ARCHIVED – Chapter 7: Classified and protected contracts

700. General

1. Contracts or formal agreements will contain security clauses when access to protected or classified information or assets is required. This may include pre-contractual enquiries and negotiations.

There may also be instances whereby the contract or formal agreement (the document) may be marked as protected or classified even though there is no requirement for access to protected or classified information or assets.

2. The security requirements associated with a contract are identified to the contractor in the security requirements checklist (SRCL) issued with bid solicitation documents and subsequent contract, and are contained in one or more security clauses included in the contract document itself. The SRCL, the "Security and Protection of Work" clause contained in the general conditions and any accompanying remarks and security clauses in the contract all form a legally binding part of that contract. Organizations are cautioned to ensure that the provisions and implications of the contract security requirements, including the cost of providing necessary security arrangements, are fully understood before the contract is signed. The onus is on the contractor to determine, by contacting the program management office or the appropriate technical authority, the specific details required when applying the SRCL to the contract.

3. The organization must ensure that a copy of the contract, including the SRCL, is given to the contractor's company security officer (CSO), who is responsible for ensuring that all its requirements are adhered to.

For more information, refer to ARCHIVED - Chapter 1: General introduction of this manual.

4. Protected or classified information or assets provided by the Government of Canada to contractors must only be provided to contractor personnel who:

1. are cleared under the contractor's organization
2. have a need-to-know for the performance of the contract
3. have the reliability status or security clearance required to access the level of information or assets granted by Public Services and Procurement Canada’s (PSPC) Contract Security Program (CSP)

701. Contract responsibility

1. According to Canada's Policy on Government Security, provisions for safeguarding protected and classified information and assets apply equally to both the contracting process and to internal government operations. The policy further states that the contracting authority is responsible for ensuring that contracts involving access to protected and classified information and assets comply with the appropriate requirements and for ensuring that contract documentation includes the necessary clauses.

2. PSPC's CSP is responsible for:

1. ensuring compliance with the Policy on Government Security in contracts that are outside the delegated contracting responsibilities of departments and providing access to protected and classified assets as well as to critical government assets
2. on request, ensuring compliance with this policy in contracts that are within delegated contracting responsibilities of departments and providing access to protected and classified assets as well as to critical government assets
3. screening private sector employees, inspecting the organization's facilities and coordinating inspection or testing of the organization's information technology (IT) facilities

3. Scheduled and unscheduled access by government security inspectors is a normal condition of a contract that requires access to protected and classified information and assets.

702. Contract security instructions

1. The security requirements that apply to a contract will be identified in bid solicitation documents or in any resulting contract. These requirements will be detailed in one or all of the following: the SRCL and accompanying instructions and the security requirements clause or clauses in the bid documents and contract.

2. In cases where, following a review by the department or agency (that is, the office of primary interest, or OPI) with respect to a contract (that is, the client), the OPI determines that a change in the security requirement is necessary:

1. the contractor will be notified by way of a revised SRCL or revised security clauses, issued under cover of an amended request for proposal or contract amendment
2. the client will identify the changes in security requirements to the PSPC's CSP, that will issue specific written instructions to the contractor
3. the contractor's CSO must then ensure that the revised security requirements are met

703. Subcontracts

1. Prime contractors must ensure the secure safeguarding of work assigned to subcontractors.

2. Contractors may subcontract work to only those organizations holding a current designated organization screening (DOS) or a facility security clearance (FSC), of the type and at the level appropriate to the work to be performed under the subcontract. The DOS or FSC must be valid for the specific sites where the work will be performed.

For more information, refer to ARCHIVED - Chapter 3: Facility security clearances, Part II—Facility security clearance (classified) of this manual.

3. PSPC approval of the subcontractor must be obtained before award of the subcontract. The DOS or FSC for the proposed subcontractor(s) must be verified by PSPC's CSP before bid solicitation documents are issued. Upon receipt of a written registration request and a completed SRCL from the prime contractor, PSPC's CSP will initiate DOS or FSC actions on the potential subcontractor(s).

Refer to ARCHIVED - Annex 7-A: Instructions for completing the security requirements checklist (SRCL) in this chapter.

4. Contractors must ensure the secure safeguarding of work assigned to subcontractors, and must issue as part of the subcontract either a copy of the SRCL and any additional security guidance that forms an integral part of the prime contract, or a new SRCL and any additional security guidance appropriate to the work covered by the subcontract. A copy of the subcontract containing the SRCL and any additional security guidance, forming part of a subcontract and including the PSPC file number of the prime contract, must be sent to PSPC's CSP.

