Chapter 3: Organization screening
Use this chapter in conjunction with Annex A: Guidelines on company security officer and alternate company security officer responsibilities.
On this page
3.1 Overview
To be screened by Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP), a Canadian organization must either:
- meet the eligibility criteria for organization screening
- be sponsored by a Government of Canada approved source
This source must be one of the following:
- a federal government procurement, security or project officer
- an eligible organization who is:
- already screened with the CSP
- working on an active contract
- has a requirement to subcontract
- a foreign national or designated security authority
By obtaining a security clearance with the CSP, the organization agrees with the Government of Canada to:
- meet the security requirements of this manual and any other security requirements in a federal government contract awarded to the organization
- allow PSPC, or other government authority at the request of PSPC, to conduct security inspections at any time
- please see Section 3.4 Site inspections
- cover all security related costs
Pre-contract negotiations, involving protected or classified information and assets, cannot start before an organization has been security screened through the CSP, unless specified by the contracting authority. This also applies when a security-cleared organization wishes to award a subcontract with security requirements to another organization.
3.2 Organization clearance
There are 3 types of organization clearances:
- a provisional security clearance
- a designated organization screening (DOS)
- a facility security clearance (FSC)
A provisional security clearance is a temporary clearance approved for a specific solicitation process for organizations requiring access to sensitive information prior to responding to a solicitation with security requirements. It allows an organization to obtain personnel security screening for individuals who are part of their bid preparation team.
As for a DOS or an FSC, it is not awarded in perpetuity; it is granted to organizations for a specific contract or subcontract, and to organizations that bid on federal government solicitations with security requirements with a complete Application for registration (PDF, 202KB) (AFR) form. A DOS or an FSC allows an organization to obtain personnel security screening for their employees at the required level as indicated in the awarded contract or subcontract.
If an organization needs to possess or store protected or classified information and assets, an additional safeguard capability authorization is required. Please see Subsection 3.2.2 Safeguards.
During the organization screening process, certain individuals in the organization must be security screened. Please see Chapter 4: Personnel screening. These individuals include:
- key senior officials (KSO)
- an individual owner as well as any officer, director (of the board), executive and/or partner
- in a position of control or influence over an organization
- company security officer (CSO)
- appointed by the chief executive officer or the designated KSO
- reports to KSOs on security matters
- alternate company security officer (ACSO)
- appointed by the CSO to be the CSO’s back up
- assumes any specific duties the CSO requires
- corporate company security officer (CCSO)
- appointed by the chief executive officer or the designated KSO when an organization has one or more security assessed subsidiaries in Canada
- has a requirement to oversee government contract security matters for the entire corporation
- does not replace the requirement to have a CSO at each security assessed subsidiary
The security officers must be employed by the organization or a KSO, be physically located in Canada and be a Canadian citizen Footnote 1.
The CSO and CCSO must be security screened at least at the security level of the organization. The ACSO can be security screened at the level of the organization or lower, depending on its location and specific roles and responsibilities in regards to the other security officers.
The CCSO, CSO and ACSO must sign the security appointment, acknowledgement and undertaking form that describes their responsibilities. Information about these responsibilities can also be found in Annex A: Guidelines on company security officer and alternate company security officer responsibilities.
3.2.1 Types of organization clearances
The request for organization screening will indicate the type of organization clearance needed for the pre-solicitation, contract or subcontract.
A provisional security clearance is temporary. It is required to access protected or classified information or assets during the pre-solicitation and/or bid preparation phases of a solicitation process. At a minimum, the CSO and the identified employees that need access to the information require a personnel security screening at the level of the provisional clearance.
A DOS is required to access Protected A or B information or assets. A DOS also must obtain a site access status. Please see Section 4.3 Site access screening. At a minimum, the CSO will require a reliability status. In some cases selected KSOs may also require a reliability status.
An FSC is required to access classified information or assets: Confidential, Secret or Top Secret, North Atlantic Treaty Organization (NATO) Confidential, NATO Secret, or Control of Secret Material in an International Command (COSMIC) Top SecretFootnote 2 or other foreign equivalent classified information. An FSC must also obtain a site access clearance. Before an FSC is granted, the CSO and KSOs identified by the CSP must be security screened, as a minimum.
A subsidiary is considered a separate legal entity requiring a separate DOS or FSC. A more detailed evaluation of the organization’s ownership may also be required. Please see Section 3.3 Foreign ownership, control or influence.
The CSP may require security screenings of all owners, directors, partners, and officers in positions of influence of organizations screened with the CSP, regardless of the security level required.
A provisional security clearance is valid for the duration of the bid solicitation stage only. During the bid evaluation stage, confirmed bidders are invited to complete the screening process to obtain either a DOS or FSC.
Once the clearance is granted, a DOS may be valid for up to 2 years and an FSC may be valid for up to 1 year as long as the organization complies with the requirements of the CSP. At the end of this period, the DOS or FSC will either be administratively terminated, if it is no longer required, or if it will be maintained and renewed by the CSP. A DOS or an FSC is valid if the organization is:
- executing an active contract or subcontract with security requirements
- participating in an international program with security requirements
- holding a PSPC-issued standing offer or supply arrangement with security requirements
- bidding on federal or foreign government or international organization solicitations with security requirements with a complete AFR form
It is the organization’s responsibility to keep the CSP informed of any changes following the screening process. PSPC also reserves the right to request an update or a renewal at any time following the screening process.
Note
Access to Protected C information and assets requires enhanced screening. Please contact the Contract Security Program for information if you require access to Protected C information and assets.
PSPC’s CSP will suspend or, as applicable, revoke a DOS or an FSC if the organization fails to maintain the required security standards of the CSP, consistent with the requirements of the security agreement and this manual. Suspension or revocation of a DOS or an FSC by the CSP could lead to a decision by the contract authority to cancel existing contracts.
3.2.2 Safeguards
There are different types of safeguards granted under a DOS or FSC.
Document safeguarding capability (DSC) allows an organization to view, possess and store protected and/or classified information and assets at their facilities for a specific contract or subcontract. In exceptional cases only, they can be kept for a specific solicitation process.
The CSP inspects and assesses the physical security of the organization's facilities. All sites with a document safeguarding requirement must be screened.
The additional safeguards listed below may be required depending on the requirements of the contract or subcontract. These safeguards are granted only after an organization has received a DSC. These include:
- production capability allows an organization to build, manufacture, repair, modify or work on sensitive products at a work site in conjunction with a DSC
- shredding capability allows an organization to destroy sensitive information or assets
- bulk storage capability allows an organization to store bulk information or assets at their work site, to the level for which they are authorized
- information technology (IT) authorization allows an organization to store, process or transmit sensitive information electronically
- IT security requirements are specific to each contract and are granted only after PSPC’s CSP conducts an IT inspection of the facility
- please see Chapter 7: Information technology security
- communications security (COMSEC) is the discipline of preventing unauthorized access to telecommunications information in readable form, while still delivering the information to the intended recipients
- COMSEC is comprised of multiple disciplines such as cryptographic security, emission security (EMSEC), transmission security (TRANSEC), and physical security
A DSC will be granted for successful bidders only after their organization's facility has met the physical and administrative security requirements identified in the contract and has been inspected and approved by the CSP.
In the case of DSC for classified information and assets, a parent organization must also possess an FSC at the same level or it must be excluded from having access to classified information or assets held by the subsidiary organization. Parental exclusions may be recommended in certain cases in consultation with the CSP.
3.2.3 Reciprocal facility security clearances
Under a number of international bilateral security instruments (such as between Canada and the United States), the CSP can ask a foreign government to grant a reciprocal FSC to a foreign organization located in another country for access to Canadian, NATO and/or foreign classified information. This is useful if the organization becomes a subcontractor in a Canadian classified contract. Please email the CSP at tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca for information related to subcontracting to foreign organizations.
3.3 Foreign ownership, control or influence
A foreign ownership control or influence (FOCI) evaluation assesses the degree of authority, ownership, control or influence that foreign interests may have over a Canadian organization. This helps determine and mitigate the risk that unauthorized third parties may exert undue influence over a Canadian organization to access government classified information and assets.
FSCs do not exempt an organization from further evaluation. In addition, having a Confidential, Secret or Top Secret clearance does not exempt an organization from a FOCI evaluation, if it is required. The FOCI evaluation is generally triggered by the type of information being accessed. A FOCI evaluation must be done for contracts involving access to NATO, foreign or COMSEC classified information or assets, or as directed by the CSP.
The existence of foreign ownership, control or influence does not, in itself, prohibit an organization from holding an FSC. Each case is assessed individually based on the particular risk profile associated with the goods or services being procured to the government or foreign government client. In cases of an adverse assessment, the CSP will discuss with the organization and the client department whether certain measures can reduce the risk to an acceptable level by the CSP and the client department.
A FOCI evaluation must generally be completed before access to sensitive information, assets or sites is granted. The determination of FOCI risks is contract specific and remains valid during the contract as long as the degree of potential foreign control or influence of the organization does not change. Re-evaluations are conducted when a new FOCI requirement is identified or when the factors at the time of the evaluation change (for example, a new ownership or corporate restructuring).
3.4 Site inspections
Site inspections are a key component of the security screening process. An organization must allow the CSP field industrial security officer (FISO) to inspect all relevant facilities or sites to ensure that existing security measures protect information and assets.
Scheduled and unscheduled access by the CSP security inspectors is a normal condition of a contract with security requirements.
During the inspection, the FISO will also assess:
- potential targets or risks for physical attacks
- intrusion detection systems
- physical security zones
- how information and assets are handled
The organization cannot hold or store protected or classified information associated with the contract until the inspection process is completed and the CSP has notified it in writing that the DSC has been granted.
Inspections may be conducted at any time while the organization is security-cleared with the CSP. Inspection timeframes vary based on:
- the contracts
- the security levels
- the length of time an organization needs to comply with the CSP security requirements
- the organization’s history of compliance with the CSP
Learn more about site inspections.
3.5 Government of Canada security agreement
Before an organization receives a provisional security clearance, a DOS or an FSC, a KSO must complete and sign a security agreement with the Government of Canada. The security agreement outlines the terms and conditions of the organization’s security clearance as well as grounds for the suspension or revocation of the organization’s security clearance. After signing the agreement, the organization agrees to abide by all security requirements of the CSP. This agreement is signed as part of the security screening process.
3.6 Investigations
The CSP may conduct investigations of organizations for cause, in cases of non-compliance and for security breaches and/or violations. For example:
- non-compliance: failure to comply with the CSP’s requirements as outlined in this manual and the terms and conditions of the security agreement
- security breaches: the unauthorized disclosure, destruction, removal, modification, interruption or use of information and assets
- security violations: any act or omission that contravenes any provision of the Policy on Government Security and associated Treasury Board security standards, such as:
- failure to categorize information as classified or protected
- categorizing information in a way that conflicts with the Policy on Government Security
- unauthorized modification, retention, destruction or removal of protected or classified information
- unauthorized access to restricted work sites
- unauthorized interruption of the flow of protected and/or classified information
Non-compliance, security breaches and security violations could result in the revocation of personal and/or organization clearances.
Information about procedures for investigations can be found in Annex A: VIII. Investigations.
- Date modified: