Information technology security requirements
Information technology (IT) security requirements are designed to safeguard the confidentiality, integrity and availability of protected and classified information. IT security is required for organizations that access, store, save, process, transmit, view or back up protected or classified information electronically for government contracts. Learn how the Contract Security Program (CSP) can help your organization obtain the Authority to process information technology designation, and how IT inspections work.
About information technology security requirements
IT security requirements are specific to each contract. The security level required is based on the sensitivity of the information involved.
To obtain the authority to access, store, save, process, transmit, view or back up sensitive information electronically, organizations must first hold a valid:
Other organization clearances may be required, such as:
- production capability
- communications security and information security
- shredding capability and bulk storage capability
Learn about work site security requirements.
Your organization will need to:
- ensure your company security officer (CSO) or alternate company security officer (ACSO) understands IT requirements, or have a qualified IT technician present with them during the inspection
- complete an IT security inspection by an IT security inspector of the CSP
- ensure all personnel, including IT personnel working on the contract, are screened to the appropriate security level
- obtain approval in writing from the CSP before protected or classified Government of Canada information is accessed electronically
Information technology security inspections
The IT security inspection focuses on the IT systems your organization will be using to access, store, save, process, transmit, view or back up protected or classified contractual information. It is conducted after the contract has been awarded and physical security requirements have been met but before your organization begins to access, store, save, process, transmit, view or back up sensitive electronic information.
Information technology security inspection: What to expect
An IT security inspector assigned by the CSP will contact your organization's CSO or ACSO. Your CSO will be required to complete an IT security checklist and submit a data flow diagram illustrating where the protected or classified information will be accessed, stored, saved, processed, transmitted, viewed or backed up.
These documents will be used by the inspector to assess the security posture of your organization’s IT systems. Your CSO or ACSO will be required to complete a new checklist for each contract with IT security requirements.
The IT inspector will also review technical documentation provided by the client department. The technical documentation will identify contract-specific IT related requirements and safeguards which your organization will be required to meet.
During the information technology security inspection: What to expect
The IT security inspector will evaluate your organization’s IT system to ensure that the appropriate safeguards are in place. Your organization is expected to demonstrate the ability to securely access, store, save, process, transmit, view or back up sensitive government information electronically on the day of the inspection.
All personnel working on the contract must be screened to the appropriate level and adhere to the need-to-know principle. The need-to-know principle restricts access to sensitive information and assets: employees are entitled to access only the information their duties require.
Any personnel working on the contract may be interviewed during the IT security inspection.
Given the travel restrictions implemented by the CSP in response to COVID-19, all document safeguarding capability and IT inspections are currently done virtually. Once the program-wide travel restrictions are lifted, your organization may be subject to an on-site inspection to validate the security requirements. Your organization may also be required to implement additional security requirements identified during the on-site inspection to ensure compliance.
After inspection: What to expect
The IT security inspector will provide your CSO or ACSO with corrective measures in a declaration letter after the inspection is completed. Once your organization has implemented the corrective measures, your CSO or ACSO must return the declaration letter to the IT security inspector. In the letter, your organization must state that all corrective measures have been implemented.
After receiving and approving the declaration letter, the IT security inspector will issue an IT approval letter to your CSO or ACSO. Upon receipt, your organization can begin work on the associated contract and use its IT systems to access, store, save, process, transmit, view, back up or produce sensitive information.
IT approvals are contract specific, and are valid for the life of the contract or until any changes are made to the IT system that was inspected during the IT security inspection. Your CSO and ACSO are responsible for advising the CSP of any changes to their IT systems by email at firstname.lastname@example.org.
Your CSO or ACSO must immediately report to the CSP suspected or confirmed security incidents involving IT information or assets, specifically those used to access, store, save, process, transmit, view or back up information related to a sensitive government contract.
Learn how to report security incidents.
The CSP does not assess or approve cloud solutions in support of any contract. For the use of the cloud, the CSP requires the following confirmation from your organization or from the client department prior to contract award:
- the cloud solution is assessed by the Canadian Centre for Cyber Security (CCCS) (Information Technology Security Assessment Program and the Supply Chain Integrity assessment)
- the client department has performed their location IT verification or assessment against the required controls and proper cloud profiles
Both assessments must be approved and signed by the chief security officer of the client department.
Learn more about the CCCS Cloud service provider information technology security assessment process.
Organizations screened by the CSP will find information on how to apply IT security standards for government contracts in:
- Chapter 7: Information technology security of the Contract Security Manual
- Royal Canadian Mounted Police G1-026 Guide to the application of physical security zones