Chapter 3: Organization screening

Document navigation for "Contract Security Manual"

Use this chapter in conjunction with Annex A: Guidelines on company security officer and alternate company security officer responsibilities.

On this page

3.1 Overview

To be screened by Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP), a Canadian organization must either:

This source must be one of the following:

By obtaining a security clearance with the CSP, the organization agrees with the Government of Canada to:

Pre-contract negotiations, involving protected or classified information and assets, cannot start before an organization has been security screened through the CSP, unless specified by the contracting authority. This also applies when a security-cleared organization wishes to award a subcontract with security requirements to another organization.

3.2 Organization clearance

There are 3 types of organization clearances:

A provisional security clearance is a temporary clearance approved for a specific solicitation process for organizations requiring access to sensitive information prior to responding to a solicitation with security requirements. It allows an organization to obtain personnel security screening for individuals who are part of their bid preparation team.

As for a DOS or an FSC, it is not awarded in perpetuity; it is granted to organizations for a specific contract or subcontract, and to organizations that bid on federal government solicitations with security requirements with a complete Application for registration (AFR) form. A DOS or an FSC allows an organization to obtain personnel security screening for their employees at the required level as indicated in the awarded contract or subcontract.

If an organization needs to possess or store protected or classified information and assets, an additional safeguard capability authorization is required. Please see Subsection 3.2.2 Safeguards.

During the organization screening process, certain individuals in the organization must be security screened. Please see Chapter 4: Personnel screening. These individuals include:

The security officers must be employed by the organization or a KSO, be physically located in Canada and be a Canadian citizen Footnote 1.

The CSO and CCSO must be security screened at least at the security level of the organization. The ACSO can be security screened at the level of the organization or lower, depending on its location and specific roles and responsibilities in regards to the other security officers.

The CCSO, CSO and ACSO must sign the security appointment, acknowledgement and undertaking form that describes their responsibilities. Information about these responsibilities can also be found in Annex A: Guidelines on company security officer and alternate company security officer responsibilities.

3.2.1 Types of organization clearances

The request for organization screening will indicate the type of organization clearance needed for the pre-solicitation, contract or subcontract.

A provisional security clearance is temporary. It is required to access protected or classified information or assets during the pre-solicitation and/or bid preparation phases of a solicitation process. At a minimum, the CSO and the identified employees that need access to the information require a personnel security screening at the level of the provisional clearance.

A DOS is required to access Protected A or B information or assets. A DOS is also necessary to obtain a site access status. Please see Section 4.3 Site access screening. At a minimum, the CSO will require a reliability status. In some cases selected KSOs may also require a reliability status.

An FSC is required to access classified information or assets: Confidential, Secret or Top Secret, North Atlantic Treaty Organization (NATO) Confidential, NATO Secret, or Control of Secret Material in an International Command (COSMIC) Top SecretFootnote 2 or other foreign equivalent classified information. An FSC must also obtain a site access clearance. Before an FSC is granted, the CSO and KSOs identified by the CSP must be security screened, as a minimum.

A subsidiary is considered a separate legal entity requiring a separate DOS or FSC. A more detailed evaluation of the organization’s ownership may also be required. Please see Section 3.3 Foreign ownership, control or influence.

The CSP may require security screenings of all owners, directors, partners, and officers in positions of influence of organizations screened with the CSP, regardless of the security level required.

A provisional security clearance is valid for the duration of the bid solicitation stage only. During the bid evaluation stage, confirmed bidders are invited to complete the screening process to obtain either a DOS or FSC.

Once the clearance is granted, a DOS may be valid for up to 2 years and an FSC may be valid for up to 1 year as long as the organization complies with the requirements of the CSP. At the end of this period, the DOS or FSC will either be administratively terminated, if it is no longer required, or if it will be maintained and renewed by the CSP. A DOS or an FSC is valid if the organization is:

  • executing an active contract or subcontract with security requirements
  • participating in an international program with security requirements
  • holding a PSPC-issued standing offer or supply arrangement with security requirements
  • bidding on federal or foreign government or international organization solicitations with security requirements with a complete AFR form

It is the organization’s responsibility to keep the CSP informed of any changes following the screening process. PSPC also reserves the right to request an update or a renewal at any time following the screening process.

