Senate Committee on National Finance

2023-24 Main Estimates
Date: November 8, 2023, from 6:45 to 8:45 pm ET
Location: Room W110, 1 Wellington St

General items

Type: Opening Statement
Event: Standing Senate Committee on National Finance 2023-24 Main Estimates
Words: 583 (under 5 minutes)

Opening Statement‌

Speaking points for:
Scott Jones, President, Shared Services Canada
Standing Senate Committee on National Finance 2023-2024 Main Estimates‌

November 8, 2023‌

Good evening.‌

I appreciate this opportunity to appear before you, as the new President of Shared Services Canada (SSC), to discuss the Main Estimates for fiscal year 2023-24.‌

Honourable Senators, SSC provides the IT infrastructure for the Government of Canada. This means ensuring reliable and secure networks, digital tools and modern hosting solutions.‌

The key to the success of digital government is collaboration across the Government of Canada. Managing IT as an enterprise simplifies maintenance and operations, and allows for continuous improvement, while reducing overall costs.‌

This fiscal year, SSC is focusing on strengthening the foundational pieces of IT infrastructure to support a hybrid workplace and enhance security.‌

SSC has identified 4 key areas for 2023-24 that will focus on the needs of its partners, embed security throughout, and strengthen the enterprise. These key areas are:‌

• networks, security and access
• digital workplace services
• hosting infrastructure
• service, projects and enterprise advice

To support these activities, SSC requested $2.6 billion in the Main Estimates, net of $853 million in revenue.‌

With this investment, we are updating Government of Canada networks to support the hybrid workplace model. This includes improving bandwidth, implementing Wi-Fi services in buildings and using a zero-trust security model.‌

We are supporting and improving the effective design, delivery and management of secure IT infrastructure. This includes identifying and preventing malicious actors from gaining access to government networks.‌

We are also working with small departments and agencies to provide services that will contribute to improving their cyber security postures.‌

In the 2023-2024 Main Estimates, SSC decreased its reference levels by $26.9 million compared to the previous year's Main Estimates.‌

The decrease in planned spending compared to the previous year is due to the sunset or funding decrease of a number of initiatives, including funding for:‌

• the Next Generation Human Resources and Pay initiative
• the Workload Modernization and Migration Program
• the Secure Cloud Enablement and Defence Evolution
• the Departmental Connectivity and Monitoring initiative from Budget 2021
• the Mission Critical Projects from the Fall Economic Statement 2017

This is offset by an increase in funding for new initiatives, such as:‌

• the Network Modernization and Implementation Fund from Budget 2021
• the Standardization of Mandatory Network, Security and Digital Services for Small Departments and Agencies from Budget 2022

Some projects were re-profiled due to delays in awarding contracts and to impacts as a result of challenges from the pandemic and supply chain issues.‌

Honourable Senators, SSC is improving the process to prioritize IT modernization and working with departments to maximize efficient and secure service delivery, while mitigating the risks associated with legacy technology.‌

As the centralized provider of IT infrastructure and provider of cloud services for the Government of Canada, SSC plays a key role in helping departments modernize and update their IT platforms, including the use of various cloud-based services.‌

Earlier this year, we launched the Delivering Digital Solutions Together for Canada initiative to continue to advance in 4 key areas:‌

• connectivity
• hosting
• cyber security
• digital services

For each of these areas, we are building roadmaps that outline how we will collaborate with partners across the government to achieve excellence in technology and operations. This will guide our service delivery, outline our key steps and provide predictability and clarity for the future.‌

SSC will continue to increase the reliability, effectiveness and capacity of the Government of Canada IT infrastructure to support the secure, efficient and reliable delivery of critical programs and benefits to Canadians.‌

I am pleased, now, to answer your questions.‌

Shared Services Canada 2023 – 2024 Main Estimates Overview

2023 to 2024 Main Estimates Overview

• Shared Services Canada (SSC) is seeking a net decrease of $26.9 million compared to last year's Main Estimates.‌

As shown in the Departmental Plan, SSC's available funding for 2023-2024 will be $2.6 billion, net of $853.0 million in revenue.‌

• $2.2 billion in Vote 1
• $269.7 million in Vote 5
• $123.2 million in Statutory

The overall net decrease of $26.9 million is due to:‌

• ($329.3 million) decrease for changes in funding relating to multi-year initiatives and projects
• ($34.4 million) decrease for transfers

offset by

• $136.4 million increase in new funding for IT services and project
• $194.9 million increase for reprofiles from previous fiscal years
• $5.5 million increase in Statutory appropriations, and nil impact items for Vote‑Netted revenue authority

New funding – $136.4 million increase

1. A. A total of $67.4 million for the Network Modernization and Implementation Fund from Budget 2021
   • This funding will be used to meet the increasing demand for higher bandwidth for users, reduce single points of failure and promote readiness to adopt emerging technology in response to persistent digital demand.
2. B. A total of $38.4 million for the costs of providing core information technology (IT) services
   • This funding is provided to SSC as an adjustment to support costs associated with the provision of digital services to federal government employees such as mobile devices, email service, hardware (laptops, tablets) secure remote access, and necessary software.
3. C. A total of $29.3 million for the Standardization of Mandatory Network, Security and Digital Services for Small Departments and Agencies (SDA) from Budget 2022
   • This funding will be used to provide SDAs with a bundle of SSC network, security and digital services that will be enhanced by Communications Security Establishment's (CSE) suite of sensors.
4. D. A total of $1.3 million for compensation adjustments associated with collective agreements concluded for executives and senior leaders in the core public administration

Transfers between departments – ($34.4 million) net decrease

1. E. An increase of $0.9 million from Public Services and Procurement Canada (PSPC) for the reimbursement related to reduced accommodation requirements because of data centre consolidations
2. F. An increase of $0.1 million from the Treasury Board Secretariat (TBS) for the Greening Government Fund
   • This funding will be used to support a joint initiative with the TBS Office of the Chief Information Officer that aims to measure and reduce federal greenhouse gas emissions embedded in GC IT infrastructure.

3. G. A decrease of ($10.5 million) related to the GC IT Enterprise Service Model (ESM) for revenue in lieu of appropriation

   As SSC and its stakeholders are adapting to the implementation of the ESM and to ensure quality service delivery, this transfer is an extension of the 2022-2023 fiscal year agreement. This agreement recognizes that for revenue-dependent departments, a portion of the initial Budget 2021 transfer will be returned, and SSC will invoice these departments in fiscal year 2023-2024 for this amount instead:‌

   • ($7.9 million) to PSPC
   • ($1.9 million) to Innovation, Science and Economic Development Canada
   • ($0.4 million) to Immigration and Refugee Board of Canada
   • ​​​​​​​($0.3 million) to the Canadian Nuclear Safety Commission
4. H. A decrease of $7.7 million to the Department of National Defence (DND) for the continual operation of its Static Military Command and Control (C2) systems
   • Funding for these systems was included in the initial funding transfers to SSC; however, it has been determined that these systems are not within SSC's mandate. This transfer returns this funding to DND on a permanent basis.
5. I. A decrease of ($6.1 million) to the Communications Security Establishment (CSE) for the Security Information and Event Management (SIEM) project to allow CSE to operate the new Canadian Centre for Cyber Security SIEM solution components
   • The financial resources will provide CSE with support for people, process and technology development during the implementation of the solution.

A decrease of ($0.3 million) to TBS, which includes:‌

1. J. ($0.2 million) to support Financial Management Transformation
   • This funding is for SSC's contribution to the Financial Management Transformation - Digital Comptrollership Program (DCP) in support of the DCP's goal to develop, maintain, and evolve the SAP S/4HANA GC Digital Core Template business capabilities that support the GC's ongoing business.
2. K. ($0.1 million) to support the business function role and responsibilities for the GCpass Service
   • This funding is for 1 FTE and fulfills the agreement made between TBS and SSC during the planning phase of the Internal Centralized Authentication Services project, now referred to as the GCpass Service.

Vote realignment within SSC:‌

1. L. A decrease of ($10.8 million) for the realignment of funding from Vote 1 Operating to Vote 1 Personnel to support SSC's human resources requirements.
   • This will cover the costs related to the Employee Benefits Plan.
2. M. A nil net impact for the realignment of funding from the Vote 5 (Capital) to Vote 1 (Operating) of $54.4 million to support the ongoing service delivery emerging from the completion of the Mission Critical Projects.
   • As these projects continue to successfully close and transition to ongoing services, the capital requirements have diminished. This transfer will help fund operating requirements, such as ongoing costs related to these projects.

Reprofiles – $194.9 million increase

A total increase of $194.9 million for the following initiatives, which experienced delays mainly brought on by the pandemic:‌

1. N. A total of $80.6 million for the Workload Modernization and Migration Program (Budget 2021).
   • This funding will be used to continue working with partners to migrate their workloads and close legacy data centres.
2. O. A total of $64.7 million for cyber and IT security projects: Government of Canada Secret Infrastructure Expansion and Endpoint Visibility, Awareness and Security (Budget 2018).
   • This helps align funding with the revised timelines to deliver on the objectives and planned outcomes of these two projects, in support of GC secured IT requirements.
3. P. A total of $46.1 million for Mission Critical Projects (2017 Fall Economic Statement).
4. Q. A total of $3.5 million for the Innovative Solutions Canada program, which promotes the development and adoption of innovative technologies in Canada.
   • This funding is received through a Special Purpose Allotment as departments are not able to carry forward funds but can submit a reprofile request.

Other adjustments – ($329.3 million) net decrease

1. R. A number of adjustments totaling ($329.3 million) are related to multi-year initiatives and projects where funding amounts changed. These are as follows:
   • A decrease of ($130.0 million) for the Workload Modernization and Migration Program (Budget 2021).
   • A decrease of ($63.2 million) for Next Generation Human Resources and Pay (off cycle Budget 2019).
   • A decrease of ($61.1 million) for Mission Critical Projects (2017 Fall Economic Statement).
   • A decrease of ($35.0 million) for the Secure Cloud Enablement and Defence Evolution and Departmental Connectivity and Monitoring initiative (Budget 2021).
   • A decrease of ($25.8 million) for the costs of providing core IT services.
   • A decrease of ($17.7 million) for the High Performance Computing for the Environment and Climate Change Canada Project.
   • A net increase of $3.5 million for various projects and initiatives.

Statutory appropriations – $5.5 million net increase

1. S. A net increase of $5.5 million (Statutory) in the Employee Benefit Plan (EBP) mainly due to FTE increases at SSC.

NIL impact items

The following items result in a NIL (Net $0) impact on SSC's voted budgetary authorities as they have offsetting amounts between the Vote-Netted Revenues (VNR – Operating and/or VNR – Capital) and the Operating and/or Capital expenditures vote (Vote 1 – Operating and/or Vote 5 – Capital). As a result, the increases below are for revenues that will offset related expenditures incurred in the same fiscal year that the revenues are received.‌

1. T. Vote Netted Revenue (VNR):
   • An increase of $370.9 million in Vote 1 (Operating) due to continued increase in demand from partner organizations for IT investments and transformation for the GC digital government strategy.
   • An increase of $16.7 million in Vote 1 (Operating) for a technical adjustment to reflect the correct amount for fiscal year 2023-2024.
   • An increase of $60.0 million in Vote 5 (Capital) to extend the policy exemption on the Directive on Charging and Special Financial Authorities for a three-year period, from April 1, 2023, to March 31, 2026.

Hot issues

Involvement in ArriveCAN

Issue

The ArriveCAN application continues to be under scrutiny, with the Royal Canadian Mounted Police (RCMP) indicating this month (October) that it would be investigating alleged misconduct in contract outsourcing.‌

Key facts

• ArriveCAN was developed for the Government of Canada to assist with border screening measures during the COVID-19 pandemic.
• The program has been under scrutiny for its cost, effectiveness and reported errors in its functionality.

Key messages

• Shared Service Canada's (SSC) primary role was to support the operations of ArriveCAN by enabling connectivity between the cloud and data centres.
• SSC did this by:
  • enabling the application to exchange information between the cloud solution and Government of Canada (GC) data centres
  • ​​​​​​​ensuring the connections were secure and that Canadians' information was protected‌

If pressed on SSC's role in application development:

• SSC is only mandated to develop applications for its own department
• SSC supports other organizations by ensuring that the applications they develop are securely hosted in GC data centres or, if hosted in the cloud, can communicate securely with GC data centres

If pressed on SSC contract for connectivity:

• One pre-existing GC enterprise-wide contract was leveraged to provide backbone network connectivity for a value of $87,000

If pressed on RCMP Investigation:

• ‌SSC is aware of the investigation and has not been contacted by the RCMP. If the department is contacted, SSC will collaborate with the RCMP

Cyber security overview

Issue

• Explaining Shared Services Canada's (SSC) role in addressing cyber security, which is a shared responsibility with other agencies, such as the Treasury Board of Canada Secretariat - Office of the Chief Information Officer (TBS-OCIO) and the Communications Security Establishment (CSE), which holds the Canadian Centre for Cyber Security (CCCS).

Key messages

• SSC works diligently to keep networks safe, secure and accessible for Canadians
• SSC applies cyber security measures to identify and prevent malicious actors from gaining access to government networks by using firewalls, network scans, anti-virus, anti-malware, as well as identification and authentication tools and services
• Cyber security is a shared responsibility between SSC, the Communications Security Establishment (CSE), the Treasury Board Secretariat (TBS), as well as departments and agencies
• When a cyber security event occurs, SSC and its partners coordinate to determine root causes, limit impact and undertake recovery
• SSC supports the effective design, delivery and management of IT security initiatives

If pressed on current and future cyber security investments:

• The government is investing $515.8 million over 6 years for SSC, CSE and TBS to address the rapidly evolving cyber threat landscape
• The proposed funding will:
  • support cloud security at SSC
  • expand cyber security protection for small departments and agencies
  • support SSC's security information and event management system
  • modernize the government's approach to cyber security
  • support TBS's associated efforts to reinforce government cyber security
• SSC's responsibilities include government networks, email, data centres and classified IT infrastructure

If pressed on SSC's responsibility vs. that of CSE:

• Although SSC designs and manages most security systems that protect the government's IT infrastructure, CSE uses solutions>complementary solutions to supplement SSC-managed security systems.
• In short, SSCs ensure the GC is protected by state-of-the-art commercial solutions, while CSE fills the gap between commercial solutions and the most sophisticated adversaries.
• While SSC provides IT security infrastructure, CSE monitors systems and networks for malicious activities and cyber-attacks. It leads the government's operational response to cyber security events.

