Briefing Binder: House of Commons Standing Committee on Public Accounts (PACP) - Auditor General Reports 7 and 8
Opening Statement
Scott Jones, President, Shared Services Canada - Standing Committee on Public Accounts (PACP)
To Address the Office of the Auditor General Reports on Modernizing Information Technology Systems, and Benefits Delivery Modernization Program
December 14, 2023
Mr. Chair and members of the Committee, I am pleased to be here today to address the Auditor General’s recent reports and Shared Services Canada’s progress on their recommendations.
Before I begin, I’d like to acknowledge that we are gathered on the traditional, unceded territory of the Algonquin Anishinaabe People.
With me today from SSC are: Scott Davis, Chief Financial Officer, and Shannon Archibald, Assistant Deputy Minister of our Hosting Services Branch.
SSC welcomes the findings of the audit and its recommendations. This audit will help the Government of Canada strengthen and improve its information technology systems and hosting services.
Mr. Chair, modernizing the Government of Canada’s IT systems requires an enterprise-wide approach and SSC is committed to collaborating with departments and their Chief Information Officers to achieve this.
SSC provides the foundational IT infrastructure for departments to host their applications, so that Canadians have access to secure digital programs and services.
While SSC is responsible for the Government of Canada IT infrastructure, it is important to note that departments are responsible for modernizing or decommissioning the applications that run on SSC infrastructure.
SSC has a plan in place to address aging infrastructure, as the AG’s report pointed out, and we are working on it.
SSC continues to collaborate with the Treasury Board Secretariat and all departments to advance modernization goals and ensure that outdated IT infrastructure is replaced with modern and stable hosting solutions.
As part of that process, we are working with TBS, departments and their Chief Information Officers to identify applications most at risk.
Investments over the last two years have allowed us to renew the base infrastructure of the government and, through that, the core network is being completely transformed into a modern network.
To support the modernization of applications by departments, SSC is offering modern hosting solutions, including cloud services and GC state-of-the-art Enterprise Data Centres. These modern solutions are key to be able to offer digital services and programs to Canadians.
For example, SSC is working on private cloud to offer opportunities to modernize applications, and edge solutions to address latency needs.
Through our Hosting Services Strategy, SSC will continue to support applications across departments and improve the security and the stability of Enterprise Data Centres.
This Hosting Services Strategy will also offer solutions tailored to different workloads and applications. Focusing on innovation, sustainability and cyber security will ensure we efficiently serve Canadians while building stronger partnerships and inspiring confidence and trust.
For Employment and Social Development Canada’s Benefits Delivery Modernization Program, SSC is providing the underlying cloud connectivity and associated procurement vehicles.
More precisely, SSC is responsible for designing and modernizing the digital infrastructure to support benefits delivery modernization through rigorous project planning, oversight and governance.
SSC continues to work closely with ESDC to provide guidance and advisory services on the various components of the digital solution.
To better communicate and collaborate with all departments across government, SSC has launched Digital Together. This plan is designed to accelerate progress in areas of digital services, connectivity, hosting and cyber security.
Mr. Chair, SSC acknowledges the need for efficient and cost-effective modernization. Under Digital Together, we identify and prioritize initiatives that respond to the government’s priorities, while aligning with digital modernization goals and our enterprise approach.
This is a journey that will be powered by both larger scale modernization of legacy platforms, as well as ongoing improvements in the way Canadians interact with technology to access services. Decommissioning legacy infrastructure is complex and requires collaboration with departments to ensure there is no disruption to critical business applications.
By working together and leveraging the strengths of partners, SSC can address the complex challenges facing the government and deliver innovative solutions that drive positive, secure change for Canadians.
Mr. Chair, to summarize, SSC has a plan to have a stable IT infrastructure and to ensure connectivity coast to coast. We will continue to look for ways to innovate and improve. However, to achieve this vision, continued investments will be required.
Thank you. We would be happy to answer your questions.
Delivering Digital Together
Issue
Shared Services Canada (SSC) has a new strategic plan to drive operations—modernizing the Government of Canada (GC) information technology (IT) ecosystem and implementing new capabilities.
Key messages
- SSC’s “Delivering Digital Together” initiative focuses on simplifying operations, leveraging common solutions, and implementing modern capabilities so departments and agencies can efficiently deliver services to Canadians.
- The approach will provide secure and reliable digital connectivity and hosting services that allow public servants to work collaboratively and seamlessly across the GC to serve Canadians.
- The implementation of the initiative will orient the department and stakeholders toward a common destination: to modernize the delivery of programs and services to Canadians.
If pressed on
If pressed on the timing of the initiative:
- Since 2019, SSC has been guided by a set of core principles that emphasize a whole-of-government approach to managing and improving the IT ecosystem.
- This has been an effective way to deliver services and to orient departmental operations toward an enterprise model.
- The need to continue evolving and building is driven by the post-pandemic hybrid work environment, ongoing technological changes, and the growing expectation from Canadians to receive services digitally.
If pressed on next steps:
- “Delivering Digital Together” is focused on sharing clear and transparent plans in all core areas of business.
