involved in Canadian classified work. Involvement in classified contracts with the government of the country in which the subsidiary is located may not be permitted with this type of FSC.

3. When a Canadian subsidiary requires an FSC for involvement or potential involvement in classified work for the government of the country in which it is located, the subsidiary may be required to apply directly to the industrial security authorities of that country for a regular FSC. (PSPC's CSP can provide points of contact of industrial security authorities in other countries.) In most cases, the subsidiary will have to be incorporated in that country before qualifying for an FSC.

Chapter 3 part II annexes

Annex 3-A: Designated organization screening requirements (protected information)

A designated organization screening (DOS) allows organizations to get security screening for their personnel at the reliability status level, which is required when accessing protected information and assets.

Learn which personnel require security screening at the reliability status level to access the 3 levels of protected information and assets at each of the 3 types of designated organization screening (DOS).

Reliability status requirements for various activity types and for different security levels of protected information and assets
Protected Information Activity Is reliability status required for this position or the organization?
Key senior official (KSO) Company security officer (CSO) Employees Designation organisation screening (DOS)
Protected "A" Personnel assigned (PA) No Yes Yes Yes
Document safeguarding capability (DSC) No Yes Yes Yes
Production No Yes Yes Yes
Protected "B" Personnel assigned (PA) No Yes Yes Yes
Document safeguarding capability (DSC) No Yes Yes Yes
Production No Yes Yes Yes
Protected "C"Footnote 1 Personnel assigned (PA) No Yes Yes Yes
Document safeguarding capability (DSC) No Yes Yes Yes
Production No Yes Yes Yes

More information

Annex 3-B: Facility security clearance requirements (classified information)

A facility security clearance (FSC) allows organizations to get security clearance for their personnel up to the classified level, which is required when accessing classified information, assets and work sites.

Level of personnel and facility security clearance required for various activity types and for different security levels of
classified information and assets
Classified Activity Clearance required
Key senior official (KSO) Company security officer (CSO) Employees Facility security clearance (FSC)
Confidential Personnel assigned (PA) Secret Secret Secret Secret
Document safeguarding capability (DSC) Secret Secret Secret Secret
Production Secret Secret Secret Secret
Secret Personnel assigned (PA) Secret Secret Secret Secret
Document safeguarding capability (DSC) Secret Secret Secret Secret
Production Secret Secret Secret Secret
Top SecretFootnote 2 Personnel assigned (PA) Top Secret Top Secret Top Secret Top Secret
Document safeguarding capability (DSC) Top Secret Top Secret Top Secret Top Secret
Production Top Secret Top Secret Top Secret Top Secret

North Atlantic Treaty Organization classified information requirements

Refer to the table at Annex 3-C: Facility security clearance requirements (North Atlantic Treaty Organization classified information).

More information

Annex 3-C: Facility security clearance requirements (North Atlantic Treaty Organization classified information)

Organizations bidding on North Atlantic Treaty Organization (NATO) opportunities must meet the security requirements listed in the contract.

Personnel and facility security clearance requirements for various activity types and for different security levels of
NATO classified information and assets
Classified Activity Clearance required
Key senior official (KSO) Company security officer (CSO) Employees Facility security clearance (FSC)
NATO Confidential Personnel Assigned (PA) Canadian Secret Canadian Secret NATO Secret Canadian Secret
Document safeguarding capability (DSC) NATO Secret NATO Secret NATO Secret NATO Secret
Production NATO Secret NATO Secret NATO Secret NATO Secret
NATO Secret Personnel Assigned (PA) Canadian Secret Canadian Secret NATO Secret Canadian Secret
Document safeguarding capability (DSC) NATO Secret NATO Secret NATO Secret NATO Secret
Production NATO Secret NATO Secret NATO Secret NATO Secret
COSMICtable 1 note 1 (Top Secret) Personnel Assigned (PA) Canadian Top Secret Canadian Top Secret COSMIC Canadian Top Secret
Document safeguarding capability (DSC) COSMIC COSMIC COSMIC COSMIC
Production COSMIC COSMIC COSMIC COSMIC

Table 1 Notes

Table 1 Note 1

The term COSMIC Top Secret is used in lieu of NATO Top Secret for Top Secret information handled within NATO.

Return to table 1 note 1 referrer

Non-North Atlantic Treaty Organization classified information requirements

Refer to the table at Annex 3-B: Facility security clearance requirements (classified information).

More information

Annex 3-D: Resolution of exemption of parent organization form

The parent organization uses this form to request the exclusion of the parent organization from accessing classified information and assets held by any subsidiaries of the organization.

Completing and submitting this form

You may complete this form on-screen or by hand. Select the “Print” button at the bottom of this page.

Learn how submit requests, forms and other documents or contract security.

Resolution of exemption of parent organization form

the duly elected secretary of

a corporation located in

do hereby certify that the following is a true and complete copy of a resolution passed at a meeting of the board of directors of said corporation, at which a quorum was present, duly called, and held

Be it resolved that

its officers and directors, as such, will not require and not have access to protected/classified information or assets in the custody of

a subsidiary corporation, and further that

has been delegated full authority to act completely independent of

in all matters which involve or relate to

responsibility to safeguard protected/classified information and assets. Be it further resolved that these actions of the board of directors of

are taken for the purpose of exempting the

from the necessity of a facility security clearance in conformity with the Public Services and Procurement Canada Industrial Security Manual.

Annex 3-E: Non-disclosure certificate form

An officer or director of a subsidiary organization uses this form to certify that the subsidiary will not disclose protected or classified information to the parent organization.

Completing and submitting this form

You may complete this form on-screen or by hand. Select the “Print” button at the bottom of this page.

Learn how to submit requests, forms and other documents or contract security.

Non-disclosure certificate form

I, the undersigned, am an officer and/or director of

a corporation which, by official action of its board of directors, is excluded from access to protected/classified information. I am also an officer and/or director of

and I am required to be granted a government personnel security clearance as a condition of clearing

for access to protected/classified information. I understand that

is not cleared for access to protected/classified information and I certify that I shall not disclose protected/classified information to the

or any of its agents regardless of my official business or personal association therewith. I further understand that any breach of security with respect to the disclosure of protected/classified information or assets to

may result in the denial of access to such information to

Annex 3-F: Subsidiary board resolution noting parent's exclusion and resolution to exclude parent organization

The duly elected secretary of the subsidiary organization must complete this form when:

Completing and submitting this form

You may complete this form on-screen or by hand. Select the "Print" button at the bottom of this page.

Learn how to submit requests, forms and other documents or contract security.

Subsidiary board resolution form

the duly elected secretary of

a corporation in the province or territory of

do hereby certify that the following is a true and complete copy of a resolution passed at a meeting of the board of directors of said corporation, at which a quorum was present, duly called, and held

Be it resolved that officials of

the parent organization of

shall not require and shall not have access to protected or classified information in the custody of

a subsidiary organization.

acknowledges the execution of a resolution by name and address of parent organization

whereby the corporation, its officers and directors, as such, will not require and not have access to protected or classified information in the custody of

a subsidiary corporation, and further that this action will not affect adversely the policies of said subsidiary involving the security and safeguarding of protected or classified information or performance of classified contracts.

Be it further resolved that

acknowledges non-disclosure certificates executed by the below listed individuals who are officers or directors of

and

that they will not disclose protected or classified information to

or any or its agents.

Be it further resolved that these actions of the board of directors of the

are taken for the purpose of exempting the

from the necessity of facility security clearance equivalent to that held by the

in conformity with the Public Services and Procurement Canada Industrial Security Manual.

Chapter 4: Facility safeguarding

400. General

Introduction

  1. Facility protection (physical security) is one of the essential subsystems for implementing an effective security program. Operational standards for the physical security of sensitive information and assets are contained in Treasury Board's Policy on Government Security and its associated directives and standards. The Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP) is responsible for the application of these standards in all private sector organizations that participate in PSPC's CSP
  2. Additional requirements exist, including some for information technology (IT), for the handling of communications security (COMSEC) information and assets, over and above those safeguards outlined in this chapter.

Concept

  1. A physical security system should safeguard against unauthorized access, detect actual or attempted unauthorized access and be able to activate a response. Protection involves physical, procedural and psychological barriers to delay or deter. Detection refers to devices and methods designed to show and, possibly, verify attempted or actual unauthorized access. Response refers to reactions such as the involvement of guard or police forces, assessments to damage and measures to prevent the failure of other elements of the system
  2. Given enough time, almost any physical security measure can be compromised. It is therefore important to point out that protective measures must be predicated on the time required for a response unit or person to arrive at the scene. PSPC's CSP will assist in the development of an overall facility protection plan

Scope

This chapter deals with the physical security requirements of the plant and grounds, the setting up of security zones (control of access into and within the facility) and the security of protected and classified information and assets.

Carefully consult Chapter 5: Handling and safeguarding of classified and protected information and assets of this manual to ensure that the necessary measures are incorporated into the overall facility protection plan.

Protection design

Physical security starts with the initial design of the facility. To avoid or reduce the cost of security retrofit, organizations should consult PSPC's CSP at an early stage when considering construction, purchase, lease or renovation of facilities for which a site clearance will be required.

401. Physical security

Secure zones

Organizations holding a designated organization screening (DOS) or a facility security clearance (FSC) are required to establish the appropriate number of progressively restrictive zones to control access to protected and classified information and assets. The first 2 types of zones listed below (public zone and reception zone) are not considered secure for safeguarding protected and classified information and assets. Their main purpose is to set up an initial base from which other secure zones can be developed.

Types of secure zones
Public zone

A public zone generally surrounds or forms part of an organization's facility. Examples include the grounds surrounding a building and public corridors and elevator lobbies in multiple-occupancy buildings. Boundary designators such as signs and direct or remote surveillance may also be used to discourage unauthorized activity.

Reception zone

A reception zone is located at the entry to the facility where:

To varying degrees, activity in a reception zone is monitored by the personnel who work there, by other personnel or by security staff. Access by the public may be limited to specific times of the day or for specific reasons. Entry beyond the reception zone is indicated by a recognizable perimeter such as a doorway or an arrangement of furniture and dividers in an open office environment.

Operations zone

An operation zone is an area where access is limited to security screened personnel at the appropriate level who work there and to properly escorted visitors. Operations zones should be monitored at least periodically, based on a threat and risk assessment, and should preferably be accessible from a reception zone.

Security zone

A secure zone is an area to which access is limited to authorized and security screened personnel at the appropriate level and to authorized and properly-escorted visitors. Security zones should preferably be accessible from an operations zone and through an entry point. A security zone need not be separated from an operations zone by a secure perimeter. Security zones are monitored 24 hours a day and 7 days a week by security staff, other personnel or electronic means.

High-security zone

A high-security zone is an area to which access is controlled through an entry point and limited to authorized, appropriately screened personnel and authorized and properly escorted visitors. High-security zones should be accessible only from security zones and are separated from security zones and operations zones by a perimeter built to the specifications recommended in a threat and risk analysis. High-security zones are monitored 24 hours a day and 7 days a week by security staff, other personnel or electronic means.

Attributes of secure zones
  1. Signs must be used to demarcate secure zones and must include the term “operations zone,” “security zone” or “high-security zone.”
  2. The physical attributes of a secure zone may vary. For example, a security zone could be a desk in an open-office environment that normally functions as an operations zone, if the person working there is able to control and monitor access to the protected and classified information and assets. A security zone could also be an enclosed office to prevent unauthorized seeing or hearing of information
  3. The definition of secure zones may vary according to the period of use during the day or week. For example, a reception zone during public access hours may be defined as an operations zone during restricted access hours, such as on weekends and at night
  4. Physical security is more acceptable and effective if measures, such as barriers, are adapted to normal operations as much as possible. Proper location and demarcation of secure zones will help ensure appropriate functional use as well as controlled access
  5. Access to secure zones must be limited to security screened personnel at the appropriate level who work there and to properly escorted visitors

Regulations and codes

Physical security systems are to comply with relevant provincial and municipal regulations and codes, such as those relating to fire, construction and electrical installations.

402. External areas and perimeters

External perimeter

Fences and free-standing walls delineate and control external perimeters. They are typically used where a facility contains valuable assets. Some types of fences and walls may also prevent unauthorized observation. They can compensate for security deficiencies in the building design, such as ground-level windows exposing information or areas.

Landscaping

Landscaping around a secure facility should be designed to enhance:

  1. protection, by demarcating and securing the perimeters and by channelling personnel and the public
  2. detection, by allowing for easily identifiable controlled areas, by reducing the opportunity for concealment and by developing circulation routes that will allow employee surveillance of the facility
  3. response, by allowing unimpeded access to the facility for emergency response personnel and equipment

Parking lots

Parking lots should be designed to reduce the threat to the facility, its employees and visitors by:

  1. channelling pedestrian traffic
  2. easing surveillance of high-risk areas
  3. discouraging the casual use of exit doors and shipping or receiving areas
  4. not allowing parked vehicles to be located so close to buildings that they increase the security risk

Security lighting

External security lighting is normally required to facilitate surveillance. It may demand increased intensity or a specialized colour spectrum, or both, for identification purposes or for closed-circuit television applications. In view of its technical complexity and the necessity to meet safety and other codes, qualified personnel should plan security lighting. PSPC's CSP will advise on the specific requirement.

Doors, windows and other openings

Access doors should be restricted to the smallest number possible. Windows should preferably be of a non-opening type. All must be of sturdy construction and securely installed. Other perimeter openings, such as drains or utilities tunnels, must be secured to deny unauthorized entry. PSPC's CSP will advise on specific requirements and standards.

Emergency exits

Emergency exits should not allow uncontrolled access to secure zones. Information and assets controlled by an organization are most vulnerable during an emergency. Therefore, measures must be implemented to ensure that emergency exit routes are adequately protected during an emergency.

Security control centres

An organization granted a DOS or FSC with document safeguarding capability (DSC) may require at each site so cleared a security control centre to monitor and control the status of security equipment and systems such as:

A security control centre may be operated by the facility, by a commercial agency under contract, or some combination of the 2, to provide full-time coverage. The security monitoring system must have the capability to operate independently of other facility monitoring systems.

For more information on DOS or FSC, refer to section 304. Types of designated organization screening (DOS) or section 357. Types of facility security clearances (FSC) of this manual.

403. Control of access to secure zones

Reception

Entry points should be established to channel employees and visitors, verify employee identity and prohibit visitor entry until properly recorded and accompanied by an employee.

Personnel identification

  1. Where organizations are large enough that personnel identification between employees becomes uncertain, employees should be required to wear cards that identify the bearer and/or access badges that allow access to specified zones or facilities
  2. An identification card should contain the individual's photograph, name and signature, name of the issuing organization and a card number with an expiry date. It does not convey access, but merely identifies the bearer. Access requires an additional control such as an access list, knowledge of a combination, electronic access card or an access badge. An access list or access badge shows authorization only. Therefore, additional control procedures may be necessary to verify identity and regulate entry or exit
  3. It is desirable that identification cards and access badges be colour coded or marked in such a way as to quickly indicate clearance level and/or access authorization
  4. Organizations are required to:
    1. establish procedures to verify cards or badges held by personnel and to withdraw cards or badges for cause
    2. provide for the replacement of any or all cards or badges whenever a threat and risk assessment shows that this is necessary
    3. set up a procedure for reporting the damage to, or the loss or theft of, personnel identification cards or access badges
    4. maintain inventories of all cards or badges
    5. replace personnel identification cards or access badges whenever personal appearance changes significantly from the photograph on the card or badge

Guards

  1. Guards may be required to control access to secure zones where there is a need for personal interaction and judgment, or for quiet-hours patrolling and to provide timely response to actual or attempted unauthorized entry or other emergency. Guards must be appropriately screened to the level of possible access to protected and classified information and assets. This does not include access resulting from the discovery of a security breach
  2. Exceptions may be recommended by the responsible field industrial security officer (FISO), on a case-by-case basis, based upon an on-site inspection and a threat and risk assessment

Electronic access control

Electronic access control devices can be used to record authorized entry and to deter unauthorized entry. Their expense, variety and technical complexity make it essential that organizations consult with PSPC's CSP on acceptable systems and their specific application. An essential prerequisite for installation of electronic access control devices is the establishment of a secure perimeter. Alternative measures must also be available when controls are out of service. Installed systems must comply with applicable building and fire codes and regulations.

Electronic intrusion detection

Electronic intrusion detection (EID) devices signal an alert on attempted unauthorized access. They can be used, in some circumstances, as an alternative to guards or to increase the efficiency of guards. They should be supported by a response capability related to the threat and risk assessment. EID devices are to be checked regularly to ensure reliable operations and alternate measures are to be available. Organizations considering installation of EID devices should obtain advice from the FISO at PSPC's CSP.

Closed-circuit television

Closed-circuit television systems (CCTVs) televise scenes that are broadcast only to selected receivers for surveillance and assessment purposes. CCTVs can also serve as a psychological deterrent and, when linked to a video recorder, serve as an aid in investigating incidents of unauthorized access. CCTVs can be used to improve guard effectiveness by extending their range of view and to assess the need for an immediate response to an alarm. Alternate measures are to be available if the CCTV is out of service.

Interior access controls

In some circumstances, access controls and procedures may have to be established within a facility to control and record entry to certain security or high-security zones.

