Canada: Is The New Contract Security Manual For Federal Suppliers … Incomplete?
Procurement Bulletin

The federal Contract Security Program¹ has recently renamed and updated the Industrial Security Manual (the "old Manual"). Now referred to as the "Contract Security Manual" (the "new Manual"), PSPC explains that the revisions were made to better explain the security requirements government suppliers must meet to be able to access government information, data and assets.

Although the new Manual is a valuable starting point to understand the Contract Security Program requirements, relying on the new Manual alone may not provide the complete picture as the revisions go beyond mere clarifications.

Some of the important changes to be aware of are outlined below.

Certain Forms Have Been Removed

The old Manual contained many of the forms a supplier would be required to complete as it proceeded through the registration process. Some of these forms are no longer publicly available (for example: Company Security Officer appointment forms and the PSPC security agreement), and will only be provided after the supplier submits their application for registration.

Information Formerly Located in the Old Manual Isn't in the New Manual (but still applies to the Program)

Although still mandatory, there are several requirements no longer found in the new Manual. Not being aware of these requirements could cause delays in processing of applications or the maintenance of registrations for suppliers, subcontractors and their respective personnel. Some examples include:

• The mandatory requirement that at least one Alternate Company Security Officer (ACSO) be appointed at the organization's facility where the Company Security Officer is located, and at least two ACSOs be appointed at each additional facility of the organization where protected or classified information and assets are safeguarded (with the exception of a one person organization).
• In all cases of subcontracts to U.S. organizations where information is involved, the prime contractor must supply the Contract Security Program with 3 copies of the relevant subcontract together with the Security Requirements Checklist and any additional, related documentation.
• The process and requirements for the transfer and duplication of an individual's reliability status between organizations.

The new Manual Will Likely Apply to Contracts Executed Before August 12, 2020

The notice for the new Manual identifies that for contracts "dated" before August 12, 2020 (the date the new Manual was released), the old Manual may apply.

However, suppliers should note that in most cases, the security requirement provisions of their contracts will require that they comply with the most current version of the Manual (e.g. the contractor's security approach should evolve in conjunction with the government's security requirements as the government responds to security risks or identified threats). As such, supplier policies and processes that may have been based on the information provided in the old Manual should be audited against the new Manual and the other information made publicly available.

Unfortunately, at this time, there is no central list of requirements for the Program; suppliers will now need to search for information made publicly available, in addition to reviewing their contracts for contract-specific requirements. Suppliers should consider clarifying with a Contract Security Program officer how to ensure that they are in possession of all of the necessary Program compliance obligations (e.g. in addition to the Manual, contract terms, Company Security orders, where else should a supplier look?).

Not All References Have Been Updated in Government Documentation

Not all references to the old Manual on the government website or in ancillary documents and forms are updated as yet, so there are still places where the old Manual is referenced but should be understood to refer to the new Manual.

An archived version of the old Manual can be found on the Government of Canada website.

Contract Security Program Backgrounder

The Contract Security Program is responsible for granting the necessary security clearances to contractors and their subcontractors for access to Government of Canada information or assets designated as PROTECTED or higher. Key requirements include:

• individual and facility security clearances must be received in advance of any access to government information or assets;
• individual and facility security clearances must match the level of security assigned to the information or assets being accessed;
• security clearances cannot be extended, transferred, or assigned between organizations;
• site-specific Document Safeguarding Capability (DSC) security clearance is required for organizations that handle government information or assets at their facilities;
• IT systems that will receive, store, and process government information must be approved in advance;
• foreign-based employees accessing government information or assets at Canadian facilities must obtain a visitor screening approval in advance;
• foreign-based employees accessing government information or assets from locations outside of Canada require security clearances, as does the facility within which they are working;
• subcontractors who will receive, process, store or access government information or assets are subject to all of the same assessments and requirements as are the prime contractors (those holding the contract with the Canadian government) and must possess a valid security clearance for each contract;
• prime contractors remain solely responsible (and liable) for the subcontractors compliance with the Contract Security Program;
• compliance with the Contract Security Program requirements (including the Manual) is a material requirement for any government contract with a security requirement; and
• failure to comply with these requirements can result in suspension or termination of security clearances. The termination of security clearances is considered to be a breach of contract, which entitles the government to terminate the contract for default.

The process for receiving security clearances is extensive and conducted in a 'staged' approach. Any failure to submit the required information, or the submission of incorrect or inaccurate information can result in significant processing delays. Contract Security Program clearances may be required in advance of contract award (and in certain cases, in order to submit a bid), so advance planning is key.

Registration in the Contract Security Program is not a "marketing tool". The new Manual (as was the case with the old Manual), prohibits suppliers and their employees from using registration as a "marketing tool", including making public disclosures on websites or in marketing materials, or disclosing clearances in resumes or in public forums.

Footnote

1 The Contract Security Program is operated and managed by Public Services and Procurement Canada (PSPC). PSPC is the working name for the Department of Public Works and Government Services Canada (which remains the legal name of the department).