If pressed on any particular cyber event (Exchange Vulnerability, Log4j, Print Nightmare, Global Affairs Canada (GAC) Incident, National Research Council (NRC) Incident, etc.):

• SSC has people, technology and processes in place to safeguard systems, and it works collaboratively with TBS, CSE and departments to detect and respond to cyber threats
• When a cyber security event occurs, SSC and other partners coordinate to determine root causes, limit impact and undertake recovery
• The risk of cyber attacks is persistent and requires constant vigilance

Auditor General’s report on modernizing IT systems

Issue

• On October 19, 2023, the Auditor General of Canada tabled a report in Parliament that included a chapter on modernizing IT systems. The audit's objective was to determine whether Treasury Board of Canada Secretariat (TBS) and Shared Services Canada (SSC) have led and supported the efficient and effective modernization of IT systems across government. The audit presented 5 recommendations: 1 for SSC and 4 directed at TBS.

Key facts

• The audit found that TBS and SSC did not provide federal organizations with the leadership and support needed to modernize outdated IT. It suggests that better oversight and a concrete action plan along with a funding approach are needed to prioritize critical systems and address the challenges that may arise as modernization occurs.
• The audit noted that SSC had made some progress on modernizing the government of Canada IT, accelerated by the COVID 19 pandemic. While SSC is responsible for infrastructure, clients are responsible for their applications.
• SSC is progressing by building roadmaps outlining its work with stakeholders to achieve excellence in technology and operations.
• The roadmaps will guide SSC service delivery, key next steps and provide predictability and clarity about the future for connectivity, hosting, digital and cyber security services.

Key messages

• SSC welcomes the results of the audit and the recommendations made by the Auditor General of Canada. This audit will help the Government of Canada strengthen and improve its IT systems and hosting services.
• SSC will undertake a holistic impact analysis of legacy technology, including applications and supporting infrastructure.
• SSC will work to improve the alignment of the process to prioritize whole‑of‑government IT modernization work with the needs of partners and clients to maximize efficient and secure service delivery while mitigating the risks associated with legacy technology.

On hosting services:

• SSC is laying the groundwork for a digital future by providing our partners with secure and smart hosting solutions that are scalable and reliable so they can deliver services to Canadians efficiently
• We are modernizing IT infrastructure by closing legacy data centres and providing partners with modern hosting alternatives
• SSC provides partners and clients with reliable and scalable hosting solutions including cloud, enterprise data centres and expanded edge computing solutions that enable them to confidently deliver programs and services to Canadians domestically and abroad‌

Audit recommendation for SSC:

• SSC will conduct an impact analysis of operating legacy applications and infrastructure to increase our understanding of the implications associated with maintaining these systems
• The analysis will inform SSC's decisions, ensuring that the transition aligns with both cost effectiveness and modernization goals‌

• SSC will support the Treasury Board of Canada Secretariat (TBS) in conducting a review and prioritization exercise
• As reflected in Delivering Digital Solutions Together for Canada (Digital Together), SSC is committed to working closely with partners and clients towards shared modernization goals
• SSC recognizes the need for efficient and cost-effective modernization and will identify and prioritize initiatives that respond to the Government of Canada's priorities, while aligning with digital modernization goals and our enterprise approach
• SSC has, and continues to, collaborate with partners and TBS to advance modernization goals and ensure that outdated IT systems across government are replaced by modern, stable hosting solutions, as demonstrated through programs such as Application Modernization and Workload Migration
• As of June 30, 2023, SSC has closed 450 legacy data centres out of the original 720, facilitating a modern, agile and secure digital government that meets the expectations of Canadians

If pressed on fiscal responsibility:‌

• SSC takes fiscal responsibility seriously and supports partners and clients in delivering their programs and services to Canadians by providing secure, modern and reliable IT infrastructure.
• While SSC is responsible for the infrastructure referenced in the recommendation, it is important to note that partners and clients are responsible for the applications that run on SSC infrastructure. This division of responsibility is crucial for fiscal accountability.
• SSC recognizes that some legacy applications and infrastructure must remain in legacy data centres due to current operational and program requirements. SSC will work with TBS to determine an optimal modernization strategy for these on a case-by-case basis.

Background

Recommendation directed to SSC:

SSC should:‌

• analyze the financial and non-financial impacts of continuing to operate legacy applications and infrastructure instead of migrating modernized applications to new or modernized infrastructure
• in coordination with TBS and partner departments and agencies, undertake a review and prioritization exercise (including estimated timelines and budget) to modernize and migrate legacy applications to new supporting infrastructure and close the remaining legacy data centres

Shared Services Canada Management response:‌

• SSC agrees with this recommendation.
• SSC will undertake an impact analysis focused on legacy technology as a whole, including applications and supporting infrastructure.
• This analysis will be the foundation upon which SSC will engage partners on the planning and prioritization of workload modernization. The department proposes to utilize the Workload Migration Program methodology to develop business cases for the strategic closure of data centres when it is cost effective and aligned with the modernization agendas of partners. This methodology represents a concerted approach to modernization that has proven to be effective and sensitive to the complexity of these initiatives.
• This audit is a follow up to the 2010 Auditor General Report on Aging Information Technology Systems.
• In 2011, SSC created and given the responsibility for modernizing and consolidating technology infrastructure across the government.
• In 2013, TBS introduced the Application Portfolio Management software to monitor and track the state of applications within departments and agencies.
• In 2021, the Government of Canada Digital Operations Strategic Plan focuses on modernizing the way government replaces, builds and manages major information technology systems.

Outsourcing information technology services

Issue

Media reports have focused on the year-over-year increase in general outsourcing by federal departments.

Key messages

• SSC works to ensure the operation of secure, modern and reliable government information technology (IT) infrastructure and systems.
• SSC has established a robust process to assess all potential options for delivery. This process focuses on best practices, existing capacity and solutions to determine whether:
  • the solution can be built and operated in-house
  • commercial solutions should be included
  • external expertise is needed to achieve the desired outcome
• Accessing some services and technologies through contracts enables SSC to provide effective digital solutions and services that are aligned with global best practices.
• Providing access to services and technologies best delivered by industry allows SSC to provide secure and cost-effective solutions to meet the needs and expectations of a digital government
• In doing so, SSC is able to leverage large-scale investments that industry has made in other public sectors and private markets to obtain cost-effective, secure and reliable off-the-shelf products and highly specialized solutions

If pressed on management consulting:

• SSC is committed to providing high-quality services to Canadians while ensuring the best value for taxpayers. The procurement of professional services, including management consulting services, is sometimes needed to acquire special expertise.
• Work performed by management consultants is diverse and can include providing advice on SSC's technology roadmaps, performing a third-party review on a business case, providing support to SSC in developing processes or supporting tools for SSC enterprise services.
• SSC exercises due diligence when contracting for goods or services. All contracts are issued in accordance with the Treasury Board policies, as well as regulations, guidelines and procedures.

If pressed on reasons for outsourcing technologies:

• SSC outsources access to technology where it would be more costly to deliver it directly. Satellite services are an example of a highly specialized domain where industry excels and the technology is better delivered by the private sector.
• Another example is the contract for the High-Performance Computing solution that Environment and Climate Change Canada uses to generate environment and weather forecasts, advisories and warnings. This is an example of a highly specialized domain that would cost more if delivered internally.

If pressed on reasons for outsourcing work:

• SSC uses temporary professional services for specialized IT expertise from the industry to complement its internal capacity and support programs and projects that have defined periods and require surge capacity for delivery.
• SSC is committed to managing industry resources responsibly without compromising the planning and execution of its time-limited programs and projects.

Supply chain integrity

Issue

• Concerns have been raised regarding the presence and/or access to the Canadian market of information and communication technology (ICT) products manufactured by Chinese-owned entities. There are claims that some of these entities have direct ties to the Chinese government. For example, companies such as TikTok, Huawei and Lenovo are often mentioned.

Key facts

• A number of departments and agencies play a role in cyber security, including the Treasury Board of Canada Secretariat (TBS), the Communications Security Establishment (CSE), Shared Services Canada (SSC), Public Safety Canada (PS), the Royal Canadian Mounted Police (RCMP), the Canadian Security Intelligence Service (CSIS) and the Department of National Defence (DND).
• All departments and agencies have a responsibility to ensure cyber security within their organization. TBS, SSC and CSE are the primary stakeholders with responsibility for ensuring the government’s cyber security posture is effective and able to respond to evolving threats.

Key Messages

• The Government of Canada takes the security and privacy of its network infrastructure and any devices that access it very seriously
• SSC conducts a supply chain integrity (SCI) review with support from the CSE for all IT purchases
• This assessment ensures the security of the Government of Canada’s (GC) IT infrastructure

If pressed on the Supply Chain Integrity Review:

• SSC relies on the CCCS (part of CSE) as the government centre of excellence of the SCI review function
• The SCI function, implemented in 2012, ensures that the goods and services purchased are as safe from cyber security threats as possible
• SCI applies to procurement in 4 areas: email, data centres, networks and workplace technology devices (such as laptops, printers and cellular devices)
• Not only are these areas essential to the operation of government, but they are also the main targets of cyber threats
• SSC will continuously work to enhance cyber security in Canada by collaborating across government to prepare for all types of cyber incidents

If pressed on TikTok:

