Security plan template for controlled goods

This template is an optional tool for Controlled Goods Program (the program) registrants when developing their respective security plans for each place of business, including individual registered sites. Use this template to help your organization comply with the guideline for developing a security plan for safeguarding controlled goods.

About your organization

Location of controlled goods

Please provide the civic address(es) of registered site(s) where the controlled goods are kept.

Definitions

The following definitions apply to this security plan:

Access

To be in a position to examine, possess or transfer controlled goods.

Authorized individual

An owner or senior official of the organization who is identified as a business official and has signed section H. Certification and consent of the application for registration (PDF, 592KB) for that organization.

Controlled goods

Controlled goods are primarily goods, including components and technical data that have military or national security significance, which are controlled domestically by the Government of Canada and defined in the schedule to the Defence Production Act. Controlled goods can be in the form of tangible items such as parts or components, printed material or electronic data.

Designated official

A business official or other employee of the organization who has been appointed by the authorized individual and has successfully completed the mandatory training for designated officials.

Examine

To consider in detail or subject to an analysis in order to discover essential features or meaning.

International student

An individual who is authorized by a study permit or by the Immigration and Refugee Protection Regulations to engage in studies in Canada and who is not an officer, director or employee of a company registered in the program.

Possess

Either actual possession, where the person has direct physical control over a controlled good at a given time, or constructive possession, where the person has the power and the intention at a given time to exercise control over a controlled good, either directly or through another person or persons.

Shall and must

A firm and bonding requirement.

Temporary worker

An officer, director or employee of a company registered in the program who is neither of the following:

  • a Canadian citizen, ordinarily a resident in Canada
  • a permanent resident, ordinarily a resident in Canada

Transfer

With respect to a controlled good, to dispose of it or disclose its content in any manner.

Visitor

An individual, other than an international student, who is not an officer, director or employee of a company registered in the program and who is neither of the following:

  • a Canadian citizen, ordinarily a resident in Canada
  • a permanent resident, ordinarily a resident in Canada

Security organization

The following people are responsible for the safeguarding of controlled goods:

Responsibilities of the security organization

The authorized individual must:

  • ensure that a designated official is appointed for each place of business in Canada where controlled goods are kept
  • inform the program within 10 business days of any change of information contained in, or accompanying, the application for registration by approving by his/her signature of the change

The designated official, in accordance with section 13 of the Controlled goods Regulations must:

  • in respect of each officer, director and employee who is not a temporary worker of this company and who requires in the course of their duties access to controlled goods:
    • conduct a security assessment in accordance with section 15 of the Controlled goods Regulations at least once every 5 years
    • decide the extent to which the individual concerned shall be authorized to examine, possess or transfer controlled goods
  • verify the information provided to him/her by temporary workers, international students and visitors for the purpose of submitting applications for exemption to the program in accordance with  section 18 of the Controlled goods Regulations
  • submit to the program every 6 months, the name of each individual in respect of whom the designated official conducted a security assessment during the previous 6 months, as well as the individual's date of birth and an indication of the extent to which they were authorized to access controlled goods

is responsible to keep and maintain, during the period of registration and for a period of 5 years after the day on which the company ceases to be registered, records that contain a description of:

  • any controlled goods received, the date of their receipt and an identification of the company from whom they were transferred
  • any controlled goods transferred, the date of the transfer and the identity and address of the company to whom they were transferred
  • the manner and date of disposition of the controlled good

is responsible to collect and keep, for a period of 2 years after the day on which the individual who is exempt ceases to have access to the controlled goods, evidence of:

  • the individual's status as a director or an employee of the company registered to access controlled goods under the International Traffic in Arms Regulations (ITAR)
  • the registration and eligibility of that company under ITAR
  • the eligibility of the individual under ITAR

Description of the controlled goods

Procedures to control the examination, possession and transfer of controlled goods

  • only officers, directors and employees who have been security assessed and approved by the designated official are authorized to have access to controlled goods
  • describe how controlled goods are received
  • describe how and where controlled goods are stored at your site
  • describe how and where controlled goods in printed format are protected
  • describe how controlled goods in electronic format are protected:
    • location of the computer and/or network server
    • how the computer/network server is protected
    • how the controlled goods are stored on the computer and/or network server
    • measures to safeguard laptop computers or other portable devices that contain controlled goods when travelling
    • procedures that are in place for remote access to controlled goods, for example, a secure means of access such as virtual private network (VPN). Outline if the controlled goods are downloaded when they are accessed or if the controlled goods are not downloaded and remain on the server
    • procedures in place for the protection of controlled goods that are stored on a cloud-based server. Identify the service provider and the physical location of the server
    • the location of back-up data containing controlled goods. (Back-up data containing controlled goods must be kept at a registered site)
  • describe how access to controlled goods is monitored. For example, contract workers who are not accessing controlled goods, such as cleaners, are not afforded access to controlled goods. They are escorted in areas where controlled goods are present
  • describe the safeguards in place for the shipping/transportation of controlled goods
  • describe the safeguards when controlled goods are temporarily removed from the registered site. This would include, but is not limited to; when travelling, deployed in the field, etc.

Breaches: Investigating and reporting

Security breaches can be categorized as the loss, unauthorized examination/possession/transfer, theft, willful damage or tampering of controlled goods. The following procedures shall be followed in the event of a security breach involving controlled goods.

Instructions for employees

Report the security breach to the local police if it is criminal in nature

Advising of a potential security breach

Advise the Controlled Goods Program within 3 days upon discovery of a potential security breach in relation to controlled goods.

Investigative steps

Investigative steps must be initiated with regards to a security breach involving controlled goods.

Determine the following:

  • when the breach occurred
  • where the breach took place
  • what controlled goods were involved
  • how the breach occurred
  • why the breach occurred

Complete the security breach form

Security breach report form (PDF, 203KB)

Corrective measures

Implement corrective measures to ensure that similar security breaches do not occur in the future.

Inform the Controlled Goods Program

Advise the program of a security breach via:

Phone: 1‑866‑368‑4646

Email: dmc-cgd@tpsgc-pwgsc.gc.ca

Mail:

Controlled Goods Program
2745 Iris Street, 3rd floor
c/o PSPC Central Mail Room
Place du Portage, Phase III, 0B3
11 Laurier Street
Gatineau, QC  K1A 0S5

Training program

All officers, directors, employees and temporary workers must undergo initial training prior to accessing controlled goods. This training must take into account the contents of this security plan and establish:

  • an understanding of the definitions of examine, possess and transfer, and how they relate to the safeguarding of controlled goods
  • familiarity with the procedures for safeguarding the controlled goods
  • knowledge of the procedures for reporting any potential security breaches involving controlled goods

Refresher training must consist of an annual review of the above mentioned training.

Security briefings

The following security briefings must apply to visitors who are visiting this company to examine, possess or transfer controlled goods:

  • visitors who have received registration exemption from the program must be reminded of any limitations that may be imposed on the exemption certificate as well as any conditions that may be imposed by this company
  • visitors who have not received registration exemption from the program must be informed that they will not be allowed to examine, possess, or transfer controlled goods in the course of their visit

More information

Date modified: