Standing Committee on Public Accounts Auditor General’s Report on Canada Revenue Agency Contact Centres

Opening statement

Scott Jones
President
Shared Services Canada

Ottawa, Ontario
October 28, 2025

Thank you, Mr. Chair, for the opportunity to discuss the Auditor General’s Report on Canada Revenue Agency (CRA) contact centres.

I am accompanied by Kristin Brunner, Assistant Deputy Minister, Digital Services Branch; and Scott Davis, Assistant Deputy Minister and Chief Financial Officer (CFO).

Before we begin, I would like to acknowledge that we are on the traditional, unceded territory of the Algonquin Anishinaabe People.

Introduction

Shared Services Canada (SSC) welcomes the Auditor General’s findings. They help us continue to improve and support vital service delivery to Canadians.

SSC agrees with the recommendations; many have already been implemented and we are working to address the remaining items.

SSC provides essential IT services to departments and agencies that enable secure connectivity, cyber security, hosting and digital services.

I am very proud of our dedicated teams that work 24/7 to ensure secure, reliable digital services.

Since its creation, SSC has worked relentlessly to modernize IT infrastructure the while consumption of our services skyrocketed.

Today, SSC is at the forefront of driving digital transformation for the government.

Contact centres

Part of our work is to provide technology solutions for roughly 220 contact centres for our partners across government. They vary in size and complexity based on our partners’ business needs, such as consumption, infrastructure and capabilities.

They support major programs like Employment Insurance, Old Age Security and the Canada Pension Plan, as well as smaller programs like Transport Canada’s Marine Safety and Security program.

Every day, these systems route calls to thousands of agents across the country who have the right expertise to respond to questions.

Demand can fluctuate rapidly, requiring a scalable and flexible infrastructure to adapt quickly to changing circumstances. Contact centres are built on technologies that continue to evolve rapidly, as do industry business models.

I am proud that the contact centres are stable and reliable, without a major outage since 2021.

It is important to note that while SSC is responsible for administering the contract— providing the IT infrastructure for contact centres—our partners decide what features to enable, which results in higher costs.

Current contract

The Auditor General’s report examined a contract awarded over a decade ago, in 2015, long before modern cloud services existed.

I would like to take the opportunity to clarify the contract currently in place.

The $50-million minimum is not and was never an estimated contract value. This is a mischaracterization and paints an inaccurate picture. A minimum commitment provides assurance to the vendor that they can recoup their initial set-up investment.

At the request of the government, the vendor set up multiple data centres and ensured redundancy to meet the requirements of SSC’s 2 primary partners, CRA and Employment and Social Development Canada.

This competitive contract is within budget. As of June 2025, the total cost for the first 10 years of the contract is $190 million. SSC’s total procurement authorities for this contract are $300 million.

The contract’s performance was regularly reviewed and monitored internally and by departments. Amendments that increased the overall value of the contract reflected increased usage by CRA, added features to support agents and other business requirements from our partners.

SSC has a well-established process in place to validate invoices and rigorous internal reviews by our Chief Financial Officer Branch. We are transparent and collaborative with our partners about billing.

In short, the government has paid about $20 million per year to operate the 8 largest contact centres in the GC. SSC now supports 13 contact centres through this contract. These are some of the largest and most complex contact centres in government.

Mr. Chair, SSC is also using this service for its own help desk. I can assure you that the GC has received good value for money spent.

The Auditor General also mentioned that she will audit this contract. We welcome this opportunity to work with her and her team, and I am confident that we will demonstrate our sound management, comprehensive reporting and monitoring.

New contract responds to Auditor General’s findings

SSC has actively worked with industry and our partners, including CRA, to apply lessons learned in awarding a replacement contract in July 2025.

The new contract addresses the Auditor General’s key findings pertaining to SSC with 3 key features.

First, it includes stronger financial oversight and clearly defined roles for SSC and CRA.

The new contract replaces custom requirements with standard commercial services. Government discounts are applied to the vendor’s public catalogue, which simplifies financial management and improves transparency.

Second, the OAG report noted that SSC could not clearly define CRA’s individual usage on our bill—SSC had been receiving a single invoice for the GC’s total consumption.

With the new services, this is significantly improved. SSC established a separate contract for CRA, which will provide CRA with improved usage reporting and cost tracking.

Finally, while the old contract defined the specific features of the service when it was signed, the new contract gives CRA access to the full range of current and future commercial features offered by the vendor, including more autonomy to deploy and manage features as their needs evolve without reopening the contract.

These improvements are important and reflect the model by which SSC works iteratively with partners like CRA, refining service offerings to fit the service and stewardship objectives of the government.

Additional benefits of the new contract

And there are many other benefits with this new contract.

It provides a commercial solution to manage client interactions across multiple channels, including phone, email and chat, that helps serve Canadians when and how they wish.

The existing contract uses what we call “on-premise” technology. That means that the vendor purchased hardware infrastructure that is hosted in a data centre and dedicated to this program’s use.

When we want to add capacity, new features or contact centres, that might mean we need to procure more hardware or additional space in the data centre. This takes time and makes it cumbersome to pivot during surges like tax season.

The new contract uses a modern “cloud” platform. That means capacity can be switched on—or switched off—rapidly. It is elastic and adaptable to CRA’s needs.

This new solution will help improve the services that CRA provides to Canadians.

Conclusion

Mr. Chair, reports from the Auditor General are an important tool to hold us accountable and assure Canadians that the government is properly run.

SSC is committed to this and will continue to drive efficiencies across government, creating savings and value for taxpayers.

We will also collaborate with the OAG on the audit of this contract.

Thank you for your attention. I’d be pleased to answer your questions.

New call centre contract

Issue

• In July 2025, following a formal procurement process, in close collaboration with Canada Revenue Agency (CRA), Shared Services Canada (SSC) awarded a five-year contract (with one five-year option) to Bell Canada for its Genesys Cloud CX platform, a Contact Centre as a Service (CCaaS) that will replace the Hosted Contact Centre Service (HCCS). Contracts are in place for CRA, Employment and Social Development Canada (ESDC); other departments can be added.

Key messages

• SSC applied lessons learned from the current HCCS contract to procure a new contact centre solution.

Issues with Old HCCS Contract

1. Awarded in 2015, way before modern cloud services existed.
   • Solution in New CCaaS Contract: Uses modern cloud technology and business models to improve service and reduce costs.
2. Relied on on-premises infrastructure, requiring physical space and hardware to increase capacity, which is costly and time-consuming.
   • Solution in New CCaaS Contract: Uses cloud services with scalable capacity that can be switch on/off and consumed only when needed.
3. CRA could not tailor requirements directly with the service provider; SSC had to be involved.
   • Solution in New CCaaS Contract: CRA can now tailor requirements directly with the provider, enabling faster adaptation to changing needs.
4. Government was invoiced for total platform usage across departments. SSC had to manually break down partner costs based on their individual usage.
   • Solution in New CCaaS Contract: Separate contracts for each department with improved billing and data tracking, enabling better validation of the bills.
5. Used custom government requirements and pricing models, leading to complex interpretation and management.
   • Solution in New CCaaS Contract: Uses standard commercial services and public pricing, simplifying contract management.
6. Usage-based billing, meaning that the government only paid for what it was using. It also required one-time infrastructure investments to increase capacity.
   • Solution in New CCaaS Contract: Will continue to only pay for what the government is using, but no infrastructure investments are needed to scale capacity as the solution in based in the cloud.

If pressed on

If pressed on data sovereignty

• The new contact centre solution provided by Genesys, under the Bell contract, will be hosted in data centres in Montreal.
• This will ensure that Canadian’s data will be under sovereign control.

Performance requirements

Issue

• The Auditor General’s report on Canada Revenue Agency (CRA) Contact Centres found that the performance penalties in the contract were not applied, real-time queue updates were not provided and the workforce management module required manual input, resulting in 180,000 emails sent for the purpose of managing hours of work.

Key messages

• The contract was structured so that a wide range of features were available for purchase and could be added without needing to re-open/renegotiate the contract. This has provided great flexibility to departments and allowed them to evolve their contact centre solutions based on their business requirements.
• Approximately half the features available under the contract were implemented. Features that were not needed by CRA were not activated and not paid for. Other features were added over the life of the contract, resulting in contract amendments.
• Some of the Auditor General’s concerns involve the CRA’s business model, which the Agency itself is best placed to explain.

If pressed on

If pressed on service credits

• While the potential of applying service credits (i.e. penalties) was examined with our legal services, they were ultimately not pursued due to differing interpretations.
• The previous contract was replaced to enhance services to Canadians, and had included unique requirements for the Government of Canada. Some of these were beyond the capabilities of the vendor's commercial off-the-shelf products, requiring additional work between the vendor and the client and resulted in performance issues. Due to these specialty requirements, SSC did not pursue performance penalties. However, when performance issues were identified, the vendor took corrective action and resolved them.
• These issues were addressed in the new contract by using standard commercial terms, which reduce ambiguity and simplify management.

If pressed on manual workforce management

• Schedule adherence measures an agent’s actual activities against their planned schedule.
• CRA established the agent adherence target in the system. They also established a manual process to adjust agent adherence so as not to penalize agents when circumstances arose beyond their control. This was a business decision taken by CRA.
• The current workforce management solution was tested and accepted by CRA. SSC is not aware of any CRA request for changes to the functionality.
• CRA is best placed explain the design of their business model.

If pressed on feature availability

• SSC’s position is that the features and functionalities outlined by the Auditor General, are available and either are in use or could have been implemented at the request of departments.

If pressed on real-time queue updates

• The Hosted Contact Centre Service (HCCS) technology is functioning properly as per the design which is based on CRA’s requirements. The solution was tested and accepted by CRA. SSC works with departments to ensure that the contact centre technology supports their business requirements. SSC is not aware of any request from CRA to provide real-time queue position updates.
• CRA is best placed to comment on the design of their queue management.

Invoice validation

Issue

• The Auditor General’s report on Canada Revenue Agency (CRA) Contact Centres reported “limited validation of vendor invoices” and that neither CRA nor Shared Services Canada (SSC) could confirm whether invoices were accurate.

Key messages

• Vendor invoices under the contract were for the total cost of all departments using the platform. SSC used vendor consumption reports to determine the costs applicable to each the specific department.
• SSC evaluated the accuracy of vendor billing and consumption reporting before the system was launched to ensure accuracy.

If pressed on

If pressed on price increases

• The vendor mistakenly billed a feature annually instead of monthly. The correction resulted in a cost increase for SSC. The vendor did not seek to retroactively charge SSC.

Contract amendments

Issues

• The Auditor General’s report on Canada Revenue Agency (CRA) Contact Centres reported that feature price increases were accepted and that the contract had a minimum guarantee of $50 million. $190 million has been spent to date.

Key messages

• The $50 million minimum was never a total estimated contract value but rather the minimum commitment for the vendor to be assured they would recoup their initial infrastructure and set-up investment. Once consumption began, service orders were placed and the contract value was amended accordingly.
• The contract is within its budget. As of June 2025, total one-time costs and forecasted monthly costs for the first 10 years of the contract is $190 million. SSC’s procurement authorities in this space are a maximum of $300 million.
• The government only paid for the features and consumption that it used.
• Increases to the contract value reflect increases in CRA usage in order to meet the agency’s business requirements. This was determined by CRA over time, including exercising option years, adding new contact centers, increasing use or capacity in the pandemic, and was not a change in pricing.

If pressed

If pressed on increased contract spending

• Not all features available under contract were initially activated. Some were added later, resulting in contract amendments. This allowed the service to address the evolving need of the department.
• Rather than award a full estimated contract value at the outset, SSC took the best practice approach of awarding smaller service orders in increments, based on predictable consumption and feature implementation forecasts. This put in place controls and gating to ensure that the contract and spending was regularly reviewed internally and with our partners. Amendments increasing the overall value of the contract were simply a reflection of the service orders as consumption took place.
• In 2017, SSC’s President approved the contract against a total forecast of $190 million over the firm contract years (October 2017 – 2025). SSC is right on budget with its spending against the original forecast.

Shared Services Canada Government Transformation

Issue

As the Government of Canada’s common information technology (IT) services provider, Shared Services Canada plays a central role in driving government transformation and creating government-wide efficiencies—in close collaboration with the Treasury Board of Canada Secretariat’s Office of the Chief Information Officer and Public Services and Procurement Canada.

Key facts

• N/A

Key messages

• The Government of Canada is committed to transformation—to increasing government productivity while reducing the cost of operations. A more effective and efficient government will result in improved program and service delivery to Canadians
• As a common services provider to departments and agencies across government, Shared Services Canada is uniquely positioned to drive efficiencies across the enterprise, creating important savings
• Shared Services Canada also supports the government’s broader digital transformation agenda through partner-led projects and initiatives, including Benefits Delivery Modernization; ongoing work to improve human resources and pay for federal public servants; and enabling the Department of National Defence to modernize their systems to support the Canadian Armed Forces at home and abroad
• Shared Services Canada has, for many years since its creation, sought efficiencies in its internal operations in order to identify funds for reinvestment in the Government of Canada’s digital transformation
• Aligned to the Government of Canada priority to modernize the way government procures goods and services, Shared Services Canada is reviewing all aspects of its IT procurement, including by undertaking benchmarking, prioritizing Canadian vendors and sovereign infrastructure and services, and ensuring best value for Canada
• Shared Services Canada is also enabling artificial intelligence (AI) deployment by the Government of Canada, increasing productivity, innovation, sovereignty and security, while creating a more efficient and effective public service. SSC’s AI toolbox includes generative-AI tools, AI-powered chatbots and process automation to accelerate routine tasks so employees can focus on creativity, problem-solving and human judgment
• Shared Services Canada has fine-tuned large language models on Canadian content and is working with Canadian vendor Cohere and others to explore opportunities to deploy technologies across the Government of Canada to enable departments and agencies to transform their operations using AI

If pressed on cost savings:

• Over the summer, the Department of Finance launched the Comprehensive Expenditure Review (CER), in order to reduce operating expenditures by 15% by 2028-29
• Shared Services Canada is streamlining the management of devices and software by centralizing procurement and operations. This approach simplifies lifecycle management and achieves considerable efficiencies
• For example, replacing siloed back-office tools will reduce duplication, saving $250 million over 7 years, while modernizing 145 legacy data centres saves $25 million annually

Background

Shared Services Canada is responsible for modernizing, securing and managing the IT infrastructure that supports departments and agencies. This ensures reliable and effective service delivery to Canadians, both domestically and abroad.

The Treasury Board of Canada Secretariat’s Office of the Chief Information Officer sets government-wide direction for data, IT, cyber security and service management, while individual departments and agencies remain responsible for their own applications and data.

Artificial intelligence

Issue

• Artificial intelligence (AI) is considered a foundational technology, which stands to propel significant social and economic change. Shared Services Canada (SSC) is exploring how to use new technologies like AI to support government work.

Key facts

• N/A

Key messages

• By scaling the use of AI across departments and agencies, the Government of Canada (GC) will drive government transformation and support a more efficient and effective public service.
• SSC is building foundational tools in-house instead of outsourcing them. This lowers costs and keeps knowledge within government.
• SSC has fine-tuned large language models (LLMs) on Canadian content to ensure that AI tools reflect Canadian context, values and priorities. SSC’s AI chatbot, CANChat, is a safe place for public servants to use AI without danger of falling into unauthorized hands, and it is trained on Canadian data and hosted on government-accredited infrastructure.
• SSC is leading the GC’s AI transformation by developing secure tools like CANChat. Furthermore, by enabling public servants to safely use generative AI and advancing procurements for sovereign AI platforms, SSC is building an AI toolkit to support public servants in their work and enhance their productivity.
• SSC is in the process of launching a government-wide procurement of generative AI tools that integrate with office productivity suites such as Microsoft 365. There are currently 5 qualified respondents that are expected to submit bids, 3 of which are Canadian.
• Ahead of the final solicitation, pilots will be coordinated across the GC to assess the capabilities of these tools.
• SSC is also building the infrastructure and skills needed to support AI adoption, including making commercial AI tools available, creating an AI marketplace for sharing resources and helping establish a secure supercomputing facility for research and national security.
• SSC operates the AI Centre of Excellence (AICoE), supporting departments and agencies in applying AI, sharing best practices, contributing to policy development and fostering collaboration through peer reviews and working groups.
• The GC is committed to ensuring the responsible use of AI and ensuring it is governed with clear values, ethics and rules.

If pressed on

If pressed on jobs

• AI is meant to support the work of public servants, not replace them. It can assist with routine and repetitive tasks so employees can focus on work that needs creativity, problem-solving and human judgment.
• This can increase agility, efficiency and retention by automating routine and time-consuming tasks.

If pressed on implementation

• SSC is piloting its first application, CANChat, with departments and agencies this year, with strengthened security (Protected B).
• Over the next 2 years, SSC is set to launch an AI marketplace, enabling the sharing of models, applications and services across the government.

If pressed on sovereignty

• The GC recently signed a Memorandum of Understanding with Cohere Inc. to explore opportunities for AI deployment in internal government operations and bolster digital sovereignty through a made-in-Canada digital and AI ecosystem.
• SSC is also exploring Canadian service providers’ capacity to deliver sovereign cloud services and AI computing solutions.

Background

To guide the responsible use of AI, the Treasury Board of Canada Secretariat released key resources, including the Directive on Automated Decision-Making, the Guide on the use of generative artificial intelligence and the Algorithmic Impact Assessment tool.

Digital sovereignty

Issue

Digital sovereignty ensures a country retains control over its digital infrastructure, data and critical technologies. This protects national security, supports economic competitiveness and allows the country to operate independently in the digital age. It includes:

• Data sovereignty: Ensuring data complies with national laws and remains under the jurisdiction and control of the country
• Operational sovereignty: Retaining control over how digital services are deployed and preventing reliance on, or interference from, foreign entities
• Technological sovereignty: Maintaining the ability to make independent decisions about technology without being overly dependent on monopolistic or foreign-controlled vendors

Key facts

• Under the Directive on Service and Digital, departments and agencies are expected to prioritize computing facilities within Canada—or on Government of Canada premises abroad—for storing or handling sensitive electronic information, such as Protected B, C or classified data. This helps keep important data secure and under Canadian control.
• Under the Policy on Privacy Protection, departments and agencies must protect personal information properly, reduce privacy risks and remain open and accountable, even when it is processed or stored by third-party companies.

Key messages

• Digital sovereignty is a critical priority for the Government of Canada to protect essential data, reduce risks of foreign interference and strengthen domestic IT capabilities.
• Shared Services Canada is investing in Canadian technology capabilities and strengthening policies to protect critical infrastructure.
• Shared Services Canada has been actively working to strengthen IT diversification by reducing vendor concentration and influence in strategic areas, while promoting Canadian-made solutions.
• Shared Services Canada continues to work closely with industry to strengthen Canada’s IT capacity, including preparations for an upcoming procurement process for Canadian-based cloud services.

If pressed on

If pressed on how SSC strengthens digital sovereignty

• CANChat is a secure, generative AI platform designed by the Government of Canada that integrates multiple open-source large language models (LLM) trained on Canadian data, with Canadian values and hosted in Canada. Today, it is used by 5,000+ Government of Canada users and growing.
• Shared Services Canada is advancing a sovereign cloud procurement process that prioritizes Canadian-controlled cloud service providers. These efforts ensure the government’s cloud capacity is through Canadian-owned and controlled infrastructure.
• The Government of Canada recently signed a Memorandum of Understanding with Cohere Inc. for AI deployment in internal government operations, bolstering digital sovereignty through a made-in-Canada digital and AI ecosystem.
• Shared Services Canada works with Canadian telecommunications companies and provides the Government of Canada with a fast, secure and reliable network.
• Shared Services Canada protects Government of Canada data using a zero trust approach, which means no one is trusted by default—even from inside the network.
• Shared Services Canada’s enterprise data centres (EDCs) are located within Canada and operate on Canadian-owned assets. This helps keep important data secure and under Canadian control.
• Shared Services Canada uses state-of-the-art enterprise infrastructure and multiple layers of defence, including cutting-edge sensors designed to identify and eradicate cyber threats
  • Shared Services Canada also shares its core security services with small departments and agencies to strengthen cyber security across government

Background

Due to the global dominance of U.S.-based technology vendors and the comparatively small size of Canada’s IT sector, targeted interventions are essential to scale Canadian capabilities. Cloud computing, in particular, is dominated by Amazon Web Services, Google Cloud and Microsoft Azure, posing challenges to operational and technological sovereignty.

Advanced cyber threat actors are increasingly using supply chains to bypass traditional security defences by introducing vulnerabilities. Since 2012, Shared Services Canada has mitigated this risk through Supply Chain Integrity (SCI) procurement reviews for equipment, software and services. These assessments help departments and agencies to identify and potentially mitigate security vulnerabilities before they impact operations.

The Government of Canada (GC) has made strategic investments in Canadian IT firms, including a March 2025 announcement by Innovation, Science and Economic Development Canada (ISED) of up to $240 million in funding for Toronto-based Cohere Inc. This investment marks Cohere as the first recipient of the AI Compute Challenge, part of the $2 billion Canadian Sovereign AI Compute Strategy. In August, the GC signed a Memorandum of Understanding with Cohere to explore opportunities for deploying AI technologies across the GC to enhance operations within the public service and to build out Canada’s commercial capabilities in using and exporting AI.

Shared Services Canada procurement

Issue

• This note explains Shared Services Canada’s (SSC) general procurement practices and achievements.

Key facts

• In 2024-25, SSC awarded 11,391 contracts and amendments valued at approximately $3.17B (net):
  • 7,823 contracts valued at $2.15B
  • 2,589 positive contract amendments valued at $1.30B
  • 979 negative contract amendments valued at -$270.85M
  • 9.8% of the value of SSC-funded contracts were awarded to Indigenous businesses, representing $228.3M and surpassing the Government of Canada’s 5% Indigenous procurement target
  • 65.9% of contract awards—valued at $1.12B—were awarded to Canadian SMEs with Canadian companies
  • 32.5%—valued at $554M—went to Canadian SMEs with foreign parent companies

Key messages

• SSC follows a fair, open and transparent procurement process, guided by well-established rules and controls.
• Most SSC contracts are awarded through competitive bidding to ensure best value for Canadians.
• SSC is advancing an IT Diversification Strategy, which will increase vendor diversity, reduce reliance on foreign tech h2nologies, foster a sovereign IT ecosystem and promote Canadian-made solutions.

If pressed on

If pressed on the interim policy on reciprocal procurement

• The Policy on Reciprocal Procurement aims to ensure fairness in federal procurement by limiting access to suppliers from countries that restrict Canadian participation in their own government contracts.
• It prioritizes Canadian suppliers and those from trusted trading partners, helping to strengthen domestic supply chains and support Canadian businesses.

If pressed on sole-sourcing

• SSC occasionally awards non-competitive contracts, which are subject to the same rigorous review as competitive ones, based on their risk and value.
• Justifications for these contracts are grounded in clear criteria, such as urgency, exclusivity or national interest.

If pressed on no substitution

• Due to operational requirements, SSC will occasionally purchase equipment from a manufacturer to ensure compatibility with existing systems, in circumstances where there is no possible alternative.
• When this happens, SSC provides a technical reason to support the decision. In some cases, the contract is still competed—but only among authorized resellers of the specific equipment.

If pressed on outsourcing

• SSC uses professional services to help deliver programs and projects; to meet delivery targets; or to provide outside expertise on a particular project.
• Spending on management consulting was significantly reduced, from $175 million in 2022–23 to $120 million in 2023–24, with further reductions planned. Oversight has been strengthened to ensure services are used only when operationally justified.

If pressed on procurement ombud “bait and switch” report

• SSC typically engages consultants using Public Service and Procurement Canada’s (PSPC) established methods of supply. To ensure quality and compliance, SSC verifies that proposed individual resources meet or exceed both PSPC’s minimum qualifications and SSC’s specific requirements.
• SSC has strengthened its guidance to procurement officers by updating instructions to clarify the process and enhance the consistency and completeness of the documentation.

If pressed on supply arrangements

• SSC has established supply arrangements that promote Indigenous business participation, including measures such as Indigenous Participation Plans to support subcontracting, employment and skills development.
• Contracts over $5 million undergo governance reviews to ensure meaningful consideration of Indigenous businesses in the procurement process.

Background

GC contracting is governed by well-established laws, regulations and government-wide policies. SSC complies with the Financial Administration Act, the Government Contracts Regulations, the Directive on the Management of Procurement, the Policy on the Planning and Management of Investments, the Code of Conduct for Procurement, trade agreements, court decisions, the Policy on Green Procurement, the Procurement Strategy for Indigenous Business and the Nunavut Directive.

Cyber security

Issue

The Government of Canada (GC), like all organizations worldwide, faces ongoing cyber threats from bad actors, on a national and international level, that require constant attention and strong security measures. Cyber threats are becoming more complex and sophisticated. These include criminal activities such as ransomware attacks and attacks by state-sponsored adversaries.

Key facts

• Shared Services Canada (SSC) blocks approximately 6.5 trillion cyber threats annually, ensuring the uninterrupted operation of government online services.
• Investments in strong cyber security systems reduce the costs associated with service disruptions and recovery.

Key messages

• SSC provides the state-of-the-art enterprise infrastructure and employs modern commercial cyber security solutions to defend GC systems against a wide range of cyber threats.
• SSC employs multiple layers of cyber security defences, including firewalls, network defences, anti-denial of service measures, anti-virus and anti-malware tools, encryption, virtual private networking (VPN) and robust identification and authentication services.
• Together, SSC and the Communications Security Establishment’s (CSE) Canadian Centre for Cyber Security (the Cyber Centre) provide sophisticated cyber security tools, including proprietary sensors that provide additional defences beyond commercial capabilities.
• SSC is actively reducing security vulnerabilities by consolidating, standardizing and modernizing IT systems across the GC.
• To strengthen data protection, SSC is implementing zero trust principles—minimizing reliance on implicit trust within networks and deploying modern, industry-leading security solutions.
• In consultation with the Treasury Board of Canada Secretariat (TBS) and CSE, SSC integrates security and privacy by design when developing new services.

If pressed on

If pressed on supply chain integrity

• Together with the Cyber Centre, SSC has completed over 83,000 Supply Chain Integrity reviews since 2012 to help ensure that components used in systems do not compromise safety or security.

If pressed on quantum computing

• A quantum computer capable of compromising many cryptographic standards could be available in the next 5 to 8 years.
• Departments and agencies will be required to develop customized migration plans to transition their systems to post-quantum cryptography (PQC). SSC is developing a comprehensive strategy to ensure its enterprise solutions align with the cryptographic recommendations from the Cyber Centre.

If pressed on small departments and agencies

• SSC is working with 43 small departments and agencies (SDAs) to deliver a targeted set of secure IT services. By the end of 2024-25, 23 SDAs had fully transitioned to government-managed Internet and remote access services, while 15 had adopted the shared government email system.

Background

Cyber security is a shared responsibility across the GC:

• TBS sets government-wide cyber security policies and leads the response to major cyber incidents.
• SSC builds and manages secure IT systems, monitors key applications and ensures new services are designed with security and privacy in mind.
• CSE is the lead agency for cyber security. It provides defensive capabilities that are not currently available commercially, adding an additional layer of defence unique to the GC.
• All departments and agencies must protect their own systems and applications.
• Public Safety Canada leads the National Cyber Security Strategy, working with partners outside government to protect Canadians and businesses.
• The Royal Canadian Mounted Police (RCMP) investigates cyber crimes that target government systems.
• The Canadian Security Intelligence Service (CSIS) gathers intelligence on threats to national security and supports departments through security screening and foreign intelligence.
• The Canadian Armed Forces (CAF) shares cyber threat intelligence with allies and conducts foreign cyber operations.

The GC Cyber Security Event Management Plan (GC CSEMP) outlines how different departments respond to cyber incidents. Smaller issues are handled by the affected department, while serious ones are managed by teams led by TBS and the Cyber Centre. SSC’s responsibilities during a cyber security event include watching for unusual network activity, blocking cyber threat activity, assessing service impacts, reporting through the Cyber Centre and implementing prevention, mitigation and recovery efforts, such as emergency patching and isolating infrastructure.

Delays to RCAF tech

Issue

• On September 17, 2025, the Globe and Mail reported on comments by Lieutenant-Colonel Amanda Whalen, director of the Royal Canadian Air Force (RCAF) Digital Hub, that while her team can develop new digital applications quickly, they spend months navigating outdated policies and processes, including with Shared Services Canada (SSC).

Key fact

• N/A

Key messages

• SSC is fully committed to supporting its partners and clients, and to making it easier and faster for them to get what they need. Work is underway to continue to increase efficiency and reduce the processing time of requests.
• SSC is increasing support for the Department of National Defence’s (DND) digital modernization as part of government-wide reinvestment in defence.
• SSC is committed to maintaining high standards of security and compliance. While some complex requests take time, this ensures the security and integrity of government IT systems.

If pressed on

If pressed on continuous improvement

• SSC is committed to a culture of continuous improvement. Regular feedback and performance evaluations are in place to identify areas for enhancements and to implement best practices across all operations.
• SSC invests in training and development to ensure employees are equipped with the latest skills and knowledge. This focus on professional development helps in maintaining a high level of expertise and innovation.

If pressed on hosting

• SSC implemented the Application Hosting Strategy and launched the GC Hosting Services Portal, making it faster and simpler for departments and agencies to request hosting for their applications.
• The Application Hosting Selection Tool is now fully digital, allowing organizations to easily submit hosting requests and enabling SSC to quickly assess the best hosting solution.
• SCC has introduced new tools for GC organizations. For example, GC Cloud One allows developers to build and run their software applications without worrying about managing the platforms they’re hosted on, while LaunchPad helps organizations quickly test, develop and refine cloud-based solutions.

Background

Shared Services Canada (SSC) is mandated to provide secure and reliable IT services and tools to 45 partner departments and agencies, including the Department of National Defence (DND). This ensures that government operations are supported by robust and secure IT infrastructure.

Office of the Auditor General (OAG) Contact Centres Report

Issue

• In this report, the Auditor General found the Canada Revenue Agency’s (CRA) contact centres failed to consistently provide callers with accurate and timely information.
• The report highlighted deficiencies in the management of the Hosted Contact Centre Service platform (HCCS) provided through a contract with Shared Services Canada (SSC).

Key facts

• The HCCS contract has a $50 million minimum revenue guarantee over 10 years. SSC’s authorities permit spending up to $300 million for this contract and the current expenditure forecast is $190 million.
• The contract was awarded in 2015, implemented for CRA and other departments in November 2018 and runs until 2027.
• In 2025, following a competitive process, SSC awarded a five-year contract (with one five-year option) to Bell Canada for its Genesys Cloud CX platform. The initial contract is valued at $7 million which will grow over time as the services are consumed. As design and implementation of the new contract is underway, its expected total cost is not yet available.

Key messages

• The contract is within its budget. As of June 2025, total one-time costs and forecasted monthly costs for the first 10 years of the contract is $190 million. SSC’s procurement authorities for this are a maximum of $300 million.
• SSC welcomes the Auditor General’s findings. Modern contact centres are essential for partners to deliver services to Canadians.
• SSC generally agrees with the recommendations, has already implemented many and is working to address the remaining items.
• Using learnings from the previous contract, SSC awarded a new contract in July 2025 to replace the existing IT services for CRA’s contact centres. The new solution will allow CRA to leverage current and emerging technologies that are scalable and flexible over the life of the contract to support effective service delivery.
• SSC remains committed to sound stewardship and accountability. SSC, in collaboration with CRA, continues to strengthen contract management practices with clearly defined roles, responsibilities, and processes.

If pressed on

If pressed on new contract

• Partner departments, including CRA, were fully engaged in defining requirements and evaluating the new contact centre solution. Under the new contract, CRA will benefit from:
  • Greater autonomy to deploy and test features, allowing for more agile service improvements.
  • Detailed billing information, which simplifies invoicing and increases clarity when certifying the receipt of goods and services and authorizing payment.
• The new Contact Centre as a Service (CCaaS) is an on-demand, flexible and scalable commercial solution to manage client interactions across various channels, such as phone, email, chat and social media.

If pressed on value

• The government only paid for the features and consumption that it used.
• Increases to the contract value reflect increases in usage over time (i.e. exercising option years, adding new contact centers, increasing use or capacity in the pandemic, etc.) not changes to pricing.

If pressed on cost conflation

• The $50 million minimum was never a total estimated contract value but rather the minimum commitment for the vendor to be assured they would recoup their initial infrastructure and set-up investment. Once consumption began, service orders were placed and the contract value was amended accordingly.
• Not all features available under contract were initially activated. Some were added later, resulting in contract amendments. This allowed the service to address the evolving need of the department.
• Rather than award a full estimated contract value at the outset, SSC took the best practice approach of awarding smaller service orders in increments, based on predictable consumption and feature implementation forecasts. This put in place controls and gating to ensure that the contract and spending was regularly reviewed internally and with our partners. Amendments increasing the overall value of the contract were simply a reflection of the service orders as consumption took place.

Background

In 2013, the Government of Canada made the decision to pursue a consolidated contact centre solution. In 2015, SSC awarded a contract to IBM for the HCSS system. It included new functions such as call routing to agents with relevant knowledge, nation-wide call queuing, an integrated voice-response system, estimated wait times and workforce management functionalities. The contract was designed to include many features that give the CRA and other departments the flexibility to choose and implement as their business requirements evolved over the life of the contract.

OPO report on bait and switch

Issue

• On October 16, the Office of the Procurement Ombud (OPO) reported on “bait and switch” tactics in the replacement of resources in federal professional services in six departments, including Shared Services Canada (SSC).
• The Ombud found that in more than half of the files reviewed, the practice of replacing resources was done correctly. In some cases, replacement resources did not meet or exceed the qualifications of the original resource proposed to secure the bid. The review did not find any intentional bait and switch practices.

Key facts

N/A

Key messages

• SSC agrees with the Ombud’s recommendations and is continuing to improve its procurement process.
• Five files reviewed originated with SSC - four contracts and one solicitation under the former and revised Methods of Supply for Task-Authorization (TA)-based contracts.
• Two of the four contracts the Ombud reviewed are still active. The work we tasked was completed and the deliverables were approved by the technical authorities.
• SSC typically engages consultants using Public Service and Procurement Canada’s (PSPC) established methods of supply. SSC verifies that proposed individual resources meet or exceed both PSPC’s and SSC’s specific requirements.

If pressed on

If pressed on why SSC had the highest number of resource replacements

• Of the five files reviewed, OPO identified three instances in which resources were replaced after the contract award by SSC.
  • In one case, OPO found that of 36 resources performing work, evaluation grids for 14 resources did not demonstrate assessment against the criteria required by the contract.
• SSC’s internal review confirmed the substitutions were not intentional or misleading; vendors provided legitimate reasons for changes (e.g., resignation, turnover, long delay between bid evaluation and TA issuance).
• All replacement resources were qualified, and SSC continued to obtain value for money

If pressed on when resources are evaluated

• SSC assesses a company’s experience during the solicitation stage for all task-based contracts. Individual resource qualifications are evaluated later, at the task authorization stage.

If pressed on process improvements

• SSC has strengthened its guidance to procurement officers by updating instructions to clarify the process and enhance the consistency and completeness of the documentation.
• SSC acknowledges gaps in its file documentation and is actively enhancing quality and completeness through tools, checklists, communication, and its Compliance and Quality Assurance Program. It remains committed to integrity, transparency, and accountability in procurement.

If pressed on professional services contracting

• SSC supports a wide range of crucial Government of Canada (GC) operations—from office work and scientific research to frontline service delivery, national security and defense—at thousands of locations worldwide.
• SSC hires temporary contractors to handle short-term fluctuations in workloads, such as supporting government entities or increasing team size for specific tasks.
• SSC also hires external resources for time-bound projects that require specialized skills, allowing us to optimize our resources and ensure successful project implementation.

Background

The review examined how often the individuals listed in a winning bid are not the ones who end up doing the work, a practice often called 'bait and switch’. While the review found that SSC had no conclusive findings of intentional “bait and switch” practices, it highlighted some compliance issues, including insufficient documentation, replacement resources not consistently meeting mandatory criteria, and inconsistent application of evaluation standards. The review’s recommendations included:

• DND and SSC should review its policies and training, and update as required to ensure mandatory resources criteria address the minimum qualifications required by the selected method of supply.
• IRCC and SSC should discontinue the practice of evaluating individual resource qualifications at the bid evaluation stage for large TA-based contracts where multiple resources are required, in compliance with the terms of their Master Level User Arrangements (MLUAs).

The Ombud noted that policy changes made by PSPC effectively eliminate the use of ‘Bait and Switch’ tactics from being used.

OAG Network Cybersecurity Report

Issue

• On October 21, 2025, the Auditor General tabled a report on the cyber security of federal networks and systems. It found the government “had tools in place to defend” its networks and its cyber security plan was “sound and comprehensive.”
• However, the report raised concerns about delays to key projects to improve visibility of cyber events and coordinate the response to incidents. It highlighted shortcomings in the management of equipment, and noted that certain Small Departments and Agencies (SDAs) were not using Shared Services Canada’s (SSC) cyber security services.

Key facts

• The report noted of the 204 federal organizations in the Government of Canada:
  • 85 were required by Treasury Board of Canada Secretariat (TBS) policies to use SSC’s Internet Service; however, 22 did not comply and instead used the Communications Security Establishment’s (CSE) cyber security defence sensors.
  • 119 organizations were not required to use SSC’s Internet Service. Among these: 24 chose to use SSC’s services, and a majority—76 organizations—used CSE’s sensors.

Key messages

• SSC appreciates the Auditor General’s work, recognizing that countering cyber threats requires constant vigilance and robust security measures.
• SSC agrees with the findings and is working to address the identified issues. Specifically, SSC:
  • is committed to completing a project to provide greater visibility of suspicious cyber events
  • has initiated work to strengthen asset management practices
  • is completing an inventory of network endpoints to improve oversight and control
  • will work with TBS to update the government’s cyber event management plan this fall
• These actions will strengthen SSC’s cyber defences, which block 6.5 trillion cyber threats annually.

If pressed on

If pressed on the Global Affairs Canada (GAC) cyber attack “7 day” delay

• On Friday, January 19, the Canadian Centre for Cyber Security (CCCS) officially requested specific VPN-related security information from SSC. The request was approved within an hour and all parties (SSC, GAC and CCCS) agreed to make the transfer on Monday, January 22.
• While this kind of transfer was typically not required, SSC has acted to include this process within standard operating procedures used by the department to ensure that future requests will be treated more quickly.

If pressed on cyber attack on GAC

• SSC is providing responsive support to departments to defend against cyber attacks.
• We recognize the importance of enhanced communication during a cyber event, and SSC is continuously working with the CCCS and TBS to improve communications.
• SSC and GAC jointly developed a Remediation Action Plan to enhance network security and collaboration. The plan reflects our shared commitment to effective coordination and strengthened security practices.
  • It reaffirms decision-making authorities, defines respective roles and responsibilities, establishes a process for sharing information, and identifies mechanisms to resolve issues quickly.

If pressed on security information and event management (SIEM)

• The Government of Canada (GC) is conducting a collaborative and competitive procurement process for a SIEM solution.
  • These efforts will allow the GC to better predict, detect and respond to cyber threats.
  • For example, the integration of threat intelligence feeds in one place will facilitate the response to cyber incidents.
  • A centralized solution will collect data that will enable faster response to potential threats.

If pressed on the endpoint visibility, awareness, and security (EVAS) project

• SSC’s EVAS project will enable a real-time view of all endpoint devices connected to GC networks, such as desktops and servers.
• It will also enhance security capabilities, including protection to block file-based malware and other malicious activity, and continuous monitoring at endpoints with an automated response to cyber events.
• The project is underway and is expected to be completed by March 2028.

If pressed on vulnerability and patch management

• SSC continues to improve its vulnerability and patch management processes across all its systems and services. These improvements will reduce exposure to cyber-attacks, minimize lost productivity, and protect data and infrastructure.

If pressed on small departments and agencies (SDA)

• SSC is working to provide connectivity and security services to 43 SDAs.
  • By the end of 2024-25, 23 SDAs had fully transitioned to government-managed internet and remote access services, while 15 had adopted the shared email system.
  • By the end of 2025-26, 6 additional SDAs are expected to fully transition.

Background

The GC, like all organizations worldwide, faces ongoing cyber threats from bad actors on a national and international level that require constant attention and strong security measures. Cyber threats are becoming more complex and sophisticated. These include criminal activities such as ransomware attacks and attacks by state-sponsored adversaries.