Work site security requirements

Learn how the Contract Security Program will guide your organization through the requirements to secure your work site and obtain a document safeguarding capability.

On this page

Why you need to secure your work site

A secure work site is designed to prevent, delay and respond to unauthorized access to sensitive work sites, information and assets.

If your organization is required by contract to store sensitive government information and assets, you will need to obtain a document safeguarding capability through the Contract Security Program.

Site inspections

The program will conduct a site inspection before granting clearance for document safeguarding capability. This will identify what is required to secure your work site, information and assets.

Before the inspection: what to expect

In preparation for the inspection, the field industrial security officer with the program will review the following documents:

You will be asked to review and complete a security guideline package, the required forms, and a pre-inspection questionnaire. The field industrial security officer will also request a detailed floor plan in order to perform the security inspection.

Consult the floor plan and hierarchy of zones diagram

During the inspection: what to expect

Although there is no cost for the inspection, organizations must pay for the cost of any equipment or construction required to safeguard information and assets at their work sites.

The field industrial security officer will identify:

Photographs

During the inspection, the field inspection security officer will require authorization and access from your organization to photograph the following:

After the inspection: what to expect

Inspections may be conducted at any time throughout the life of the contract. If your organization does not comply with contract requirements, security clearance may be denied or terminated.

Your organization can begin work on the contract once the:

Security orders for personnel

Security orders are required for organizations with document safeguarding capability. It must be submitted to the field industrial security officer before being granted clearance.

Security orders are a document that your organization will create and use to:

It must state that employees:

All employees of the organization are required to carefully read these security orders before signing the acknowledgment at the end of the document.

Learn about security orders in the Industrial Security Manual

Access controls

Access controls are a type of physical security used to safeguard information and assets. The program provides guidance and advice on what types of access controls are required for specific work sites.

Some access controls include:

Organizations must ensure that all employees, contractors and subcontractors such as cleaners and maintenance workers are properly cleared and are escorted at all times when they enter security zones.

Storage and cabinets

The field industrial security officer from the program will provide storage recommendations. If necessary, the field industrial security officer will assist you in ordering cabinets approved by the Royal Canadian Mounted Police (RCMP). These cabinets are required for storage of classified and Protected C federal government information and assets.

Floor plan and hierarchy of zones

A detailed floor plan must be completed before an inspection can take place.

Your detailed floor plan should identify the following:

You will need to create a hierarchy of zones to control who can, and cannot, access sensitive information and assets at your work site. These zones must be shown on your floor plan, as illustrated in the images below.

Organization of zones and example of a floor plan

Organization of zones and example of a floor plan - Description of the image is in the text following the image.

Description of the organization of zones and example of a floor plan

The organization of zones is depicted by circles. The outer circle is the largest and it encloses the other circles. As the circles get smaller, the security requirements for the zone increase.

The outermost circle represents the public access zone. This is an area where the public has unimpeded access, such as the grounds surrounding a building or its public corridors.

The second outermost circle represents the reception zone. This is an area where the transition from a public zone to a restricted-access area is demarcated and controlled.

The third outermost circle represents the operation zone. This is an area where access is limited to personnel who work there and to properly-escorted visitors, such as a typical open office space or an electrical room.

The fourth outermost circle is also the second innermost circle. It represents the security zone. This is an area to which access is limited to authorized personnel and to authorized and properly-escorted visitors, such as an area where secret information is processed or stored.

The innermost circle represents the high security zone. This is an area to which access is limited to authorized, appropriately-screened personnel and authorized and properly-escorted visitors, such as an area where high-value assets are handled by selected personnel.

The example of a floor plan is depicted by a bird's-eye view of a rectangular room. The room contains the following zones:

Access to the security zone is for personnel within the operation zones only. The high security zone is contained within the security zone. Access to the high security zone is restricted to personnel within the security zone.

Access in and out of the room is provided by the following access points:

More information about security zones

Learn more about:

Security markings

Information, whether paper or electronic, should be marked to identify it as protected or classified. Organizations should follow government standards for marking protected and classified information.

Learn about marking protected and classified information in the Industrial Security Manual

Destruction and shredding

Sensitive information and assets are destroyed at the end of their life cycle to preserve their confidentiality. This is required for original documents, copies, drafts and notes—any document that includes protected and classified information.

Shredding

Protected shredding capability

Organizations can shred protected information at their work site using shredding equipment purchased from an office supply store

Secret shredding capability

Classified shredding capability

Organizations must use the services of a company with classified shredding capability, and obtain a certificate of destruction once completed

Protected C, Top Secret, COMSEC, NATO and foreign classified information and assets

Return to the program for disposal or shredding

Shredding facilities

The Contract Security Program inspects shredding companies annually. They must be cleared for shredding capability to the level of the information being stored at their facility.

Mobile shredding

Mobile shredding trucks can be approved to shred protected level information and higher if they meet RCMP standards. In addition, cleared employee of the organization must be present to:

The company security officer (CSO) must ensure that the shredding company is cleared to the appropriate level with the program.

A certificate of destruction must be obtained from the shredding company after the materials are destroyed.

Incineration

Destruction by incineration may only be done by an RCMP-approved incinerator.

Minimum standards for storage, transmittal and destruction

Protected A

Storage

Transmittal

Destruction

Protected B

Storage

Transmittal

Destruction

Protected C

Storage

Transmittal

Destruction

Confidential

Storage

Transmittal

Destruction

Secret

Storage

Transmittal

Destruction

Top Secret

Storage

Transmittal

Destruction

Reference sheet: Secure worksites

Secure worksites reference sheet - long description below
Description of the reference sheet: Secure worksites

The title of the image is "Contract Security Program: Secure worksites—Reference sheet." The Public Services and Procurement Canada corporate signature appears at the top of the image. A disclaimer that reads "Note: Subject to change based on program updates" appears at the top of the image.

Document safeguarding

When your organization is required to store sensitive Government of Canada (GC) information and assets, it needs to obtain a document safeguarding capability (DSC) through the Public Services and Procurement Canada (PSPC) Contract Security Program (CSP).

Before an organization can obtain a DSC, it requires 1 of the following 2 clearances (valid):

Note: A DSC clearance level cannot exceed that of the organization clearance.

DSC is site-specific and may result in a physical inspection by a field industrial security officer (FISO).

There is no cost for inspections, but organizations must pay for the cost of any equipment or construction required to safeguard information and assets at their worksite as per the CSP and contract security requirements.

Organizations are required to develop security orders with the assistance of the FISO. They must be submitted to the FISO appointed to their organization. 

Document safeguarding subsets

Information technology (IT): The authority to produce, process and store protected or classified information electronically is subject to PSPC approval.

Consult the reference sheet: Information technology security for further details.

For organizations with DSC, a minimum of 2 security officers, cleared to the level of DSC are required at each of the secure work sites.

Production: Production is a broad term that can encompass organizations required to build, manufacture, repair, retrofit or reproduce sensitive material or products at its site or sites.

COMSEC: COMSEC stands for communications security. COMSEC material is designed to secure or authenticate telecommunications information.

The Communications Security Establishment is Canada's national COMSEC authority and is involved in granting COMSEC clearances.

IT security, production and COMSEC are contract-specific and only valid for the duration of the contract.

Inspection process

Before the inspection

A FISO with PSPC will review the following documents:

During the inspection

The FISO will identify:

The FISO will take or request photographs of:

After the inspection

The organization can begin work on the contract once the inspection process is complete and the organization has been notified by PSPC in writing that they possess the required security level.

Inspections may be conducted at any time throughout the life of the contract.

Inspection timeframes will vary based on security levels and an organization's ability to comply with PSPC's recommendations.

Contact us

National Capital Region:
613-948-4176
Toll-free:
1-866-368-4646
Email:
ssi-iss@tpsgc-pwgsc.gc.ca
Website:
Security requirements for contracting with the Government of Canada

At the bottom of the image, there is a link that reads "next step: information technology," which links to the next reference sheet: Information technology security"

More information

Date modified: