Work site security requirements

Learn how the Contract Security Program will guide your organization through the requirements to secure your work site and obtain a document safeguarding capability (DSC).

Why you need to secure your work site

A secure work site is designed to prevent, delay and respond to unauthorized access to sensitive work sites, information and assets.

If your organization is required by contract to store sensitive government information and assets, you will need to obtain a DSC through the Contract Security Program.

Site inspections

The program will conduct a site inspection before granting clearance for DSC. This will identify what is required to secure your work site, information and assets.

Before the inspection: what to expect

In preparation for the inspection, the field industrial security officer (FISO) with the program will review the following documents:

  • security requirements checklist
  • request for private sector organization screening
  • contract security clauses
  • statement of work

You will be asked to review and complete a security guideline package, the required forms, and a pre-inspection questionnaire. The FISO will also request a detailed floor plan in order to perform the security inspection.

Consult the floor plan and hierarchy of zones diagram.

During the inspection: what to expect

Note

Although there is no cost for the inspection, organizations must pay for the cost of any equipment or construction required to safeguard information and assets at their work sites.

The FISO will identify:

Photographs

During the inspection, the FISO will require authorization and access from your organization to photograph the following:

  • all interior and exterior access points, including locking hardware
  • storage cabinets and their location
  • access control doors to operations or security zone (if applicable)
  • server room(s)

After the inspection: what to expect

Note

Inspections may be conducted at any time throughout the life of the contract. If your organization does not comply with contract requirements, security clearance may be denied or terminated.

Your organization can begin work on the contract once the:

  • inspection process is complete
  • organization has been notified in writing that they possess the required security level

Security orders for personnel

Note

Security orders are required for organizations with DSC. They must be submitted to the FISO before clearance is granted.

Security orders are a document that your organization will create and use to:

It must state that employees:

All employees of the organization are required to carefully read these security orders before signing the acknowledgment at the end of the document.

Learn about security orders in Annex A: Guidelines on company security officer and alternate company security officer responsibilities – section V. Security awareness content of the Contract Security Manual.

Access controls

Access controls are a type of physical security used to safeguard information and assets. The program provides guidance and advice on what types of access controls are required for specific work sites.

Some access controls include:

Organizations must ensure that all employees, contractors and subcontractors such as cleaners and maintenance workers are properly cleared and are escorted at all times when they enter security zones.

Storage and cabinets

The FISO from the program will provide storage recommendations. If necessary, the FISO will assist you in ordering cabinets approved by the Royal Canadian Mounted Police (RCMP). These cabinets are required for storage of classified and Protected C federal government information and assets.

Floor plan and hierarchy of zones

A detailed floor plan must be completed before an inspection can take place.

Your detailed floor plan should identify the following:

  • all exterior and perimeter access points to the facility, including doors and windows (ground level)
  • all interior and access control points within your facility (operations zone and security zone)
  • all locations where protected and classified material, information and assets will be viewed, processed, produced or stored
  • all restricted areas
  • location of storage cabinets and temporary holding areas
  • location of any intrusion alarm components such as motion sensors, keypad, door contacts, closed-circuit television
  • location of servers, information technology systems and peripherals

You will need to create a hierarchy of zones to control who can, and cannot, access sensitive information and assets at your work site. These zones must be shown on your floor plan, as illustrated in the images below.

Organization of zones and example of a floor plan

Description of the organization of zones and example of a floor plan

The organization of zones is depicted by circles. The outer circle is the largest and it encloses the other circles. As the circles get smaller, the security requirements for the zone increase.

The outermost circle represents the public access zone. This is an area where the public has unimpeded access, such as the grounds surrounding a building or its public corridors.

The second outermost circle represents the reception zone. This is an area where the transition from a public zone to a restricted-access area is demarcated and controlled.

The third outermost circle represents the operation zone. This is an area where access is limited to personnel who work there and to properly-escorted visitors, such as a typical open office space or an electrical room.

The fourth outermost circle is also the second innermost circle. It represents the security zone. This is an area to which access is limited to authorized personnel and to authorized and properly-escorted visitors, such as an area where secret information is processed or stored.

The innermost circle represents the high security zone. This is an area to which access is limited to authorized, appropriately-screened personnel and authorized and properly-escorted visitors, such as an area where high-value assets are handled by selected personnel.

The example of a floor plan is depicted by a bird's-eye view of a rectangular room. The room contains the following zones:

  • operation zones
  • a reception zone
  • a security zone within the operation zones
  • a high security zone within the security zone

Access to the security zone is for personnel within the operation zones only. The high security zone is contained within the security zone. Access to the high security zone is restricted to personnel within the security zone.

Access in and out of the room is provided by the following access points:

  • a doorway for public access:
    • leads immediately to a reception zone inside the room
    • access beyond the reception zone is restricted by a control access point
  • a personnel door that is access-controlled:
    • access in and out of this door is for personnel within operation zones only
  • emergency exits, where access is not recommended and should permit emergency exiting only:
    • access out of this door is for personnel within operation zones only

Security markings

Information, whether paper or electronic, should be marked to identify it as protected or classified. Organizations should follow government standards for marking protected and classified information.

Learn about marking protected and classified information in Annex C: Guidelines for safeguarding information and assets – section III. Security markings of the Contract Security Manual.

Destruction and shredding

Sensitive information and assets are destroyed at the end of their life cycle to preserve their confidentiality. This is required for original documents, copies, drafts and notes—any document that includes protected and classified information.

Shredding

Protected shredding capability

Organizations can shred protected information at their work site using shredding equipment purchased from an office supply store.