- SSC will continue to develop and refine its “Delivering Digital Together” activities through engagement with government stakeholders, including the Treasury Board of Canada Secretariat Office of the Chief Information Officer, Deputy Heads and Departmental Chief Information Officers.
- SSC will also leverage engagement with external stakeholders and industry partners to create opportunities to collaborate on developing solutions that will meet the needs of the government.
Background
As part of its mandate to consolidate and standardize IT infrastructure for the GC, SSC has continued to evolve and improve how it provides shared IT services to its partners and clients.
Today, the post-pandemic hybrid work environment, ongoing technological changes, and the growing requirement to deliver services digitally are all driving the need to continue evolving our approach, while building on the successes and lessons learned over the past 4 years.
OAG Audit of Modernization of Information Technology Systems – SSC Management Action Plan
| Recommendation | Management Action Plan | Position Responsible | Completion Date |
| --- | --- | --- | --- |
| Shared Services Canada (SSC) should: | 1. Develop a proof of concept/preliminary FINOPS model and data collection process | Chief Financial Officer Branch (CFOB) | December 31, 2024 |
| | 2. Strategic reporting | CFOB | April 30, 2024 |
| | 3. Regular updates and progress reporting | CFOB | April 30, 2024 |
| | 1. Develop and implement an evidence-based decision framework for the prioritization and execution of legacy workload migration projects for: | Workload Migration Program – Project Management and Delivery Branch (PMDB); Data Centre Facilities Management – Hosting Services Branch (HSB) | Completed August 31, 2024 |
| | 2. Develop and implement a comprehensive costing model for legacy workload migration projects. | Workload Migration Program – PMDB | Completed |
| | 3. Work with TBS and partner organizations to prioritize, plan and cost the migration of the remaining GC applications in legacy data centres to optimal hosting solutions. | Workload Migration Program – PMDB, in collaboration with HSB | September 30, 2024 |
| | 4. Develop a decision framework to prioritize closures of legacy data centres. | Data Centre Facilities Management – HSB | March 31, 2024 |

Notes on context:
- SSC is responsible for the infrastructure, as referenced in the recommendation; partners and clients are responsible for the applications that run on SSC infrastructure.
- Some legacy applications and/or legacy infrastructure will have to be retained to meet the operational and program requirements of some departments. The recommended analysis would need to exclude these cases, as the results could be misleading. The challenge is that these cases would not be identified until SSC is working with a department to plan its migration.
Auditor General’s Report on Modernizing Information Technology (IT) Systems
Issue
On October 19, 2023, the Auditor General of Canada tabled a report in Parliament that included a chapter on Modernizing Information Technology (IT) Systems. The audit’s objective was to determine whether Treasury Board Secretariat (TBS) and Shared Services Canada (SSC) have led and supported the efficient and effective modernization of IT systems across government. The audit presented 5 recommendations: 1 for SSC and 4 directed at TBS.
Key facts
- The audit found that TBS and SSC did not provide federal organizations with the leadership and support needed to modernize outdated IT. It suggests that better oversight and a concrete action plan, along with a funding approach, are needed to prioritize critical systems and address the challenges that may arise as modernization occurs.
- The audit noted that SSC had made some progress on modernizing the Government of Canada (GC) IT infrastructure, accelerated by the COVID-19 pandemic. While SSC is responsible for infrastructure, clients are responsible for their applications.
- SSC is progressing by building roadmaps outlining its work with stakeholders to achieve excellence in technology and operations.
- The roadmaps will guide SSC service delivery, outline key next steps and provide predictability and clarity about the future for connectivity, hosting, digital and cyber security services.
Key messages
- SSC welcomes the results of the audit and the recommendations made by the Auditor General of Canada. This audit will help the Government of Canada strengthen and improve its IT systems and hosting services.
- SSC will undertake a holistic impact analysis of legacy technology, including applications and supporting infrastructure.
- SSC will work to improve the alignment of the process to prioritize whole-of-government IT modernization work with the needs of partners and clients, in order to maximize efficient and secure service delivery while mitigating the risks associated with legacy technology.
On hosting services
- SSC is laying the groundwork for a digital future by providing our partners with secure and smart hosting solutions that are scalable and reliable so they can deliver services to Canadians efficiently.
- SSC is modernizing IT infrastructure by closing legacy data centres and providing partners with modern hosting alternatives.
- SSC provides partners and clients with reliable and scalable hosting solutions, including cloud, enterprise data centres, and expanded edge computing solutions that enable them to deliver programs and services to Canadians, both domestically and abroad.
Audit recommendation for Shared Services Canada (SSC)
Part 1: Analyze the financial and non-financial effects of continuing to operate legacy applications and infrastructure instead of migrating modernized applications to new or modernized infrastructure.
- SSC will conduct an impact analysis of operating legacy applications and infrastructure to increase its understanding of the implications associated with maintaining these systems.
- The analysis will inform SSC’s decisions, ensuring that the transition aligns with both cost-effectiveness and modernization goals.
Part 2: In coordination with TBS and other departments and agencies, undertake a review and prioritization exercise (including timelines and budget) to modernize and migrate legacy applications to new infrastructure and close the remaining legacy data centres.
- SSC will support TBS in conducting a review and prioritization exercise.
- As reflected in Delivering Digital Together, SSC is committed to working closely with partners and clients toward shared modernization goals.
- SSC recognizes the need for efficient and cost-effective modernization and will identify and prioritize initiatives that respond to the GC priorities, while aligning with digital modernization goals and the enterprise approach.
- SSC continues to collaborate with partners and TBS to advance modernization goals and ensure that outdated IT systems across government are replaced by modern and stable hosting solutions, as demonstrated through programs such as the Application Modernization and Workload Migration.
- As of June 2023, SSC has closed 450 legacy data centres out of the original 720, facilitating a modern, agile and secure digital government that meets the expectations of Canadians.
If pressed on
If pressed on fiscal responsibility:
- SSC takes fiscal responsibility seriously and supports partners and clients in delivering their programs and services to Canadians by providing secure, modern and reliable IT infrastructure.
- While SSC is responsible for the infrastructure, it is important to note that partners and clients are responsible for the applications that run on SSC infrastructure.
- SSC recognizes that some legacy applications and infrastructure must remain in legacy data centres due to current operational and program requirements, and will work with TBS to determine an optimal modernization strategy for these on a case-by-case basis.
Background
- This audit is a follow-up to the 2010 Auditor General's Report on Aging Information Technology Systems.
- SSC was created in 2011 and given the responsibility of modernizing and consolidating technology infrastructure across the government.
- In 2013, TBS introduced the Application Portfolio Management Software to monitor and track the state of applications within departments and agencies.
- In 2021, the GC released the Digital Operations Strategic Plan, which focuses on modernizing the way government replaces, builds and manages major information technology systems.
Benefits Delivery Modernization
Issue
Outlining Shared Services Canada’s (SSC) role in the delivery of the Benefits Delivery Modernization (BDM) program at Employment and Social Development Canada (ESDC).
Key messages
- Technology and systems modernization are fundamental components to advancing the government’s online benefits delivery of programs and services to Canadians, such as Old Age Security, Employment Insurance and the Canada Pension Plan.
- SSC’s role in support of ESDC’s Benefits Delivery Modernization initiative is primarily focused on providing the underlying cloud connectivity and associated procurement vehicles.
- SSC’s main responsibility is to design and modernize the digital infrastructure to support benefits delivery modernization through rigorous project planning, oversight and governance.
- SSC welcomes the recent report from the Auditor General. This audit will help the Government of Canada (GC) strengthen and improve its information technology (IT) systems and hosting services.
If pressed on
If pressed on current focus:
- The initial focus is on the digital modernization of the Old Age Security benefit.
- SSC has a dedicated team collaborating with ESDC to ensure successful program delivery.
Background
Roles and responsibilities by department:
Shared Services Canada (SSC)
- Project engagement and oversight for cloud platform integration
- Engagement and integration on key BDM-related initiatives, such as contact centre procurement and procurement of identity management solutions
- Ongoing support for key infrastructure and solution modernization
- Providing insight, feedback and guidance to ESDC throughout the life cycle of the program and participating in program governance
- Engagement with subject-matter experts internally and within industry to support BDM
Treasury Board of Canada Secretariat (TBS)
- Provides the required oversight for the project to ESDC and SSC
Employment and Social Development Canada (ESDC)
- Responsible for the management and support of the newly built applications and their data
Tools capable of extracting data from Government of Canada devices
Issue
Media and MPs have raised concerns regarding the use of tools capable of extracting data from mobile devices and other assets within the Government of Canada (GC). While the media narrative makes reference to “spyware,” that is not an accurate description of the tools used by Shared Services Canada (SSC).
Key facts
- Departments use digital forensic tools for administrative investigations. These investigations are conducted under the authority of the Financial Administration Act, section 7, and in line with the Policy on Government Security and under the authority of SSC’s Chief Security Officer (CSO).
- SSC uses digital forensic tools to investigate credible allegations of wrongdoing by GC employees in the course of an official administrative investigation.
- At the outset of an investigation, the CSO engages SSC’s forensic team to collect and confirm evidence and to ensure impartiality in data collection.
- Digital forensic tools are used in controlled environments. Electronic devices are brought to a physically segregated secret-level area where the tools are used for analysis. Devices are stored in a forensic vault, only accessible to a few employees of the forensic team.
- Throughout the processes, the employee that is the subject of the investigation is informed of each step, and procedural fairness is top of mind.
Key messages
- SSC takes the protection of the privacy of employees and all Canadians very seriously, while at the same time ensuring the security of GC networks.
- SSC uses digital forensic tools only on government-issued devices and in very specific circumstances.
- Digital forensic tools are used in 2 specific scenarios:
  - When there is a credible allegation of employee wrongdoing
  - To gather evidence at the request of law enforcement in support of lawful investigations (for example, court orders, warrants, subpoenas)
- All administrative investigations are conducted under the authority of SSC’s CSO, aligned with the department’s standard operating procedures.
