Information technology security requirements

Information technology (IT) security requirements are designed to safeguard the confidentiality, integrity and availability of protected and classified information. IT security is required for organizations that produce, process and store protected or classified information electronically for government contracts. Learn how the Contract Security Program can help your organization obtain the authority to process information technology designation, and how IT inspections work.

Information technology security requirements: authority to process information technology

Information technology (IT) security requirements are specific to each contract. The security level required is based on the sensitivity of the information involved.

To obtain the authority to process information technology designation, organizations must first hold a valid:

Other organization clearances may be required, such as:

Your organization will need to:

Information technology security inspections

The information technology (IT) security inspection focuses on the information technology systems your organization will be using to produce, process and store protected or classified contractual information. It is conducted after the contract has been awarded and physical security requirements have been met—but before your organization begins to produce, process and store sensitive electronic information.

Information technology security inspection: what to expect

Your company security officer will be required to complete an IT security checklist and submit a detailed picture of your organization’s IT environment to the IT security inspector.

The IT security checklist will be used by the inspector to assess your organization’s ability to produce, process and store sensitive government information technology at your work site. You will be required to complete a new checklist for each contract with IT security requirements.

The IT inspector will also review technical documentation provided by the client department. The technical documentation will identify the contract-specific, IT-related requirements and safeguards that your organization will be required to meet.

During the information technology security inspection: what to expect

The IT security inspector will evaluate your IT system to ensure that the appropriate safeguards are in place. You are expected to demonstrate the ability to securely produce, process and store sensitive government information on the day of the inspection.

All personnel working on the contract must be cleared to the appropriate level and maintain a need-to-know. The need-to-know principle restricts access to sensitive information and assets. Employees are entitled to access based only on their duties.

Any personnel working on the contract may be interviewed during the IT security inspection.

After inspection: what to expect

The recommendations of the IT security inspector will be provided in a declaration letter after the inspection is completed. In the declaration letter you must state that you have implemented the recommendations.

Once the declaration letter has been received and approved by the IT security inspector, your organization will be issued an Authority to Process Information Technology approval letter.

Your organization can begin to process IT for the contract when the Contract Security Program has issued your approval letter.

IT approvals are contract-specific, and are valid for the life of the contract.

Security incidents

Your company security officer must immediately report suspected or confirmed security incidents involving IT information or assets—specifically those used to produce, process and store information related to a sensitive government contract—to the Contract Security Program.

Learn how to report security incidents

Reference sheet: Information technology security

Information technology security reference sheet - long description below
Description of the reference sheet: Information technology security

The title of the image is “Contract Security Program: Information technology security—Reference sheet.” The Public Services and Procurement Canada corporate signature appears at the top of the image. A disclaimer that reads “Note: Subject to change based on program updates” appears at the top of the image.

Authority to process

To obtain the authority to process information technology (IT) designation, organizations must hold a valid:

Your organization will need to:

Inspection process

The IT security inspection focuses on the IT systems the organization will be using to produce, process and store protected or classified GC information.

It is conducted after the contract has been awarded and physical security requirements have been met.

Before the inspection

During the inspection

The IT security inspector evaluates the organization’s IT system to ensure that the appropriate safeguards are in place. The organization is expected to demonstrate the ability to securely produce, process and store sensitive GC information.

All personnel working on the contract, including IT personnel, must be cleared to the appropriate security level.

Only employees who have a need-to-know based on their duties are authorized to access sensitive GC information and assets.

Any personnel working on the contract may be interviewed during the IT security inspection.

After the inspection

The recommendations of the IT security inspector must be validated in a declaration letter after the inspection is completed.

Once the declaration letter has been received and approved by PSPC’s IT security inspector, the organization will be issued an Authority to Process IT approval letter.

The organization can only begin work once PSPC has issued the approval letter.

IT approvals are contract-specific, and are valid for the life of the contract.

Contact us

National Capital Region: 613-948-4176

Toll-free: 1-866-368-4646

Email: ssi-iss@tpsgc-pwgsc.gc.ca

Website: Security requirements for contracting with the Government of Canada

At the bottom of the image, there is a link that reads “Return to the Contract Security Program roadmap.”

More information

Organizations registered in the program will find information on how to apply IT security standards for government contracts in:
