Security in Contracting – Quick Steps

Path A – No IT Requirements (personnel security only)

Steps for Path A:

  1. Project Authority Selects Common SRCL or Completes New SRCL

    When there are security requirements, one of the first steps is to complete a Security Requirements Checklist (SRCL). 

    1. Common SRCL

      If purchasing from one of the Common Centralized Professional Services tools put in place by Public Services and Procurement Canada (PSPC), the client Project Authority must choose the corresponding SRCL from one of the Common SRCLs. The project authority still signs this SRCL.

      Common Centralized Professional Services tools:

      • Learning Services
      • Professional Audits Support Services Supply Arrangement (PASS-SA)
      • ProServices
      • Solutions-Based Informatics Professional Services (SBIPS)
      • Task and Solutions Professional Services (TSPS)
      • Task Based Informatics Professional Services (TBIPS)

      Where the project authority is not certain that a tool applies, please simply attach your SOW to the PReq and the assigned contracting authority will advise on next steps.

    2. New SRCL

      If not using a common SRCL, the Project Authority will need to complete a new SRCL, preferably using the e-SRCL described below.  The project authority then signs it, and sends it to the appropriate Regional Security Officer (RSO) along with the draft Statement of Work (SOW).

      Electronic SRCL (e-SRCL)

      The digital online SRCL form (e-SRCL) is a service provided through the Contract Security Program (CSP) at PSPC. The e-SRCL form has a number of quality control measures that aid users in correctly completing the form. When used, a digital PDF of the form is created, which must be saved and printed by the project authority.

      The project authority can complete the e-SRCL using the Online Industrial Security Services (OLISS) website. (The e-SRCL is available from "SRCL" in the left-hand menu.) ESDC employees will need to self-register on the site prior to using the e-SRCL, by clicking the link "Register for the online security requirements checklist service" in OLISS.

  2. The RSO reviews and signs the SRCL

    The RSO signs if no changes are required, or sends comments to the project authority. Once finalized, the RSO then returns the signed SRCL to the project authority. Where possible, the RSO will also identify the appropriate security clauses which are to be inserted into the contract (and the solicitation if applicable).

  3. The Project Authority sends the signed SRCL and the security clauses to the contracting authority (or attaches them to the PReq, along with the SOW and other pertinent documents, if the PReq has not already been done).
  4. The Contracting Authority (CFOB Procurement Specialist) reviews the SRCL and SOW and confirms the signature boxes are completed correctly. The contracting authority also signs the SRCL.
  5. As applicable, the Contracting Authority then issues the solicitation. 

    Note that if a standard security clause has not already been provided with the SRCL, the CFOB procurement specialist may use the Common Centralized Professional Services SRCLs page to identify the appropriate clause.

  6. Contracting Authority requests validation of security clearances

    Following the procurement process (solicitation or sole source negotiation), once the Contractor has been selected, the contracting authority will request a confirmation, as per below, that the contractor and the proposed resources meet the security requirements.

  7. PERSEC will confirm the personnel have the appropriate security clearance, and will advise the Contracting Authority.

    For personnel validation only, the contracting authority will send the pertinent details by email to the Personnel Security (PERSEC) group at:
    NC-INTEGRITY_SERVICES_PERSEC-SERVICES_INTEGRITE_SECPER-GD.

    Note that if contracting with a foreign supplier, PSPC must perform the security validation as there are special processes for this.

    If the supplier is not yet registered with the program then a Private Sector Organization Screening (PSOS) form will need to be completed and signed by the contracting authority. The private sector organization or the project authority typically completes most of this form. The PSOS form will then be signed by security staff within PERSEC, and sent to CSP by the contracting authority at:

    TPSGC.SSIINSCRIPTION-ISSREGISTRATION.PWGSC

    See Request for private sector organization screening form for more details.

  8. Contracting Authority Awards Contract

    Once the security clearances are obtained, the contracting authority attaches the SRCL to the contract and sends the contract to the supplier.

Path B – With IT Requirements (Authority to Process IT)

An "Authority to Process IT" is required when blocks 11 a) and d) of the SRCL are checked "Yes". This indicates that the contractor will be working on protected or classified information on their own IT systems.

Steps for Path B:

  1. Project Authority selects common SRCL or completes new SRCL

    When there are security requirements, one of the first steps is to complete a Security Requirements Checklist (SRCL). 

    1. Common SRCL

      If purchasing from one of the Common Centralized Professional Services tools put in place by Public Services and Procurement Canada (PSPC), the client Project Authority must choose the corresponding SRCL from one of the Common SRCLs. The project authority still signs this SRCL.

      Common Centralized Professional Services tools:

      • Learning Services
      • Professional Audits Support Services Supply Arrangement (PASS-SA)
      • ProServices
      • Solutions-Based Informatics Professional Services (SBIPS)
      • Task and Solutions Professional Services (TSPS)
      • Task Based Informatics Professional Services (TBIPS)

      Where the project authority is not certain that a tool applies, please simply attach your SOW to the PReq and the assigned contracting authority will advise on next steps.

    2. New SRCL

      If not using a common SRCL, the Project Authority will need to complete a new SRCL, preferably using the e-SRCL described below.  The project authority then signs it, and sends it to the appropriate Regional Security Officer (RSO) along with the draft Statement of Work (SOW).

      Electronic SRCL (e-SRCL)

      The digital online SRCL form (e-SRCL) is a service provided through the Contract Security Program (CSP) at PSPC. The e-SRCL has a number of quality control measures that aid users in correctly completing the form. When used, a digital PDF of the form is created, which must be saved and printed by the project authority.

      The project authority can complete the e-SRCL using the Online Industrial Security Services (OLISS) website. (The e-SRCL is available from "SRCL" in the left-hand menu.) ESDC employees will need to self-register on the site prior to using the e-SRCL, by clicking the link "Register for the online security requirements checklist service" in OLISS.

      When an e-SRCL is used, properly signed, and sent to PSPC for processing, PSPC's service standard is 2 days rather than the usual 14 days.

      Electronic Link

      Box 11 e of the SRCL asks if there will be an electronic link.  PSPC has stated that an IT link, as referred to in box 11 e, means a "dedicated or leased line".  ESDC would rarely, if ever, have such a connection.

  2. The RSO reviews and signs the SRCL if no changes are required.
    Since there are IT security requirements, the RSO sends the SRCL and the SOW to the IT Security group within the Innovation, Information and Technology Branch (IITB).  The RSO sends the documents to the IT Security group at: NC-ITSRM-STIGR-GD
  3. IT Security reviews and signs the SRCL

    IT Security reviews and signs the SRCL and returns the signed version to the RSO along with an IT Security Assessment with the IT security requirements that must be inserted into the SOW.

    Information on IT Security Assessment

    For contracts where the supplier will work on or store protected or classified documents on their own computer systems, IITB will provide an IT Technical Assessment with guidance and instructions for managing the requirement. The project authority must ensure that the statement of work includes the appropriate IT security requirements as identified in the assessment. These security requirements are instructions which the contractor must follow on the identification, proper use of the contractor's networks, accessing sensitive data, storage, and disposal of IT Media.

  4. The RSO returns the SRCL to the project authority along with the IT security assessment which contains the IT security requirements to be inserted into the SOW.
  5. The project authority sends the signed SRCL to the contracting authority (or attaches them to the PReq, along with the SOW and other pertinent documents, if the PReq has not already been done).
  6. The Contracting Authority (CFOB Procurement Specialist) reviews the SRCL and SOW and confirms the signature boxes are completed correctly.  The contracting authority signs the SRCL and sends it with the SOW to the Contract Security Program (CSP) at PSPC.

    Submit the SRCL to CSP at: TPSGC.SSILVERS-ISSSRCL.PWGSC

  7. CSP will then sign the SRCL and return it along with appropriate security clauses

    The contracting authority will insert these clauses in the contract (or planned contract if a solicitation).

  8. The solicitation process then takes place. 

    Following the procurement process (solicitation, negotiation), once the Contractor is selected, the contracting authority needs to confirm that the contractor and proposed resources meet the security requirements.

  9. PERSEC will confirm the personnel have the appropriate clearance, and advise the Contracting Authority.

    For personnel validation, the contracting authority will send the pertinent details by email to the Personnel Security (PERSEC) group at:
    NC-INTEGRITY_SERVICES_PERSEC-SERVICES_INTEGRITE_SECPER-GD.

    Note that if contracting with a foreign supplier, PSPC must perform the security validation as there are special processes for this.

    If the supplier is not yet registered with the program then a Private Sector Organization Screening (PSOS) form will need to be completed and signed by the contracting authority. The private sector organization or the project authority typically completes most of this form. The PSOS form will then be signed by security staff within PERSEC, and sent to CSP by the contracting authority at:

    TPSGC.SSIINSCRIPTION-ISSREGISTRATION.PWGSC

    See Request for private sector organization screening form for more details.

  10. Once the security clearances are obtained, the contracting authority attaches the SRCL to the contract and sends the contract to the supplier.
  11. PSPC-CSP does Authority to Process IT Clearance
    Since an authority to process IT is required, the contracting authority will send the contractor information, any subcontractor information, and a copy of the contract to the Contract Security Program (CSP) at Public Services and Procurement Canada (PSPC) for validation of the required clearances.

    Send these documents to: SSICONTRATS.ISSCONTRACTS

    PSPC's service standard for an Authority to Process IT is up to 30 business days for a company located in the NCR and up to 90 business days for a company outside the NCR. Companies that have already been cleared can typically be processed more quickly.

General Timelines

  • Personnel security – up to 5 days
  • Authority to Process IT (NCR) – up to 30 business days
  • Authority to Process IT (outside NCR) – up to 90 business days
  • Register a new Supplier for a security clearance – up to 6 months
  • Facility Security Clearance (FSC) – 6 months or more

ESDC References

Security in Contracting Guide

PSPC References

Contract Security Resources

Navigating PSPC's Security Program (table of links)

Contract Security Roadmap

Security Program Emails

CSP General Enquiries Email:
ssi-iss

Submit a personnel security screening form:
TPSGC.SSIINSCRIPTION-ISSREGISTRATION.PWGSC

Submit the SRCL:
TPSGC.SSILVERS-ISSSRCL.PWGSC

Submit a private sector organization screening form:
TPSGC.SSIINSCRIPTION-ISSREGISTRATION.PWGSC

Submit a copy of an awarded contract:
TPSGC.SSICONTRATS-ISSCONTRACTS.PWGSC

Request for an Authority to Process IT:
SSICONTRATS.ISSCONTRACTS

To register for Online Industrial Security Services (OLISS):
TPSGC.SSISEDSISensibilisation-ISSOLISSOutreach.PWGSC

International contract security, requests for visit and transmission of protected and classified information and assets: ssivisites-.issvisits