• TikTok was deemed by TBS's Deputy Minister and Chief Information Officer of Canada as a risk to the privacy and security of government information
• SSC, which manages GC smartphones, blocked the application per this direction in February 2023

Background

• On June 6, 2023, an article, “Faut-il avoir peur des appareils Lenovo ?” was published in La Presse.
• The news article states that the Government of Canada has not banned equipment from Lenovo.
• The Communications Security Establishment (CSE) is quoted in the article. CSE confirmed that the Government of Canada has not banned equipment from Lenovo and mentions that they evaluate equipment on a case-by-case basis.
• TBS provides strategic oversight of government cyber security event management.
• SSC provides IT security infrastructure (designs, deploys and operates). In conjunction with TBS and CSE, SSC also provides security and privacy by design as part of the establishment of new services. The security of goods and services is evaluated during the procurement process by CSE and SSC.
• CSE houses the Canadian Centre for Cyber Security (CCCS) which monitors systems and networks for malicious activities and cyber attacks and leads the cyber event operational response.
• Public Safety Canada (PS) leads national cyber security policy and strategy.
• The RCMP is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin against GC infrastructure.
• CSIS is responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists.
• DND/Canadian Armed Forces is responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems.
• On February 27, 2023, the TBS Deputy Minister and Chief Information Officer of Canada announced that, pursuant to their responsibilities under section 4.4.1.9 of the Policy on Service and Digital, the DM and CIOC directed that the TikTok application be blocked on GC devices as of 5 pm ET on February 27, 2023. This decision was made after a review of the behaviour of the application as it relates to our privacy and security standards and impacts all organizations subject to the Policy on Service and Digital.
• SSC, which manages GC smartphones blocked the application per this direction on February 27, 2023.

Other

Shared Services Canada’s (SSC) 2023-24 Departmental Plan

Issue

SSC’s 2023-24 Departmental Plan was tabled on March 9, 2023. The Plan details the department’s mandate, priorities and resources for the upcoming fiscal year.

Key facts

N/A

Key messages

• SSC is responsible for operating and modernizing the Government of Canada's (GC) Information Technology (IT) infrastructure, which is the backbone of a digital government. SSC is supporting a digital government by improving digital services, accelerating modernization and strengthening the support for tools and networks.
• An enterprise approach is key to the success of digital government in keeping up with new technologies and managing emerging risks. It simplifies IT maintenance and operations and allows for continuous improvement while reducing overall costs.
• Over the coming year, SSC will focus on strengthening the foundational pieces of IT infrastructure to support a hybrid workplace and enhance security.
• SSC has identified 4 key areas for 2023-24 that will focus on the needs of its partners, embedding security throughout and strengthening the enterprise.
• These key areas are:
  • networks, security and access
  • digital workplace services
  • hosting infrastructure
  • service, projects and enterprise advice

If pressed on the hybrid workplace:

• SSC is adapting GC networks to support the hybrid workplace model. Key network and security updates include improving bandwidth, implementing Wi-Fi services in buildings and using a zero-trust security model.

If pressed on cybersecurity:

• SSC will outline a cybersecurity strategy to set direction for the evolution of cybersecurity capabilities within SSC-managed IT infrastructure. This will provide an accurate view of the security landscape across the SSC-managed infrastructure.
• This strategy will also allow SSC to make informed decisions on investments and actions to mitigate threats. Once completed, SSC will oversee the implementation of this strategy.
• SSC is working with small departments and agencies to extend a mandatory subset of its services that will contribute to improving their cyber security postures.

If pressed on cloud services:

• As the centralized provider of IT infrastructure and provider of cloud services for the GC, SSC plays a key role in helping departments modernize and update their IT platforms, including the use of various cloud-based services.
• The updated GC Cloud Adoption Strategy outlines how SSC plays a key role in helping departments choose the most appropriate hosting model.

If pressed on enterprise IT service management:

• SSC uses an enterprise-wide approach to IT service management, which includes implementing and managing IT services for partners. The objective for SSC is to fully integrate IT services with its partners based on the adoption of a common digital solution.

If pressed on procurement:

• SSC developed an agile contracting framework to carry out procurement projects that will result in better contract outcomes.
• This framework will also result in faster delivery, better use of private sector expertise and will more effectively meet the needs of the end user.

If pressed on the department's expenditures and revenues:

• Planned spending for 2023-24 is $2,591,969,423:
  • The decrease from 2022-23 forecast spending to 2023-24 planned spending is due to the sunset or decrease in funding of a number of initiatives. This includes funding for the Next Generation Human Resources and Pay initiative, the Workload Modernization and Migration Program, as well as the Secure Cloud Enablement and Defence Evolution, the Departmental Connectivity and Monitoring initiative from Budget 2021, and mission critical projects from the 2017 Fall Economic Statement.‌
  • This is offset by an increase in funding for new initiatives such as the Network Modernization and Implementation Fund from Budget 2021 and for the Standardization of Mandatory Network, Security and Digital Services for Small Departments and Agencies from Budget 2022.
• Planned full-time equivalents (FTE) for 2023-24 is 8,370:
  • The FTE increases throughout the fiscal years are mainly due to additional positions that were created to respond to the increase of demand for services.
  • SSC as a service provider continuously optimizes available resources to respond to the demand for its services.
• SSC is required to provide specialized IT services to its partners and clients. The 2023-24 planned revenues of $853.0 million represents the vote-netted authority for SSC, which enables the department to re-spend the revenues received, offsetting the expenditures arising from their provision in the same fiscal year.

2022-23 Departmental Results Report

Issue

• The President of the Treasury Board will table Shared Services Canada’s (SSC) 2022-23 Departmental Results Report (DRR) in Parliament the week of October 23, 2023 (tbc). This report provides details on SSC’s mandate, commitments and results achieved in 2022-23.

Key facts

• N/A

Key Messages

• SSC provides the IT infrastructure — reliable and secure networks, digital tools and modern hosting solutions –– which is the foundation for digital transformation.
• SSC had many accomplishments in 2022-23 as it played a key role in supporting the shift to a hybrid workplace for thousands of employees. Results achieved in 2022-23 that support employees in a hybrid work environment include:
  • Upgrading 85% of Government of Canada (GC) sites with low bandwidth
  • Establishing a new GC Networks Hub in Vancouver for employees in the West and Northwest
  • Combining numerous networks into 3 network contracts
  • Migrating departments to a consolidated cloud-based email system
• SSC's enterprise approach allowed for the continued secure, efficient and reliable delivery of critical programs and benefits to Canadians.
• The Departmental Results and associated Result indicators have been updated for next fiscal year to better reflect SSC's current operating model. This will improve visibility and provide a more precise picture of the department’s performance.

If pressed on enterprise achievements:

• Closed 52 small- and medium‑sized legacy data centres following workload migrations to modern hosting solutions
• Onboarded 26 departments to the Secure Cloud to Ground environment, including 6 that have been onboarded to multiple cloud service providers
• Upgraded network capacity and added redundancy to improve reliability for the Montréal and Toronto GC Networks Hubs
• Extended a mandatory subset of services to 8 small departments and agencies to strengthen their security posture.

If pressed on expenses and revenues:

• Expenses for 2022-23 were $83‑million higher than planned (planned: $3,467 million; actual: $3,551 million). This is compared to $3,342 million in total expenses for 2021-22.‌
  • Salaries and employee benefits represented the largest portion of expenses, followed by telecommunications expenses and rental expenses. These represent SSC's 3 major expenses for 2022-23.
• Revenues for 2022-23 were $104‑million higher than planned (planned: $787 million; actual: $892 million). This is compared to $947 million in total revenues in 2021-22.
  • Of these revenues, the majority are re-spendable revenues related to IT infrastructure services that SSC provides to departments and agencies on a cost-recovery basis.

If pressed on the Next Generation Human Resources and Pay initiative:

• In 2022-23, SSC was the functional and technical authority responsible for Phase 1, which included the design, exploration and testing of potential solutions from HR and pay industry experts.
• Public Services and Procurement Canada (PSPC) is now the functional authority for the Next Generation HR and Pay initiative as it begins Phase 2: Recommendation and Investment Decision.
• Work is now under way on a final findings report on the results of the solution testing. The final report will inform a recommendation to the GC.
• Treasury Board of Canada Secretariat's (TBS) Office of the Chief Human Resources Officer is the business owner of the Next Generation Human Resources and Pay initiative.

Background

• N/a

Auditor General Report on the cyber security of personal information in the cloud

Issue

In November 2022, the Auditor General of Canada tabled a report in Parliament that included a chapter on the cyber security of personal information in the cloud. Shared Services Canada (SSC), Public Services and Procurement Canada (PSPC), the Communications Security Establishment (CSE) and the Treasury Board Secretariat (TBS) were in scope. The audit presented 5 recommendations: 4 directed at TBS and 1 recommendation made jointly to SSC and PSPC. In March 2023, SSC appeared before the Standing Committee on Public Accounts (PACP), alongside TBS and the CSE, to address questions stemming from the audit. The Committee was satisfied with SSC’s progress and encouraged the department to pursue planned measures, including guardrail automation.

Key facts

• The audit highlighted the following:
  • There were weaknesses in departments' controls for preventing, detecting and responding to cyberattacks.
  • The roles and responsibilities for ensuring cloud cyber security were unclear and incomplete.
  • TBS did not provide departments with a costing model or funding approach for cloud services.
  • PSPC and SSC did not include environmental criteria in their procurement of cloud services.
• SSC enables smart cloud adoption across departments so they can harness the benefits of cloud technology by providing:
  • an easy and secure access to cloud services
  • a secure network connection between government applications hosted in the cloud and government data centres
  • operational guidance and support
• A number of strict security requirements, including cloud guardrails, must be met before departments can begin to store data in the cloud.
• At the time of tabling, SSC had initiated the development of automated guardrail validation, allowing SSC to consistently and accurately report on guardrail compliance to TBS.
• SSC began a phased GC-wide roll-out of the automated guardrail validation in fall 2023. The roll-out is being done in phases and will be complete by April 2024.In the interim, the manual process has remained in effect.
• PSPC and SSC are aligning on the Government of Canada (GC) approach to cloud procurement. Cloud procurement templates have been developed, which include standard contract clauses and sustainability terms for cloud service providers.
• SSC has also worked with TBS as they implement their Management Action Plan in response to this audit.

Key messages

• ​​​​​​SSC accepted the recommendations made by the Auditor General. The findings of this audit have helped SSC strengthen its operating framework for cloud services.
• Protecting the government's systems and information is a shared responsibility across 3 organizations: the CSE through the Canadian Centre for Cyber Security, TBS's Office of the CIO (TBS-OCIO) and SSC. Collectively, this group is committed to a whole‑of‑government vision and plan for cyber security.
• The GC has a critical role to play in protecting the information of Canadians. It has implemented an approach to managing security risks in the cloud that safeguards Canadians data and privacy through a series of policy instruments that guide departments as they adopt cloud services.
• SSC is aware that threats and vulnerabilities continue to arise. While departments are obliged to meet security requirements prior to storing data, continuous guardrail monitoring must be an ongoing process.

If pressed on cloud procurement:

• SSC provides access to 8 cloud service providers (CSPs) who were pre‑vetted based on security and other requirements.
• These Framework Agreements provide departments with standardized terms and conditions, and cloud services that have been assessed by the Canadian Centre for Cyber Security and the Contract Security Program.

If pressed on cloud security:

• The protection and privacy of the GC data stored and processed in the cloud is a top priority for SSC.
• Measures are in place that enforce where data resides and how it is controlled.
• Processes are in place to ensure that specific security requirements and standards are met when awarding cloud contracts.
• To securely consume cloud services, each department must implement and maintain specific security guardrails.
• SSC actively monitors adherence to security requirements.

Background

Proportionately, cloud represents a small percentage of application hosting solutions. Over 90% of all applications are hosted in GC managed data centres, with the remaining in the cloud.‌

SSC acts as a centre of excellence for cloud services across the government, providing technical expertise and tools to guide customers.‌

The Auditor General undertook this audit because:‌

• Information stored digitally, whether on-premises in data centres or in the cloud, is exposed to risks of being compromised.
• Departments are increasingly moving software applications and databases into the cloud, including some that handle or store Canadians' personal information. Departments must work together to protect this information from a number of risks, including cyber attacks.
• Cyber security breaches are on the rise and strong controls to prevent, detect and respond to them can reduce the risk of breaches.

Delivering Digital Solutions Together for Canada

Issue

• Shared Services Canada (SSC) has a new strategic direction and implementation approach that will drive operational activities to modernize the Government of Canada (GC) information technology (IT) ecosystem and implement new capabilities.

Key facts

• N/A

Key messages

• SSC's Delivering Digital Solutions Together for Canada initiative focuses on simplifying operations, leveraging common solutions, and implementing modern capabilities so organizations can efficiently deliver services to Canadians.
• The approach will provide secure and reliable digital connectivity and hosting services that allow public servants to work collaboratively and seamlessly across the GC to serve Canadians.
• Implementation will use roadmaps to orient the department and stakeholders toward our common destination: to modernize the delivery of programs and services to Canadians.

If pressed on timing of the initiative:

• Since 2019, SSC has been guided by a set of core principles that emphasize a whole-of-government approach to managing and improving the IT ecosystem.
• This has been an effective way to deliver services and to orient departmental operations toward an enterprise model.
• The need to continue evolving and building is driven by the post-pandemic hybrid work environment, ongoing technological changes and the growing expectation from Canadians to receive services digitally.

If pressed on next steps:

• Delivering Digital Solutions Together (Digital Together) for Canada is focused on sharing clear and transparent plans in all core areas of business.
• SSC will continue to develop and refine its Digital Together activities through engagement with government stakeholders, including the Treasury Board Secretariat Office of the Chief Information Officer, deputy heads and departmental chief information officers.
• SSC will also leverage engagement with external stakeholders and industry partners to create opportunities to collaborate on developing solutions that will meet the needs of the government.

Background

• As part of its mandate to consolidate and standardize IT infrastructure for the GC, SSC has continued to evolve and improve how it provides shared IT services to its partners and clients.
• Today, the post-pandemic hybrid work environment, ongoing technological changes, and the growing requirement to deliver services digitally are all driving the need to continue evolving our approach while building on the successes and lessons learned over the past 4 years.