Service spaces

  1. Care must be taken to ensure that common service spaces cannot be used to circumvent the physical security system. Circulation routes should be located to prevent the unauthorized viewing or hearing of protected or classified information. Common service facilities such as general-use photocopiers should not be located in security or high-security zones
  2. Public access service spaces, such as washrooms and cloakrooms, are to be located outside of secure spaces

404. Security of recorded information

Collection of personnel information

  1. Due to its sensitivity, personnel security screening documentation containing personal information should not be retained in the organization's general personnel files, but rather in a separate security file and safeguarded as protected in accordance with Chapter 5: Handling and safeguarding of classified and protected information and assets of this manual. Completed personnel security clearance questionnaires pending transmittal to PSPC's CSP, as well as any adverse information regarding the individual, should be afforded an enhanced level of protection, normally at the Protected B level
  2. Contracts for statistical studies or surveys involving confidentiality, or other contracts for the collection of personnel information, will contain specific protection provisions to be observed by the contractor

Secure environment for the handling of protected and classified information and assets

  1. Secret and Top Secret information and assets must be processed, stored and destroyed in a security zone unless a threat and risk analysis recommends a higher level of security zone
  2. Confidential information and assets must be processed, stored and destroyed in an operations zone
  3. Protected A and Protected B information and assets should be processed, stored and destroyed in an operations zone
  4. Protected C information and assets should be processed, stored and destroyed in a security zone or, if recommended in a threat and risk analysis, in a higher security zone

Effective use of restricted zones

In an open office environment, the effective use of restricted zones depends on the implementation of appropriate security procedures, which include:

  1. respecting the need-to-know principle, having the proper security clearances in place, and respecting zone perimeters
  2. escorting visitors
  3. securing protected and classified information and assets when leaving the work area
  4. using precautions when discussing protected or classified information
  5. locating equipment such as containers and shredders, where they can be used without leaving protected and classified information and assets unattended
  6. preparing and handling Protected C information and assets in a security zone or, if recommended in a threat and risk analysis, in a higher security zone

Handling and safeguarding of protected and classified information and assets

Consult Chapter 5: Handling and safeguarding of classified and protected information and assets of this manual for special requirements relating to:

  1. records office security
  2. mailroom security
  3. storage
  4. keys for containers
  5. transmittal
  6. removal and transport
  7. destruction

405. Security of assets

  1. Organizations are responsible for determining and, subsequently, managing the risk to the security of all protected and classified assets under their control. They must document and implement an asset security system that:
    1. identifies management and employee responsibilities
    2. determines assets requiring safeguards
    3. establishes procedures for maintaining an inventory, for reporting and dealing with security incidents and for maintaining a threat and risk assessment
    4. details proper personnel and physical security measures
  2. Protected and classified assets should be listed with their location, the type of safeguards that may apply and the name of their custodian. Custodians should be assigned responsibility areas and report anything they consider detrimental to the safekeeping of the asset. Procedures should require that all instances of damage to assets and of confirmed missing assets are reported to the company security officer (CSO) as soon as possible

Chapter 5: Handling and safeguarding of classified and protected information and assets

500. General

  1. The Government of Canada is responsible for stipulating and applying the required level of security for its information and assets. These levels are Protected A, B, or C and as well as Confidential, Secret and Top Secret.

    When an organization is awarded a contract that calls for safeguarding at any of these security levels, the company security officer (CSO) is responsible for consulting the appropriate government department regarding the level of security to be applied for any in-house documentation created by the organization in support of the contract. The creator of the documentation must then ensure that it is appropriately marked and safeguarded.

  2. The improper handling and safeguarding of protected and classified information and assets is the leading cause of difficulties that result in the suspension or revocation of an organization's designated organization screening (DOS) or facility security clearance (FSC). The application of the procedures, detailed throughout this chapter, will help to reduce the risk of a security infraction or breach.

  3. Access to information and assets must be limited to persons who have the appropriate reliability screening or security clearance and who have a need-to-know. Precautions must be taken to ensure that persons who are not cleared and who may be in the proximity of information and assets do not gain access to this information and assets.

  4. Particular attention should be paid to the requirements for control and registration of information and assets and to the proper procedures for their packaging and transmittal predicated on the Policy on Government Security.

  5. Additional requirements exist for the handling of communications security (COMSEC) information and assets, over and above those safeguards outlined in this chapter.

Refer to the COMSEC Support to the Private Sector—Project Managers' Quick Reference Guide. Contact the Contract Security Program to request a copy of this guide.

501. Security warning for contractor produced publications

  1. Unless otherwise specified in the contract, where a contractor is producing a publication on behalf of the Government of Canada that contains protected information, the following warning must be printed on both the front cover and title page:

    "This publication contains PROTECTED information, which must be safeguarded under the provisions of Canada's Policy on Government Security. It has been produced by (contractor's name) under the provisions of (contract number or other authorization) on behalf of (the Government of Canada the department, as applicable). Release of this publication or of any information contained herein to any person not authorized by the originating agency to receive it is prohibited."

  2. All classified publications, pamphlets, handbooks or brochures which are produced by a contractor on behalf of the Government of Canada must have, in addition to the regular security classification markings as prescribed in this chapter, the following security warning on both the front cover and the title page:

    "This publication contains CLASSIFIED information affecting the national interest of Canada. It has been produced by (contractor's name) under the provisions of (contract number or other authorization) on behalf of (the Government of Canada or the department, as applicable) and is to be safeguarded, handled and transported in accordance with the Policy on Government Security. Release of this publication, or of any CLASSIFIED information contained herein, to any person not authorized to receive it is prohibited by the Security of Information Act."

  3. Where a contractor produces classified publications on behalf of a foreign government department or agency, any warning must be worded as stipulated in the contractual documentation.

You may contact international contract security to obtain further advice and assistance.

For more information, refer to the Security of Information Act.

502. Marking protected and classified information

General

Protected and classified information must be marked, as a minimum, according to the standards detailed in this manual.

Marking

Organizations are required to implement the following procedures for marking information:

  1. for protected information, mark the word "PROTECTED" in the upper right corner of the face of the document and where required, with the letter "A", "B" or "C" to indicate the level of safeguarding
  2. for Confidential information, mark the word "CONFIDENTIAL" in the upper right corner of the face of the document
  3. for Secret information, mark the word "SECRET" in the upper right corner of each document page
  4. for Top Secret information, mark the words "TOP SECRET" in the upper right corner of each document page and show the total number of pages on each page of the document (for example, "Page 2 of 10")
  5. mark covering or transmittal letters or forms or circulation slips to show the highest level of classification or protection of the attachments
  6. mark all materials used in preparing protected and classified information (such material includes notes, drafts, carbon copies and photocopies)
  7. the letters used in marking should be larger than those used in the text of the document
  8. printed forms that only become protected and classified when completed should be so marked, for example:

    a. "CONFIDENTIAL"
    (when completed)

  9. in addition to marking individual pages as stipulated above, documents must be appropriately marked on the outside of both the front and back covers
  10. loose documents must be marked on every sheet
  11. images such as charts, maps and drawings must be prominently marked near the margin or title block in such manner that the marking is clearly visible when the document is folded
  12. security markings should include the applicable protection or classification and the date or event at which declassification or downgrading is to occur, if it is possible to determine this at the time the information is created or collected

Marking copies

Organizations are required to implement the following procedures for controlling copies of classified information:

  1. control copies of Confidential documents as for secret when warranted by a threat and risk assessment
  2. for secret information, number each copy, show the copy number on the face of each copy and maintain a distribution list
  3. for top secret information, assign a unique whole number to each copy, marking the copy number on each page and maintain a distribution list. Recipients of top secret information must not copy it without specific authorization of Public Services and Procurement Canada (PSPC)

Marking microforms

  1. Microform is a generic term for any storage medium that contains micro-images
  2. Organizations are required to implement the following procedures for the marking of microforms:
    1. assign a protection or security classification at the highest protection or classification of the information contained on the microform
    2. mark microforms containing protected information "PROTECTED" in eye-readable form, with the microform number and the total number of microforms
    3. mark microforms containing classified information with the proper classification in eye-readable form, with the microform number and the total number of microforms

Marking electronic storage material

  1. Electronic material on which is stored protected and classified information is to be assigned a protection and security classification at the highest protection or classification of the information it contains
  2. Where possible, the security marking should be in both eye-readable and machine-readable form. Where this is not possible, as with certain types of hard disks, the security marking should be machine-readable
  3. Electronic storage material includes flexible disks, hard disks (both removable and permanent), storage cartridges, printed output from computers, video display units, magnetic tapes, magnetic cassettes, punched cards and punched paper tapes
  4. Removable storage material should bear standard labels. Where bypass label processing is allowed, procedures are needed to ensure that the proper item is loaded into the computer.

    Refer to Chapter 8: Information Technology Security of this manual.

  5. Specific advice on how to mark various forms of electronic storage material may be obtained from PSPC's Contract Security Program (CSP)

International documentation

Marking must be in accordance with international industrial security memoranda of understanding, agreements or other international standards and guidelines.

You may contact international contract security to obtain further advice and assistance.

503. Records management

General

Organizations must maintain records and establish adequate facilities, such as a records office, for receiving, distributing and storing protected and classified information and assets.

Recording of protected information and assets

Unless specifically identified in a contract, there is no requirement to keep records of protected information and assets, except for Protected C, which must be recorded in the same manner as classified information and assets. Persons receiving or granted access to protected information and assets must be briefed on their responsibilities for its safeguarding.

Recording of classified information and assets

A record must be kept of the dates, names and transactions of all classified information and assets indicating:

  1. receipt by the facility
  2. distribution within the facility
  3. creation within the facility
  4. reproduction within the facility
  5. destruction within the facility
  6. transmittal outside the facility
    • Transmittal of information and assets outside the facility must be performed as detailed in section 506. Packaging and transmittal of classified and protected information and assets of this chapter. Records of distribution, circulation and return within the facility must include receipt by signature, of the persons involved. Persons who have access to classified information and assets must be briefed on their responsibilities for its protection, and any special restrictions concerning its use or further dissemination
  7. All records of classified information and assets and all classified information and assets must be made available for inspection by field industrial security officers of PSPC's CSP

Records office security

Management of records offices, or parts thereof, where protected and classified information is stored or processed must ensure the following procedures are followed:

  1. as a minimum, these offices must be managed as a security zone
  2. records office staff who have access to protected and classified information must hold a reliability status or personnel security clearance to the highest level required
  3. protected and classified information must be filed and circulated in marked file jackets that clearly indicate they contain protected and classified information
  4. a file must be marked according to the highest level of sensitivity retained in the file
  5. areas where mail is opened must be managed according to mailroom security standards. Refer to the section on Mailroom security below
  6. release of protected files from records offices must be limited to employees with reliability status with a need-to-know
  7. release of confidential files from records offices must be limited to security-cleared employees with a need-to-know
  8. release of top secret and secret files from records offices must be limited to appropriately security-cleared employees with a need-to-know. Those personnel authorized access must be identified on an access list approved by the responsible manager (such as the project manager)
  9. classified information of foreign origin must be accorded the same protection as Canadian information of equivalent classification. If in doubt, contact international contract security to obtain further advice and assistance
  10. special precautions are necessary to prevent unauthorized disclosure or access to classified information and assets to non-Canadian citizens:
    • such persons must not be given access to information that bears restrictive markings such as "FOR CANADIAN EYES ONLY" without prior approval of PSPC's CSP
    • further restrictions may apply to bilateral and multinational contracts, programs or projects. If in doubt, contact PSPC's CSP

Mailroom security

Areas where mail is opened must be managed as a security zone or high-security zone. Mail that is marked "to be opened only by the addressee" must be delivered to the intended recipient directly. Classified mail must only be opened by the appointed authority within the facility responsible for ensuring its registration.

504. Safeguarding of information and assets

Storage

  1. As a minimum, protected information and assets must be stored in a locked container. Protected C information and assets and all classified information must be stored in an approved security container in accordance with the Royal Canadian Mounted Police (RCMP) Technical Security Branch Security Equipment Guide (G1-001). Protected or classified information and assets may be stored on open shelving in a secure room, only after inspection and approval by PSPC's CSP and only to the level approved by PSPC's CSP
  2. Protected and classified information and assets must not be stored in the same container as negotiable or attractive assets
  3. Organizations required to store protected and classified information and assets are permitted to purchase approved security equipment through PSPC's CSP. In consultation with the field industrial security officer (FISO), the CSO or alternate company security officer (ACSO) should determine the equipment to meet the specific requirement, and submit the Annex 5-A: Registering a document for equipment purchase form in this chapter. After endorsement by the FISO, PSPC's CSP will process the request, although the invoicing and delivery for the equipment is between the purchaser (the CSO) and the supplier. Examples of equipment available through this procedure are listed in Annex 5-B: Approved equipment available for purchase by organizations

Keys for containers

  1. Keys (devices such as instruments, cards, combinations and code numbers used to open and close containers) must be safeguarded at the highest level of sensitivity of the information or assets to which they provide access. This also applies to recorded information that would allow a key to be produced
  2. When a key is issued, the recipient must sign for the key. The number of the key, the location of the container it opens, and the name of the recipient must be recorded and kept by the CSO
  3. The organization's security office must maintain a record of the dates of, and reasons for, all key changes
  4. Assigned keys should be changed:
    • at least every 12 months
    • when those with access to the container are transferred, released or no longer require access

    The key must be changed immediately when a container has been or may have been compromised.

Precautions during use

Special care must be taken to safeguard against disclosure or unauthorized access when protected and classified information and assets are removed from approved storage containers. Specific points to observe are:

  1. do not leave protected and classified information and assets unattended
  2. ensure that protected and classified information and assets cannot be viewed, or discussion of it overheard, by persons not possessing reliability screening or the appropriate level of clearance or without a need-to-know

505. Use of laptop computers

1. If laptop computers are utilized for protected or classified information, they must not be removed from the organization that holds the facility security clearance (FSC) or designated organization screening (DOS). If such laptops need to be transported, written permission must be obtained from the CSO or an ACSO by completing the Annex 5-D: Appendix A-1—Courier certificate/itinerary form.

2. Storage of laptop computers used to handle protected or classified information must be in accordance with security procedures established by the organization for the level of sensitivity of the information.

506. Packaging and transmittal of classified and protected information and assets

1. The security of protected and classified information and assets during transmission depends on:

  1. proper packaging
  2. record while in transit
  3. record of delivery
  4. transmission by an approved postal service or security-cleared courier. Contact international contract security regarding approved postal services and security-cleared couriers

2. Protected and classified information and assets must be packaged and transmitted in accordance with the standards outlined in Annex 5-C: Standard for the transmittal of classified and protected information and assets.

3. In addition, specific procedures for the hand carriage of and/or bulk shipment of specific protected and classified information and assets are necessary. These procedures are detailed in the following annexes and appendices:

507. Temporary removal of classified and protected information and assets

1. Protected and classified information and assets cannot be removed from an organization, for transportation or use outside of Canada, without the prior approval of PSPC's CSP.

2. In Canada, with the exception of Top Secret, Protected C and COMSEC material, protected and classified information and assets may be taken temporarily from an organization. Written permission must be obtained from the CSO or an authorized ACSO by completing the Annex 5-D: Appendix A-1—Courier certificate/itinerary form.

3. The CSO or ACSO must record, and obtain a receipt for the information and assets to be removed.

4. If protected and classified information and asset removal is authorized for overnight use, the employee must be informed that this does not constitute continued retention authority and the information and assets are to remain in the possession of the employee at all times.

5. The CSO or ACSO must account for and record the material upon its return, and give the employee a receipt for the returned material.

508. Reproduction

1. Reproductions of protected information must be marked in the same manner as the originals. Reproduction of classified information must only be done with the authorization of the CSO, or an authorized ACSO. Reproductions must be marked, registered and accounted for, in the same manner as for the originals.

2. Some classified information bears a caveat prohibiting or restricting reproduction. In such cases, authorization of the originator is required before reproduction. Protected C, Top Secret, and COMSEC information must never be reproduced without written authorization from PSPC.

3. Special precautions must be taken with the use of photocopy machines. Notices concerning the proper procedures for reproduction of information must be placed in an obvious place close to each machine. Care should be taken to ensure that original documents are not left in the machine, and all copies, including waste, are removed.

4. Contracts for printing and microfiching of protected and classified documents must only be awarded to commercial firms that have the appropriate level of DOS or FSC.

509. Reclassification and declassification

1. Documents whose classification markings include a schedule for downgrading or declassification may be downgraded or declassified in accordance with the schedule, unless in receipt of notification to the contrary. Documentation that does not contain such provisions may only be downgraded or declassified upon receipt of written authorization from the originator through PSPC's CSP.

2. When an organization considers that foreign or North Atlantic Treaty Organization (NATO) classified information should be downgraded or declassified, it must submit a written request to international contract security with full details, including justification.

3. When official notification is received from PSPC's CSP authorizing the reclassification of a document, all copies must be re-marked with the new classification as follows:

Declassified
or
Downgraded to (insert new classification)
or
Upgraded to (insert new classification)
by authority of Public Services and Procurement Canada letter dated (insert date)
or
by authority of Security Requirements Checklist dated (insert date)
or
by authority of contract dated (insert date)

510. Retention

1. When a bid is not accepted, or upon completion or termination of the contract, protected and classified material and assets must be returned to PSPC's CSP for disposal or, with the written concurrence of PSPC, be destroyed by the organization or returned to the originator. Upon request, organizations may be authorized to retain such material when approved by the originator through PSPC's CSP.

2. Requests for retention authority must identify:

If the organization has been authorized to retain protected and classified information for a specific period after contract completion, details of this authorization must be included with the retention request.

3. Unless the retention authority is received in writing, disposal of protected and classified information must be made in accordance with the provisions of this manual and instructions from PSPC's CSP.

511. Destruction

1. Unless otherwise specified, Protected C, Top Secret, COMSEC and foreign classified information and assets must be returned to PSPC's CSP for disposal.

2. Unless otherwise specified, Protected A and B, Secret and Confidential information and assets, of Canadian origin, may be destroyed by the organization with the approval of PSPC.

Note: Destruction of classified information and assets must be recorded on a certificate of destruction form, a copy of which must be forwarded to PSPC's CSP Document Control Unit (DCU) at tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca.

3. Protected and classified information and assets that have been authorized for destruction must be disposed of in accordance with the following:

  1. it must be destroyed only by approved destruction equipment, or at a facility authorized by PSPC
  2. information awaiting destruction or in transit to destruction must be safeguarded in the manner prescribed for the most highly protected and classified information asset involved
  3. protected and classified information and assets awaiting destruction must be kept separate from other information and assets awaiting destruction
  4. an employee with a reliability status or with a proper security clearance, as applicable, must be present to monitor the destruction of protected and classified information respectively
  5. surplus copies and waste that could reveal protected and classified and information must be protected to the appropriate level and should be promptly destroyed

512. Security violations, breaches, and compromises

1. Organizations must establish a procedure to ensure that suspected or actual violations of security, breaches and compromises are recorded and immediately reported to the CSO. Records should be kept by the organization for a period of 2 years following the incident and are subject to inspection by the field industrial security officer.

2. Upon receipt of such a report, the CSO must immediately conduct a preliminary inquiry into the incident to determine all of the circumstances, including:

  1. What, where and when did the incident occur?
  2. Who reported it, to whom, and when?
  3. What information or asset was involved (in detail)?
  4. What was the security marking and description of the information or asset involved?
  5. Who originated the information or asset?
  6. When, for how long, and under what circumstances was the information or asset vulnerable to unauthorized disclosure, and to whom?
  7. What actions were taken to secure the information or asset and limit the damage?
  8. Is any information or asset lost or unaccounted for?

3. When the results of the preliminary inquiry indicate a suspected or actual breach or compromise of information and assets, PSPC's CSP is to be immediately notified by the CSO. A full report covering the preliminary inquiry and any subsequent investigative results are to be forwarded to PSPC's CSP as soon as possible.

513. Verbal and message communication

1. Unprotected telephones or facsimiles are not to be used to communicate classified or sensitive information. Requirements for secure telephones or facsimiles must be coordinated through the Communications Security Establishment (CSE).

2. Any conference rooms used for discussion of classified matters should be:

  1. a sensitive discussion area located in a security zone or high-security zone
  2. safeguarded against acoustic or electronic eavesdropping and should not contain items such as:
    1. telephones
    2. intercoms
    3. radios
    4. tape recorders

Chapter 5: Annexes

Annex 5-A: Registering a document for equipment purchase form

From (complete mailing address)
From (complete shipping address)
Item

Terms and conditions

Suspected or actual compromise
All suspected or actual compromises of security equipment experienced by authorized users are to be reported immediately to the Public Services and Procurement Canada's (PSPC) Contract Security Program (CSP).
Equipment approval level changes
Authorized users will be notified by their field industrial security officer (FISO) of any changes to the level of classification, i.e.: upgrading/downgrading of equipment.
Maintenance
The Royal Canadian Mounted Police (RCMP), in tandem with the FISO, are to provide maintenance of security equipment through their own resources by utilizing locksmiths specifically authorized by them.
Inspection
Periodic inspections may be conducted by the RCMP and/or PSPC's CSP to ensure that security equipment is operational and has not been modified. When new contracts are to be awarded to organizations who already possess security equipment, the equipment may require to be inspected and/or certified by the RCMP or PSPC's CSP.

Agreement

agree to the terms and conditions outlined in this registering document. This certifies that I have signing authority.

Confirmation (internal use)
Signed on

Public Services and Procurement Canada - Canadian Industrial Security Directorate

Annex 5-B: Approved equipment available for purchase by organizations

Most requested security equipment

Filing cabinet with integral combination lock—Lateral (2-drawer)

Description
Security steel, cap, filing cabinet with integral combination lock—lateral (2-drawer)
Model
global model FG36-2FCL
Dimensions
36 inches wide, 18 inches deep, 26.625 inches high
North Atlantic Treaty Organization (NATO) stock number
7110-20-002-8735

Filing cabinet with integral combination lock—Lateral (4 drawer)

Description
Security steel, cap, filing cabinet with integral combination lock—lateral (4 drawer)
Model
global model FG36-4FCL
Dimensions
36 inches wide, 18 inches deep, 26.625 inches high
NATO stock number
7110-20-002-8736

Filing cabinet—Security cabinet (2-drawer safe)

Dimensions
19 inches wide, 28 inches deep, 27.375 inches high
Weight
250 pounds
NATO stock number
7110-21-852-6693

Filing cabinet—Security cabinet (4-drawer safe)

Dimensions
19 inches wide, 28 inches deep, 51.375 inches high
Weight
450 pounds
NATO stock number
7110-21-852-6695

Locker safe

Dimensions
23.125 inches wide, 32.5 inches deep, 51.625 inches high
Weight
400 pounds (without cabinet)
NATO stock number
7110-21-108-0743

Note
Four drawer filing cabinet insert for locker safe is also available.

Annex 5-C: Standard for the transmittal of classified and protected information and assets

Preparation for transmittal

Protected and classified information must be prepared for transmittal in the following manner:

  • components too large to be wrapped or too large to be hand carried may be transported in crates or sealed containers within a locked vehicle or container that is escorted and denies visual access from the outside. Shipments of this nature must be approved by the Public Services and Procurement Canada (PSPC) Contract Security Program (CSP) on a case-by-case basis (refer to Annex 5-E in this chapter)
  • for classified or Protected C information and assets, enclose a self-addressed receipt in the inner envelope or wrapping and close the inner envelope or wrapping with an approved security tape. The inner envelope or wrapping must bear the security marking and the recipient's address. For shipments of large components, contact PSPC's CSP for approved sealing methods
  • envelopes or wrapping used to prepare classified and protected information for transmittal must be of heavy-duty paper which will withstand rough handling
  • record Top Secret information and assets before they are sent outside a security zone
  • notify intended recipients of Top Secret information and assets in advance of shipment
  • when double enveloping information and assets for transmission, the inner but not the outer envelope must be security marked. Address the inner envelope and, if appropriate, it should be marked "to be opened only by". Upon receipt, sealing devices and wrapping should be examined and any tampering reported to the company security officer and, if compromise is suspected, to PSPC's CSP

Methods of preparation and transmittal

The following charts depict the authorized means for the preparation and transmittal of information and assets.

Note
Transmittal outside of Canada must be through PSPC's CSP, except where PSPC's CSP or a contract, program, project, or memorandum of understanding specifically authorizes hand carriage or escort. PSPC's CSP will provide instructions on a case-by-case basis.

Methods of Preparation of protected and classified Information
Category To and from
points		 Preparation
envelopes		 Preparation
seals
1 2 Gum Government approved security tape
Protected "A" Within building x n/a x n/a
Within Canada x n/a x n/a
Other countries x n/a x n/a
Protected "B" Within building x n/a x n/a
Within Canada x n/a x n/a
Other countries x n/a x n/a
Protected "C" Within building n/a x x n/a
Within Canada n/a x x x
Other countries n/a x x x
North Atlantic Treaty Organization (NATO) and Foreign Restricted Within building x n/a x n/a
Within Canada x n/a x n/a
Other countries x n/a x n/a
Confidential (including NATO) Within building n/a x x n/a
Within Canada n/a x x x
Other countries n/a x x x
Secret (including NATO) Within building n/a x x n/a
Within Canada n/a x x x
Other countries n/a x x x
Top Secret (including NATO) Within building n/a x x x
Within Canada n/a x x x
Other countries n/a x x x
Methods of Transmittal of protected and classified Information
Category To and from points First class mail Priority courier Security regular mail Courier (table 2 note 3) (table 2 note 4) (Contact PSPC's CSP) Locked case
(table 2 note 1) (table 2 note 2)		 Through PSPC's CSP
Protected "A" Within building n/a n/a n/a table 2 note 5 n/a n/a
Within Canada n/a x x table 2 note 3/table 2 note 4/table 2 note 5 n/a n/a
Other countries x x x n/a n/a n/a
Protected "B" Within building n/a n/a n/a table 2 note 3/table 2 note 5 n/a n/a
Within Canada n/a x x table 2 note 3/table 2 note 4/table 2 note 5 n/a n/a
Other countries n/a n/a n/a n/a n/a x
Protected "C" Within building n/a n/a n/a table 2 note 3 n/a n/a
Within Canada n/a x x table 2 note 3/table 2 note 4 n/a n/a
Other countries n/a n/a n/a n/a n/a x
NATO Within building n/a n/a n/a table 2 note 3 n/a n/a
Within Canada n/a x x table 2 note 3/table 2 note 4 n/a n/a
Other countries n/a n/a n/a n/a n/a x
Confidential (including NATO) Within building n/a n/a n/a table 2 note 3 n/a n/a
Within Canada n/a x x table 2 note 3/table 2 note 4 table 2 note 1 n/a
Other countries n/a n/a n/a n/a n/a x
Secret (including NATO) Within building n/a n/a n/a table 2 note 3 n/a n/a
Within Canada n/a x x table 2 note 3/table 2 note 4 table 2 note 1 n/a
Other countries n/a n/a n/a n/a n/a x
Top Secret (including NATO) Within building n/a n/a n/a table 2 note 3 table 2 note 2 n/a
Within Canada n/a x x table 2 note 3/table 2 note 4 table 2 note 2 n/a
Other countries n/a n/a n/a n/a n/a x

Table 2 Notes

Table 2 Note 1

When hand carried: locked case.

Return to table 2 note 1 referrer

Table 2 Note 2

When hand carried: approved locked case.

Return to table 2 note 2 referrer

Table 2 Note 3

A reliability screened/security cleared individual employed by the dispatching/receiving Facility Security Cleared Canadian organization.

Return to table 2 note 3 referrer

Table 2 Note 4

A reliability screened/security cleared individual employed by an approved facility security cleared commercial carrier (contact PSPC's CSP).

Return to table 2 note 4 referrer

Table 2 Note 5

An individual employed with the organization.

Return to table 2 note 5 referrer

Annex 5-D: Arrangement for the hand carriage of classified/Protected B documents, equipment and/or components within Canada

1. Special hand carriage arrangements may be approved to meet an urgent need for the transport of Protected B and classified documents in Canada, in connection with a Government of Canada project, program or contract. The company security officer (CSO) must approve each need on a case-by-case basis.

Note

The documentation necessary for the hand carriage is included as Appendix A to this annex and comprises:

  1. Courier certificate/itinerary form
  2. Notes for the courier
  3. Pre-trip declaration form
  4. Post-trip declaration form

2. The arrangements in this section apply to the hand carriage of Protected B and classified documents, equipment and/or components by an authorized individual only when they can maintain personal control over them at all times. The highest level of security must not exceed Protected B/Secret. The owning government or agency must authorize the release of the documents or equipment in conjunction with the project, program or contract.

3. The documents, equipment and/or components must be of such size, weight and configuration that they can be hand carried.

4. The authorized individual must be a permanent employee of the dispatching or receiving company.

5. The authorized individual must have been granted a reliability status/personnel security clearance to at least the level of the Protected B/classified document(s) which is/are to be hand carried.

6. Before the start of each journey, the CSO must brief the authorized individual on these arrangements. The authorized individual must read and sign the declaration indicating that they have been briefed and have read and understand the notes for the courier. A record that the authorized individual has signed the declaration must be maintained for a minimum of 12 months after each trip.

7. The authorized individual must be provided with a courier certificate and a copy of the notes for the courier.

8. The authorized individual must be made aware that the non-fulfilment of their obligation to safeguard the Protected B/classified information contained in the consignment entrusted to them and/or any other negligent action chargeable to them that gives rise to a security breach, will constitute not only a matter of contractual obligation but also a matter of possible penal responsibility. In the event of a breach by the individual, the dispatching organization must carry out an investigation and report their findings to the Public Services and Procurement Canada's (PSPC) Contract Security Program (CSP). Legal action may follow as appropriate.

9. Courier certificates must be numbered sequentially by the CSO for tracking purposes. The CSO may deliver to their alternate company security officer(s) (ACSO) a limited number of pre-numbered courier certificates, according to the foreseeable needs of the organization for a reasonable period of time, which the ACSO may personally authorize for use for hand carriage of documents.

10. At the end of each trip, the authorized individual must sign a post-trip declaration certifying that no situation occurred that may have compromised the security of the consignment during the journey.

11. The dispatching CSO must make out 3 copies of a receipt, listing the Protected B/classified documents to be hand carried by the authorized individual. The dispatching CSO must retain 1 copy and pack the other 2 copies with the Protected B/classified documents or equipment. The documents or equipment must be wrapped, sealed and placed in a container, approved by PSPC's CSP authorities, by or in the presence of the CSO or an ACSO.

12. In those cases where the authorized individual is merely acting as a courier, the addresses of the security officer of the receiving and dispatching organization must be shown on the inner and outer envelope or wrapping.

13. The security officer of the dispatching organization must obtain a receipt for the sealed packages from the authorized individual.

14. The authorized individual is responsible for the safe custody of the Protected B/classified documents and/or equipment until such time as they have been returned or handed to the CSO or a designated government representative and a receipt has been provided as evidence of delivery.

15. In those cases where the authorized individual is merely acting as a courier, the receiving CSO, or the designated government representative, must sign both copies of the receipt in the package. One copy must be returned to the courier. On their return, the authorized individual must provide the completed receipt to their CSO. The second copy of the receipt must be kept by the receiving CSO for a period of 2 years.

16. The receipt, which is packed with the Protected B/classified documents and/or equipment, must contain the following details, as applicable:

  1. exact description of the Protected B/classified documents and/or equipment (originating organization, date of issue, level of security, copy number, registry reference number and number of pages, including annexes), where applicable
  2. date and time of handing over of the package to the addressee
  3. name and position or appointment of the authorized individual that signed the receipt
  4. signature of the recipient

17. In those cases where the authorized individual is acting as a courier, the dispatching CSO must notify the receiving CSO or government representative of the anticipated date and time of their arrival. If the courier has not arrived within 8 hours of the expected time of arrival, the receiving CSO or government representative must conduct an initial investigation and notify PSPC's CSP if the reason for the delay cannot be determined.

18. Throughout the journey, the Protected B/classified documents/equipment must remain under the direct personal control of the authorized individual.

19. The authorized individual must comply with official requests to open Protected B/classified consignments by public officials (like RCMP or military police). When inspection is unavoidable, care must be taken to only show sufficient parts of the contents of the consignments to enable the officials to determine that the consignment does not contain any items other than those reported.

  1. In cases where the consignment is opened, to comply with a request by public officials, the courier must notify their CSO who must notify PSPC's CSP
  2. Under no circumstances must the consignment be surrendered to public officials

20. When carrying Protected B/classified assets under these arrangements, the courier must not travel by surface or air routes outside of Canada.

Annex 5-D: Appendix A-1-Courier certification/itinerary form

Courier certificate

Courier itinerary

Name and signature of company security officer

Annex 5-D: Appendix A-2-Notes for the courier

The following are notes to the courier for the hand carriage of Protected B and/or classified documents, equipment and/or components within Canada.

Notes for the courier

You have been appointed to hand carry a Protected B or classified consignment. Your courier certificate has been provided. Before starting your journey, you will be briefed on the security regulations governing the escorting of this consignment and on your security obligations during the specified journey (like behaviour, itinerary and schedule). You will also be requested to sign a declaration that you have read and understand and will comply with prescribed security obligations.

The following general points are brought to your attention:

  1. You will be held liable and responsible for the consignment described in the courier certificate
  2. Throughout the journey, the consignment must remain under your control
  3. You must not be open the consignment en route except in the circumstances described in paragraph 7 below
  4. You may not discuss or disclose the consignment in any public place
  5. You must not, under any circumstances, leave the consignment unattended. During overnight stops, you may utilize military facilities or Public Services and Procurement Canada's (PSPC) Contract Security Program (CSP) approved industrial facilities having appropriate security clearance. Your company security officer (CSO) will instruct you on this matter
  6. In cases of emergency, you must take such measures as you consider necessary to protect the consignment, but on no account will you allow the consignment out of your direct personal control unless secured in accordance with paragraph 5 above. Refer to paragraph 9 below for instructions on how to contact the security authorities
  7. If unforeseen circumstances make it necessary to transfer the consignment to someone other than scheduled designated representatives, you must only give it to individuals authorized by 1 of the points of contact listed in paragraph 9 below.
    1. There is no assurance of immunity from search by police and other public officials; therefore, should such officials inquire into the contents of the consignment, show them your courier certificate and this note and insist on showing them to a senior official. If the senior official demands to see the actual contents of the consignment, you may open it in their presence, but this should be done in an area out of sight of the general public
    2. You must take precautions to show officials only as much of the contents as will satisfy them that the consignment does not contain any other item and ask the official to re-pack or assist in re-packing it immediately upon completion of the examination
    3. You must request the senior official to provide evidence of the opening and inspection of the packages by signing and sealing them when closed and by confirming in the shipping documents (if any) that the consignment has been opened.
      1. If you have been required to open the consignment under such circumstances as the foregoing, you must notify the receiving CSO, who in turn will notify PSPC's CSP
    4. Under no circumstances will the consignment be turned over to public officials for their custody without prior approval of PSPC's CSP
  8. Upon your return, you must produce a bona fide receipt for the consignment signed by the security officer of the company or agency receiving the consignment
  9. To request assistance along the route you may contact (the):
    1. dispatching CSO
    2. receiving CSO (if applicable)
    3. other officials (if applicable)

Annex 5-D: Appendix A-3-Pre-trip declaration form

Courier information

Pre-trip declaration

The company security officer of the

has briefed me on the hand carriage arrangements and handed to me the notes to the courier concerning the handling and custody of Protected C, Confidential or Secret material to be escorted by me. I have read and understood their contents.

Witnessed by

To be retained by company security officers.

Annex 5-D: Appendix A-4-Post-trip declaration form

Note
Sign this form at the end of your journey.

Post-trip declaration

I declare in good faith that, during the journey covered by this courier certificate number
I am not aware of any occurrence or action, by myself or by others that could have resulted in the compromise of the consignment.

Witnessed by

Annex 5-E: Arrangements for escorting Secret, Confidential or Protected C bulk shipments within Canada that cannot be hand carried

The following are arrangements for escorting Protected C, Confidential, and Secret bulk shipments within Canada that cannot be hand carried.

Arrangements

1. Unless otherwise specified in a contract, the following arrangements must be used with the approval of the company security officer (CSO), on a case-by-case basis, for transporting Protected C, Confidential, and Secret bulk shipments within Canada. These arrangements do not apply to the shipment of Top Secret material (contact Public Services and Procurement Canada's (PSPC) Contract Security Program (CSP) for direction on bulk shipments of communication security (COMSEC) material).

2. The arrangements in this section apply to the escorting of Protected C, Confidential, and Secret documents, equipment and/or components (material) by an authorized individual only when they can maintain control over them at all times.

  1. If the material is of a size, bulk, weight, or nature that precludes the use of envelopes for packaging, other materials must be used for packaging that are of such strength and durability that they provide the necessary protection while the material is in transit. To prevent items from breaking out and to facilitate the detection of tampering, puncture resistant material must be used for packaging. As long as the material is enclosed in a double container, the material may be wrapped or boxed in paper, wood, metal, or a combination thereof. The inner package must be addressed, return addressed, and plainly marked with the highest level of security of the contents and any appropriate warning notices. The outer container must be addressed, return addressed, and carefully sealed with no markings to indicate that the contents are Protected C, Confidential, and Secret
  2. If the Protected C, Confidential, and Secret material is an internal component of a packageable item of equipment with an outside shell or body which is not protected or classified and completely shields the internal components from view, the shell or body may be considered as the inner container. The shell or body must be marked with the level of security of the equipment, but the address and return address may be omitted. The outer container must be addressed, return addressed, and sealed with no markings or notations to indicate that the contents are Protected C, Confidential, and Secret
  3. If the Protected C, Confidential, and Secret material is an inaccessible internal component of a bulky item of equipment that is not reasonably packageable, such as a missile, no inner container is required and the outside shell or body may be considered as the outer container, if it is unclassified. If the shell or body is Protected C, Confidential, and Secret, the material must be draped with an opaque covering that will conceal all Protected C, Confidential, and Secret features. The covering must be capable of being secured to prevent inadvertent exposure of the item
  4. If specialized shipping containers, including closed cargo transporters, are used for transmitting Protected C, Confidential, and Secret material, the specialized container may be considered as the outer container. The address may be omitted from the inner and outer container for shipments in full truckload lots, when such an exception is contained in the provisions of the contract or approved by PSPC's CSP. Under no circumstances will the outer container, or the shipping document attached to the outer container, reflect the level of security of the contents or the fact that the contents are Protected C, Confidential, and Secret

3. A sufficient number of escorts must be assigned to each Protected C, Confidential, and Secret shipment to ensure continuous surveillance and control over the shipment while it is in their custody.

4. The authorized individual must be a permanent employee of the dispatching or receiving company.

5. The authorized individual must have been granted a reliability status or personnel security clearance to at least the level of the Protected C, Confidential, and Secret document(s) which is/are to be escorted.

6. Escorts assigned for the safeguarding of security shipments must conduct themselves as follows:

  1. in such a manner that the security of material entrusted to them will not be prejudiced through carelessness, inadvertence, or lack of vigilance
  2. they must possess an identification card that, as a minimum, has the name and a photograph of the escort. The ID card must be carried at all times while having custody of a shipment. The card must be safeguarded and the loss of a card must be reported immediately to the CSO
  3. when the shipment is by rail, escorts must provide continuous observation of the shipment during stops or layovers
  4. when travelling in an escort car accompanying a Protected C, Confidential, and Secret shipment via rail, keep the shipment cars under observation and detrain at stops, when practical and time permits, in order to guard the shipment cars and check the cars or container locks and seals. The escort car (after arrangements with the railroad) should be prepositioned immediately behind the car used for the shipment to enable the escort to keep the shipment car under observation
  5. maintain liaison with train crews, other railroad personnel, special police, and law enforcement agencies, as necessary
  6. when escorting Protected C, Confidential, and Secret shipments via motor vehicles, maintain continuous vigilance for the presence of conditions or situations which might threaten the security of the cargo, take such action as circumstances might require to avoid interference with continuous safe passage of the vehicle, check the seals and locks at each stop where time permits, and observe vehicles and adjacent areas during stops or layovers
  7. when escorting shipments via aircraft, provide continuous observation of plane and cargo during ground stops and of cargo during loading and unloading operations. The escort shall not board the plane until after the cargo area is secured. Furthermore, the escort should preferably be the first person to depart the plane in order to observe the opening of the cargo area. Advance arrangements with the airline and airport security are required
  8. notify the receiving CSO by the fastest means available if there is an unforeseen delay en route, an alternate route is used, or an emergency occurs. If appropriate and the security of the shipment is involved, also notify the officials listed at paragraph 9 of the notes for the escort (refer to Annex 5-E, Appendix A-2)

Note: The documentation necessary for escorting is included at appendix A to this annex and comprises the following:

  1. Courier certificate/itinerary form
  2. Notes for the escort
  3. Pre-trip declaration form
  4. Post-trip declaration form

7. Before commencement of each journey, the CSO must brief the escort on these arrangements. The escort must read and sign the pre-trip declaration indicating that they have been briefed and has read and understands the notes for the escort. A record that the courier has signed the declaration must be maintained for a minimum of 12 months after each trip.

8. The authorized individual must be provided with a courier certificate and a copy of the notes for the escort.

9. The escort must be made aware that the non-fulfilment of their obligation to safeguard the Protected C, Confidential, and Secret information contained in the consignment entrusted to them and/or any other negligent action chargeable to them that gives rise to a security breach, will constitute not only a matter of contractual obligation but also a matter of possible legal liability. In the event of a breach by the individual, the dispatching organization must carry out an investigation and report their findings to PSPC's CSP.

10. At the end of each trip the authorized individual must sign a pre-trip declaration certifying that no situation occurred that might have compromised the security of the consignment during the journey.

11. The dispatching CSO or alternate company security officer (ACSO) must make 3 copies of a receipt, listing the Protected C, Confidential, and Secret material to be escorted by the authorized individual. The dispatching CSO or ACSO must retain 1 copy and must pack the other 2 copies with the Protected C, Confidential, and Secret material. The material must be wrapped, sealed and placed in a container, approved by PSPC's CSP authorities, by or in the presence of the CSO or ACSO.

12. Where multiple package shipments are involved, the outer wrapper of the packages must be marked beginning with package number 1 followed by the total number of packages comprising the shipment (for example, a shipment of 3 packages must show "1 of 3," "2 of 3" and "3 of 3").

13. The security officer of the dispatching organization must:

  • instruct the authorized individual in all of his duties
  • ensure that they understand them
  • complete the declaration described in paragraph 8 above

14. The security officer of the dispatching organization must obtain a receipt for the sealed packages from the authorized individual.

15. The authorized individual will be responsible for the safe custody of the Protected C, Confidential, and Secret material until such time as they have been handed over to the CSO or ACSO or a designated government representative and a receipt has been provided as evidence of delivery.

16. The receiving CSO, ACSO or a designated government representative must sign both copies of the receipt. One copy must be returned to the authorized individual. On their return the individual must provide the completed receipt to their CSO or ACSO. The second copy of the receipt must be kept by the receiving CSO or ACSO for a period of 2 years.

17. The receipt, which is packed with the Protected C, Confidential, and Secret material, must contain the following details:

  1. exact description of the Protected C, Confidential, and Secret material (originating organization, date of issue, level of security, copy number, registry reference number and number of pages, including annexes), where applicable
  2. date and time of handing over of the material to the addressee
  3. name and position or appointment of the individual that signed the receipt
  4. signature of the recipient

18. The dispatching CSO must notify the receiving CSO or designated government representative of the anticipated date and time of the escort's arrival. If they have not arrived within 8 hours of the expected time of arrival, the receiving CSO or designated government representative must conduct an initial investigation and notify PSPC's CSP if the reason for the delay cannot be determined.

19. The courier's attention must be brought to the document entitled, notes for the escort, to point out what is expected of them should a public official (like RCMP or military police) demand that the shipment be opened for examination.

20. When escorting Protected C, Confidential, and Secret assets under these arrangements, the escort must not travel by surface routes outside of Canada.

Annex 5-E: Appendix A-1-Courier certification/itinerary form

You may complete this form on-screen or by hand. Select the "Print" button at the bottom of this page.

Courier certificate

This is to certify that the bearer
born on
identity card number
issued by
on
and employed with
is authorized to escort on the journey detailed below, the following consignment:

Courier itinerary

From
To
Authorized stops (required)

Do you authorize any stops?

Company security officer authorization

Annex 5-E: Appendix A-2-Notes for the escort

The following are notes for the escort of Protected B and/or classified documents, equipment, and/or components within Canada that are such size, weight and configuration that they cannot be hand carried.

Notes for the escort

You have been appointed to escort a Protected B and/or classified consignment. Your courier certificate has been provided. Before starting your journey, you will be briefed on the security regulations governing the escorting of this consignment and on your security obligations during the specified journey (for example: behaviour, itinerary and schedule). You will also be requested to sign a declaration that you have read and understand and will comply with prescribed security obligations.

The following general points are brought to your attention:

  1. You will be held liable and responsible for the consignment described in the courier certificate
  2. Throughout the journey, the consignment must remain under your control
  3. You must not open the consignment en route except in the circumstances described in paragraph 7 below
  4. You must not discuss or disclose the consignment in any public place
  5. You must not, under any circumstances, leave the consignment unattended. During overnight stops, you may be utilize military facilities or International Industrial Security Directorate (IISD) approved industrial facilities having appropriate security clearance. Your company security officer will instruct you on this matter
  6. In cases of emergency, you must take such measures as you consider necessary to protect the consignment, but on no account may you allow the consignment out of your direct personal control unless secured in accordance with paragraph 5 above
  7. If unforeseen circumstances make it necessary to transfer the consignment to other than scheduled designated representatives, you must only give it to individuals authorized by 1 of the points of contact listed in paragraph 9.
    1. There is no assurance of immunity from search by police and other public officials; therefore, should such officials inquire into the contents of the consignment, show them your courier certificate and this note and insist on showing them to a senior official. If the senior official demands to see the actual contents of the consignment, you may open it in their presence, but this must be done in an area out of sight of the general public
    2. You should take precautions to show officials only as much of the contents as will satisfy them that the consignment does not contain any other item and ask the official to re-pack or assist in re-packing it immediately upon completion of the examination
    3. You should request the senior official to provide evidence of the opening and inspection of the packages by signing and sealing them when closed and by confirming in the shipping documents (if any) that the consignment has been opened
    4. If you have been required to open the consignment under such circumstances as the foregoing, you must notify the receiving company security officer, who in turn must immediately notify IISD
    5. Under no circumstances may the consignment be turned over to public officials for their custody without prior approval of IISD
  8. Upon your return, you must produce a bona fide receipt for the consignment signed by the security officer of the company or agency receiving the consignment
  9. To request assistance along the route you may contact the:
    1. dispatching company security officer
    2. receiving company security officer (if applicable)
    3. other officials (if applicable)

Annex 5-E: Appendix A-3-Pre-trip declaration form

Courier information

Declaration

The company security officer of the

has briefed me on the escorting arrangements and handed to me the notes to the escort concerning the handling and custody of Protected C, Confidential or Secret material to be escorted by me. I have read and understood their contents.

Witnessed by

To be retained by company security officer

Annex 5-E: Appendix A-4—Post-trip declaration form

Note
Sign this form at the end of your journey.

Post-trip declaration

I declare in good faith that, during the journey covered by this courier certificate number,
I am not aware of any occurrence or action, by myself or by others that could have resulted in the compromise of the consignment.

Witnessed by

Chapter 6: Classified visit clearance protocol for Canadian-based industry

600. General

  1. A request for visit (RFV) is required when a security-cleared individual has to visit a government or private sector organization in Canada or abroad, other than the site of the organization where he or she is employed, for the purpose of having access to classified information on an oral or visual basis or where access to installations is restricted in the interest of national security. The host private sector organization must deny access to classified information or access to a controlled site, unless the visitor's personnel security clearance level and their need-to-know has been verified through official visit protocol. Follow the procedures detailed in this chapter to prevent the unauthorized access to or disclosure of national or international classified information
  2. Canada has adopted a new Request for visit form for both domestic and international requests for visits. The form is used by the members of the Multinational Industrial Security Working Group (MISWG) and by the North Atlantic Treaty Organization (NATO) for visits related to international contracts and programs.

    Note: Use the form when visits involve access to classified information. You may also use the form when visits involve protected information as required. Detailed instructions are included in the form.

  3. In Canada, a RFV initiates a verification by the Contract Security Program (CSP) that:
    1. the private sector organization requesting the visit has a facility security clearance to the required level
    2. each of the proposed visitors has a personnel security clearance to the required level
    3. foreign disclosure limitations (refer to Chapter 11: International security issues), if any, are identified and strictly observed in accordance with international agreements and specific contracts
  4. In Canada, a RFV is approved (visit authorized) when the requesting private sector organization is notified by the CSP. (The only exception is for certain visits between Canadian-based private sector organizations as detailed in section 604, type 1, article 1a of this chapter.) Visitors must receive authorized clearance before they can proceed with visits involving access to classified information and/or assets
  5. It is important to note that an approved RFV authorizes access to classified information on an oral and visual basis only. It does not authorize the removal or hand carriage of classified materiel (refer to Chapter 5: Handling and safeguarding of classified and protected information and assets of this manual for advice on the removal or hand carriage of classified material). Any access or disclosure limitations prescribed in the visit clearance authorization must be strictly observed

601. Types of requests for visits

One-time visit

A one-time visit authorizes a single visit for a specified continuous period of time. It is not renewable.

Recurring visit

A recurring visit authorizes a series of visits over an extended period of time.

In addition, recurring visits:

602. Mandatory prerequisites

  1. As a prerequisite, all private sector organizations requesting a visit for access to classified information, must hold a current facility security clearance at or above the classification level of the requested visit. In addition, each person involved must hold a personnel security clearance at or above the classification level of the requested visit, before the request will be actioned
  2. Foreign nationals residing in Canada who work for a cleared Canadian private sector organization, must hold a Canadian personnel security clearance before the CSP will approve a visit to other countries or to other Canadian private sector organizations
  3. Foreign nationals visiting a Canadian private sector organization on an approved international RFV are not eligible for inclusion in a Canadian request for visit to another Canadian private sector organization. The CSP will entertain exceptions, on a case-by-case basis, given proper justification and details. Under no circumstances may such visitors be included on Canadian request for visits to other countries

603. Categories of requests for visits

The following 6 categories of visits exist in Canada:

Category I

Visits by representatives of:

This category also covers project lists and Canadian Forces Technical Services Agency (CFTSA) lists.

Category II

Visits by representatives of (the):

Category III

Visits by representatives of (the):

Category IV

Visits by representatives of:

Category V

Visits by representatives of:

Category VI

Visits authorized under:

604. Information requirements for requests for visits (by category)

Category I

There are 3 types of category I RFVs within Canada (domestic):

Type 1: Canadian private sector organization-to-private sector organization visits
  1. Company security officers of registered Canadian private sector organizations are authorized to submit RFVs directly to other Canadian private sector organizations for their employees who hold a Canadian personnel security clearance at the required level. However, the CSP must process requests for visits involving:
    1. foreign nationals, even though they may hold Canadian personnel security clearances with limitations
    2. access to, or disclosure of, classified information requiring special access authorization, for example:
      • communications security (COMSEC)
      • extremely sensitive information security (INFOSEC)
      • NATO
      • other special-access or limited-access programs
  2. Procedures for processing type 1 request for visits:
    1. requests must be submitted in writing, and include all of the information that appears on the Request for visit form, plus confirmation from the requesting company security officer, that their organization holds a valid facility security clearance. Company security officers are encouraged to make use of the request form for this purpose. Each visit must have a unique identification or serial number
    2. the request for visit may be submitted by email, mail, fax or courier. Learn how to submit requests, forms and other documents for contract security
    3. the request for visit must reach the host private sector organization at least 10 days in advance of the intended visit:
      • in exceptional or emergency cases, visit arrangements may be made by telephone, provided all details are confirmed in writing
      • under no circumstances may employees hand carry their own visit requests to the place being visited
    4. verification must be obtained from the CSP, if either the originating or host private sector organization's company security officer is uncertain about the nature of the visit or the facility security clearance of the other private sector organization
    5. any loss or lowering of facility security clearance by either private sector organization must immediately be made known to the company security officer of the other private sector organization
    6. the company security officer initiating the request must immediately notify the host private sector organization of any change in a visitor's status, such as termination of employment, suspension, leave of absence, and the revocation or termination of clearance, which will require the visit authorization to be terminated prior to its normal termination date
    7. the company security officer of the host private sector organization is authorized to approve the request provided all necessary conditions are met. The officer is encouraged to confirm approval of the visit to the requesting company security officer, either orally or in writing. If the visit is not approved (denied), the company security officer who made the decision must promptly notify the requesting company security officer
Type 2: Canadian private sector organizations to Canadian government visits

The Request for visit form must be completed and submitted to the CSP.