Secret shredding capability

  • For paper, the shredder must be approved by the RCMP
  • For information technology, the shredder must be approved by the Communications Security Establishment

Classified shredding capability

Organizations must use the services of a company with classified shredding capability, and obtain a certificate of destruction once completed.

Protected C, Top Secret, communications security, North Atlantic Treaty Organization and foreign classified information and assets

Return to the program for disposal or shredding

Shredding facilities

The Contract Security Program inspects shredding companies annually. They must be cleared for shredding capability to the level of the information being stored at their facility.

Mobile shredding

Mobile shredding trucks can be approved to shred protected level information and higher if they meet RCMP standards. In addition, a cleared employee of the organization must be present to:

  • accompany the documents at all times
  • watch the entire destruction process
  • inspect the shredded waste

The company security officer (CSO) must ensure that the shredding company is cleared to the appropriate level with the program.

A certificate of destruction must be obtained from the shredding company after the materials are destroyed.

Incineration

Destruction by incineration may only be done by an RCMP-approved incinerator.

Minimum standards for storage, transmittal and destruction

Protected A

Storage

  • Paper: Lock in an operations zone, such as in a locked overhead bin, locked drawer or locked office
  • Electronic: Save on a secure network drive

Transmittal

  • Facsimile: Send and receive by regular facsimile in an operations zone
  • Email: Send on a secure internal network

Destruction

  • Paper: Use a commercial shredder, up to a maximum of 10 metres
  • Electronic: Delete files and empty recycling bin

Protected B

Storage

  • Paper: Store information in a locked cabinet in an operations zone
  • Electronic: Save on a universal serial bus (USB) stick, external hard drive or compact disc (CD) and store in a locked cabinet in an operations zone

Transmittal

  • Facsimile: Send and receive by regular facsimile in an operations zone with physical controls at both ends of the facsimile transaction
  • Email: Use public key infrastructure (PKI) encryption or other approved encryption

Destruction

Protected C

Storage

  • Paper: Store information in a RCMP-approved security container in a security zone
  • Electronic: Store information in a RCMP-approved security container in a security zone

Transmittal

  • Facsimile: Send and receive by secure facsimile and telephone equipment with an approved encryption device in a security zone
  • Email: Do not use email

Destruction

Confidential

Storage

  • Paper: Store information in a RCMP-approved security container in an operations zone
  • Electronic: Must be stored in a RCMP-approved security container in an operations zone

Transmittal

  • Facsimile: Send and receive by secure facsimile and telephone equipment with an approved encryption device in a security zone
  • Email: Do not use email

Destruction

Secret

Storage

  • Paper: Store information in a RCMP-approved security container in a security zone
  • Electronic: Store information in a RCMP-approved security container in a security zone

Transmittal

  • Facsimile: Send and receive by secure facsimile and telephone equipment with an approved encryption device in a security zone
  • Email: Do not use email

Destruction

Top Secret

Storage

  • Paper: Store information in a RCMP-approved security container in a high security zone
  • Electronic: Store information in a RCMP-approved security container in a high security zone

Transmittal

  • Facsimile: Send and receive by secure facsimile and telephone equipment with an approved encryption device in a high security zone
  • Email: Do not use email

Destruction

Reference sheet: Secure worksites

The title of the image is "Reference sheet: Secure worksites". The Public Services and Procurement Canada corporate signature appears at the top of the image. A disclaimer that reads "Note: Subject to change based on program updates" appears at the top of the image.

Document safeguarding

When your organization is required to store sensitive Government of Canada (GC) information and assets, it needs to obtain a document safeguarding capability (DSC) through the Public Services and Procurement Canada (PSPC) Contract Security Program (CSP).

Before an organization can obtain a DSC, it requires 1 of the following 2 valid clearances:

  • designated organization screening (DOS)
  • facility security clearance (FSC)

Note: A DSC clearance level cannot exceed that of the organization clearance.

DSC is site-specific and may result in a physical inspection by a field industrial security officer (FISO).

There is no cost for inspections, but organizations must pay for the cost of any equipment or construction required to safeguard information and assets at their worksite as per the CSP and contract security requirements.

Organizations are required to develop security orders with the assistance of the FISO. They must be submitted to the FISO appointed to their organization. 

Document safeguarding subsets

Information technology (IT): The authority to produce, process and store protected or classified information electronically is subject to PSPC approval.

Consult the reference sheet: Information technology security for further details.

For organizations with DSC, a minimum of 2 security officers, cleared to the level of DSC, are required at each of the secure work sites.

Production: Production is a broad term that can encompass organizations required to build, manufacture, repair, retrofit or reproduce sensitive material or products at their site or sites.

COMSEC: COMSEC stands for communications security. COMSEC material is designed to secure or authenticate telecommunications information.

The Communications Security Establishment is Canada's national COMSEC authority and is involved in granting COMSEC clearances.

IT security, production and COMSEC are contract-specific and only valid for the duration of the contract.

Inspection process

Before the inspection

A FISO with PSPC will review the following documents:

During the inspection

The FISO will identify:

The FISO will take or request photographs of:

  • all interior and exterior access points, including locking hardware
  • storage cabinets and their location
  • access control doors to operations or security zone (if applicable)
  • server room(s)

After the inspection

The organization can begin work on the contract once the inspection process is complete and the organization has been notified by PSPC in writing that they possess the required security level.

Inspections may be conducted at any time throughout the life of the contract.

Inspection timeframes will vary based on security levels and an organization's ability to comply with PSPC's recommendations.

Contact us

  • National Capital Region: 613-948-4176
  • Toll-free: 1-866-368-4646
  • Email: ssi-iss@tpsgc-pwgsc.gc.ca
  • Website: Security requirements for contracting with the Government of Canada

Next step: reference sheet: Information technology security.