- Under no circumstances does SSC extend the use of digital forensic tools outside an investigative mandate.
If pressed on
If pressed on use of these tools:
- Digital forensic tools are not deployed remotely or used in any monitoring capacity.
- In the past 2 years, these tools have only been used 6 times at SSC, in the course of mandated administrative investigations under the purview of the CSO.
- Examples of an allegation that would result in a review include:
  - Suspected inappropriate website browsing
  - Malicious software installed on a device
  - A suspected false claim of overtime
- These tools are solely used for review when wrongdoing is suspected or to ensure the security of government networks for the benefit of Canadians.
If pressed on contracting:
- As the IT service provider for the GC, SSC contracts can be used not only by SSC directly, but also by the departments that SSC supports.
- The contractual agreement for these device-monitoring products may also be used by other departments of the GC.
Background
Media began reporting on the use of “spyware” by 13 government departments during the week of November 29, 2023, suggesting that government agencies are “ignoring” the federal mandate to conduct a privacy impact assessment (PIA). Since the media reporting began, the Standing Committee on Access to Information, Privacy and Ethics has agreed to conduct a study of the use of these tools, beginning on January 29. SSC has been named as one of the witnesses to be called to the committee for this study.
Diversity and inclusion in procurement
Issue
The Government of Canada (GC) has set a priority on increasing diversity and inclusion in procurement.
Key facts
- In 2022-23, Shared Services Canada (SSC) awarded contracts to 343 different small and medium-sized enterprises (SME). Of these, 325 were Canadian.
- A total of $1.167 billion in SSC-funded contracts were awarded to SMEs, with a total value of $1.163 billion to Canadian SMEs.
- A total of 1,598 SSC-funded contracts were awarded to SMEs. Of these, 1,575 were awarded to Canadian SMEs.
Key messages
- SSC is creating new opportunities for under-represented groups to participate in federal contracting by piloting the implementation of socio-economic considerations in procurements where there may be fewer opportunities.
- ScaleUp is a social procurement initiative led by SSC, with support from TECHNATION, a national technology industry association. ScaleUp increases the diversity of vendors competing for federal government contracts.
- SSC has awarded 17 contracts and prequalified an additional 8 companies through the ScaleUp initiative.
- Among those contractors:
  - 32% are micro-businesses (that is, have 4 employees or less) and 68% are small businesses
  - 68% are owned or led by visible minorities
  - 52% are women-owned or led
  - 8% are owned by or led by persons with a disability
Shared Services Canada’s involvement in ArriveCAN
Issue
The ArriveCAN application continues to be under scrutiny.
Key facts
- ArriveCAN was developed for the Government of Canada (GC) to assist with border screening measures during the COVID-19 pandemic.
- The program has been under scrutiny for its cost, effectiveness and reported errors in its functionality.
- Shared Services Canada (SSC) awarded 7 contracts on behalf of the Canada Border Services Agency (CBSA) in support of ArriveCAN. It is important to note that the CBSA has accounted for these contracts in their own reporting.
Key messages
- SSC delivers digital services to GC organizations. It does this by providing networks and network security, data centres and cloud offerings, digital communications, and IT tools to enable federal organizations to effectively deliver programs and services to Canadians.
- SSC’s primary role was to support the operations of ArriveCAN by enabling connectivity between the cloud and data centres and providing access to IT goods and services.
- SSC did this by:
  - enabling the application to exchange information between the cloud solution and GC data centres
  - ensuring the connections are secure and the information of Canadians is protected
  - providing the CBSA with contracting mechanisms to acquire IT goods and services in support of the ArriveCAN application
If pressed on
If pressed on Shared Services Canada’s (SSC) role in application development:
- SSC is only mandated to develop applications for its own department.
- SSC supports other organizations by ensuring that the applications they develop are securely hosted in GC data centres or, if hosted in the cloud, can communicate securely with GC data centres.
If pressed on Shared Services Canada’s (SSC) contracts in support of ArriveCAN:
- One pre-existing GC enterprise-wide contract was leveraged to provide backbone network connectivity for a value of $87,000.
- SSC awarded 7 contracts on behalf of the CBSA in support of ArriveCAN. It is important to note that the CBSA has accounted for these expenses in their own reporting.
- The contracts included cloud services, software licences, cyber security services and microcomputer equipment.
- Of the 7 contracts, 6 were competitive.
- One contract of $39,998.00 was sole-sourced for software licences for a scanning application using mobile phone cameras.
Supply chain integrity
Issue
Concerns have been raised regarding the presence and/or access to the Canadian market of information and communication technology (ICT) products manufactured by Chinese-owned entities. There are claims that some of these entities have direct ties to the Chinese government. For example, companies such as Huawei and Lenovo are often mentioned.