Type 3: Canadian government-to-Canadian private sector organization visits
  1. Company security officers of registered Canadian private sector organizations are authorized to process requests directly from departmental security officers of government departments and agencies, to visit Canadian private sector organizations by their employees who hold Canadian personnel security clearances at the required level and have a legitimate need to discuss their classified contracts
  2. Procedures for processing type 3 request for visits:
    1. requests must be submitted in writing, and include all of the information that appears on the Request for visit form. Company security officers are encouraged to request departmental security officers to make use of the request form for this purpose. Each visit must have a unique identification or serial number
    2. the Request for visit form may be submitted by email, mail, fax or courier. Learn how to submit requests, forms and other documents for contract security
    3. requests must reach the host private sector organization at least 10 days in advance of the intended visit:
      • in exceptional or emergency cases, visit arrangements may be made by telephone provided all details are confirmed in writing
      • under no circumstances may employees hand carry their own visit requests to the place being visited
    4. verification must be obtained from the CSP if the host private sector organization's company security officer is uncertain about the nature of the visit or the personnel security clearances of the proposed visitors
    5. the company security officer of the host private sector organization must advise the departmental security officer initiating the request that the officer must immediately notify the host private sector organization of any change in a visitor's status, such as termination of employment, suspension, leave of absence, and the revocation or termination of clearance, which will require the visit authorization to be terminated prior to its normal termination date
    6. the company security officer of the host private sector organization is authorized to approve the request provided all necessary conditions are met. The officer is encouraged to confirm approval of the visit to the requesting department security officer, either orally or in writing; if the visit is disapproved (denied), the company security officer who made the decision must promptly notify the requesting departmental security officer and inform the CSP

Category II, III, IV and V

Category II, III, IV and V requests for visits must be submitted to the CSP using the Request for visit form (refer to instructions which accompany the form).

Category VI

The requirements for processing this category of visits vary according to the specific case. The CSP will notify Canadian private sector organizations of applicable procedures, if and when required.

The Contract Security Program representatives

Notwithstanding the above procedures, industrial security representatives of the CSP who hold the appropriate level of personnel security clearance may visit private sector organizations in an official capacity without having notified, in advance, their intention to visit. The private sector organization must grant the CSP personnel reasonable access to classified information upon presentation of valid Government of Canada credentials. If in doubt as to the identity of the individual or level of access authorized, the company security officer may verify such credentials and level of clearance with the CSP.

605. Lead-time requirements

In most cases, strict lead-times are imposed by clearance-granting authorities. Every effort must be made to ensure that lead-times are observed (refer to Annex 6-B: Lead-time requirements in this chapter), as failure to do so will likely result in rejection of the RFV.

606. Procedures for urgent visits as a result of an invitation

  1. Special procedures exist for processing urgent RFVs through official CSP channels as a result of an invitation from a host private sector organization. Responsibility rests with the requesting organization's company security officer to adequately justify the urgent requirement and to provide all details which will allow the request for visit to be fast-tracked through clearance channels. An example would be an urgent need for field service representatives to repair equipment whose non-serviceability is preventing the continuation of test trials, and thereby affecting the overall progress of a program or contract
  2. Fast-tracking a RFV through the CSP channels requires the following additional information:
    1. written reason (justification) for the urgency
    2. name and telephone number of point-of-contact at the host private sector organization who has requested or invited individuals to visit under the lead-time
    3. statement that the point-of-contact, where appropriate, will approach the clearance-granting authorities of their own country to request that the established lead-time be waived

607. Amendments

  1. When submitting additions or deletions of visitors to approved RFVs, you must include the CSP visit identification number assigned to the original approval
  2. Normally, the purpose or period of a visit cannot be changed by amendment submission, and a new RFV may be required. The company security officer is encouraged to contact CSP's visit clearance unit, prior to submitting these types of amendments

608. Obligation to notify host organization

  1. A request for visit approval constitutes an authority, from a security point of view, for a classified visit to take place. It does not remove the requirement for the private sector organization to seek, as required, visas for the visitors to the appropriate government agency. All administrative arrangements for the visit, including the date and time, must be agreed upon between the two organizations. Notwithstanding formal request for visit authorization, it is essential that the visitor(s) contact the host organization prior to departure to reconfirm the visit arrangements
  2. Visits to foreign countries: There is no fixed requirement for the amount of advance notification of a visit to establishments of foreign organizations, however, a prudent consideration of the distance and cost involved would indicate a minimum of 10 days' notice

609. Host organization responsibilities

  1. Private sector organizations that host classified visits are responsible for ensuring that no unauthorized disclosure occurs during the visit. Access to information classified higher than the level in the visit authorization must not be granted, regardless of the level of the visitor's personnel security clearance. Company security officers must ensure that the procedures detailed in this section are observed
  2. Identification and control of visitors:
    1. private sector organizations being visited must ensure that they are in possession of a RFV, covering the specific purpose of the visit, either from the CSP, or approved by the host company security officer in the case of Canadian private sector organization-to-private sector organization visits. In the case of Canadian private sector organization-to-private sector organization visits, the host company security officer must ensure that the private sector organization requesting the visit has a facility security clearance at the required level. This verification may be based upon an existing contractual relationship involving classified information of the same or higher level, or by reference to the CSP. Once the requesting organization's facility security clearance status has been determined, certification by that private sector organization's company security officer as to the proposed visitor(s)'s personnel security clearance may be accepted
    2. the visitor's identity must be positively verified prior to any disclosure of classified information. If there is any question as to the validity of a visit request or identity of the visitor, confirmation shall be obtained from the CSP
    3. host private sector organizations must ensure that visitors are only afforded access to classified information consistent with the authorized purpose of the visit. Particular care must be taken to ensure that foreign national visitors, whether from abroad or from Canadian private sector organizations, may not have access except as provided for by the terms of the visit authorization. Foreign nationals must be escorted when being afforded access to classified information in accordance with the terms of the visit authorization, and when in areas where classified information may be accessible. The escort must be a responsible, appropriately cleared employee who has been briefed regarding the visitor's access limitations or restrictions on the visitor's movements
    4. classified material must not be released to the visitor for removal from the host private sector organization, except as provided for in this manual
  3. Visitor record:
    1. private sector organizations must maintain a record of all individuals who visit their facility for the purpose of having access to classified information. This record must be separate from the record of unclassified visits, and must indicate the:
      1. visitor's full name
      2. name of the private sector organization, agency or government department that he or she represents
      3. date(s) of their arrival and departure from the facility
      4. approved visit identification number(s)
    2. the visitor record does not need to indicate whether the visitor actually did or did not gain access to classified information. Records of authorized visit requests that have actually taken place must be retained by the host private sector organization for a minimum of 2 years, and are subject to random inspection by the CSP during that period
    3. a separate set of visitor records must be kept for NATO visits. A NATO visit is a visit:
      1. by a person from a foreign country to a Canadian private sector organization in connection with pre-contract negotiations or contract performance on a contract involving NATO classified information
      2. by a person from a NATO agency or NATO command to a Canadian private sector organization in connection with pre-contract negotiations or contract performance on a contract involving NATO classified information
      3. between a Canadian prime contracting private sector organization and a subcontracting private sector organization involving NATO classified information
      4. in which access to NATO classified information has been specifically authorized
    4. the CSP and NATO security office representatives whose requirement for access to NATO classified information is only incidental to the accomplishment of security inspections at the organization's facility, must not be considered to be NATO visitors nor be required to enter their names on NATO visit records

610. Visiting organization responsibilities

Visiting private sector organizations are responsible to ensure that (the):

  1. host private sector organization is given adequate notification of, and has approved the visit
  2. host private sector organization is aware of the purpose and classification level of the visit
  3. visitors are fully briefed on the specific classified information and classification level authorized for disclosure during the visit; this is especially important during foreign visits
  4. visitors only disclose classified information to host organizations that have the applicable level of clearance, and a need-to-know
  5. if visitors are transporting classified material, the procedures detailed in Chapter 5: Handling and safeguarding of classified and protected information and assets of this manual are fully observed
  6. classified material is not left at the host organization except as specifically authorized in accordance with Chapter 5: Handling and safeguarding of classified and protected information and assets of this manual

611. Project lists

  1. The CSP will address when a classified contract or project requires the creation of continuing visitor lists, instead of individual RFVs, on a case-by-case basis, communicating arrangements and authorization to all concerned
  2. Where establishments to be visited under project lists are situated in remote locations requiring special transportation and/or accommodation, care must be taken to ensure that visit approval has been obtained before personnel proceed to the establishment

612. Unclassified visits

  1. For unclassified visits to United States Department of Defence facilities, a visit approval using the Canada and United States Joint Certification Program directly arrangement visit (DAV) process may be required by Canadian private sector organizations for access to certain establishments (refer to Chapter 10: Joint Certification Program of this manual)

Chapter 6 annexes

Annex 6-B: Lead-time requirements

Lead time is made up of the time required by the Contract Security Program (CSP) to process the request plus the time needed by the host government. It begins upon receipt of the request by CSP. Completion of a request for visit for a foreign visit within these lead times is contingent upon timely responses from foreign clearance-granting authorities.

Requests coming from foreign industries, organizations and agencies to Canadian private sector organization must be received by CSP 20 working days prior to the date of the visit.

Table A: Lead time requirements, in working days
From Canadian private sector organizations to: Contract security Program lead time/Department of National Defence lead-time Foreign government lead time Total lead time
Canadian private sector organization (when a private sector organization is requesting the assistance of the CSP 8 n/a 8
Canadian military and government establishments 35 n/a 35
Denmark 8 7 15
Netherlands, New Zealand, Norway 8 10 18
Finland 8 14 22
France 8 15 23
Meetings at North Atlantic Treaty Organizations (NATO) agencies 8 18 26
Belgium, Bulgaria, Germany, Israel, Italy, Spain, Switzerland, United Kingdom 8 20 28
United States 8 21 29
Other nations 8 25 33

December moratorium: United States and German authorities will not normally accept visit requests for a period of four-to-six weeks starting early in December.

Chapter 7: Classified and protected contracts

700. General

1. Contracts or formal agreements will contain security clauses when access to protected or classified information or assets is required. This may include pre-contractual enquiries and negotiations.

There may also be instances whereby the contract or formal agreement (the document) may be marked as protected or classified even though there is no requirement for access to protected or classified information or assets.

2. The security requirements associated with a contract are identified to the contractor in the security requirements checklist (SRCL) issued with bid solicitation documents and subsequent contract, and are contained in one or more security clauses included in the contract document itself. The SRCL, the "Security and Protection of Work" clause contained in the general conditions and any accompanying remarks and security clauses in the contract all form a legally binding part of that contract. Organizations are cautioned to ensure that the provisions and implications of the contract security requirements, including the cost of providing necessary security arrangements, are fully understood before the contract is signed. The onus is on the contractor to determine, by contacting the program management office or the appropriate technical authority, the specific details required when applying the SRCL to the contract.

3. The organization must ensure that a copy of the contract, including the SRCL, is given to the contractor's company security officer (CSO), who is responsible for ensuring that all its requirements are adhered to.

For more information, refer to Chapter 1: General introduction of this manual.

4. Protected or classified information or assets provided by the Government of Canada to contractors must only be provided to contractor personnel who:

  1. are cleared under the contractor's organization
  2. have a need-to-know for the performance of the contract
  3. have the reliability status or security clearance required to access the level of information or assets granted by Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP)

701. Contract responsibility

1. According to Canada's Policy on Government Security, provisions for safeguarding protected and classified information and assets apply equally to both the contracting process and to internal government operations. The policy further states that the contracting authority is responsible for ensuring that contracts involving access to protected and classified information and assets comply with the appropriate requirements and for ensuring that contract documentation includes the necessary clauses.

2. PSPC's CSP is responsible for:

  1. ensuring compliance with the Policy on Government Security in contracts that are outside the delegated contracting responsibilities of departments and providing access to protected and classified assets as well as to critical government assets
  2. on request, ensuring compliance with this policy in contracts that are within delegated contracting responsibilities of departments and providing access to protected and classified assets as well as to critical government assets
  3. screening private sector employees, inspecting the organization's facilities and coordinating inspection or testing of the organization's information technology (IT) facilities

3. Scheduled and unscheduled access by government security inspectors is a normal condition of a contract that requires access to protected and classified information and assets.

702. Contract security instructions

1. The security requirements that apply to a contract will be identified in bid solicitation documents or in any resulting contract. These requirements will be detailed in one or all of the following: the SRCL and accompanying instructions and the security requirements clause or clauses in the bid documents and contract.

2. In cases where, following a review by the department or agency (that is, the office of primary interest, or OPI) with respect to a contract (that is, the client), the OPI determines that a change in the security requirement is necessary:

  1. the contractor will be notified by way of a revised SRCL or revised security clauses, issued under cover of an amended request for proposal or contract amendment
  2. the client will identify the changes in security requirements to the PSPC's CSP, that will issue specific written instructions to the contractor
  3. the contractor's CSO must then ensure that the revised security requirements are met

703. Subcontracts

1. Prime contractors must ensure the secure safeguarding of work assigned to subcontractors.

2. Contractors may subcontract work to only those organizations holding a current designated organization screening (DOS) or a facility security clearance (FSC), of the type and at the level appropriate to the work to be performed under the subcontract. The DOS or FSC must be valid for the specific sites where the work will be performed.

For more information, refer to Chapter 3: Facility security clearances, Part II—Facility security clearance (classified) of this manual.

3. PSPC approval of the subcontractor must be obtained before award of the subcontract. The DOS or FSC for the proposed subcontractor(s) must be verified by PSPC's CSP before bid solicitation documents are issued. Upon receipt of a written registration request and a completed SRCL from the prime contractor, PSPC's CSP will initiate DOS or FSC actions on the potential subcontractor(s).

Refer to Annex 7-A: Instructions for completing the security requirements checklist (SRCL) in this chapter.

4. Contractors must ensure the secure safeguarding of work assigned to subcontractors, and must issue as part of the subcontract either a copy of the SRCL and any additional security guidance that forms an integral part of the prime contract, or a new SRCL and any additional security guidance appropriate to the work covered by the subcontract. A copy of the subcontract containing the SRCL and any additional security guidance, forming part of a subcontract and including the PSPC file number of the prime contract, must be sent to PSPC's CSP.

704. Subcontracting to organizations outside Canada

1. Contractors may not assign a subcontract to organizations located outside of Canada without the prior written approval of PSPC and the PSPC contracting authority. The security status of foreign organizations must be re-verified through PSPC before entering into any commercial commitments. In addition, release authorization must be received through PSPC before the transfer of protected and classified information to a foreign government can take place.

2. Where defence work is carried out in the United States (U.S.), one of the services of the U.S. Armed Forces (for example, Army, Navy or Air Force) must assume security responsibility over the U.S. organization selected. Transmittal of material between the Canadian contractor and the proposed or actual U.S. subcontractor may be necessary. Therefore, it is essential that PSPC's CSP be consulted before award of subcontracts to ensure that the provisions of the U.S.—Canada Industrial Security Agreement are observed. In all cases of subcontracts to U.S. organizations where information is involved, the prime contractor must supply PSPC's CSP with 3 copies of the relevant subcontract together with the SRCL and any additional guidance for the particular subcontract item(s).

For more information, refer to Annex 5-C: Standard for the transmittal of classified and protected information and assets of this manual.

3. Where it is proposed that there be an award of subcontracts containing protected or classified security requirements to the U.S. (for non-defence production), to other North Atlantic Treaty Organization (NATO) member nations or to other foreign governments, the contracting authority and PSPC's CSP must be consulted for guidance and approval before the proposed award

Refer to the procedure outlined in paragraph 4 of section 703. Subcontracts in this chapter.

705. Standing offers

1. A standing offer is not a contract. It is an agreement whereby government departments and agencies may deal directly with suppliers on an as-and-when ordered basis, at a prearranged price, under fixed terms and conditions. Security requirements, such as security screening, may form part of the fixed terms and conditions of the agreement.

2. A call-up (order or requisition) against the standing offer constitutes a contract. Contractors providing goods and services under a call-up against the standing offer must observe the same security measures that are applicable to any other contract of the same security classification. If a contractor is offered a call-up with a security requirement that is at a higher level of security than that which the organization holds at that time, the offer must be declined. In addition, the security requirements identified in the standing offer fixed terms and conditions are the minimum security requirements applicable to all call-ups against that particular standing offer.

706. Publicity

The following security criteria apply to organizations registered in PSPC's CSP and to all contracts, Canadian or foreign, for which PSPC is responsible.