704. Subcontracting to organizations outside Canada

1. Contractors may not assign a subcontract to organizations located outside of Canada without the prior written approval of PSPC and the PSPC contracting authority. The security status of foreign organizations must be re-verified through PSPC before entering into any commercial commitments. In addition, release authorization must be received through PSPC before the transfer of protected and classified information to a foreign government can take place.

2. Where defence work is carried out in the United States (U.S.), one of the services of the U.S. Armed Forces (for example, Army, Navy or Air Force) must assume security responsibility over the U.S. organization selected. Transmittal of material between the Canadian contractor and the proposed or actual U.S. subcontractor may be necessary. Therefore, it is essential that PSPC's CSP be consulted before award of subcontracts to ensure that the provisions of the U.S.—Canada Industrial Security Agreement are observed. In all cases of subcontracts to U.S. organizations where information is involved, the prime contractor must supply PSPC's CSP with 3 copies of the relevant subcontract together with the SRCL and any additional guidance for the particular subcontract item(s).

For more information, refer to ARCHIVED - Annex 5-C: Standard for the transmittal of classified and protected information and assets of this manual.

3. Where it is proposed that there be an award of subcontracts containing protected or classified security requirements to the U.S. (for non-defence production), to other North Atlantic Treaty Organization (NATO) member nations or to other foreign governments, the contracting authority and PSPC's CSP must be consulted for guidance and approval before the proposed award

Refer to the procedure outlined in paragraph 4 of section 703. Subcontracts in this chapter.

705. Standing offers

1. A standing offer is not a contract. It is an agreement whereby government departments and agencies may deal directly with suppliers on an as-and-when ordered basis, at a prearranged price, under fixed terms and conditions. Security requirements, such as security screening, may form part of the fixed terms and conditions of the agreement.

2. A call-up (order or requisition) against the standing offer constitutes a contract. Contractors providing goods and services under a call-up against the standing offer must observe the same security measures that are applicable to any other contract of the same security classification. If a contractor is offered a call-up with a security requirement that is at a higher level of security than that which the organization holds at that time, the offer must be declined. In addition, the security requirements identified in the standing offer fixed terms and conditions are the minimum security requirements applicable to all call-ups against that particular standing offer.

706. Publicity

The following security criteria apply to organizations registered in PSPC's CSP and to all contracts, Canadian or foreign, for which PSPC is responsible.

Although having a security status or clearance is not a secret in and of itself, there is an expectation of good judgment regarding sharing that information. Security information must be adequately safeguarded to mitigate the risk that cleared organizations might become targets for security infiltration or terrorism activity:

• organizations should not make public any specific information about their security status or clearance in any advertising or promotional activities such as on the organization's website, in videos, or photos
• employees of organizations should not make public their level of security status or clearance on business cards, curriculum vitae, or the internet, including social media, as this could draw attention to the security status of the organization for which they work
• any enquiries received by organizations concerning their security status are to be directed to PSPC's CSP

General information about a contract can be released as this is already public knowledge:

• organizations must get clarification and/or approval from the contracting authority before releasing information related to a contract
• organizations must not make public any specific information about the security requirements of a government contract

Protected or classified information cannot be made public or advertised in any manner.

707. Release of information to foreign entities

Approval requirement

The release of protected and classified information or assets to foreign countries must comply with Canada's international bilateral security instruments and foreign legislation, and must have the approval of PSPC's CSP.

Procedures

Requests must be reviewed by PSPC's CSP to ensure adherence to Policy on Government Security and to international bilateral security instruments with Canada. Where Canadian, foreign, NATO or European Union classified information must be released to foreign entities, as is frequently the case, the concurrence of such nations or international organizations must be obtained by PSPC and the respective foreign partner. It normally takes several months to get concurrence from foreign entities. Applications for such release must be submitted to PSPC's CSP well in advance with the following details:

1. title of documents or nomenclature of assets to be released
2. copies of the documents and copies of brochures or other documentary data of the assets
3. name or organization of the originator of the items to be released
4. security classification of the items to be released
5. approval letter with date from the originator stating the concurrence to release such items to foreign entities
6. contract or solicitation request number, where applicable
7. country or countries to which the release is proposed
8. purpose of the release

Annex

ARCHIVED - Annex 7-A: Instructions for completing the security requirements checklist