Note

Access to Protected C information and assets requires enhanced screening. Please contact the Contract Security Program for information if you require access to Protected C information and assets.

PSPC’s CSP will suspend or, as applicable, revoke a DOS or an FSC if the organization fails to maintain the required security standards of the CSP, consistent with the requirements of the security agreement and this manual. Suspension or revocation of a DOS or an FSC by the CSP could lead to a decision by the contract authority to cancel existing contracts.

3.2.2 Safeguards

There are different types of safeguards granted under a DOS or FSC.

Document safeguarding capability (DSC) allows an organization to view, possess and store protected and/or classified information and assets at their facilities for a specific contract or subcontract. In exceptional cases only, they can be kept for a specific solicitation process.

The CSP inspects and assesses the physical security of the organization's facilities. All sites with a document safeguarding requirement must be screened.

The additional safeguards listed below may be required depending on the requirements of the contract or subcontract. These safeguards are granted only after an organization has received a DSC. These include:

  • production capability allows an organization to build, manufacture, repair, modify or work on sensitive products at a work site in conjunction with a DSC
  • shredding capability allows an organization to destroy sensitive information and assets
  • bulk storage capability allows an organization to store bulk information or assets at their work site, to the level for which they are authorized
  • information technology (IT) authorization allows an organization to store, process or transmit sensitive information electronically
  • communications security (COMSEC) is the discipline of preventing unauthorized access to telecommunications information in readable form, while still delivering the information to the intended recipients
    • COMSEC is comprised of multiple disciplines such as cryptographic security, emission security (EMSEC), transmission security (TRANSEC), and physical security

A DSC will be granted for successful bidders only after their organization's facility has met the physical and administrative security requirements identified in the contract and has been inspected and approved by the CSP.

In the case of DSC for classified information and assets, a parent organization must also possess an FSC at the same level or it must be excluded from having access to classified information or assets held by the subsidiary organization. Parental exclusions may be recommended in certain cases in consultation with the CSP.

3.2.3 Reciprocal facility security clearances

Under a number of international bilateral security instruments (such as between Canada and the United States), the CSP can ask a foreign government to grant a reciprocal FSC to a foreign organization located in another country for access to Canadian, NATO and/or foreign classified information. This is useful if the organization becomes a subcontractor in a Canadian classified contract. Please email the CSP at tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca for information related to subcontracting to foreign organizations.

3.3 Foreign ownership, control or influence

A foreign ownership control or influence (FOCI) evaluation assesses the degree of authority, ownership, control or influence that foreign interests may have over a Canadian organization. This helps determine and mitigate the risk that unauthorized third parties may exert undue influence over a Canadian organization to access government classified information and assets.

FSCs do not exempt an organization from further evaluation. In addition, having a Confidential, Secret or Top Secret clearance does not exempt an organization from a FOCI evaluation, if it is required. The FOCI evaluation is generally triggered by the type of information being accessed. A FOCI evaluation must be done for contracts involving access to NATO, foreign or COMSEC classified information or assets, or as directed by the CSP.

The existence of foreign ownership, control or influence does not, in itself, prohibit an organization from holding an FSC. Each case is assessed individually based on the particular risk profile associated with the goods or services being procured to the government or foreign government client. In cases of an adverse assessment, the CSP will discuss with the organization and the client department whether certain measures can reduce the risk to an acceptable level by the CSP and the client department.

A FOCI evaluation must generally be completed before access to sensitive information, assets or sites is granted. The determination of FOCI risks is contract specific and remains valid during the contract as long as the degree of potential foreign control or influence of the organization does not change. Re-evaluations are conducted when a new FOCI requirement is identified or when the factors at the time of the evaluation change (for example, a new ownership or corporate restructuring).

3.4 Site inspections

Site inspections are a key component of the security screening process. An organization must allow the CSP field industrial security officer (FISO) to inspect all relevant facilities or sites to ensure that existing security measures protect information and assets.