Key facts
- A number of departments and agencies play a role in cyber security, including the Treasury Board of Canada Secretariat (TBS), the Communications Security Establishment (CSE), Shared Services Canada (SSC), Public Safety Canada (PS), the Royal Canadian Mounted Police (RCMP), the Canadian Security Intelligence Service (CSIS), and the Department of National Defence (DND).
- All departments and agencies have a responsibility to ensure cyber security within their organization. TBS, SSC and CSE are the primary stakeholders with responsibility for ensuring the government’s cyber security posture is effective and able to respond to evolving threats.
Key messages
- The Government of Canada (GC) takes the security and privacy of its network infrastructure and any devices that access it very seriously.
- SSC conducts a supply chain integrity (SCI) review, with support from the CSE, for all information technology (IT) purchases.
- This assessment ensures the security of the GC’s IT infrastructure.
If pressed on
If pressed on supply chain integrity review:
- SSC relies on the Canadian Centre for Cyber Security (CCCS) (part of CSE) as the GC’s centre of excellence for the supply chain integrity (SCI) review function.
- The SCI function, implemented in 2012, ensures that goods and services purchased are as safe from cyber security threats as possible.
- SCI reviews apply to procurement in 4 areas: email, data centres, networks and workplace technology devices (such as laptops, printers and cellular devices).
- Not only are these areas essential to the operation of government; they are also the main targets of cyber threats.
- SSC continuously works to enhance cyber security in Canada by collaborating with partners across government to prepare for all types of cyber incidents.
Background
- On June 6, 2023, an article entitled, “Faut-il avoir peur des appareils Lenovo?” was published in La Presse.
- The news article stated that the GC has not banned equipment from Lenovo.
- CSE is quoted in the article. CSE confirmed that the GC has not banned equipment from Lenovo and mentioned that they evaluate equipment on a case-by-case basis.
- TBS provides strategic oversight of government cyber security event management.
- SSC provides IT security infrastructure (design, deploy and operate). In conjunction with TBS and CSE, SSC also provides security and privacy by design as part of the establishment of new services. The security of goods and services is evaluated by CSE and SSC during the procurement process.
- CSE houses the CCCS, which monitors systems and networks for malicious activities and cyber attacks and leads the cyber event operational response.
- PS leads national cyber security policy and strategy.
- The RCMP is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin against GC infrastructure.
- CSIS is responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists.
- DND/Canadian Armed Forces is responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems.
Blocking TikTok, WeChat and Kaspersky
Issue
The Government of Canada (GC) banned TikTok, WeChat and Kaspersky mobile applications from government-issued devices.
Key messages
- The GC’s use and choice of digital tools are reviewed on an ongoing basis to address the ever-changing risk environment, and to ensure government networks and data remain secure and protected.
- It was determined by the Treasury Board of Canada Secretariat (TBS) Deputy Minister (DM) and Chief Information Officer of Canada (CIOC) that the TikTok, WeChat and Kaspersky applications present an unacceptable risk to privacy and security.
- Shared Services Canada (SSC), which manages GC smartphones, blocked TikTok, WeChat and Kaspersky from all government-issued mobile devices.
If pressed on
If pressed on Shared Services Canada’s (SSC) role in banning the applications:
- SSC blocked the TikTok application, as per the direction of the TBS DM and CIOC on February 27, 2023.
- SSC blocked the WeChat and Kaspersky suite of applications, as per the direction of the CIOC on October 30, 2023.
Background
- On February 27, 2023, the TBS DM and CIOC announced that, pursuant to their responsibilities under section 4.4.1.9 of the Policy on Service and Digital, the use of the TikTok application would be blocked on GC devices as of 5 pm ET on February 27, 2023.
- This decision was made after a review of the behaviour of the application as it relates to GC privacy and security standards, and it impacts all organizations subject to the Policy on Service and Digital.
- On October 30, 2023, the CIOC made the decision to block the WeChat and Kaspersky suite of applications from use and downloading on all government-issued mobile devices.
- The decision was made after it was determined that the applications present an unacceptable risk to privacy and security.
Cyber security overview
Issue
Addressing cyber security is a shared responsibility between Shared Services Canada (SSC), the Treasury Board of Canada Secretariat - Office of the Chief Information Officer (TBS-OCIO) and the Communications Security Establishment’s (CSE) Canadian Centre for Cyber Security (CCCS).
Key messages
- SSC works diligently to keep Government of Canada (GC) networks safe, secure and accessible for Canadians.
- SSC applies cyber security measures to identify and prevent malicious actors from gaining access to government networks by using firewalls, network scans, anti-virus, anti-malware, as well as identification and authentication tools and services.
- Cyber security is a shared responsibility between SSC, CSE, TBS and departments and agencies.
- When a cyber security event occurs, SSC and its partners respond in a consistent, coordinated and timely manner to ensure the security and resilience of GC programs and service delivery.
- SSC is responsible for planning, designing, building, operating and maintaining effective, efficient and responsive enterprise IT security infrastructure services to secure GC data and systems under its responsibility.
If pressed on
If pressed on current and future cyber security investments:
- The government is investing $220.1 million over 7 years for SSC to address the rapidly evolving cyber threat landscape.
