Work site security requirements
Learn how the Contract Security Program (CSP) will guide your organization through the requirements to secure your work site and obtain a document safeguarding capability (DSC).
Why you need to secure your work site
A secure work site is designed to prevent, delay and respond to unauthorized access to sensitive work sites, information and assets.
If your organization is required by contract to store sensitive government information and assets at 1 or more work sites, it will need to obtain a DSC through the CSP before contract award.
Learn more about document safeguarding capability.
Physical security inspections
The CSP inspects the business locations of eligible organizations as part of the DSC approval process. The physical security inspection will identify what your organization is required to do to secure its work site and protect sensitive information and assets.
For competitive solicitations, the inspection is completed during the bid evaluation stage for all confirmed bidders. Once the successful bidder has been selected, the CSP will grant them a DSC for the duration of the contract.
Learn more about the physical and information technology security inspection process.
Before the inspection: What to expect
In preparation for the inspection, the field industrial security officer (FISO) with the CSP will review the following documents:
- Security requirements check list form (TBS/SCT 350-103)
- contract security clauses
- statement of work
- company information
Your company security officer (CSO) or alternate company security officer (ACSO) will be asked to review and complete a security guideline package, a pre-inspection questionnaire and any other required forms. The FISO will also request a detailed floor plan in order to perform the security inspection.
For more information consult the diagram about the organization of zones and example of a floor plan.
During the inspection: What to expect
The FISO will identify:
- potential targets or risks for physical attacks
- intrusion detection systems
- physical security zones in accordance with the Royal Canadian Mounted Police (RCMP) G1-026 Guide to the application of physical security zones
- how information and assets are handled
Note
Although there is no cost for the inspection, your organization must pay for the cost of any equipment or construction required to safeguard information and assets at its work sites.
Photographs
During the inspection, the FISO will require authorization and access from your organization to photograph the following:
- all interior and exterior access points, including locking hardware
- storage cabinets and their location
- access control doors to operations or security zone (if applicable)
- server room(s)
- additional photos related to physical security
Recommendations
During the inspection, the FISO will provide recommendations to your CSO or ACSO on how to properly secure your organization’s work site.
After the inspection: What to expect
Your organization must implement the CSP’s recommendations to qualify for a DSC. Once your organization has implemented the recommendations and has been selected as the successful bidder, the CSP will:
- complete the inspection process
- grant the DSC
- notify your CSO or ACSO in writing that your organization possesses the required security level
- authorize your organization to begin work on the contract
Inspection timeframes will vary based on security levels and your organization's ability to comply with the CSP’s recommendations.
Learn more about the implementation of recommendations and corrective measures during the bid evaluation stage of a federal procurement process.
Security orders for personnel
Security orders are presented in a document that your organization will create and use to:
- inform employees of their security responsibilities
- prevent unauthorized disclosure, destruction, removal, modification or interruption of sensitive government information and assets
It must state that employees:
- may access sensitive information and assets only if they:
  - hold a valid security status or clearance at the appropriate level
  - have a valid need to access sensitive information and assets, in accordance with the need-to-know principle
- are responsible for controlling access to their area and for ensuring that unauthorized persons do not gain access
All employees of the organization are required to carefully read the security orders before signing the acknowledgment at the end of the document.
Note
Security orders are required for organizations with a DSC. They must be submitted to the FISO before a DSC can be granted.
Learn about security orders in Annex A: Guidelines on company security officer and alternate company security officer responsibilities—Section V. Security awareness content of the Contract Security Manual (CSM).
Access controls
Access controls are a type of physical security used to safeguard information and assets. The CSP provides guidance and advice on what types of access controls are required for specific work sites.
Some access controls include:
- progressively restricted security zones
- locked doors
- access control systems
- intrusion alarm systems
- approved safety containers
Organizations must ensure that all employees, contractors and subcontractors such as cleaners and maintenance workers are properly cleared or are escorted at all times when they enter security zones.
Storage and cabinets
The FISO from the CSP will provide storage recommendations. If necessary, the FISO will assist you in ordering RCMP-approved cabinets. These cabinets are required for storage of classified and Protected C federal government information and assets.
Floor plan and hierarchy of zones
A detailed floor plan must be completed before an inspection can take place.
Your detailed floor plan should identify the following:
- all exterior and perimeter access points to the facility, including doors and windows (ground level)
- all interior and access control points within your facility (operations zone and security zone)
- all locations where protected and classified material, information and assets will be viewed, processed, produced or stored
- all restricted areas
- location of storage cabinets and temporary holding areas
- location of any intrusion alarm components such as motion sensors, keypad, door contacts, closed-circuit television
- location of servers, information technology systems and peripherals
You will need to create a hierarchy of zones to control who can and cannot access sensitive information and assets at your work site. These zones must be shown on your floor plan, as illustrated in the images below.
Organization of zones and example of a floor plan

Description of the organization of zones and example of a floor plan
The organization of zones is depicted by circles. The outer circle is the largest and it encloses the other circles. As the circles get smaller, the security requirements for the zone increase.
The outermost circle represents the public access zone. This is an area where the public has unimpeded access, such as the grounds surrounding a building or its public corridors.
The second outermost circle represents the reception zone. This is an area where the transition from a public zone to a restricted-access area is demarcated and controlled.
The third outermost circle represents the operation zone. This is an area where access is limited to personnel who work there and to properly-escorted visitors, such as a typical open office space or an electrical room.
The fourth outermost circle is also the second innermost circle. It represents the security zone. This is an area to which access is limited to authorized personnel and to authorized and properly-escorted visitors, such as an area where secret information is processed or stored.
The innermost circle represents the high security zone. This is an area to which access is limited to authorized, appropriately-screened personnel and authorized and properly-escorted visitors, such as an area where high-value assets are handled by selected personnel.
The example of a floor plan is depicted by a bird's-eye view of a rectangular room. The room contains the following zones:
- operation zones
- a reception zone
- a security zone within the operation zones
- a high security zone within the security zone
Access to the security zone is for personnel within the operation zones only. The high security zone is contained within the security zone. Access to the high security zone is restricted to personnel within the security zone.
Access in and out of the room is provided by the following access points:
- a doorway for public access:
  - leads immediately to a reception zone inside the room
  - access beyond the reception zone is restricted by a control access point
- a personnel door that is access-controlled:
  - access in and out of this door is for personnel within operation zones only
- emergency exits, where access is not recommended and should permit emergency exiting only:
  - access out of this door is for personnel within operation zones only
More information about security zones
Learn more about:
- applying physical security zones in accordance with the RCMP G1-026 Guide to the application of physical security zones
- Chapter 5—Section 5.4 Access control of secure zones of the CSM
Security markings
Information, whether paper or electronic, should be marked to identify it as protected or classified. Your organization should follow government standards for marking protected and classified information.
Learn about marking protected and classified information in Annex C: Guidelines for safeguarding information and assets—Section III. Security markings of the CSM.
Destruction and shredding
Sensitive information and assets are destroyed at the end of their life cycle to preserve their confidentiality. This is required for original documents, copies, drafts and notes, that is, any document that includes protected and classified information.
Shredding
As identified in the contract clauses, protected and classified information and assets can be destroyed by an approved third-party destruction company, or your organization can shred on site if it has an approved shredder. If your organization indicates that it will be shredding at its business location, the FISO will inspect the shredder during the DSC inspection.
Refer to Appendix A: Government of Canada paper shredding standard of the RCMP equipment selection guide for paper shredders.
Protected A and Protected B shredding capability
With permission from the client department, your organization may shred Protected A and Protected B information at its business location. Shredding equipment must be located in the “operation zone” of the organization of zones and meet the RCMP shred size requirements for the level of information being destroyed.
Secret shredding capability
With permission from the client department, your organization may shred Secret information at its business location. Shredding equipment must be located in the “security zone” of the organization of zones and meet the RCMP shred size requirements for the level of information being destroyed.
For information technology, the shredder must be approved by the Communications Security Establishment.
Protected C, Top Secret, communications security, North Atlantic Treaty Organization and foreign classified information and assets
With permission from the client department, your organization may shred sensitive information at its business location, in the applicable zone from the organization of zones, using shredding equipment that meets the shred size requirements for the level of information being destroyed.
Shredding facilities
The CSP inspects shredding companies annually. They must be cleared for shredding capability to the level of the information being stored at their facility.
If your organization is using services of a third-party shredding facility, your CSO or ACSO will need to initiate a subcontract.
Learn more about subcontracting security requirements.
Mobile shredding
Mobile shredding trucks can be approved to shred protected level information and higher if they meet RCMP standards. In addition, cleared employees of your organization must be present to:
- accompany the documents at all times
- watch the entire destruction process
- inspect the shredded waste
Your CSO or ACSO must ensure that the shredding company is cleared to the appropriate level with the CSP.
A certificate of destruction must be obtained from the shredding company after the materials are destroyed.
If your organization is using services of a third-party mobile truck, your CSO or ACSO will need to initiate a subcontract.
Learn more about subcontracting security requirements.
Incineration
Destruction by incineration may only be done by an RCMP-approved incinerator. Simply burning information is not an approved method of destruction by incineration.
Minimum standards for storage, transmittal and destruction
Protected A
Applies to information or assets that, if compromised, could cause injury to an individual, organization or government.
Storage
- Paper: lock in an operations zone, such as in a locked overhead bin, locked drawer or locked office
- Electronic: save on a secure network drive
Transmittal
- Facsimile: send and receive by regular facsimile in an operations zone
- Email: send on a secure internal network
Destruction
- Paper: shredding equipment must meet the RCMP’s paper shredding standard for Protected A
- Electronic: delete files and empty recycling bin
Protected B
Applies to information or assets that, if compromised, could cause serious injury to an individual, organization or government.
Storage
- Paper: store information in a locked cabinet in an operations zone
- Electronic: save on a USB stick, external hard drive or compact disc (CD) and store in a locked cabinet in an operations zone
Transmittal
- Facsimile: send and receive by regular facsimile in an operations zone with physical controls at both ends of the facsimile transaction
- Email: use public key infrastructure (PKI) encryption or other approved encryption
Destruction
- Paper: shredding equipment must meet the RCMP’s paper shredding standard for Protected B
- Electronic: contact the Contract Security Program
Confidential
Applies to information or assets that, if compromised, could cause injury to the national interest.
Storage
- Paper: store information in an RCMP-approved security container in an operations zone
- Electronic: must be stored in an RCMP-approved security container in an operations zone
Transmittal
- Facsimile: send and receive by secure facsimile and telephone equipment with an approved encryption device in a security zone
- Email: do not use email
Destruction
- Paper: shredding equipment must meet the RCMP’s paper shredding standard for Confidential
- Electronic: contact the Contract Security Program
Protected C
Applies to information or assets that, if compromised, could cause extremely grave injury to an individual, organization or government.
Storage
- Paper: store information in an RCMP-approved security container in a security zone
- Electronic: store information in an RCMP-approved security container in a security zone
Transmittal
- Facsimile: send and receive by secure facsimile and telephone equipment with an approved encryption device in a security zone
- Email: do not use email
Destruction
- Paper: shredding equipment must meet the RCMP’s paper shredding standard for Protected C
- Electronic: contact the Contract Security Program
Secret
Applies to information or assets that, if compromised, could cause serious injury to the national interest.
Storage
- Paper: store information in an RCMP-approved security container in a security zone
- Electronic: store information in an RCMP-approved security container in a security zone
Transmittal
- Facsimile: send and receive by secure facsimile and telephone equipment with an approved encryption device in a security zone
- Email: do not use email
Destruction
- Paper: shredding equipment must meet the RCMP’s paper shredding standard for Secret
- Electronic: contact the Contract Security Program
Top Secret
Applies to information or assets that, if compromised, could cause exceptionally grave injury to the national interest.
Storage
- Paper: store information in an RCMP-approved security container in a high security zone
- Electronic: store information in an RCMP-approved security container in a high security zone
Transmittal
- Facsimile: send and receive by secure facsimile and telephone equipment with an approved encryption device in a high security zone
- Email: do not use email
Destruction
- Paper: shredding equipment must meet the RCMP’s paper shredding standard for Top Secret
- Electronic: contact the Contract Security Program
More information
- Consult the RCMP G1-026 Guide to the application of physical security zones
- Consult the following chapters of the CSM