Standing Committee on Public Accounts: Auditor General Report on the Cyber Security of Government Networks and Systems

Opening statement

Scott Jones
President
Shared Services Canada

Ottawa, Ontario
January 26, 2026

---

Thank you, Mr. Chair, for the opportunity to discuss the Auditor General’s Report on the Cyber Security of Government Networks and Systems.

Before we begin, I would like to acknowledge that we are on the traditional, unceded territory of the Algonquin Anishinaabe People.

I’m here today with Patrice Nadeau, Senior Assistant Deputy Minister for SSC’s Connectivity and Security Services Branch.

Introduction

Shared Services Canada (SSC) welcomes the Auditor General’s findings and is working to address the issues raised.

It’s important to underline that the Auditor General found that government had tools in place to protect and defend its networks and that the government’s cyber security plan was sound and comprehensive.

As the provider of IT services to departments and agencies, SSC plays a pivotal role in this work.

Indeed, SSC blocks about 6.5 trillion cyber threats annually, which is an average of 18 billion per day. This ensures the uninterrupted operation of government services.

We do that through a state-of-the-art enterprise infrastructure and modern commercial cyber security solutions that defend government systems against a wide range of cyber threats.

SSC uses multiple layers of defence, including firewalls, network defences, anti-denial of service measures, anti-virus and anti-malware tools, encryption, virtual private networking (VPN) and robust identification and authentication services.

We have an excellent partnership with the Treasury Board Secretariat (TBS) and the Communications Security Establishment (CSE).

This collaboration is absolutely vital, as the Auditor General underscored, and we continue to improve it. We regularly conduct postmortems on cyber events to identify ways we can do better.

Together, SSC and CSE’s Canadian Centre for Cyber Security provide sophisticated cyber defenses that go beyond commercial capabilities. Our work offers one of the most sophisticated cyber defenses in the world.

Cyber security is a space that is evolving fast, and we work continuously to keep on top of it.

That said, there is more to do, as the Auditor General rightly underscored.

We share the Auditor General’s concerns about organizations that are outside SSC’s enterprise Internet service. As the threat environment changes rapidly, that is a model that clearly needs to evolve.

This is why SSC is now working to provide connectivity and security services to 43 small departments and agencies, and is on track to complete this work by the end of March 2027.

The Auditor General also highlighted a project called Endpoint Visibility, Awareness and Security, or EVAS for short. This is one of the tools SSC is adding to its cyber security environment.

EVAS will automatically identify network-connected endpoints—such as desktops and servers—and verify they meet security requirements. Unlike our semi-manual system, EVAS is automated and enables real-time vulnerability and impact assessments.

EVAS will also provide automated response to cyber events.

While there were delays to this project, our organization has learned a number of lessons. The project has turned the corner, and since implementation began in July 2025, over 36,000 deployments have been completed.

The Auditor General also highlighted our project to develop a Security Information and Event Management system, or SIEM for short. I want to assure you that we are on track to award a competitive contract for this project in early 2026.

Further, SSC is currently operating an interim SIEM capability, which allows SSC to manage priority needs and supports an effective response to cyber threats.

Conclusion

Mr. Chair, since SSC’s creation, we have shifted the government’s business model from one that is siloed and decentralized, to a government-wide, enterprise approach.

This not only reduces costs, but strengthens overall security GC-wide. It’s easier to monitor, patch and fix one system than 45 separate ones.

We’re not done. SSC is streamlining the management of devices and software by centralizing procurement and operations. This achieves considerable efficiencies and reduces the potential for inconsistencies in security policies.

We’re also continuing to reduce duplication by replacing additional siloed back-office tools with standard, government-wide tools.

Legacy systems are also more vulnerable to cyber threats. Moving off legacy systems improves our security posture.

In short, everything we do to consolidate and modernize IT systems is essential to improving cyber security.

Mr. Chair, reports from the Auditor General are also an important tool to hold us accountable and allow us to improve our operations.

Cyber security is an evolving field with actors that don’t follow our rules. Continuous improvements are key to protecting the GC’s IT systems.

Thank you for the opportunity to speak on this important file, and I look forward to answering your questions.

Office of the Auditor General of Canada’s (OAG) Cyber security of government networks and systems report

Issue

• On October 21, 2025, the Auditor General tabled a report on the cyber security of federal networks and systems. It found the government “had tools in place to defend” its networks and its cyber security plan was “sound and comprehensive.”
• However, the report raised concerns about delays to key projects to improve the visibility of cyber events and coordinate the response to incidents. It highlighted shortcomings in the management of equipment and noted that certain small departments and agencies (SDA) were not using Shared Services Canada’s (SSC) cyber security services.

Key facts

• The report noted that of the 204 organizations in the Government of Canada:
  • 85 were required by Treasury Board of Canada Secretariat (TBS) policies to use SSC’s Internet service; however, 22 did not comply and instead used the Communications Security Establishment’s (CSE) cyber security defence sensors.
  • 119 organizations were not required to use SSC’s Internet service; among these: 24 chose to use SSC’s services and a majority—76 organizations—used CSE’s sensors.

Key messages

• SSC appreciates the Auditor General’s work, recognizing that countering cyber threats requires constant vigilance and robust security measures.
• SSC agrees with the findings and is working to address the identified issues. Specifically, SSC:
  • is committed to completing a project to provide greater visibility of suspicious cyber events
  • has initiated work to strengthen asset management practices
  • is completing an inventory of network endpoints to improve oversight and control
  • will work with TBS to update the government’s cyber event management plan this fall
• These actions will strengthen SSC’s cyber defences, which block 6.5 trillion cyber threats annually.

If pressed on the Global Affairs Canada (GAC) cyber attack “7-day” delay

• On Friday, January 19, 2024, the Canadian Centre for Cyber Security (the Cyber Centre) officially requested specific VPN-related security information from SSC. The request was approved within an hour and all parties (SSC, GAC and the Cyber Centre) agreed to make the transfer on Monday, January 22, 2024.
• While this kind of transfer is typically not required, SSC has included this process in its standard operating procedures to ensure that future requests are treated more rapidly.

If pressed on cyber attack on GAC

• SSC is providing responsive support to departments to defend against cyber attacks.
• We recognize the importance of enhanced communication during a cyber event, and SSC works continuously with the Cyber Centre and TBS to improve communications.
• SSC and GAC jointly developed a Remediation Action Plan to enhance network security and collaboration. The plan reflects our shared commitment to effective coordination and strengthened security practices.
  • It reaffirms decision-making authorities, defines respective roles and responsibilities, establishes a process for sharing information and identifies mechanisms to resolve issues quickly.

If pressed on security information and event management (SIEM)

• The Government of Canada (GC) is conducting a collaborative and competitive procurement process for a security information and event management (SIEM) solution.
  • These efforts will allow the GC to better predict, detect and respond to cyber threats.
  • For example, integrating threat intelligence feeds will facilitate the response to cyber incidents.
  • A centralized solution will collect data to enable faster responses to potential threats.

If pressed on the endpoint visibility, awareness and security (EVAS) project

• SSC’s Endpoint, Visibility and Awareness Security (EVAS) project will enable a real‑time view of all endpoint devices connected to GC networks, such as desktops and servers.
• It will also enhance security capabilities, including protection to block file-based malware and other malicious activity, and continuous monitoring at endpoints with an automated response to cyber events.
• The project is under way and completion is expected by March 2028.

If pressed on vulnerability and patch management

• SSC continues to improve its vulnerability and patch management processes across all its systems and services. These improvements will reduce exposure to cyber attacks, minimize lost productivity and protect data and infrastructure.

If pressed on small departments and agencies (SDA)

• SSC is working to provide connectivity and security services to 43 SDAs.
  • By the end of 2024-25, 23 SDAs had fully transitioned to government-managed Internet and remote access services, while 15 had adopted the shared email system.
  • By the end of 2025-26, 6 additional SDAs are expected to fully transition.

Background

• The GC, like all organizations worldwide, faces ongoing cyber threats from bad actors on a national and international level that require constant attention and strong security measures. Cyber threats are becoming more complex and sophisticated. These include criminal activities such as ransomware attacks and attacks by state-sponsored adversaries.

Cyber security

Issue

• The Government of Canada (GC), like all organizations worldwide, faces ongoing cyber threats from bad actors, on a national and international level, that require constant attention and strong security measures. Cyber threats are becoming more complex and sophisticated. These include criminal activities such as ransomware attacks and attacks by state-sponsored adversaries.

Key facts

• Shared Services Canada (SSC) blocks approximately 6.5 trillion cyber threats annually, ensuring the uninterrupted operation of government online services.
• Investments in strong cyber security systems reduce the costs associated with service disruptions and recovery.

Key messages

• SSC provides state-of-the-art enterprise infrastructure and employs modern commercial cyber security solutions to defend GC systems against a wide range of cyber threats.
• SSC employs multiple layers of cyber security defences, including firewalls, network defences, anti-denial of service measures, anti-virus and anti-malware tools, encryption, virtual private networking (VPN) and robust identification and authentication services.
• Together, SSC and the Communications Security Establishment’s (CSE) Canadian Centre for Cyber Security (the Cyber Centre) provide sophisticated cyber security tools, including proprietary sensors that provide additional defence beyond commercial capabilities.
• SSC is actively reducing security vulnerabilities by consolidating, standardizing and modernizing IT systems across the GC.
• To strengthen data protection, SSC is implementing zero-trust principles—minimizing reliance on implicit trust within networks and deploying modern, industry-leading security solutions.
• In consultation with the Treasury Board of Canada Secretariat (TBS) and CSE, SSC integrates security and privacy by design when developing new services.

If pressed on supply chain integrity

• Together with the Cyber Centre, SSC has completed over 83,000 Supply Chain Integrity reviews since 2012 to help ensure that components used in systems do not compromise safety or security.

If pressed on quantum computing

• A quantum computer capable of compromising many cryptographic standards could be available in the next 5 to 8 years.
• Departments and agencies will be required to develop customized migration plans to transition their systems to post-quantum cryptography. SSC is developing a comprehensive strategy to ensure its enterprise solutions align with the cryptographic recommendations from the Cyber Centre.

If pressed on small departments and agencies

• SSC is working with 43 small departments and agencies (SDAs) to deliver a targeted set of secure IT services. By the end of 2024-25, 23 SDAs had fully transitioned to government-managed Internet and remote access services, while 15 had adopted the shared government email system.

If pressed on provincial and territorial cooperation

• In September, all 14 federal, provincial and territorial jurisdictions signed a historic cyber security agreement to share real-time intelligence, tools and services to counter cyber threats.
• The agreement strengthens SSC’s cyber security posture through secure intergovernmental collaboration on threat intelligence and incident response.

Background

• Cyber security is a shared responsibility across the GC:
  • TBS sets government-wide cyber security policies and leads the response to major cyber incidents.
  • SSC builds and manages secure IT systems, monitors key applications and ensures new services are designed with security and privacy in mind.
  • CSE is the lead agency for cyber security. It provides defensive capabilities that are not currently available commercially, adding an additional layer of defence unique to the GC.
  • All departments and agencies must protect their own systems and applications.
  • Public Safety Canada leads the National Cyber Security Strategy, working with partners outside government to protect Canadians and businesses.
  • The Royal Canadian Mounted Police (RCMP) investigates cyber crimes that target government systems.
  • The Canadian Security Intelligence Service (CSIS) gathers intelligence on threats to national security and supports departments through security screening and foreign intelligence.
  • The Canadian Armed Forces (CAF) shares cyber threat intelligence with allies and conducts foreign cyber operations.
• The GC Cyber Security Event Management Plan (GC CSEMP) outlines how different departments respond to cyber incidents. Smaller issues are handled by the affected department, while serious ones are managed by teams led by TBS and the Cyber Centre. SSC’s responsibilities during a cyber security event include watching for unusual network activity, blocking cyber threat activity, assessing service impacts, reporting through the Cyber Centre and implementing prevention, mitigation and recovery efforts, such as emergency patching and isolating infrastructure.

Security information and event management (SIEM)

Issue

• The Auditor General’s report on Cyber Security of Government Networks and Systems found that Shared Services Canada’s (SSC) project to develop a security information and event management (SIEM) solution experienced delays and cost increases.
• SSC began SIEM in April 2017 with a budget of $72.7 million. Its costs were revised to $144.3 million and SIEM was put on hold in June 2024, pending approval of additional funding.

Key messages

• SSC has learned from its experience and has applied lessons learned to the new procurement process. The initial requirements when the process was first launched were overly complex, with unnecessary technical specifications, causing avoidable timeline delays.
• This prompted a major recalibration of the procurement process, with a focus on simplified requirements for vendors to meet core needs. Simplification helps focus a procurement on those core requirements and protect the integrity of a project.
• The Government of Canada (GC) was never without a security information and event management (SIEM) solution. SSC and the Communications Security Establishment’s Canadian Centre for Cyber Security are currently operating an interim SIEM solution that will be decommissioned once the new SIEM solution is implemented.
• This solution supports SSC’s effective response to managing cyber threats and events, which will automate and accelerate large parts of the security monitoring process, helping SSC better predict, detect and respond to cyber threats.
• The GC conducted a collaborative and competitive procurement process for a SIEM solution. The new solution is in the final procurement stages and will be completed by March 31, 2027.
• This consolidated enterprise tool will:
  • improve the collection of security event data
  • automate detection and response for basic cyber threats
  • provide SSC with an overview of all GC networks and systems it manages

If pressed on timing

• SSC has taken the time to ensure it procures the appropriate solution for responding to and managing cyber threats and events. The relevant funding will be provided from the fiscal framework.
• SSC expects to award a contract for SIEM in January 2026. Multiple bids have been considered for this competitive contract. The process has concluded and a top-ranked vendor has been identified.

If pressed on lessons learned

• SSC learned several lessons on the SIEM project that have helped improve our procurement process and that were applied in the new process. We have:
  • improved collaboration between SSC’s project and procurement teams, so that projects evolve from procurement advice during their development.
  • developed clearer provisions related to supply chain integrity (SCI) in an agile procurement process.
  • requested clearer and more streamlined financial evaluation criteria and pricing tables from bidders. Overly complicated financials create risk on non-compliant bids, as well as opportunities for bidders to “game” financial evaluations.
  • introduced a “proof of solution” step in agile procurement. After bidders pass technical evaluations, it adds value to have suppliers demonstrate their solutions before moving to negotiate pricing.

Endpoint Visibility, Awareness and Security (EVAS) project

Issue

The Auditor General’s report on Cyber Security of Government Networks and Systems found shortcomings in how inventories of federal IT assets, such as servers, laptops and printers, were assessed. The report states that Shared Services Canada (SSC) should enhance its understanding of the networks and systems it manages, including supporting software, to better identify which assets require patches, updates or maintenance, and which are no longer supported by a vendor. This improvement is essential to effectively manage cyber risks and address vulnerabilities.

Key messages

• Shared Services Canada’s (SSC) existing cyber defences provide state-of-the-art enterprise protection to the Government of Canada’s (GC) IT systems, with no known equivalent among peer nations, blocking roughly 6.5 trillion cyber threats annually.
• SSC has learned from its existing inventory management system, which is semi-manual and can contain inconsistencies due to the timing of updates. The new Endpoint Visibility, Awareness and Security (EVAS) project will deliver an automated and central asset inventory for desktops and servers.
• The project rollout began in July 2025 and will continue until March 2028.
• The EVAS project will deliver modern capabilities that will provide monitoring and automated responses in real time:
  • The first stream, “Endpoint Visibility and Awareness,” will allow the identification of network-connected endpoints, such as desktops and servers, and ensure they meet the appropriate security profile.
  • The second stream, “Secure Endpoint Initiative,” consists of two capabilities that will provide continuous monitoring and automated response to cyber events, as well as protection from malware and other malicious activity. It will replace current legacy software.

EVAS is an additional tool at SSC’s disposal to ensure cyber security, and it

• will be deployed to over 620,000 desktops and servers (endpoints) across 43 departments.
  • It has been deployed to about 35,000 desktops so far and will be deployed to a total of 87,000 this fiscal year.
• Continuous monitoring and early detection and response are key to reducing the impacts and recovery costs from cyber attacks.

If pressed on incomplete inventory of servers and laptops

• SSC’s current inventory management system is semi-manual. While SSC knows where its existing devices are, a drawback to this approach is that inventories may contain inconsistencies due to the timing of updates.
• While our existing system enables an understanding of vulnerabilities and cyber events, an automated solution will enable a more accurate and real-time impact assessment, further strengthening our security posture.
• An initiative to strengthen SSC’s asset management processes and systems will be complete by March 31, 2028.

If pressed on complicating factors

• Not all devices are updated with patches, as some are stored and will be activated in the future when they are connected to the network. EVAS does not track stored assets; it tracks active endpoints.

If pressed on unauthorized device access

• If an unauthorized person obtains a government device, login credentials are still required in order to access it and the network.
• Remotely disabling a desktop computer is currently managed by partners, but will be centrally managed after migration to the Enterprise Desktop Service.

If pressed on vulnerability and patch management

• SSC continuously improves its vulnerability and patch management processes across all its systems and services. These improvements are intended to reduce exposure to cyber attacks, minimize lost productivity, and protect data and infrastructure.
• Lessons learned are captured as part of cyber events and cyber security training exercises, which are then used to inform improvements to cyber security processes.

If pressed on delays

• The EVAS project encountered delays mainly associated with:
  • defining the governance, specifically roles and responsibilities after the creation of the Canadian Centre for Cyber Security in October 2018
  • the pandemic affecting the availability of project resources
  • the procurement process, e.g., non-compliant bids and the need to realign the procurement approach

If pressed on lessons learned

• SSC learned several lessons on the EVAS project that have helped improve our procurement process. We have:
  • improved collaboration between SSC’s project and procurement teams, so that projects evolve from procurement advice during their development.
  • enhanced collaboration with industry and advanced procurement approaches that align to every changing environment.
  • simplified requirements for vendors to meet our core needs. Simplification helps focus a procurement on those core requirements and protect the integrity of a project.
  • introduced the requirement for supply arrangements to be justified with a clear business case that SSC’s partners need multiple options instead of one standard solution across government.
  • introduced a “proof of solution” step in agile procurement. After bidders pass technical evaluations, it adds value to have suppliers demonstrate their solutions before moving to negotiate pricing.
• From a project perspective, SSC will endeavour to reduce the scope and timeline of its cyber security projects to limit delays encountered as a result of changes in technology, project interdependencies and complex requirements/procurements.

Small departments and agencies

Issue

On October 21, 2025, the Auditor General’s report on Cyber Security of Government Networks and Systems highlighted that certain federal organizations were not using Shared Services Canada’s (SSC) cyber security services.

Key facts

• The report noted that, of the 204 organizations in the Government of Canada (GC):
  • 85 were required by Treasury Board of Canada Secretariat (TBS) policies to use SSC’s Internet Service. However, 22 did not comply and instead used only the Communications Security Establishment’s (CSE) cyber security defence sensors.
  • 119 were not required to use SSC’s Internet Service. Among these, 24 chose to use SSC’s services, while a majority—76 organizations—used CSE’s sensors.

Key messages

• The Government of Canada is continuously working to improve the cyber security posture of small departments and agencies (SDAs) through increased protection under SSC’s enterprise cyber security umbrella.
• SSC has a project targeting 43 SDAs to improve their overall security.
  • By the end of 2024–25, 23 of these SDAs had fully transitioned to government-managed Internet and remote access services, while 15 had adopted SSC’s Enterprise Email Service.
  • By the end of 2026-27, all remaining eligible SDAs are expected to fully transition.
• The current client model is overly complex and includes both mandatory and optional partners, depending on the type of service in question. It would require machinery changes to simplify and streamline SSC’s authorities.
• Furthermore, while the Communications Security Establishment (CSE) offers network-based sensors to some departments and agencies, these are not a replacement for the level of security that SSC’s enterprise Internet provides.

If pressed on who SSC must and may serve

• The number of organizations varies over the years, as new organizations are added and removed based on machinery of government decisions.
• Since SSC’s creation in 2011, 45 departments and agencies have been receiving email, network and data centre services from SSC on a mandatory basis. An additional 45 organizations, mostly smaller departments, have also been required to obtain these services from SSC since 2015.
• SSC is authorized to provide services to any federal institutions, including Crown corporations and Agents of Parliament, who can choose to receive services from SSC, but are not required to.
• SSC currently provides connectivity and security services to some of these optional organizations and is working to extend these services to others.

If pressed on partners with isolated email systems

• SSC has migrated 38 of the original 45 mandated departments and agencies from their previous managed email service or their isolated on-premises email systems to an Enterprise Email Service leveraging a suite of collaboration tools, hosted on a cloud-based platform.
• Of the SDAs targeted by the special initiative, 18 are already leveraging SSC’s Enterprise Email Service (hosted in M365). The remaining SDAs are expected to be onboarded by the end of 2026-27.

If pressed on timeline

• This is a transformative initiative, as most of these organizations previously had minimal integration with SSC and limited use of SSC services.
• Early challenges included technology gaps identified during the discovery phase, which required refining the scope and developing tailored solutions.
• Progress to date:
  • Enterprise Internet Service (EIS): 6 onboarded; 5 more planned by end of 2026-27
  • Local Internet Access Service (LIAS): 3 onboarded; 9 more by end of 2026-27
  • Secure Remote Access: 2 onboarded; 38 more by 2025-26 and 3 by end of 2026-27
  • Enterprise Email: 13 onboarded; 15 more by 2026-27
  • Other services (EXO, EMDM, DSIA): Onboarding under way with phased targets through 2026-27

If pressed on National Security and Intelligence Committee of Parliamentarians (NSICOP)

• In February 2022, NSICOP found that the inconsistent provision of cyber defences by SSC and CSE to federal organizations created security risks.
• In April 2022, the budget provided $178.7 million over five years, and $39.5 million ongoing, to expand cyber security protection for small departments, agencies and Crown corporations.
• NSICOP also found that the monitoring of government networks is inconsistent and that SSC’s security information and event management system is not standardized for all its clients. This means that SSC does not have full visibility over government networks to identify risks and respond to incidents.
• While NSICOP has not reported on the federal government’s cyber security since 2022, CSE’s cyber operations were studied as part of its report on the national security activities of Global Affairs Canada and cyber attacks were one of the tools foreign entities examined in NSICOP’s report on foreign interference.

Global Affairs Canada cyber attack “7 day” delay

Issue

The Auditor General’s report on network cyber security criticized Shared Services Canada’s (SSC) management of a January 2024 cyber attack on Global Affairs Canada (GAC), writing that it took “7 days” to provide information, delaying the response.

Key messages

On January 10, 2024, SSC was made aware of suspicious traffic on Global Affairs Canada’s VPN service. SSC immediately engaged with GAC and the Communications Security Establishment’s (CSE) Canadian Centre for Cyber Security (CCCS) to determine the appropriate security mitigation measures.

On January 19, 2024, CCCS officially requested specific VPN-related security information from SSC. The request was approved within an hour, and SSC, GAC and CCCS agreed to make the transfer on January 22, 2024.

While this kind of transfer had not been required over the 13 years since SSC was founded, the department has now incorporated the production of security information as part of its standard operating procedures to ensure similar requests will move faster.

After being made aware of the suspicious traffic on the GAC VPN service, SSC was fully engaged in managing the incident and operating under established security controls considered best practices in the IT industry.

For security reasons, SSC does not publicly disclose details about specific measures, equipment or software.

Mobile Threat Defense

Issue

Shared Services Canada (SSC) is advancing an enterprise service for Mobile Threat Defense (MTD) systems for over 219,000 smartphones across the Government of Canada (GC).

Key messages

SSC is working to bolster the security and functionality of the government’s mobile devices through the Mobile Theat Defense project.

Mobile devices have become a prime target for malicious cyber threats, such as malware, spyware and phishing—putting sensitive information at risk.

The enterprise MTD service will strengthen mobile device security through notification of potential vulnerabilities and exposures to threats. It will take automated and immediate actions, such as blocking unverified Wi-Fi, remotely locking or wiping devices, and implementing patch management. This will all be integrated into the existing management tool for GC mobile devices.

MTD will improve productivity. Instead of using travel devices with limited functionality, MTD will allow employees to travel to more destinations using their usual device with access to corporate email, contacts, resources and collaboration applications.

The MTD service will be deployed to 31,000 Department of National Defence devices by March 2027. Deployment to all other departments will follow at a later date.

If pressed on procurement

Following a request for proposal last fall, SSC will award a competitive contract this winter for an MTD solution.

The costs of the project are being determined.

If pressed on existing use

Currently, Global Affairs Canada uses its own MTD solution for 10,000 domestic and international smartphones due to the risks faced by its employees.

A few departments, including Employment and Social Development Canada, Finance Canada, Justice Canada, the Privy Council Office and Transport Canada, have MTD solutions deployed to a limited number of smartphones.

Background

Today, SSC offers an International Travel Service (ITS) to employees travelling to high-risk locations aboard. A separate device is provisioned for this purpose, with a separate blank email account, no contacts and no access to collaboration applications. The decision on whether a domestic device can be used abroad is made by each department’s security officer. Even with MTD, some high-risk destinations will still require travel devices.

Through Mobile Services, SSC manages over 219,000 smartphones across more than 50 organizations, ensuring secure, always-available access to communication and collaboration tools. This centrally managed service provides cost efficiency, increased security through common controls, and a seamless and standardized experience for employees.

OAG Audit of Cyber Security of Government Networks and Systems – SSC Management Action Plan

Recommendation	Management Action Plan	Position Responsible	Completion Date
Shared Services in collaboration with Communications Security Establishment Canada should develop a clear action plan with defined criteria and timelines to develop a Security Information and Event Management (SIEM) application that addresses the existing gaps in cyber security monitoring.	██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████	Assistant Deputy Minister, Project Management and Delivery Branch (PMDB)	█████████████████
	███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████	Assistant Deputy Minister, PMDB	██████████████
	MVP design – Start of the engineering process to design the solution.	Assistant Deputy Minister, PMDB	December 31, 2026
	MVP build – Solution getting built according to the design and controls.	Assistant Deputy Minister, PMDB	December 31, 2026
	MVP ATO – Solution to get the Authority to Operate following the acceptance of risk from the established controls in the build	Assistant Deputy Minister, PMDB	March 31, 2027
Shared Services Canada should: Ensure the department has an up-to-date central inventory of its IT assets and a process to manage devices that need to be patched, updated, maintained, or replaced. The department should install the needed patches, perform the needed updates, and maintain and replace IT assets accordingly Determine a solution to resolve the procurement challenges facing the Endpoint Visibility, Awareness and Security Project	Shared Services Canada (SSC) will leverage its Materiel Management Transformation Initiative and the Materiel Management 3-Year Strategic Plan (2025–2028) to strengthen IT asset lifecycle controls and resolve asset management life cycle challenges. This initiative is governed through CFOPB oversight and aligns with SSC’s enterprise asset management objectives. The initiative will deliver the following outcomes: Operationalizing the quarterly In-Stock Asset Reporting aligned with the Financial Situation Report (FSR) process. Visibility of Assets in stock to all service lines as part of the planning process, prior to procurement activities. Integration of Materiel Management into Procurement-to-Pay (P2P) ensuring asset shipping/storage locations controls. Introduce asset compliance checks ensuring governance and accountability to monitor progress and performance through Reporting and Performance Monitoring. Simplify the asset divestment process through automation and improved data integration. Departmental realignment of MM functions to support the Enterprise Asset Management model as a centralized service provider.	Assistant Deputy Minster, Chief Financial Officer and Procurement Branch (CFOPB)	March 31, 2028
	Define Configuration Management Database (CMDB) Roles and Responsibilities Identifies all Data Providers contributing to the CMDB, including IT Operations and Security Deliverable: CMDB Roles and Responsibilities RACI matrix	Senior Assistant Deputy Minister, Operations and Client Services Branch (OCSB)	March 31, 2026
	Validate ODS Data Against SIGMA Asset Repository OCSB will establish a process to: Compare operational data in the ODS with asset records in SIGMA Identify discrepancies and report them to the appropriate Data Source Owners. Deliverable: Documented discrepancy reporting template	Senior Assistant Deputy Minister, OCSB	March 31, 2026
	The Endpoint Visibility, Awareness and Security (EVAS) Project has 2 streams to be contracted. Stream 1 EVA: A contract was awarded with CCI for a product named Tanium that constitute the EVA services. Stream 2 SEI: The EVAS project established a supply arrangement for the Secure Endpoint Initiative stream, screening by technical requirements.  An RFP amongst qualified bidders is expected to result in a contract before end of FY 25/26. ███████████████████████████████████ ██████████████	Assistant Deputy Minister, PMDB	March 31, 2026
Treasury Board of Canada Secretariat, Communications Security Establishment Canada and Shared Services Canada should re-evaluate its cyber security incident management practices and protocols to enable better coordination and timely access to required critical information when responding to cyber security incidents affecting federal organizations.	Cyber incident management practices and protocols are being reviewed on a continuous basis, especially following events. SSC will review and update its Cyber Security Event Management Processes.	Senior Assistant Deputy Minister, Connectivity and Security Services Branch (CSSB)	April 30, 2025 (Complete)
	SSC will collaborate with TBS and CCCS in the execution of a cyber event simulation exercise with a view to test the current GC-CSEMP processes, as well as new processes	Senior Assistant Deputy Minister, CSSB	May 31, 2025 (Complete)
	SSC will support CCCS lead role in the establishment of the GC-wide cyber security event collaboration platform. CCCS has indicated that they agree with the recommendation █████████████████████	Senior Assistant Deputy Minister, CSSB	CCCS lead – dates to be determined

Government transformation

Issue

• As the Government of Canada’s (GC) common information technology (IT) services provider, Shared Services Canada (SSC) plays a central role in driving government transformation and creating government-wide efficiencies—in close collaboration with the Treasury Board of Canada Secretariat’s (TBS) Office of the Chief Information Officer (OCIO) and Public Services and Procurement Canada (PSPC).

Key facts

• N/A

Key messages

• The GC is committed to transformation—to increasing government productivity while reducing the cost of operations. A more effective and efficient government will result in improved program and service delivery to Canadians and businesses.
• SSC is playing a key role in digital transformation across the GC—facilitating the adoption and scaling of artificial intelligence (AI) across the public service. SSC will also achieve $318.5 million in ongoing savings through efficiencies in its internal operations.
• SSC is enabling AI across government by:
  • developing a sovereign made-in-Canada AI platform that can be deployed across the government in partnership with leading Canadian AI companies, the Communications Security Establishment and the Department of National Defence
  • leading a competitive procurement process for generative AI productivity tools for government employees, which includes 3 Canadian pre-qualified vendors
  • enabling access to sovereign AI compute capacity for public and private research, in collaboration with the National Research Council Canada (NRC)
  • applying AI and automation across internal operations to automate common IT support requests and reduce call volumes and costs, while improving the user experience
• SSC is transforming the government’s hosting infrastructure from a sprawling landscape of siloed and outdated systems to modern hosting solutions. This new model combines cloud services and traditional on-premise data centres to optimize performance, reduce costs and provide flexibility.
• SSC will advance a common government-wide desktop solution to transition departments to a standardized, cloud-managed desktop service. This will reduce complexity, standardize IT security, increase portability and result in significant cost savings for Canadians.
• Aligned to the GC priority to modernize the way government procures goods and services, SSC is reviewing all aspects of its IT procurement by undertaking benchmarking, prioritizing Canadian vendors and sovereign infrastructure and services, and ensuring best value for Canada.
• SSC also supports the government’s broader digital transformation agenda through partner-led projects and initiatives, including enabling access to sovereign AI compute capacity in collaboration with NRC; ongoing work to improve human resources and pay for federal public servants; and enabling the Department of National Defence to modernize their systems to support the Canadian Armed Forces at home and abroad.

If pressed on cost savings

• Under the Comprehensive Expenditure Review (CER), SSC will meet up to 15% in savings targets over 3 years, achieving ongoing savings of $318.5 million.
• Specifically, SSC will
  • standardize platforms, including realigning enterprise software offerings to match current needs
  • eliminate low-use or redundant licences
  • eliminate non-essential telephone fixed lines in all GC buildings, which will reduce expenses, and deploy cost-effective softphones to all workers
  • review, consolidate and renegotiate contracts to eliminate duplication, secure better pricing and align spending with enterprise needs
  • leverage emerging technologies to automate repetitive tasks, use AI-driven tools to optimize operations and service delivery, automate common IT support requests to reduce call volumes and costs while improving user experience
  • build its in-house capacity and expertise to reduce spending on external consultants and contractors for ongoing operations
  • simplify the GC cloud footprint by consolidating over 287 departmental partner cloud environments into GC Cloud One, SSC’s enterprise cloud
  • reduce and rationalize the remaining 190 legacy data centres across Canada into 4 enterprise data centres, 1 High Performance Computing Centre, 5 consolidation data centres, and approximately 50 edge computing sites

Background

• SSC is responsible for modernizing, securing and managing the IT infrastructure that supports departments and agencies. This ensures reliable and effective service delivery to Canadians, both domestically and abroad. TBS’s OCIO sets government-wide direction for data, IT, cyber security and service management, while individual departments and agencies remain responsible for their own applications and data.

Artificial intelligence

Issue

• Artificial intelligence (AI) is considered a foundational technology, which stands to propel significant social and economic change. Shared Services Canada (SSC) is exploring how to use new technologies like AI to support government work.

Key facts

• N/A

Key messages

• By adopting AI, the Government of Canada (GC) will transform government operations and support a more efficient and effective public service.
• SSC is playing a leading role in digital transformation across the GC, facilitating the adoption and scaling of AI across the public service. SSC is:
  • developing a sovereign made-in-Canada AI platform that can be deployed across the federal government in partnership with leading Canadian AI companies, the Department of National Defence (DND) and the Communications Security Establishment (CSE)
  • leading a competitive procurement process for generative AI productivity tools for government employees, which includes 3 Canadian pre-qualified vendors
  • enabling access to sovereign AI compute capacity for public and private research, in collaboration with the National Research Council Canada (NRC)
  • applying AI and automation across internal operations to automate common IT support requests, reducing call volumes and costs while improving the user experience

If pressed on SSC’s AI initiatives

• SSC is building foundational tools using in-house AI experts, reducing dependency on contractors, lowering costs and keeping knowledge within government.
• SSC has fine-tuned large language models (LLMs) on Canadian content to ensure that AI tools reflect Canadian context, values and priorities.
• SSC is scaling its in-house developed generative AI tool called CANChat. This is a safe and secure AI platform for public servants, ensuring that GC data remains in Canada, is hosted on government-accredited infrastructure and is not accessible by foreign service providers.
• SSC is in the process of launching a government-wide procurement of generative AI tools that integrate with office productivity suites such as Microsoft 365. There are currently 5 qualified respondents that are expected to submit bids, 3 of which are Canadian.
• SSC is expanding the infrastructure, skills and expertise to support AI adoption, including making commercial AI tools available, creating an AI marketplace for sharing resources and helping establish a secure and sovereign supercomputing facility for advancing AI research.
• SSC operates the AI Centre of Excellence (AICoE), which supports departments and agencies in applying AI, shares best practices, contributes to policy development and fosters collaboration through peer reviews and working groups.
• The GC is committed to ensuring the responsible use of AI and  ensuring it is governed by clear values, ethics and rules.

If pressed on jobs

• AI is meant to support the work of public servants, not replace them. It can assist with routine and repetitive tasks so employees can focus on work that needs creativity, problem-solving and human judgment. This can increase agility, efficiency and retention by automating routine and time-consuming tasks.

If pressed on memoranda of understanding for AI

• The GC recently signed a memorandum of understanding with Cohere Inc. to explore opportunities for deploying AI in internal government operations and to strengthen digital sovereignty through a made-in-Canada digital and AI ecosystem. SSC’s efforts to define requirements for sovereign cloud hosting services furthers this work.

Background

• To guide the responsible use of AI, the Treasury Board of Canada Secretariat released key resources, including the Directive on Automated Decision-Making, the Guide on the use of generative artificial intelligence and the Algorithmic Impact Assessment tool.

Digital sovereignty

Issue

• Digital sovereignty is defined as the ability to exercise autonomy over digital infrastructure, data and intellectual property, as well as critical technologies. This protects national security, supports economic competitive and allows a country to operate independently and reduce the risks of foreign interference in the digital age. It includes:
  • Data sovereignty: Ensuring data complies with national laws and remains under the jurisdiction and control of the country
  • Operational sovereignty: Retaining control over how digital services are deployed and preventing reliance on, or interference from, foreign entities
  • Technological sovereignty: Maintaining the ability to make independent decisions about technology without being overly dependent on monopolistic or foreign‑controlled vendors

Key facts

• Under the Directive on Service and Digital, departments and agencies are expected to prioritize computing facilities in Canada—or on Government of Canada (GC) premises abroad—for storing or handling sensitive electronic information, such as Protected B, C or classified data. This helps keep important data secure and under Canadian control.
• Under the Policy on Privacy Protection, departments and agencies must protect personal information properly, reduce privacy risks and remain open and  accountable, even when it is processed or stored by third-party companies.
• Data protection obligations are embedded in contracts with service providers through standardized security clauses, access restrictions and incident reporting requirements.

Key messages

• Digital sovereignty is a critical priority for the GC to protect essential data, reduce risks of foreign interference and strengthen domestic IT capabilities.
• Shared Services Canada (SSC) is investing in Canadian technology capabilities and strengthening policies to protect critical infrastructure.
• SSC has launched a procurement process to establish Sovereign Canadian Cloud capabilities for the GC through a process that prioritizes Canadian-owned and controlled cloud service providers. These efforts will secure Canadian capacity as part of the GC cloud ecosystem.
• SSC will also develop a sovereign made-in-Canada AI platform that can be deployed across the government, in partnership with leading Canadian AI companies, and enable greater access to sovereign AI compute.
• SSC has been actively working to strengthen IT diversification by reducing vendor concentration and influence in strategic areas, while promoting Canadian-made solutions.

If pressed on protections

• The GC applies a range of technical safeguards to protect data, maintain service reliability and ensure continued operation of its systems. These include secure system design; encryption to protect information in storage and in transit; access and identity management; and continuous monitoring to detect and respond to incidents.

If pressed on how SSC strengthens digital sovereignty

• SSC works with Canadian telecommunications companies and provides the GC with a fast and reliable network in Canada that operates on Canadian-owned assets. This helps keep important data secure and under Canadian control.
• SSC uses state-of-the-art enterprise infrastructure and multiple layers of defence, including cutting-edge sensors designed to identify and eradicate cyber threats.
• SSC delivers hybrid hosting models to meet the GC’s needs for security, scalability and sovereignty. Hosting models range from fully GC-owned data centres (maximum sovereignty) to public cloud services (lower control, higher scalability).
• SSC’s enterprise data centres (EDCs) are located within Canada and operate on Canadian-owned assets. This helps keep important data secure and under Canadian control.

Background

• Due to the global dominance of U.S.-based technology vendors and the comparatively small size of Canada’s IT sector, targeted interventions are essential to scale Canadian capabilities. Cloud computing, in particular, is dominated by Amazon Web Services, Google Cloud and Microsoft Azure, posing challenges to operational and technological sovereignty.
• Advanced cyber threat actors are increasingly using supply chains to bypass traditional security defences by introducing vulnerabilities. Since 2012, SSC has mitigated this risk through Supply Chain Integrity (SCI) procurement reviews for equipment, software and services. These assessments help departments and agencies to identify and potentially mitigate security vulnerabilities before they impact operations.
• The GC has made strategic investments in Canadian IT firms, including a March 2025 announcement by Innovation, Science and Economic Development Canada (ISED) of up to $240 million in funding for Toronto-based Cohere Inc. This investment marks Cohere as the first recipient of the AI Compute Challenge, part of the $2 billion Canadian Sovereign AI Compute Strategy. In August, the GC signed a memorandum of understanding with Cohere to explore opportunities for deploying AI technologies across the GC to enhance operations within the public service and to build out Canada’s commercial capabilities in using and exporting AI.

Shared Services Canada procurement

Issue

This note explains Shared Services Canada’s (SSC) general procurement practices and achievements.

Key messages

• SSC follows a fair, open and transparent procurement process, guided by well-established rules and controls.
• Most SSC contracts are awarded through competitive bidding to ensure best value for Canadians.
• SSC is advancing an information technology (IT) diversification strategy, which will increase vendor diversity, reduce reliance on foreign technologies, foster a sovereign IT ecosystem and promote Canadian-made solutions.

If pressed on the interim Policy on Reciprocal Procurement

• The Policy on Reciprocal Procurement aims to ensure fairness in federal procurement by limiting access to suppliers from countries that restrict Canadian participation in their own government contracts.
• It prioritizes Canadian suppliers and those from trusted trading partners, helping to strengthen domestic supply chains and support Canadian businesses.

If pressed on sole-sourcing

• SSC occasionally awards non-competitive contracts, which are subject to the same rigorous review as competitive ones, based on their risk and value.
• Justifications for these contracts are grounded in clear criteria, such as urgency, exclusivity or national interest.

If pressed on no substitution

• Due to operational requirements, SSC occasionally purchases equipment from a manufacturer to ensure compatibility with existing systems, in circumstances where there is no possible alternative.
• When this happens, SSC provides a technical reason to support the decision. In some cases, the contract is still competed—but only among authorized resellers of the specific equipment.

If pressed on outsourcing

• SSC uses professional services to help deliver programs and projects, to meet delivery targets or to provide outside expertise on a particular project.
• Spending on management consulting was reduced by 81%, from $175 million in 2022–23 to $34 million in 2023–24. Oversight has been strengthened to ensure services are used only when operationally justified.

If pressed on the Procurement Ombud’s “Bait and Switch” report

• SSC typically engages consultants using Public Services and Procurement Canada’s (PSPC) established methods of supply. To ensure quality and compliance, SSC verifies that proposed individual resources meet or exceed both PSPC’s minimum qualifications and SSC’s specific requirements.
• SSC has strengthened its guidance to procurement officers by updating instructions to clarify the process and enhance the consistency and completeness of the documentation.

If pressed on supply arrangements

• SSC has established supply arrangements that promote Indigenous business participation, including measures such as Indigenous Participation Plans to support subcontracting, employment and skills development.
• Contracts over $5 million undergo governance reviews to ensure meaningful consideration of Indigenous businesses in the procurement process.

Background

• GC contracting is governed by well-established laws, regulations and government-wide policies. SSC complies with the Financial Administration Act, the Government Contracts Regulations, the Directive on the Management of Procurement, the Policy on the Planning and Management of Investments, the Code of Conduct for Procurement, trade agreements, court decisions, the Policy on Green Procurement, the Procurement Strategy for Indigenous Business and the Nunavut Directive.
• In 2024–25, SSC awarded 11,391 contracts and amendments valued at approximately $3.17B (net):
  • 7,823 contracts valued at $2.15B
  • 2,589 positive contract amendments valued at $1.30B
  • 979 negative contract amendments valued at -$270.85M
  • 9.8% of the value of SSC-funded contracts were awarded to Indigenous businesses, representing $228.3M and surpassing the Government of Canada’s 5% Indigenous procurement target
  • 65.9% of contract awards—valued at $1.12B—were awarded to Canadian small and medium-sized enterprises (SMEs) with Canadian companies
  • 32.5%—valued at $554M—went to Canadian SMEs with foreign parent companies

Office of the Auditor General of Canada (OAG)’s Contact centres report

Issue

• In this report, the Auditor General found the Canada Revenue Agency’s (CRA) contact centres failed to consistently provide callers with accurate and timely information.
• The report highlighted deficiencies in the management of the Hosted Contact Centre Service (HCCS) platform provided through a contract with Shared Services Canada (SSC).

Key facts

• The HCCS contract has a $50‑million minimum revenue guarantee over 10 years. SSC’s authorities permit spending up to $300 million for this contract and the current expenditure forecast is $190 million.
• The contract was awarded in 2015, implemented for CRA and other departments in November 2018 and runs until 2027.
• In 2025, following a competitive process, SSC awarded a 5‑year contract (with one 5‑year option) to Bell Canada for its Genesys Cloud CX platform. The initial contract is valued at $7 million, which will grow over time as the services are consumed. As the design and implementation of the new contract is in development, its expected total cost is not yet available.

Key messages

• The contract is within its budget. As of June 2025, the total one-time costs and forecasted monthly costs for the first 10 years of the contract is $190 million. SSC’s procurement authorities for this are a maximum of $300 million.
• SSC welcomes the Auditor General’s findings. Modern contact centres are essential for partners to deliver services to Canadians.
• SSC generally agrees with the recommendations, has already implemented many and is working to address the remaining items.
• Using learnings from the previous contract, SSC awarded a new contract in July 2025 to replace the existing IT services for CRA’s contact centres. The new solution will allow CRA to leverage current and emerging technologies, which are scalable and flexible over the life of the contract, to support effective service delivery.
• SSC remains committed to sound stewardship and accountability. SSC, in collaboration with CRA, continues to strengthen contract management practices with clearly defined roles, responsibilities and processes.

If pressed on new contract

• Partner departments, including CRA, were fully engaged in defining requirements and evaluating the new contact centre solution. Under the new contract, CRA will benefit from:
  • greater autonomy to deploy and test features, allowing for more agile service improvements
  • detailed billing information, which simplifies invoicing and increases clarity when certifying the receipt of goods and services and authorizing payment
• The new Contact Centre as a Service (CCaaS) is an on-demand, flexible and scalable commercial solution to manage client interactions across various channels, such as phone, email, chat and social media.

If pressed on value

• The government only paid for the features and consumption that it used.
• Increases to the contract value reflect increases in usage over time, such as exercising option years, adding new contact centres, increasing use or capacity in the pandemic, and are not changes to pricing.

If pressed on cost conflation

• The $50‑million minimum was never a total estimated contract value but rather the minimum commitment to assure the vendor they would recoup their initial infrastructure and set-up investment. Once consumption began, service orders were placed and the contract value was amended accordingly.
• Not all features available under contract were initially activated. Some were added later, resulting in contract amendments. This allowed the service to address the evolving need of the department.
• Rather than award the full estimated contract value at the outset, SSC used the best-practice approach of awarding smaller service orders in increments based on predictable consumption and feature implementation forecasts. This established controls and gating to ensure that the contract and spending was regularly reviewed internally and with our partners. Amendments increasing the overall value of the contract were simply a reflection of the service orders as consumption took place.

Background

• In 2013, the Government of Canada pursued a consolidated contact centre solution. In 2015, SSC awarded a contract to IBM for the HCSS system. It included new functions such as call-routing to agents with relevant knowledge, nation-wide call queuing, an integrated voice-response system, estimated wait times and workforce management functionalities. The contract was designed to include many features that CRA and other departments could choose to implement as their business requirements evolved over the life of the contract.