Scheduled and unscheduled access by the CSP security inspectors is a normal condition of a contract with security requirements.

During the inspection, the FISO will also assess:

The organization cannot hold or store protected or classified information associated with the contract until the inspection process is completed and the CSP has notified it in writing that the DSC has been granted.

Inspections may be conducted at any time while the organization is security-cleared with the CSP. Inspection timeframes vary based on:

Learn more about site inspections.

3.5 Government of Canada security agreement

Before an organization receives a provisional security clearance, a DOS or an FSC, a KSO must complete and sign a security agreement with the Government of Canada. The security agreement outlines the terms and conditions of the organization’s security clearance as well as grounds for the suspension or revocation of the organization’s security clearance. After signing the agreement, the organization agrees to abide by all security requirements of the CSP. This agreement is signed as part of the security screening process.

3.6 Compliance and enforcement for private sector organizations with an organization clearance

Private sector organizations have an obligation to maintain compliance with the requirements of the CSP at all times throughout the performance of procurement instrumentsFootnote 3 that contain security requirements.

3.6.1 Compliance with the requirements of the Contract Security Program

Organizations must comply with the policies and directives outlined in the Contract Security Manual (CSM), the Security Agreement (SA), and any other Government of Canada policies related to the CSP. The CSP will address unethical business practicesFootnote 4 as well as non-compliance with contract security requirements for Government of Canada contracts.

The CSP will adopt a systematic approach to deal with non-compliance issues in procurement instruments, in addition to unethical business practices, to ensure that all situations receive a fair and consistent application.

Outcomes from the compliance assessment may include a suspension and a revocation of an organization’s security clearance. Contracting authorities (CAs) and client departments will be informed of any changes to an organization’s security clearance status. This may ultimately result in the termination or amendment of an existing procurement instrument by the CAs or the client departments. Furthermore, as individual personnel security screenings are dependent upon the status of the organization to which they belong. Should an organization’s clearance be revoked, all personnel security screenings tied to that organization will be terminated.

3.6.2 Contract Security Program process for non-compliant organizations

The CSP will apply a two-step approach when it determines that an organization:

  • has engaged in unethical business practices, or
  • has not complied with the policies and directives outlined in the CSM, the SA, and any other Government of Canada policies related to the CSP, or
  • has failed to implement corrective measures recommended by the CSP
  • The KSO, the CSO of the organization, and any other persons, who could have information pertaining to the non compliance, can be interviewed by representatives of the CSP

Step 1: Suspension letter—Issued by Director, Industrial Organization Security Services

Upon confirmation of non-compliance or a violation, the CSP will send the organization’s CSO a suspension letter, by email, detailing the reasons for the organization’s security clearance suspension. Unless otherwise notified by the CSP, the organization will have 30 days to submit its reply, by email, to the suspension letter to outline the corrective measures it is taking in order to meet the requirements, or address the concerns which led to the suspension, in order to maintain a valid organization clearance. If the CSP determines that the organization has clearly demonstrated it still meets the requirements and that there are no security concerns, their organization clearance will be reinstated.

If the organization’s response does not address or mitigate the reasons for the suspension, or if no mitigation measures are provided to address the situation, including a non response to the suspension letter, the CSP will proceed to issuing a revocation letter.

It should be noted that when an organization’s security clearance is suspended by the CSP, the organization may be able to retain the ability to continue working on existing procurement instruments that had been awarded to the organization, prior to the suspension. This decision will be at the discretion of the CAs and the client department, and not of the CSP. The clearance of the organizations' employees will remain active pending the outcome of the assessment, unless notified otherwise by the CSP. However, the organization’s suspension could impact their ability to continue working on existing procurement instruments, being awarded new procurement instruments, or be considered for any new procurement opportunities. Organizations must validate their status and their ability to work on a sensitive contract when suspended by the CSP.

Step 2: Revocation letter—Issued by Director General, Industrial Security Services

If the organization does not address or mitigate the reasons for the suspension, or if no mitigation measures are provided to address the situation, the CSP will proceed with sending the organization a letter of revocation in situations where the CSP:

  • did not receive a response from the organization in 30 days, or
  • determines that the organization has not implemented the required corrective measures, or
  • determines that the organization failed to adequately provide evidence that would justify the reinstatement of the organization’s security clearance

The CSP will inform the organization in writing of the final decision, along with the rationale and the option for recourseFootnote 5.

The organization may decide to pursue a formal route to review the Director General, Industrial Security Services’ decision to revoke the organization’s security clearance. They must submit a request in writing to the CSP compliance inboxFootnote 6, to have the decision reviewed by the Assistant Deputy Minister, Departmental Oversight Branch of PSPC. This request must be made within 30 days from the date of the revocation letter. Upon request for reapplication into the CSP, there will be a review and examination of the organization’s file. The CSP reserves the right to validate, through assessment processes, that the minimum requirements and any additional conditions have been met by an organization.

When an organization’s security clearance is revoked, the CSP will recommend, to the CAs and the client departments, that all procurement instruments previously awarded to the organization should be terminated. All personnel security screenings held by this organization will also be terminated.

Notification to other parties

Any changes in the organization’s status will be shared immediately via e-mail with all applicable CAs, the client departments, and other stakeholders. If the non-compliant organization is a subcontractor, the aforementioned parties and the prime contractor will be notified.

3.6.3 Suspension or revocation of an organization security clearance

The following non-exhaustive circumstances are grounds which may lead the CSP to suspend or revoke an organization’s security clearance:

  1. The organization’s inability to obtain and confirm the personnel reliability status/security clearance for CSOs, ACSOs, and KSOs
  2. The CSP’s inability to reach the organization via email, telephone, or website due to the organization’s failure to advise the CSP of contact information updates
  3. Personnel from the organization accessing protected or classified information, assets or sites without the proper level of reliability status or security clearance and need-to-know
  4. KSOs of the organization, who have signed a KSO exclusion attestation, accessing protected or classified information, assets, or sites
  5. Information uncovered by the CSP that calls into question the integrity and honesty of the organization
  6. The CSP’s inability to adequately mitigate risks associated with foreign ownership, control, and influence on the Canadian organization
  7. The inability or refusal of the organization to provide complete and accurate foreign ownership, control, and influence information to the CSP for purposes of an evaluation, where the security requirements of the contract necessitate such information
  8. The inability or refusal of the organization to provide a valid proof of a permanent physical location and a principal place of business in Canada where the work is executed and where the business operates
  9. The organization refusing to grant access to an authorized representative of the CSP to either enter into its physical location, or to interview an identified key person of the organization
  10. The organization refusing to disclose procurement instruments awarded by foreign governments or international organizations involving foreign or Canadian classified information
  11. The organization refusing to provide security requirements identified in procurement instruments awarded by foreign governments or international organizations
  12. The organization providing inadequate physical security requirements or making unauthorized changes to the CSP-approved security zones
  13. Any criminal acts committed by CSOs, ACSOs or KSOs as a representation of the organization, while committing the act to benefit the organization or their standing in the organization
  14. Any acts of aggression or harassment against the Crown, by CSOs, ACSOs or KSOs, which may be considered a breach of the anti-harassment provisions found in the Code of Conduct for Procurement
  15. Any acts against the Crown, criminal convictions committed by the organization, or any acts which bring the trustworthiness or reliability of the organization or its procurement instruments into dispute
  16. Significant changes to the organization which bring the trustworthiness or reliability of the organization or its procurement instruments into dispute, including but not limited to changes in jurisdiction of registration, ownership, partners, bankruptcy, dissolution, or criminal convictions of the organization or of its KSOs
  17. Any suspension, termination, or revocation of a CSO, ACSO or KSO’s reliability status/security clearance, that may impact the security status of the organization
  18. Any attempt at providing false or misleading information, including by way of omission, to the CSP, to any government of Canada department or one of its authorized agents; or
  19. The inability of the CSP to interview a CSO, ACSO or KSO of the organization within the allotted deadline

For more information on compliance and enforcement visit Annexe A: VIII. Contract Security Program Compliance and Enforcement Guide.

Document navigation for "Contract Security Manual"

Date modified: