Public Works and Government Services Canada
Symbol of the Government of Canada

Common menu bar links

Cyber Protection Supply Arrangement Statement of Work Writing Guide

This SOW Writing Guideline was developed to assist departments in the preparation of Statements of Work (SOWs) for acquiring the services of IT Security Professional Services as described in the Cyber Protection Supply Arrangement (CPSA). Departments should tailor any SOW developed to meet their specific needs. Consult the Contracting authority assigned to the file for further guidance.

Disclaimer of Responsibility

This document was prepared by Public Works and Government Services Canada (PWGSC) for convenience of reference, is provided "as is", and may be used by other parts of the Government of Canada. Anyone referring to or relying upon this document or its content does so at their own risk and no guarantee is made as to its accuracy, reliability or applicability. Under no circumstance is PWGSC responsible for any direct or indirect damages, losses or problems that may arise from the use of this document or its content. Any use of this document or its content constitutes the acceptance of the terms of this disclaimer.


Write the Statement of Work (SOW) using language that will explain what is needed to a non-expert. Address the Who, What, When, Where and sometimes How of what must be done. Use plain language, proper grammar and numbering systems (Avoid using sentence fragments and bullets).

The SOW should provide Bidders with enough information to:

  1. understand the nature and extent of the work;
  2. determine if they are qualified to bid; and
  3. formulate a fully priced proposal.

The SOW must be limited to describing what the winning bidder is required to do after it has been awarded the contract. Refer to the vendor as the Contractor within the SOW.

Do not include the following information in the SOW:

  1. information regarding the available budget and Fiscal Year (FY) budgetary constraints;
  2. costing information;
  3. information regarding the proposed Basis of Payment and payment schedule;
  4. sole source justification, name and address of the proposed contractor (when sole source);
  5. proposed evaluation criteria and contractor selection method (when competitive);
  6. Security or Travel clauses;
  7. details concerning the ownership of Intellectual Property (IP); and
  8. the client organization, contact name, address and telephone/facsimile numbers.



Describe briefly what is needed. Example: The <Department name> requires services under <Insert CPSA Work Stream # > on an "as and when requested" basis (Note: do not use the phrase "as and when requested" for firm price contracts). If this is a task based contract, include a statement to that effect.


If required, give context that will orient the Bidder as to the nature of the requirement. The information provided here should aid bidders in costing a proposal.

Put yourself in the Bidder's position and ask:

  1. Will this information better situate me to understand the context and relative complexity of the requirement?
  2. Do I need to know this in order to decide if I will bid?
  3. Can I use this information to aid in determining my price?

Information relating to the project or the departmental program that this contract supports may be provided here. Avoid including information that is superfluous, misleading or contradictory to the objective of this contract.


Describe the expected result of the work to be performed under this contract, not the project or departmental program as a whole. Example: The objective of this contract is to obtain a risk assessment and risk mitigation plan for systems A, B and C in order to obtain certification of these systems.


The Scope should detail the high-level areas of endeavor required to complete the work. Example: The scope of work includes risk assessment, risk mitigation and certification for system A, System B and System C. For each system, the following work is required:

  1. Preliminary Statement of Sensitivity
  2. Privacy Impact Assessment
  3. Final Certification Plan
  4. Security Requirements Definition
  5. Concept of Operations
  6. Security Architecture
  7. Threat and Risk Assessment
  8. Safeguard Implementation Plan
  9. Technical Vulnerability Assessment
  10. Certification Report

Each of these points constitutes its own sub-section of the Scope of work and must be adequately detailed either here or at section 6.

Note: A Transition Plan must be developed if a dependence on a vendor is created for an on-going requirement that must be re-competed after this contract expires. The Contractor's obligations should be included in the scope of work.


If the Technical Authority has devised a technical solution and work plan (this is called Design based contracting), identify the resources required to perform the work detailed in the SCOPE section of the SOW. Use of a table enhances clarity. Example:

5.1 CPSA WS3 - IT Security
TRA and C&A Analyst
Senior 2 Secret
5.2 CPSA WS3 - Privacy Impact Assessment Specialist Senior 1 Secret
5.3 CPSA WS3 - IT Security Design Specialist Senior 1 Secret
5.4 CPSA WS3 - IT Security Vulnerability Assessment (VA) Specialist Senior 1 Secret

Note: This section may not always be required - The scope alone may suffice in instances where the vendor is asked to determine the solution and how to best address It (This is called Performance based Contracting).


For each of the resources identified, create a generalized work description supported by a list of the tasks that the resource(s) are expected to perform. The task list should follow the same order as the resources are presented in section 5. If this a performance based contract and section 5 has been omitted, specific tasks that have been identified can be included under the scope element they address at section 4.


Deliverables are the result of tasks performed. Individual deliverables do not require any further action for completion by the contractor. "Developing a Statement of Sensitivity" is not a deliverable, it is a task, as further action is still required to produce the end state - a "Statement of Sensitivity".

Consider the following when formulating a description of the deliverables:

  1. Indicate the format that deliverables should be in, e.g. MS Word.
  2. Do you want electronic copy, hard copy or both?
  3. What language(s) should be used?
  4. Where will it be delivered?
  5. How will it be assessed - Are acceptance criteria required? Acceptance criteria could be based on standards and policies cited under the Applicable Documents at section 11 of this template.

A schedule for the deliverables can be included. It is preferable to build timelines from contract award when possible. Example: The report should be received 1 month from contract award.


If applicable, provide details of any imposed constraints that the bidder must consider (i.e. factors that set parameters, limiting the contractor's options or choices in the way the work can be carried out).


Specify the language that work will be performed and delivered in.


If possible, indicate where, how often and by whom travel is required. This will help the Bidder cost a proposal or even decide if they will bid. If three resources are needed and only one must travel, indicate which one must travel.


List the documents the Contractor will require to understand and perform the work. They must be made available to all Bidders - Not just the contractor awarded the contract. There are occasions where restricted documents will only be made available to the Bidder selected for Contract.


If applicable, list what Canada will provide the Contractor to aid in performing the work. Consider whether the resource(s) require access to departmental IT systems and what must be done to facilitate this.


Indicate where the work is to be performed. If the work is to be performed on PWGSC premises, consider if accommodation is required.

Quick Check: If all the deliverables indicated in the SOW have been received, will the Contract objective be met?