Although having a security status or clearance is not a secret in and of itself, there is an expectation of good judgment regarding sharing that information. Security information must be adequately safeguarded to mitigate the risk that cleared organizations might become targets for security infiltration or terrorism activity:

General information about a contract can be released as this is already public knowledge:

Protected or classified information cannot be made public or advertised in any manner.

707. Release of information to foreign entities

Approval requirement

The release of protected and classified information or assets to foreign countries must comply with Canada's international bilateral security instruments and foreign legislation, and must have the approval of PSPC's CSP.

Procedures

Requests must be reviewed by PSPC's CSP to ensure adherence to Policy on Government Security and to international bilateral security instruments with Canada. Where Canadian, foreign, NATO or European Union classified information must be released to foreign entities, as is frequently the case, the concurrence of such nations or international organizations must be obtained by PSPC and the respective foreign partner. It normally takes several months to get concurrence from foreign entities. Applications for such release must be submitted to PSPC's CSP well in advance with the following details:

  1. title of documents or nomenclature of assets to be released
  2. copies of the documents and copies of brochures or other documentary data of the assets
  3. name or organization of the originator of the items to be released
  4. security classification of the items to be released
  5. approval letter with date from the originator stating the concurrence to release such items to foreign entities
  6. contract or solicitation request number, where applicable
  7. country or countries to which the release is proposed
  8. purpose of the release

Annex 7-A: Instructions for Completing the Security Requirements Check List

General: Processing this form

The project authority must make arrangements for the completion of this form.

The organization or company security officer (CSO) must review and approve the security requirements identified in the form, in cooperation with the project authority.

The contracting security authority is the organization responsible for ensuring that the suppliers are compliant with the security requirements identified in the security requirements checklist (SRCL).

Note
All requisitions and subsequent tender and contractual documents including subcontracts that contain protected and/or classified requirements must be accompanied by a completed SRCL.

It is important to identify the level of protected information or assets (A, B or C), when applicable; however, certain types of information may only be identified as protected. No information pertaining to a protected and/or classified government contract may be released by suppliers, without prior written approval of the individual identified in block 17 of this form.

The level of security assigned to a particular stage in the contractual process does not mean that everything applicable to that stage is to be given the same classification. Every item must be protected and/or classified according to its own content. If a supplier is in doubt as to the actual level to be assigned, they may consult with the individual identified in block 17 of this form.

Completing this form

Part A: Contract information

Contract number (top of the form)

This number must be the same as that found on the requisition and should be the one used when issuing a request for proposal (RFP) or contract. This is a unique number (no two requirements will have the same number). A new SRCL must be used for each new requirement or requisition (for example: new contract number, new SRCL or new signatures).

1. Originating government department or organization

Enter the department or client organization name or the prime contractor name for which the work is being performed.

2. Branch or directorate

Use this block to further identify the area within the department or organization for which the work will be conducted

3. a) Subcontract number

If applicable, this number corresponds to the number generated by the prime contractor to manage the work with its subcontractor.

3. b) Name and address of subcontractor

Indicate the full name and address of the subcontractor, if applicable.

4. Brief description of work

Provide a brief explanation of the nature of the requirement or work to be performed.

5. a) Will the supplier require access to controlled goods?

The Defence Production Act (DPA) defines controlled goods as certain goods listed in the Export Control List, a regulation made pursuant to the Export and Import Permits Act (EIPA). Suppliers who examine, possess, or transfer controlled goods within Canada must register in the Controlled Goods Program or be exempt from registration.

5. b) Will the supplier require access to unclassified military technical data subject to the provisions of the Technical Data Control Regulations?

The prime contractor and any subcontractors must be certified under the Joint Certification Program if the work involves access to unclassified military data subject to the provisions of the Technical Data Control Regulations.

6. Indicate the type of access required

Identify the nature of the work to be performed for this requirement. Select 1 of the types of access described in 6 a, b or c.

6. a) Will the supplier and its employees require access to protected and/or classified information or assets?

The supplier would select this option if they require access to protected and/or classified information or assets to perform the duties of the requirement.

6. b) Will the supplier and its employees (for example: cleaners and maintenance personnel) require access to restricted access areas? No access to protected and/or classified information or assets is permitted

The supplier would select this option if they require regular access to government premises or a secure work site only. The supplier will not have access to protected and/or classified information or assets under this option.

6. c) Is this a commercial courier or delivery requirement with no overnight storage?

The supplier would select this option if there is a commercial courier or delivery requirement. The supplier will not be allowed to keep a package overnight. The package must be returned if it cannot be delivered.

7. Type of information, release restrictions, level of information

Identify the type(s) of information that the supplier may require access to, list any possible release restrictions, and if applicable, provide the level(s) of the information. The user may make multiple selections based on the nature of the work to be performed.

Departments must process SRCLs through Public Services and Procurement Canada (PSPC) where contracts that afford:

  • access to protected and/or classified foreign government information and assets
  • foreign contractors access to protected and/or classified Canadian government information and assets
  • foreign or Canadian contractors access to protected and/or classified information and assets as defined in the documents entitled Identifying information security (INFOSEC) and INFOSEC Release
7. a) Indicate the type of information that the supplier will be required to access

Canada

If Canadian government information and/or assets are identified, the supplier will have access to protected and/or classified information and/or assets that are owned by the Canadian government.

North Atlantic Treaty Organization

If North Atlantic Treaty Organization (NATO) information and/or assets are identified, this indicates that as part of this requirement, the supplier will have access to protected and/or classified information and/or assets that are owned by NATO governments. NATO information and/or assets are developed and/or owned by NATO countries and are not to be divulged to any country that is not a NATO member nation. Persons dealing with NATO information and/or assets must hold a NATO security clearance and have the required need-to-know.

Requirements involving classified NATO information must be awarded by PSPC. PSPC's Canadian Industrial Security Directorate (CISD) is the designated security authority for industrial security matters in Canada.

Foreign

If foreign information and/or assets are identified, this requirement will allow access to information and/or assets owned by a country other than Canada.

7. b) Release restrictions

If "No release restrictions" is selected, this indicates that access to the information and/or assets are not subject to any restrictions.

If "Not releasable" is selected, this indicates that the information and/or assets are for Canadian eyes only (CEO). Only Canadian suppliers based in Canada can bid on this type of requirement.

Note: If Canadian information and/or assets coexist with CEO information and/or assets, the CEO information and/or assets must be stamped ‘'Canadian Eyes Only".

If "All NATO countries" is selected, bidders for this requirement must be from NATO member countries only.

Note: There may be multiple release restrictions associated with a requirement depending on the nature of the work to be performed. In these instances, a security guide should be added to the SRCL clarifying these restrictions. The security guide is normally generated by the organization's project authority and/or security authority.

7. c) Level of information

Using the chart, indicate the appropriate level of access to information/assets the supplier must have to perform the duties of the requirement.

8. Will the supplier require access to protected and/or classified communication security information or assets?

If "Yes," the supplier personnel requiring access to communication security (COMSEC) information or assets must receive a COMSEC briefing. The briefing will be given to the holder of the COMSEC information or assets. In the case of a personnel assigned contract, the customer department will give the briefing.

When the supplier is required to receive and store COMSEC information or assets on the supplier's premises, the supplier's COMSEC custodian will give the COMSEC briefings to the employees requiring access to COMSEC information or assets.

If "Yes," the level of sensitivity must be indicated.

9. Will the supplier require access to extremely sensitive information security information or assets?

If "Yes," the supplier must provide the short title of the material and the document number. Access to extremely sensitive INFOSEC information or assets will require that the supplier undergo a Foreign Ownership Control or Influence (FOCI) evaluation by CISD.

Part B: Personnel (supplier)

10. a) Personnel security screening level required

Identify the screening level required for access to the information, assets or client facility. More than one level may be identified depending on the nature of the work. Please note that site access screenings are granted for access to specific sites under prior arrangement with the Treasury Board of Canada Secretariat. A site access screening only applies to individuals, and it is not linked to any other screening level that may be granted to individuals or organizations.

Security screening level(s):

  • Reliability status
  • Secret
  • NATO Secret
  • Top Secret
  • Top Secret Signal Intelligence (SIGNIT)
  • control of secret material in an international command (COSMIC) Top Secret

If multiple levels of screening are identified, a security classification guide must be provided.

10. b) May unscreened personnel be used for portions of the work?

Indicating "Yes" means that portions of the work are not protected and/or classified and may be performed outside a secure environment by unscreened personnel. The following question must be answered if unscreened personnel will be used:

Will unscreened personnel be escorted?

If "No," unscreened personnel may not be allowed access to sensitive work sites and must not have access to protected and/or classified information and/or assets.

If "Yes," unscreened personnel must be escorted by an individual who is cleared to the required level of security in order to ensure there will be no access to protected and/or classified information and/or assets at the work site.

Part C: Safeguards (supplier)

Information/Assets
11. a) Will the supplier be required to receive and store protected and/or classified information and/or assets on its site or premises?

If "Yes," specify the security level of the documents and/or equipment that the supplier will be required to safeguard at their own site or premises using the summary chart (see below).

11. b) Will the supplier be required to safeguard COMSEC information or assets?

If "Yes," specify the security level of COMSEC information or assets that the supplier will be required to safeguard at their own site or premises using the summary chart.

Production
11. c) Will the production (manufacture, repair and/or modification) of protected and/or classified material and/or equipment occur at the supplier's site or premises?

Using the summary chart, specify the security level of material and/or equipment that the supplier manufactured, repaired and/or modified and will be required to safeguard at their own site or premises.

Information technology media
11. d) Will the supplier be required to use its information technology systems to electronically process and/or produce or store protected and/or classified information and/or data?

If "Yes," specify the security level in the summary chart. This block details the information and/or data that will be electronically processed or produced and stored on a computer system. The client department and/or organization will be required to specify the information technology (IT) security requirements for this procurement in a separate technical document. The supplier must also direct their attention to the following document: Operational Security Standard: Management of Information Technology Security (MITS).

11. e) Will there be an electronic link between the supplier's information technology systems and the government department or agency?

If "Yes," the supplier must have their IT system(s) approved. The client department must also provide the connectivity criteria detailing the conditions and the level of access for the electronic link (usually not higher than Protected B level).

Summary chart

For users completing the form manually use the summary chart to indicate the category(ies) and level(s) of safeguarding required at the supplier's site(s) or premises.

For users completing the SRCL form online, the summary chart is automatically populated by your responses to previous questions.

12. a) Is the description of the work contained within this Security Requirements Check List protected and/or classified?

If "Yes," classify this form by annotating the top and bottom in the area entitled "Security classification".

12. b) Will the documentation attached to this Security Requirements Check List be protected and/or classified?

If "Yes," classify this form by annotating the top and bottom in the area entitled "Security classification" and indicate with attachments (for example: Secret with attachments).

Part D: Authorization

13. Organization project authority

This block is to be completed and signed by the appropriate project authority within the client department or organization (for example: the person responsible for this project or the person who has knowledge of the requirement at the client department or organization). This person may, on occasion, be contacted to clarify information on the form.

14. Organization security authority

This block must be signed by either the:

  • departmental security officer (DSO)
  • delegate of the department identified in block 1
  • security official of the prime contractor
15. Are there additional instructions (for example: security guide or security classification guide) attached?

A security guide or security classification guide is used in conjunction with the SRCL to identify additional security requirements which do not appear in the SRCL, and/or to offer clarification to specific areas of the SRCL.

16. Procurement officer

This block is to be signed by the procurement officer acting as the contract or subcontract manager.

17. Contracting security authority

This block is to be signed by the contract security official. Where PSPC is the contract security authority, CISD will complete this block.

Chapter 8: Information technology security

800. General

Purpose and scope

  1. This chapter establishes operational standards in Canadian industry for the safeguarding of government information electronically processed, stored or transmitted. It also applies to the safeguarding of the technology assets
  2. In addition to these standards, the administrative and organizational, physical and personnel security standards as documented in this manual also apply to the information technology (IT) environment
  3. The Policy on Government Security and the Operational Security Standard: Management of Information Technology Security requires that the degree of safeguarding provided by industry be commensurate with the level of the information and assets and the associated threats and risks. Without appropriate safeguards, the confidentiality, integrity and availability of information systems and services may be adversely affected

Roles and responsibilities

Government institutions are responsible for safeguarding protected and classified information and assets under their control. With respect to government contracts with the private sector, the contracting authority is responsible for ensuring that the requirements of the Policy on Government Security are met and that the security standards are applied. The security standards contained in the Policy on Government Security and the Operational Security Standard: Management of Information Technology Security are the minimum standards for security in the private sector.

Guidance

Assessments, advice and guidance regarding these standards are available from Public Services and Procurement Canada's (PSPC) Contract Security Program (CSP).

801. Organization and administration

Organization

The organization may be required to appoint a full-time security person to be responsible for IT security depending on the:

Questions regarding this policy are to be discussed with PSPC's CSP.

Planning

  1. Cost-effective IT security depends on planning that takes into account all phases of a system's life-cycle, from creation of the source documentation, through input transaction, communications, processing, storage, retrieval, output and disposal. In addition, plans must incorporate the interrelationship of physical and personnel security with IT security, confidentiality, integrity, and availability requirements. Because of TEMPEST emission security considerations, plans should also address communications security (COMSEC) requirements even if communications links are not involved in the present information system. The application of TEMPEST measures will always be based on a threat identified in a threat or risk assessment
  2. Any security program consists of an organizational structure and administrative procedures which support the 3 subsystems: physical security, information technology security and personnel security. These subsystems are interrelated. The total effectiveness of the security system depends on the performance, and therefore, the coordinated planning of all subsystems

802. Roles and responsibilities

Public Services and Procurement Canada’s Contract Security Program

  1. Whenever an organization is awarded a contract, through PSPC, to electronically process government information using IT equipment, the field industrial security officer (FISO) will arrange for and coordinate an IT inspection. The FISO will also coordinate an IT inspection for cause
  2. The FISO will contact the organization directly to discuss and finalize an inspection date. The inspection team may comprise 1 to 5 members and it may take between a half-day to 2 weeks to complete the inspection, depending on the complexity of the contract and other factors such as the level of sensitivity of the data
  3. Once the IT inspection team has completed their inspection, they will provide a report to the FISO for review. A copy of the report will be forwarded to the organization for action after the FISO has reviewed the report and confirms its findings. The organization must submit an action plan to address how it will implement the recommendations within 30 days of receiving the report, and they must report to PSPC's CSP on the status of the outstanding recommendations on a regular basis, usually once a month. PSPC's CSP will issue a call letter to the organization when the inspection update status report is required
  4. The implementation of recommendations is mandatory, while suggestions represent good business practice. Although implementing a report's suggestions is not mandatory, the organization should eventually implement them
  5. The contents of the report will not be released outside of PSPC without the expressed permission of the organization
  6. If the data requires TEMPEST protection, PSPC's CSP will request that the Communications Security Establishment (CSE) verify its adequacy. This involves either the testing of the TEMPEST compliant equipment or witnessing the final test of the shielded enclosure
  7. CSE will also provide a report to PSPC's CSP, however, the report only states the status of the equipment or shield and recommends corrective actions, as required. Once the equipment or shield have passed all necessary tests and inspections, the PSPC COMSEC group issues a certificate indicating that the equipment or shield is satisfactory

Contractor

  1. PSPC's CSP must approve the prime contractor's IT facility(s) before processing government information. However, it is the prime contractor's responsibility to ensure that subcontractors are informed of and meet IT security requirements and that upon termination of the subcontract, no residual information is left on the subcontractor's computer(s) or in other areas
  2. The FISO and CSE, if applicable, will contact the organization (prime contractor) to arrange for and finalize a time frame to conduct their inspection or test
  3. The organization must arrange to provide a copy of their IT operational procedures and security procedures, organizational charts and list of contact personnel, complete with telephone numbers for distribution to the IT inspection team during the initial meeting of the inspection. In some instances, the inspection team leader may request a preliminary visit, approximately 2 to 4 weeks before the actual inspection day, in order to meet the staff, tour the facility and pick-up any documentation for study
  4. At the conclusion of the inspection, the IT inspection team will conduct a debriefing session for the purpose of informing the contractor of their findings. The organization should take advantage of this opportunity to clarify any points or discuss proposed solutions. The documentation requested earlier will be returned during the meeting with CSE, once it verifies the adequacy of the organization's TEMPEST measures. This will involve either the testing of the TEMPEST compliant equipment or witnessing the final test of the shielded enclosure
  5. CSE will also provide a report to PSPC's CSP, however, it will only state the status of the equipment or shield and recommend corrective actions as required. Once the equipment or shield have passed all necessary tests and inspections, the PSPC COMSEC group will issue a certificate indicating that the equipment or shield is satisfactory
  6. PSPC's CSP will subsequently issue a call letter to the organization requesting that it submit to PSPC's CSP an updated status report on all outstanding security evaluation and inspection team recommendations and suggestions. When completing the request for an updated status report, the organization should indicate the status of each recommendation by using key words accompanied by essential detail when necessary. The key words are:
    1. implemented: indicating how (by using or upgrading software, hardware, procedures, etc.) the recommendation was implemented
    2. active: indicating what is being done by whom, and when the completed recommendation is expected
    3. deferred: stating the reason(s) why the implementation of the recommendation has been delayed, and when reactivation to implement the recommendation is expected
    4. rejected: giving substantive reasons why no action to implement the recommendation will be taken

803. Requirements for emission security

  1. The purpose for applying TEMPEST measures to telecommunications or electronic information processing equipment is to protect information from compromise through the intercept and analysis of electromagnetic emissions by unauthorized persons
  2. PSPC's CSP will determine the TEMPEST measures required on a case-by-case basis, taking into account threat and risk

804. Secure telecommunications requirements

In addition to TEMPEST considerations, an organization which needs to transmit government information over telecommunication links or networks must protect this information through the use of government approved encryption or other government approved COMSEC measures such as approved (physically protected) circuits. PSPC's CSP must be made aware of such requirements as soon as possible. In such cases, PSPC's CSP will provide instructions and directions specific to the communications security systems involved.