- The proposed funding will be used to enhance technological and human capacity, identify and assess vulnerabilities, and deliver new enterprise capabilities that will enable organizations across the GC to continue delivering services to Canadians securely.
- The funding will enable SSC to:
- procure and deploy new cyber security tools to reduce threats to GC infrastructure. These tools will:
- help to identify all the ways a threat could potentially gain access to the organization’s environment
- provide a centralized assessment of vulnerabilities and identify mitigations (like software upgrades or patches)
- provide a proactive process that monitors the effectiveness of security controls. SSC can simulate a cyber attack and identify weaknesses before they can be exploited by a threat
- support cloud security by enabling GC cloud guardrail compliance monitoring
- support the implementation of the priorities of the SSC cyber security services roadmap
- modernize the government’s approach to cyber security
- support TBS’s associated efforts to reinforce government cyber security through the GC Enterprise Cyber Security Strategy and Implementation Plan
- SSC’s responsibilities include government networks, email, data centres and classified IT infrastructure.
If pressed on Shared Services Canada’s (SSC) responsibility vs. that of the Communications Security Establishment (CSE):
- Although SSC designs and manages most security systems that protect the government’s IT infrastructure, CSE uses complementary solutions to supplement SSC-managed security systems.
- In short, SSC ensures the GC is protected by state-of-the-art commercial solutions, while CSE fills the gap between commercial solutions and the most sophisticated adversaries.
- While SSC provides IT security infrastructure, CSE monitors systems and networks for malicious activities and cyber attacks. It leads the government’s operational response to cyber security events.
If pressed on any particular cyber event:
- SSC has people, technology and processes in place to safeguard systems, and works collaboratively with TBS, CSE and departments to detect and respond to cyber threats.
- When a cyber security event occurs, SSC and its partners respond in a consistent, coordinated and timely manner to ensure the security and resilience of GC programs and service delivery.
- The risk of cyber attacks is persistent and requires constant vigilance.
Auditor General’s Report on Cybersecurity of Personal Information in the Cloud
Issue
In November 2022, the Auditor General of Canada tabled a report in Parliament that included a chapter on Cybersecurity of Personal Information in the Cloud. Shared Services Canada (SSC), Public Services and Procurement Canada (PSPC), the Communications Security Establishment (CSE) and the Treasury Board of Canada Secretariat (TBS) were in scope. The audit presented 5 recommendations—4 directed at TBS and 1 made jointly to SSC and PSPC. In March 2023, SSC appeared before the Standing Committee on Public Accounts (PACP) alongside TBS and CSE to address questions stemming from the audit. The Committee was satisfied with SSC’s progress and encouraged the department to pursue planned measures, including guardrail automation.
Key facts
- The audit highlighted the following:
- There were weaknesses in departments’ controls for preventing, detecting and responding to cyber attacks.
- The roles and responsibilities for ensuring cloud cyber security were unclear and incomplete.
- TBS did not provide departments with a costing model or funding approach for cloud services.
- PSPC and SSC did not include environmental criteria in their procurement of cloud services.
- SSC enables smart cloud adoption for departments so they can harness the benefits of cloud technology by providing:
- easy and secure access to cloud services
- secure network connection between government applications hosted in the cloud and government data centres
- operational guidance and support
- A number of strict security requirements, including cloud guardrails, must be met before departments can begin to store data in the cloud.
- At the time of tabling, SSC had initiated the development of automated guardrail validation, allowing SSC to consistently and accurately report to TBS on guardrail compliance.
- In fall 2023, SSC began a phased GC-wide roll-out of the automated guardrail validation. The first phase will be completed in Q1 of 2024-25 and will represent over 80% of the GC’s cloud presence. In the interim, the manual process has remained in effect.
- PSPC and SSC are aligning on the GC approach to cloud procurement. Cloud procurement templates have been developed, which include standard contract clauses and sustainability terms for cloud service providers.
- SSC has also worked with TBS officials as they implement their Management Action Plan in response to this audit.
Key messages
- SSC accepted the recommendations made by the Auditor General. The findings of this audit have helped SSC strengthen its operating framework for cloud services.
- Protecting the government’s systems and information is a shared responsibility across 3 organizations: CSE (through the Canadian Centre for Cyber Security), the TBS Office of the CIO (TBS-OCIO) and SSC. Collectively, this group is committed to a whole-of-government vision and plan for cyber security.
- The GC has a critical role to play in protecting the information of Canadians. It has implemented an approach to managing security risks in the cloud that safeguards Canadians’ data and privacy through a series of policy instruments that guide departments as they adopt cloud services.
- SSC is aware that threats and vulnerabilities continue to arise. While departments are obliged to meet security requirements prior to storing data, continuous guardrail monitoring must be an ongoing process.
If pressed on
If pressed on cloud procurement:
- SSC provides access to 8 cloud service providers who were pre-vetted based on security and other requirements.
- These framework agreements provide departments with standardized terms and conditions, and cloud services that have been assessed by the Canadian Centre for Cyber Security and the Contract Security Program.
If pressed on cloud security:
- The protection and privacy of the GC data stored and processed in the cloud is a top priority for SSC.
- Measures are in place to enforce where data resides and how it is controlled.
- Processes are in place to ensure that specific security requirements and standards are met when awarding cloud contracts.
- To securely consume cloud services, each department must implement and maintain specific security guardrails.
- SSC actively monitors adherence to security requirements.
Background
Proportionately, cloud represents a small percentage of application hosting solutions. Over 90% of all applications are hosted in GC-managed data centres, with the remainder in the cloud.
SSC acts as a centre of excellence for cloud services across the government, providing technical expertise and tools to guide customers.
The Auditor General undertook this audit for the following reasons:
- Information stored digitally, whether on-premises in data centres or in the cloud, is exposed to risks of being compromised.
- Departments are increasingly moving software applications and databases into the cloud, including some that handle or store Canadians’ personal information. Departments must work together to protect this information from a number of risks, including cyber attacks.
- Cyber security breaches are on the rise. Strong controls to prevent, detect and respond to them can reduce the risk of breaches.
Cloud overview and way forward
Issue
The Government of Canada (GC) is evolving its approach to the use of cloud services.
Key facts
- ‘Cloud first’ was put in place in 2018. This approach challenged departments to consider cloud as their preferred application hosting model.
- Since then, the GC has learned that cloud is not the right hosting model in all situations.
- With cloud consumption rising across the GC, the policy orientation was adapted from ‘cloud first’ to ‘cloud smart.’
- As the GC Cloud Strategy 2024 is rolled out across the GC, engagement will occur with multiple stakeholders, including dedicated sessions with industry.
- Aligned with its legislated mandate, the new Cloud Strategy will see Shared Services Canada (SSC) operate GC hosting services—both cloud and data centres.
- The new direction will support departments and agencies as they navigate the modernization of their information technology (IT) and improve the delivery of programs and services to Canadians.
Key messages
- The GC has adapted the direction of its Cloud Strategy from ‘cloud first’ (that is, departments and agencies should consider cloud as their preferred delivery model for IT) to ‘cloud smart’ (that is, departments and agencies should use cloud when the economics and business case make sense).
- The new Cloud Strategy will help ensure that the GC uses its IT assets efficiently.
- It will support departments and agencies in navigating IT modernization in a way that incorporates financial sustainability and ensures sound decision making across the enterprise.
- The new Cloud Strategy is aligned with SSC’s mandate and strengths as a common IT service provider for the GC.
Background
- Since 2019, the GC has used cloud to modernize its technology environment, meet time-sensitive demands and deliver services to Canadians. Today, approximately 10% of systems reside in the cloud. There have been many successes and lessons learned from those who have onboarded cloud services.
- Increased use of cloud has generated pressures in how we govern, operate, fund and procure cloud services.
- The new GC Cloud Strategy and Funding Model developed by the Treasury Board of Canada Secretariat’s Office of the Chief Information Officer of Canada is informed by:
- lessons learned over the past 7 years of GC cloud adoption
- findings and recommendations provided by the Auditor General’s Reports on Cybersecurity of Personal Information in the Cloud and IT Modernization
- consultation with departments using cloud, Finance Canada and Public Services and Procurement Canada, the Office of the Comptroller General and SSC
- external review
- The direction set through the new Cloud Strategy is aligned to SSC’s mandate to deliver modern, secure and reliable IT services to federal departments and agencies. This approach is also in line with the GC’s Digital Ambition, as well as with SSC service roadmaps under the Delivering Digital Together for Canada initiative.
Next Generation Human Resources and Pay initiative
Issue
Shared Services Canada (SSC) led the initial phase of the Next Generation Human Resources and Pay (NextGen HR and Pay) initiative to assess the viability of a commercial HR and pay solution for the Government of Canada (GC).
Key facts
- Budget 2018 announced the government’s intention to move away from the current pay system and explore options for a solution that would be better aligned with the complexity of the federal government’s human resources and pay structure.
- Budget 2019 reaffirmed the GC’s commitment by announcing the next step in working with vendors and stakeholders to develop the best options, including pilot projects that allowed for further testing with select departments and agencies, while assessing the ability of vendors to deliver.
- In May 2019, once this analysis was complete, TBS submitted an off-cycle funding request for further testing through pilot projects, requesting $113.1 million in new funding over 3 years.
- On April 1, 2020, the NextGen HR and Pay team was transferred from TBS to SSC. [Redacted]
- The purpose of the NextGen HR and Pay initiative was to assess the viability of a commercial HR and pay solution to replace the current GC pay system and over 33 HR systems now in use across the GC.
- Under Phase 1 of the initiative, SSC completed solution testing in spring 2023 and the Final Findings Report in summer 2023.
- The Final Findings Report will inform the development of an integrated approach to enterprise HR and pay for the GC, now under development by the Public Services and Procurement Canada (PSPC) Enterprise Pay Coordination Centre.
- On June 26, 2023, the Prime Minister appointed an Associate Deputy Minister at PSPC to focus on Enterprise Pay Coordination.
- In July 2023, PSPC assumed functional leadership for the NextGen HR and Pay initiative project team as it began the next phase. On November 20, 2023, the NextGen HR and Pay organization was formally transferred from SSC to PSPC, allowing the team to continue their important work on the next phase of enterprise HR and pay.
Key messages
- Canada’s public servants deserve to be paid accurately and on time, every time.
- The purpose of the NextGen HR and Pay initiative was to assess the viability of a commercial HR and pay solution to replace the current pay system and over 33 HR systems now in use across the GC.
- The NextGen HR and Pay initiative tested a commercial solution against a number of complex scenarios that represent the GC HR and pay requirements.
- This testing was undertaken with partner departments and agencies to ensure that the initiative is testing complex scenarios that reflect their daily reality. All testing took place in a simulated environment, separate from the existing system used to pay employees.
- Testing was completed in spring 2023 and the Final Findings Report was developed in summer 2023.
- Findings indicate that the tested solution (Ceridian Dayforce) already meets the vast majority of requirements needed for critical HR and pay.
- The initiative has also identified a number of complex HR and Pay practices that will need to be addressed to allow the GC to adopt a commercial solution. Notably, standardization and simplification of HR and pay rules will be essential to successfully implement any commercial solution.
- The report will now inform the development of an integrated approach to enterprise HR and pay for the GC now under development at PSPC.
If pressed on
If pressed on Shared Services Canada’s (SSC) role:
- SSC was responsible for Phase 1 (Research and Experimentation), which included the design, exploration and testing of potential solutions from HR and pay industry experts.
- The approach of Phase 1 allowed for learnings on what the GC as an enterprise may have to change to be in a position to effectively leverage a commercial HR and pay solution.
- In summer 2023, PSPC assumed functional leadership for the NextGen HR and Pay initiative project team as it began the next phase. On November 20, 2023, the NextGen HR and Pay organization was formally transferred from SSC to PSPC.
If pressed on cost:
- The initiative is assessing the total cost of ownership of major components of an HR and pay system as the way forward is developed.
- The total cost of a new system, including permanent operational costs of transition, as well as ongoing costs, will be determined once a solution has been determined to be viable.
If pressed on contracts:
- NextGen HR and Pay tested a solution with the vendor against the complexities of the GC’s HR and pay requirements.
- To do so, the team used an agile procurement process to move forward and quickly adapt to changing circumstances.
- Using this innovative procurement process, 3 qualified vendors were chosen (SAP, Workday and Ceridian), with an option to pivot to a different pre-qualified vendor, if required.
- This option was used to pivot to a new vendor (Ceridian) for Research and Experimentation.
Background
- NextGen HR and Pay used an agile procurement process to move forward and quickly adapt to changing circumstances. Using this innovative procurement process, 3 qualified vendors were chosen (SAP, Workday and Ceridian) for the NextGen HR and Pay solution, with an option to pivot to a different pre-qualified vendor, if required. In August 2021, this option was used to pivot to a new vendor (Ceridian) for Research and Experimentation.
- In spring 2021, after completing the first contract with SAP Canada Inc., the GC entered negotiations with SAP to proceed with the remainder of Phase 1 activities. Unable to come to a mutual agreement with SAP, the GC moved to the next pre-qualified vendor, signing a contract with Ceridian on September 14, 2021.
- As the funding for Phase 1 expired on March 31, 2023, SSC submitted a funding proposal to continue the activities to complete Phase 1 and initiate Phase 2. Budget 2023 allocated $41 million (including accommodation) in funding to SSC to continue the work required to develop an informed decision on the future of HR and pay.
- As of October 4, 2023, $23.8 million of this additional funding was spent on this initiative, as part of Phase 1, to complete the research and experimentation activities and to start work on the recommendation to the GC on HR and pay.
- As part of Phase 1, for research and experimentation, the following activities were completed:
- Testing of the solution to support the viability assessment
- Drafting of the Final Findings Report, which analyzes testing results about the technical viability of the solution
- Phase 2 funding has been used for activities that include:
- Analyzing options to support a recommendation to the GC on HR and pay
- The integration of the initiative with the Enterprise Strategy on HR and Pay, under the authority of PSPC
- On October 14, 2020, the selection of the Department of Canadian Heritage for the Exploratory Phase of the Next Generation HR and Pay initiative was announced. Canadian Heritage was selected as the pilot department for this phase because this organization provides a good representation of the government’s human resources complexities, including multiple occupational groups, regional representation, overtime and other considerations.
- On July 27, 2021, the GC announced the expansion of testing to include Fisheries and Oceans Canada, the Canadian Coast Guard and Canada Economic Development for Quebec Regions. In 2022, it further expanded to include Crown-Indigenous Relations and Northern Affairs Canada and Indigenous Services Canada.
- The NextGen HR and Pay team also engaged a broad representation of employees across 27 departments through a wide variety of forums, such as presentations and information sessions, with over 2,100 HR and pay cases tested.