Chapter 2: Contracts with security requirements
On this page
2.1 Overview
A contract contains security requirements when access to any of the following is required:
- Canadian protected or classified information, assets or sites
- Canadian, North Atlantic Treaty Organization (NATO) or foreign classified information, assets or sites
The requirements may also include contract promotion, pre-contract enquiries and negotiations. Clauses containing the security requirements are written into federal government contracts. Any amendments or extensions to a Public Services and Procurement Canada contract with security requirements must be provided to the Contract Security Program (CSP) by email at tpsgc.ssicontrats-isscontracts.pwgsc@tpsgc-pwgsc.gc.ca.
The CSP must also receive the following items by email at tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca:
- any awards of contracts or subcontracts with security requirements from NATO or foreign entities
- any amendments or extensions to contracts with security requirements involving NATO or foreign entities
2.2 Security requirements check list
At the beginning of the procurement process, the project authority completes a Security requirements check list form (TBS/SCT 350-103) outlining the security requirements in a contract. This is part of the bid solicitation documents. The contracting authority ensures that all requirements, approved security clauses and supplementary remarks are included in the contract documentation. These are legally binding.
Organizations should not sign a contract until they understand the implications and potential cost of the security requirements. Once the contract is signed, the organization must give a copy of the security requirements of the contract and the security requirements check list (SRCL) form to its company security officer (CSO). Please see Section 3.2 Organization clearance. The CSO must make sure that all security requirements are met throughout the lifecycle of the contract and before accessing protected and/or classified information.
2.3 Pre-contract award
The CSP will begin the organization security screening process upon receipt of a complete and valid request from the contracting authority. Before the contract is awarded, parts of the screening process must be completed, such as the designated organization screening and facility security clearance. Other requirements, such as Information Technology Security, production capability and communication security (COMSEC) are typically met after awarding the contract but before starting work.
If the contract has a document safeguarding capability (DSC) requirement, work on the contract at the supplier’s location cannot start until the full inspection process is completed. Please see Section 3.4 Site inspections.
2.4 Subcontracting
The prime contractor is the organization that wins the bid to work on a contract for the Government of Canada, a foreign government or an international organization. This prime contractor hires the subcontractor to work on a specific part of the contract. The subcontractor is not an employee of the prime contractor’s organization and must be security screened with the CSP. The prime contractor must contact the Contract Security Program for approval before awarding a subcontract with security requirements to a subcontractor and the CSP’s approval is required for each successive level of subcontracting.
To request approval, the prime contractor must submit a completed SRCL to obtain security clauses for the subcontract. If the subcontractor is not already security-cleared, the prime contractor must also submit a Request for private sector organization screening form to the CSP to sponsor the organization. The CSP and the prime contractor will ensure the subcontractor meets the security aspects of the intended subcontract and/or obtains the appropriate security screening. The subcontract can be awarded after the CSP provides the prime contractor with:
- the approval letter
- a signed copy of the SRCL
- security clauses that must be inserted into the subcontract
The prime contractor must provide a copy of the subcontract to the CSP once awarded. The subcontractor cannot start until the subcontract is awarded and their organization has been granted the required security status or clearance.
Learn more about the subcontracting security requirements.
2.4.1 Subcontracting simplification options
Contractors can leverage the following options to request a security screening for their respective subcontractors.
Option 1
The prime contractor requests and holds personnel security screenings for employees of their subcontractors. This option can be used by organizations:
- that subcontract work to sole proprietors or small organizations
- where a small number of individual resources, residing in Canada, are required
Protected or classified information and assets cannot be received or stored at the subcontractor’s location. Work on the subcontract can only be performed at the government work site or at the prime contractor’s business location if it is authorized for DSC.
Option 2
The prime contractor collects the organization security screening forms from their subcontractors, reviews them for quality assurance and submits them to the CSP for processing. This option can be used for subcontractors that:
- do not already hold an organization security clearance with the CSP
- provide written consent to the prime contractor for the collection and sharing of their forms with the CSP
This consent can be emailed to the prime contractor’s CSO. Under this option, the prime contractor must still obtain approval and security clauses from the CSP prior to awarding a subcontract.
Learn more about the subcontracting simplification options.
2.4.2 Subcontracting to organizations outside Canada
Contractors must get prior written approval from the CSP by email at tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca and the contracting authority before awarding a subcontract to organizations outside of Canada. The CSP must:
- verify the security status of a foreign organization and its personnel
- ensure its compliance with the bilateral security instrument between Canada and that country
- authorize the release and transfer of Canadian classified and sensitive information to and from the foreign organization
- please see Section 9.3 Foreign disclosure
Contractors must contact the CSP by email at tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca when transferring sensitive information or assets to or from Canada. They must also provide a copy of the subcontract to the CSP once it is awarded.
Learn more about international contract security requirements.