805. Security of communications security information and assets

  1. COMSEC material includes all documents, devices, equipment or apparatus and crypto material used in establishing or maintaining secure communications. Crypto material is all material containing information essential to the encryption, decryption or authentication of communications, including documents, devices or equipment
  2. An organization which has a validated requirement to hold COMSEC material will be required to establish a COMSEC account with PSPC's CSP and must appoint a qualified COMSEC custodian and alternate COMSEC custodian who together with the company security officer will be held accountable for safeguarding this material
  3. Because of the special sensitivity of COMSEC material, a comprehensive set of rules and procedures for the handling and physical safeguarding of COMSEC material is provided in the Industrial COMSEC Material Control Manual and the Industrial Security Manual. All organizations with a need to hold COMSEC material must obtain a copy of the COMSEC Support to the Private Sector—Project Managers' Quick Reference Guide, which is available from the CSP

Chapter 9: Security requirements for the North Atlantic Treaty Organization

900. General

1. Canada is a member of the North Atlantic Treaty Organization (NATO), an alliance of 30 countries:

Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Montenegro, Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Turkey, United Kingdom, and the United States.

As a member of NATO, Canada has agreed to observe the security regulations applicable to classified NATO information.

2. NATO information is classified information circulated within and by NATO, including information:

Note: When a circulated NATO document contains classified information contributed by a member nation, the classified information remains the property of the originating nation.

3. This chapter identifies the security requirements applicable to classified NATO information. For convenience, it combines references to NATO, found in other chapters of this manual.

901. Personnel security clearances

1. An employee with a Canadian personnel security clearance does not automatically have access to NATO information. A separate application is required for a NATO personnel security clearance. A personnel security clearance at the level of Control of Secret Material in an International Command (COSMIC) Top Secret, NATO Secret or NATO Confidential is required for access to those levels of NATO classified information.

2. Non-government employees must have a reliability status for oral or visual access to NATO Restricted information. NATO Restricted documents may not be released to an unscreened person. They must be handled and safeguarded in keeping with Protected A level information.

3. In the case of non-Canadians, a NATO clearance does not include a right to access non-NATO Canadian classified information. A Canadian personnel security clearance must be obtained separately. Refer to the procedures for requesting a personnel security clearance located in Chapter 2: Security screening, Part II—Personnel security clearances of this manual.

4. A NATO personnel security clearance for a national of another NATO member nation may only be granted by that parent nation, regardless of the length of time the person has resided in Canada.

5. Organizations must maintain a separate record of all employees at the facility who have been authorized access to NATO classified information. Prior to granting an employee access to NATO classified information, the company security officer (CSO) must review the following with an employee:

  1. what NATO information is (refer to section 900. General, article 2 in this chapter)
  2. when to mark "NATO" on a document signifies that the document is the property of NATO. This marking must be used on all copies of documents classified as Restricted, Confidential or Secret that are circulated within NATO. The marking « COSMIC TOP SECRET » also signifies that the document is the property of NATO, and is used exclusively on all copies of Top Secret documents circulated within NATO
  3. safeguarding NATO classified documents according to the requirements (refer to Chapter 5: Handling and safeguarding of classified and protected information and assets of this manual) for the handling of Confidential, Secret and Top Secret material, with the exception that they will be kept separate from other types of protected, classified or unclassified information. NATO Restricted documents must be handled and safeguarded to the Protected A level
  4. only people who hold a personal security clearance at the appropriate level and having a need-to-know , shall be permitted access to NATO classified information
  5. if access to COSMIC Top Secret information is required, employees must receive a separate briefing about their responsibilities for safeguarding such information
    • these employees must sign a certificate acknowledging that they received this briefing
    • the Public Services and Procurement Canada's (PSPC's) Contract Security Program (CSP) will give detailed instructions to the CSO of the organization concerned

902. Facility security clearances

Facility security clearances (FSC) may be authorized at the level of NATO Restricted, NATO Confidential, NATO Secret or COSMIC Top Secret. Chapter 3: Facility security clearances, Part II—Facility security clearance (classified) of this manual identifies the requirements and procedures for obtaining a FSC personnel security clearance. In addition, Annex 3-C: Facility security clearance requirements (North Atlantic Treaty Organization classified information) of this manual gives full details of the personnel security clearance required by key senior officials (KSO), the CSO and the organization's employees, for each level and type of NATO FSC.

903. Handling of classified North Atlantic Treaty Organization

1. All classified NATO information received must be handled in accordance with Chapter 5: Handling and safeguarding of classified and protected information and assets of this manual and with the following additional requirements:

  1. classified NATO documents must be recorded in a NATO register
  2. when classified NATO material is received through channels other than those established by PSPC, details of such incident(s) must be reported directly to PSPC's CSP
  3. classified NATO information must be marked with "COSMIC" or "NATO", as appropriate, in addition to other classification markings
  4. classified NATO information must be returned to PSPC's CSP for destruction

2. When transmitting classified NATO information to another nation, Canadian industry must go through PSPC's CSP, unless otherwise authorized by PSPC.

904. Visits

1. When Canadian organizations are involved in visits under NATO international visit control procedures, PSPC's CSP will identify the procedures to be followed.

2. Organizations must keep a record of all visitors to their facility when such visitors will have access to classified information. A separate visitor log must document NATO visits. NATO visitors do not include PSPC's CSP representatives. As such PSPC's CSP representatives are not required to enter their names in NATO visit logs.

A NATO visit is:

  1. a visit by a person from a NATO country to a contractor in connection with pre-contract negotiations or contract performance on a NATO classified contract
  2. a visit between a Canadian contractor performing on a NATO classified contract
  3. other visits in which access to NATO classified information has been specifically authorized

3. The NATO visitor log must indicate the:

  1. visitor's full name
  2. name of the person(s) visited
  3. name of the organization, agency or government department that they represent
  4. date(s) of the visitor's arrival at and departure from the facility

The host organization must maintain records of authorized visits that have taken place over the previous 2 years, at minimum, and are subject to random inspection by PSPC's CSP during that period.

4. When requesting authorization to attend NATO meetings, PSPC's CSP must receive the request for visit at least 21 days prior to the date of the meeting.

905. Contracts

1. A NATO security aspects letter must accompany the contract. The letter documents the security requirements for classified NATO contracts. When a Canadian organization is bound to observe NATO security protocol in respect of a contract, PSPC's CSP may provide additional details as applicable and/or required.

2. Prior to the award of a classified NATO subcontract to a foreign contractor, the contracting authority and PSPC's CSP section must be consulted for guidance and approval before the proposed award.

3. When contractors negotiate directly with foreign governments and/or organizations, care must be taken to ensure that classified material to be transmitted outside of Canada is forwarded through the designated security channels established by PSPC for the particular program (refer to Chapter 5: Handling and safeguarding of classified and protected information and assets of this manual).

4. In addition to the above, all the requirements of personnel security clearance (refer to Chapter 2: Security screening, Part II—Personnel security clearances of this manual), request for visit (refer to Chapter 6: Classified request for visit protocol for Canadian-based industry of this manual) and foreign release and export sales (refer to Chapter 7: Classified and protected contracts of this manual) apply equally to NATO contracts.

Chapter 10: Joint Certification Program

1000. General

The United States (U.S.) and Canada share a unique, long-standing military and economic relationship. The two countries are partners in the joint defence of North America and have established a bilateral common structure (NORAD) for mutual defence. Canadian industry is a part of the North American Defense Industrial Base. The United States and Canada consult and cooperate on the development of common industrial security procedures and technology controls. Both governments have entered into numerous bilateral agreements that codify and support this relationship.

In 1985, the U.S. and Canada signed a memorandum of understanding (MOU) that established the U.S.–Canada Joint Certification Program (JCP). As stated in the program's terms of reference, the program was established "to certify contractors of each country for access, on an equally favourable basis, to unclassified technical data disclosing critical technology" controlled in the U.S. by the Department of Defense. Under the laws of each nation, the U.S. Department of Defense (DoD) and Canada's Department of National Defence (DND) may withhold such technical data from public disclosure.

Contractors must be certified under the U.S.–Canada JCP to be eligible to bid or receive a contract involving access to unclassified militarily critical technical data under the control of DND or DoD. Contractors currently cleared under the Contract Security Program must be certified if they wish to receive unclassified technical data government by the Technical Data Control Regulations or by DoD Directive 5230.25. Participation in the JCP is limited to contractors located in Canada or the United States.

1001. Joint certification process

  1. To become a certified contractor, an organization must complete DD form 2345 and forward it to the U.S.–Canada Joint Certification Office (JCO) at the address provided on the contact the Joint Certification Program webpage. In addition, a copy of the organization's incorporation certificate, state or provincial license, sales tax identification form or other documentation which verifies the legitimacy of the organization must accompany DD form 2345.
  1. When a Canadian contractor intends to request access to unclassified military critical technical data under the control of DoD, it must complete DD form 2345. Technical data transferred to a certified contractor is mailed to the location shown on the form. Each corporate subsidiary or division that is to receive or work with unclassified military critical technical data must be certified separately
  2. To become a certified contractor, an organization must agree to abide by the terms and conditions listed on the form. Once accepted by the JCO, the form constitutes an agreement with the organization and the JCO that unclassified military critical technical data will not be further disseminated to unauthorized individuals. If a contractor violates the provisions of the agreement, its certification for access to unclassified military critical technical data may be revoked
  3. Contractors become certified on the date that the JCO accepts their certification. Organizations approved under the JCO will receive a copy of their agreement form, signed by Canadian and U.S. representatives, showing their 7-digit certification number. The certification number and a statement of intended use must accompany all requests for unclassified military critical technical data submitted to DND or DoD. Certification must be renewed every 5 years. The JCO will provide a renewal notice 120 days before expiration of a contractor's certification
  4. Certification establishes the eligibility of Canadian–U.S. contractors to:
    1. receive unclassified militarily critical technical data having military or space application under the control of DND or DoD
    2. respond to defence-related contract opportunities whose specifications involve technical data that are releasable only to certified organizations
    3. attend gatherings restricted to contractors that are certified by the JCO, such as symposia, program briefings, meetings designed to publicize advance requirements of contracting agencies, pre-solicitation, pre-bid, pre-proposal, pre-award conferences and workshops
    4. arrange unclassified procurement-related visits directly with other certified Canadian and U.S. contractors as well as with DND and DoD military facilities where the visits will involve access to technical data that are releasable only to certified contractors

1002. Unclassified visits

  1. For Canadian contractors, visits between U.S.–Canadian organizations are predicated on the fact that the unclassified military critical technical data is releasable under the Canadian exemption in the U.S. International Traffic in Arms Regulations (ITAR)
  2. Certified contractors wishing to initiate an unclassified visit to a DoD military installation must make arrangements with the installation's security office. By regulation, the commander of the installation retains final approval authority for any visit and may deny it for security or operational reasons

How to get approval for unclassified visits

1003. Contact point

For additional information, including access to DD form 2345:

Chapter 11: International security issues

1100. General

This chapter contains information on Canadian foreign disclosure policies and regulations and international security agreements and arrangements executed between the Government of Canada and allied governments, concerning the exchange and safeguarding of protected and classified information and assets.

1101. Roles and responsibilities

Under the Policy on Government Security, Public Services and Procurement Canada (PSPC) is responsible, for:

1102. Foreign disclosure policy

  1. Organizations involved in the Canadian PSPC's Contract Security Program (CSP) that wish to exchange information and assets with a foreign government or private sector organization must contact the PSPC's CSP which will determine whether the:
    1. information may be released to the foreign government
    2. disclosure is in compliance with Canadian foreign disclosure policies and regulations
    3. information can be adequately safeguarded by the foreign participant
  2. Decisions to disclose information and assets to foreign interests are based on a determination that release is in support of an authorized Canadian government program
  3. Prior to release of protected and/or classified information or assets to foreign interests, PSPC's CSP must request and receive a security assurance from the responsible foreign government (for example, the level of facility security clearance (FSC) held by the recipient organization)
  4. When the disclosure parameters cannot readily be determined from past records, contractual documentation or a security requirements checklist (SRCL), PSPC's CSP may have to consult with other Canadian government entities (for example, Department of National Defence (DND) or major Crown project offices) to obtain a foreign disclosure decision. In such cases, it is prudent for the contractor to contact IISD well in advance of any proposed exchange or release, as foreign disclosure reviews may take up to 30 days for staff of the various agencies and departments to reach a decision
  5. In addition to the above, PSPC's CSP must receive proof that the dispatching organization has complied with Canada's Export and Import Permits Act (EIPA) before initiating a government-to-government exchange. As proof, PSPC's CSP will accept a:
    1. copy of an approved export permit
    2. letter from the Export Controls Division, Global Affairs Canada to the effect that a licence is not required
    3. a letter from the organization certifying that the transaction does not require a licence under the Export and Import Permits Act or that a licence is not required because of prior Canadian government approval, for example:
      1. Canadian government approved contract
      2. PSPC/DND subcontracting approval
      3. a letter of authorization from PSPC/DND
      4. other Canadian government organization authorizing release
  6. Export permits and advice or information about the EIPA may be obtained by contacting:

    Export Controls Division
    Special Trade Relations Bureau
    Global Affairs Canada
    P.O. Box 481, Station A
    Ottawa ON  K1A OG2

  7. Transfer of national or international information and assets by Canadian industry to a foreign entity (government or private sector) must be undertaken through PSPC's government-to-government channels, unless otherwise agreed to by PSPC (for example, exceptions may apply to protected material). It is important to note that most government-to-government exchanges of information and assets are carried out using the diplomatic bag service of Global Affairs Canada. This being the case, contractors who have specific delivery deadlines should contact PSPC's document control unit to determine the diplomatic mail schedule for the country in question. In the case of transmissions to the United States only, PSPC makes use of Canada Post's priority service to expedite transmissions whenever possible (weight restrictions apply). When these methods of transport would result in unacceptable delays to a contract, program or project, the company security officer (CSO) may contact PSPC's CSP to request an alternate method of transmission, such as hand carriage by an organization employee
  8. The CSO must strictly control the disclosure of national or international information to a foreign person employed by a Canadian contractor. Persons holding Canadian, with limitations clearances, may be given access to Canadian information and assets and/or information and assets from their country of nationality. Information belonging to a third nation may not be released to these individuals without the prior written approval of the originating nation, through PSPC
  9. Disclosure of information to foreign visitors is prohibited unless disclosure authority has been obtained from PSPC in the form of an approved visit request (refer to Chapter 6: Classified requests for visit protocol for Canadian-based industry of this manual) or other authorizing document

1103. Bilateral security agreements

  1. Bilateral security agreements are negotiated with foreign governments. This chapter contains the principle requirements embodied in these agreements
  2. A general security agreement, negotiated through diplomatic channels, states that each party to the agreement will afford information substantially the same degree of security safeguarding afforded it by the releasing government. It contains provisions concerning limits on the use of this information, including third party transfers and proprietary rights. It provides for the reporting of compromises of information and assets and for visits by security authorities of participating governments
  3. PSPC negotiates the industrial security agreement on behalf of Canadian industry, normally as an annex to the general security agreement with a foreign government. It contains security procedures for contracts and government-approved arrangements involving access to information and assets. It also includes provisions for information handling, security classification guidance, security requirements clauses, visits and the exchange of security assurances, and it designates a responsible agency to administer the agreement (PSPC's CSP in Canada)
  4. When a Canadian organization becomes involved in a program or contract covered by an industrial security agreement, PSPC's CSP will identify the special security protocols, if any, which must be observed for the particular contract or program

1104. Multinational armament cooperative programs with North Atlantic Treaty Organization allies

  1. In order to facilitate the exchange of information and assets required by industry, for multinational cooperative programs, Canadian industrial security authorities have agreed, with NATO member nations, to use standard security practices and procedures for Multinational Armaments Cooperative Programs that are not under NATO security jurisdiction. In some respects, these practices and procedures may differ from the requirements set forth in this manual
  2. For additional information concerning these procedures, contractors participating in a multinational program involving NATO member nations are encouraged to contact the international security visits and document control division of PSPC's CSP by email: ssivisites-.issvisits@tpsgc-pwgsc.gc.ca
  3. PSPC's CSP represents Canada on the Multinational Industrial Security Working Group (MISWG) which is responsible for negotiating and developing international standard security practices and procedures. This group meets twice a year in various NATO member nations. The procedures and practices approved by this committee are sometimes referred to as "MISWG documents"
  4. Each nation's designated security authority (DSA) is responsible for the application of approved standardized procedures on a specific program or project. In Canada, there are two DSAs for Multinational Armaments Cooperative Programs. PSPC's CSP is the designated security authority for security matters involving private sector personnel and organizations and Department of National Defence / Division of security (DSECUR) is the designated security authority for security matters involving Canadian military personnel and establishments
  5. Industry should notify PSPC's CSP with concerns, or when they experience security-related problems in Multinational Cooperative Programs
  6. Where a Canadian organization must fulfill certain obligations, under an international security protocol, PSPC's CSP will contact the CSO and identify the detailed requirements which must be met in each case

1105. Handling and safeguarding of foreign classified information and assets

Foreign government classified information or assets at the Confidential, Secret or Top Secret level must be safeguarded in the same manner as Canadian classified information and assets of an equivalent level, unless advised otherwise by PSPC's CSP (for information on how to safeguard foreign unclassified but special information or assets, contact your field industrial security officer (FISO)).

1106. Protected information

The private sector must not release Canadian protected information and assets to other countries without written authorization from PSPC. Foreign governments and organizations must be informed of the level of safeguarding required for protected information and assets, by way of contract security clauses, or through written instructions approved by PSPC's CSP.

1107. Restricted information

Foreign restricted

The <<RESTRICTED>> classification no longer exists in Canada, however many allied governments still use this classification. Canada must safeguard foreign restricted information and assets in accordance with international industrial security agreements. Unless otherwise advised by PSPC's CSP, organizations which are in possession of foreign restricted information and materiel must safeguard this information in the same manner as Canadian Protected A. Additional safeguarding procedures are as follows:

  1. PSPC's CSP must provide prior approval before foreign restricted information is released to any government, person or institution of another country
  2. restricted information may only be accessed by persons whose access is considered to be necessary in connection with a government or multinational program, project or contract
  3. the CSO must inform all recipients of foreign restricted information and assets of their responsibility for safeguarding the information and assets
  4. NATO restricted information requires additional safeguards
  5. to avoid confusion, organizations must indicate the country of origin of foreign restricted information and assets, in brackets, beside the classification, for example, <<RESTRICTED (Italy)>>, <<RESTRICTED (France)>>

Information or assets previously classified as Canadian restricted

  1. Organizations which are in possession of Canadian documents bearing the classification <<RESTRICTED>> should request an official reclassification of the documentation through PSPC's CSP, to determine if and how it should be safeguarded under existing Canadian government security policies and regulations. Pending an official reclassification, formerly restricted Canadian information and assets must be safeguarded in the same manner as Protected A information and assets
  2. Foreign recipients of formerly restricted Canadian information and assets must continue to handle and safeguard such information and assets in accordance with existing bilateral and multinational security agreements or arrangements unless otherwise advised by the Government of Canada

1108. Security requirements for contracts awarded to foreign interests

  1. In addition to the requirements specified in Chapter 7: Classified and protected contracts of this manual, the following requirements apply to the awarding of contracts to organizations outside of Canada holding a valid FSC in their nation:
    1. when a contractor obtains PSPC approval to award a subcontract, or enters into other direct commercial arrangements involving information and assets with a foreign contractor, the contractor must incorporate security requirements clauses in the contract document and provide security classification guidance for the Canadian information, through the use of a Security requirements checklist (SRCL) (refer to Chapter 7: Classified and protected contracts of this manual)
  2. The following security clauses must be incorporated in all contracts or subcontracts awarded to organizations outside of Canada:
    1. all protected and classified information and assets, furnished or generated pursuant to this contract, must be safeguarded as follows:
      1. the recipient must not release the information and assets to a third-country government, person or organization, without the prior written approval of the Canadian government
      2. the recipient must afford the information and assets a degree of safeguarding equivalent to that afforded to it in Canada
      3. the recipient must not use the information and assets for other than the intended purpose without prior written approval of the Canadian government
    2. information and assets furnished or generated pursuant to this contract, must be transferred through government channels or other channels specified in writing by national security authorities. It may only be released to persons who have an appropriate security authorization and an official need-to-know in the performance of the contract
    3. information and assets furnished under this contract must be marked by the receiving government authority with their government's equivalent security classification markings
    4. information and material generated under this contract must be assigned a security classification, as specified by the contract security classification specifications provided with this contract
    5. the contractor must promptly report to its government's security authorities all cases, in which it is known or there is reason to believe that information and assets furnished or generated pursuant to this contract has been lost or disclosed to unauthorized persons
    6. information and assets furnished or generated pursuant to this contract, must not be provided to another contractor or subcontractor unless:
      1. the potential contractor or subcontractor has been approved for access to the information and assets by industrial security authorities
      2. if located in a third country, prior written consent is obtained from the Canadian government
    7. upon completion of the contract, all information and assets furnished or generated pursuant to the contract, must be returned to the Canadian contractor

Chapter 12: Security education

1200. General

  1. To ensure proper security in the organization, the company security officer (CSO) works closely with management, from the top down, to conduct a security education program. Inadequate security may result in the loss of an organization's facility security clearance (FSC) and the cancellation of contracts involving protected or classified information and assets
  2. The CSO and security staff are not the only ones responsible for an organization's security. Managers and supervisors, at all levels, are responsible for their own personal security measures in addition to ensuring that proper security procedures are followed by all employees in the organization. It is recommended that performance assessments include a measure of the individual's security effectiveness, just as they include other organizational assessments
  3. An initial security briefing, reinforced by an ongoing security education and awareness program, is essential to the maintenance of an effective security program. Ultimately, the success of a security program depends on the employees of the organization. All of the procedures, regulations and physical safeguards will be of little use if employees are not fully aware of their individual responsibilities and the importance of the security requirements, along with the necessity for these security requirements
  4. The Security screening certificate and briefing form which each person reads and signs upon receiving their reliability status or personnel security clearance(PSC), is an acknowledgement of their responsibilities. It must be accompanied by a briefing from the CSO, which details the individual's specific responsibilities and duties, relative to security in the facility
  5. An ongoing security education and awareness program may encompass many forms of instruction including, but not limited to:
    1. general briefings to all employees
    2. smaller, group briefings
    3. movies/videos
    4. articles in an organization's newsletter(s)
    5. security bulletins
    6. posters
  6. Assistance with training sessions is available from Public Services and Procurement Canada's (PSPC)'s Contract Security Program (CSP)
  7. Periodic sessions with small, work-related groups, where the material is tailored to the needs of the group, can be particularly effective. The small group fosters greater attentiveness and stimulates participation by all present
  8. New employees, even though not yet security-screened and therefore prohibited from access to protected/classified information and assets, should be given a security briefing appropriate to their duties. Security in the private sector includes the requirements for corporate security, as well as the safeguarding of government protected and classified information and assets

1201. Suggested security briefing content

Each organization's security education and awareness program must be tailored to the situation and needs of the specific facility and include references to security orders as appropriate (refer to Chapter 1, Annex 1-C of this manual).

Resources

Browse the alphabetical list of terms as well as abbreviations and acronyms found in the Industrial Security Manual.

Glossary of terms

Use the alphabetical directory to navigate to the term you wish to learn about.

All terms include their equivalent in the other official language, and some terms include an abbreviation.

List of services and programs starting with the letter A

access control methods (méthodes de contrôle de l'accès)
The methods used to prevent unauthorized access. These methods might include person-based systems which make use of guards and receptionists, systems based on physical characteristics such as fingerprints and signatures or systems based on access control items such as keys and magnetic cards.
approved security container (contenant de sécurité approuvé)
Specific types of containers that have met standards developed by an interdepartmental committee established for this purpose. The Royal Canadian Mounted Police's Security Equipment Guide (G1-001): lists approved security containers.
alternate authorized official (fonctionnaire autorisé remplaçant)
Individual, employed within the organization, security screened to reliability status and appointed by the organization to assist, or if applicable, assume the duties of the authorized official.
authorized official (fonctionnaire autorisé)
Individual, security screened to reliability status, and appointed by the organization to carry out security responsibilities associated with the personnel security screening function for those organizations that possess a designated organization screening.

List of services and programs starting with the letter B

breach (atteinte à la sécurité)
When any protected or classified information or assets have been compromised. Without restricting its scope, a breach may include compromise in circumstances that make it probable that a breach has occurred.

List of services and programs starting with the letter C

classified assets (biens classifiés)
Assets, other than information, that are important to the national interest and therefore warrant safeguarding.
classified information (renseignements classifiés)
Information related to the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act and the compromise of which would reasonably be expected to cause injury to the national interest.
communications security (COMSEC) (sécurité des télécommunications (COMSEC))
Cryptographic, transmission and emission security measures applied to information stored, processed or transmitted electronically. COMSEC is a subset of information technology security.
compromise (compromission, perte d'intégrité)
Unauthorized disclosure, destruction, removal, modification, interruption or use of information and assets.
COMSEC custodian (responsable des ressources frCOMSEC)
The person designated by the COMSEC authority or Communications Security Establishment to be responsible for the receipt, transfer, accountability, safeguarding, and destruction of COMSEC material.
continuous monitoring (surveillance continue)
Checking of the monitored assets by personnel in control of the assets, guards or electronic means with enough regularity to detect attempted unauthorized access.
courier certificate (ordre de mission de courrier)
A courier certificate authorizes an individual to transport protected and classified information and assets either for use by the authorized individual at the destination, or, for use and retention by authorized personnel at the destination.

List of services and programs starting with the letter D

designated organization screening (DOS) (vérification d'organisation désignée (VOD))
An administrative determination that an organization is eligible, from a security viewpoint, for access to protected information or assets of the same or lower level as the clearance being granted.
document safeguarding capability (DSC) (autorisation de détenir des renseignements (ADR))
Certification that a facility of an organization that has been granted either a designated organization screening (DOS) or a facility security clearance (FSC), and has been authorized to store or handle protected (designated organization screening) or protected and classified (facility security clearance) material or assets. Separate DSCs can be granted for the head office and/or one or more physically separate sites belonging to the organization. A DSC is separate from and is in addition to a DOS or a FSC.

List of services and programs starting with the letter E

emission security (sécurité des émissions)
Refer to TEMPEST.

List of services and programs starting with the letter F

facility (installation)
A physical setting used to serve a specific purpose. A facility may be within a building, or a whole building, or a building plus its site; or it may be a construction that is not a building. The term encompasses both the physical object and its use.
facility security clearance (FSC) (attestation de sécurité d'installation (ASI))
An administrative determination that an organization is eligible, from a security viewpoint, for access to classified and, if necessary protected, information or assets of the same or lower classification level as the clearance being granted.
field industrial security officer (FISO) (agent local de la sécurité industrielle (ALSI))
The Public Services and Procurement Canada's (PSPC)'s Contract Security Program (CSP) representative assigned to assist an organization in establishing and maintaining an effective Contract Security Program. The FISO is the company security officer's (CSO)'s point of contact with PSPC's CSP for all physical security matters.
for cause (pour cause)
A determination that there is sufficient reason to review, revoke, suspend or downgrade a reliability status or a security clearance. In the context of a security assessment, a determination whether more in-depth verifications are required.

List of services and programs starting with the letter G

government-to-government (gouvernement à gouvernement)
International transactions, such as visit clearances and material transmissions, that must take place between governmental industrial security authorities of the countries involved (in Canada, the Canadian Industrial Security Directorate) or that can be executed by private sector organizations, but only with the written approval of the governmental industrial security authorities of the countries involved.
government-to-government channels (voies de gouvernement à gouvernement)
Channels that have been approved by the governmental industrial security authorities of the countries involved (in Canada, the Canadian Industrial Security Directorate).

List of services and programs starting with the letter H

public access hours
Hours when the public can enter a reception area and, with authorization, a reserved access area. Employee access does not necessarily require authorization.

List of services and programs starting with the letter I

identification card (carte d'identité)
A document issued by the organization to identify the bearer.
Information Technology Security Directive for the Control of COMSEC Material in the Canadian Private Sector (Directive en matière de sécurité des Technologie de l'information sur le contrôle du matériel frCOMSEC au sein des entreprises du secteur privé canadien)
A directive that provides COMSEC practitioners with the minimum security requirements for the control and management of COMSEC material authorized by the Communications Security Establishment (CSE) for use by a Canadian private sector company within Canada. This publication is issued under the authority of the Chief of the CSE in accordance with the federal Policy on Government Security.
Information Technology Security Directive for the Control of COMSEC Material in the Government of Canada (Directive en matière de sécurité des Technologie de l'information sur le contrôle du matériel frCOMSEC au sein du gouvernement du Canada)
A directive that provides the minimum security requirements for the control and management of COMSEC material authorized by the Communications Security Establishment (CSE) for use by the Government of Canada. This publication is issued under the authority of the Chief of the CSE in accordance with the federal Policy on Government Security.

List of services and programs starting with the letter K

key senior official (KSO) (cadres supérieurs clés (CSC))
An individual who must be granted a personnel security clearance before an organization will be granted a facility security clearance (FSC). This includes the company security officer (CSO) and the owners, officers, directors of the board, executives and partners who occupy positions which would enable them to adversely affect the organization's policies or practices in the performance of classified contracts.

List of services and programs starting with the letter N

national interest (intérêt national)
Concerns the defence and maintenance of the social, political and economic stability of Canada.
need-to-know basis (besoin de connaître)
The need for someone to access and know information in order to perform his or her duties.

List of services and programs starting with the letter O

organization (organisation)
Any institution, other than a Canadian government department, agency or crown corporation, holding or seeking a designated organization screening (DOS) or facility security clearance (FSC). The majority are commercial corporations, but other institutions are also included such as universities, partnerships, and other levels of government and their agencies.

List of services and programs starting with the letter P

personnel security clearance (attestation de sécurité de personnel)
Status granted as a result of an assessment of loyalty to Canada and, so far as it is related thereto, the reliability of an individual.
protected (protégé)
The marking that shows that the information qualifies as protected information and requires more than basic safeguarding. Protected A is used to specify the requirement for minimum standards of protection, Protected B indicates the need for additional security measures and Protected C signals the need for special, stringent safeguards.
protected assets (biens protégés)
Assets, other than information, that have been identified by the institution as being important to operations by virtue of the function performed or as being valuable and therefore warranting safeguarding; cash and other negotiables; and computer systems that require safeguards to ensure the confidentiality, integrity and availability of the information stored therein.
protected information (renseignements protégés)
Information related to other than the national interest that may qualify for an exemption or exclusion under the Access to Information Act or Privacy Act and the compromise of which would reasonably be expected to cause injury to private interest or non-national interest.
public access hours (heures d'accès du public)
When the public may enter the reception zone and, if authorized, enter secure zones. Employee access may or may not require authorization.

List of services and programs starting with the letter R

reliability screening (enquête de sûreté)
The process which must be completed before the individual may be granted a reliability status.
reliability status (cote de fiabilité)
Successful completion of a reliability screening; allows regular access to government assets and with a need-to-know to protected information.
risk assessment (évaluation du risque)
An evaluation of the chance of vulnerabilities being exploited, based on the effectiveness of existing or proposed security measures.

List of services and programs starting with the letter S

security orders (consignes de sécurité)
Written documentation developed, implemented and maintained by an organization to formalize and standardize security arrangements and procedures within the organization.
security requirements check list (SRCL) (liste de vérification relative à la sécurité (LVRS))
Form designed for use by project authorities, departmental security officers, procurement officers or other government employees in the contracting process to identify security requirements at the start of any contractual or pre-contractual process.
security screening (filtrage de sécurité)
The process which must be completed before an individual can be granted a security clearance.

List of services and programs starting with the letter T

TEMPEST
The classified code name for emission security, which is the discipline that deals with the suppression of unintentionally radiated or conducted electromagnetic signals that divulge information.
threat assessment (évaluation de la menace)
An evaluation of the nature, likelihood and consequences of acts or events that could place protected or classified information and assets at risk.

List of services and programs starting with the letter V

violation of security (violation de la sécurité)
Any act or omission that contravenes any provision of the Industrial Security Manual (ISM) or contractual obligation. Such acts may include failure to classify or safeguard information in accordance with the policy; classification, or continuation of same, in violation of the policy; unauthorized modification, retention, destruction or removal of protected or classified information; and unauthorized interruption of the flow of protected or classified information.

Abbreviations and acronyms

ACSO
alternate company security officer
CCSO
corporate company security officer
CCTV
closed-circuit television
CEO
chief executive officer
CFTSA
Canadian Forces Technical Services Agency
COMSEC
communications security
CSE
Communications Security Establishment
CSP
Contract Security Program
CSIS
Canadian Security and Intelligence Service
CSO
company security officer
DAV
Directly Arranged Visit
DND
Department of National Defence (Canada)
DOD
(U.S.) Department of Defense
DOS
designated organization screening
DSA
designated security authority
DSC
document safeguarding capability
EID
electronic intrusion detection
EIPA
Export and Import Permits Act
FISO
field industrial security officer
FOCI
foreign ownership, control or influence
FSC
facility security clearance
ISM
Industrial Security Manual
IT
information technology
ITAR
International Traffic in Arms Regulations
JCO
(United States–Canada) Joint Certification Office
JCP
(United States–Canada) Joint Certification Program
KSO
key senior official
MCTD
military critical technical data
MISWG
Multinational Industrial Security Working Group
MOU
memorandum of understanding
NATO
North Atlantic Treaty Organization
NDHQ
National Defence Headquarters
NORAD
North American Aerospace Defense Command
NSA
national security authority
OPI
office of primary interest
PA
personnel assigned
PSPC
Public Services and Procurement Canada
RCMP
Royal Canadian Mounted Police
RFP
request for proposal
RFV
Request for Visit
ROD
resolution of doubt
SC
site clearance
SRCL
security requirements check list

From: Public Services and Procurement Canada

Page details

Date modified: