Guideline on Controlled Goods Program registration

1.1 Eligibility for registration

Individuals are eligible to register in the program provided they carry on business in Canada, give their consent to a security assessment and are a Canadian citizen or a permanent resident ordinarily residing in Canada.

Businesses are eligible to register in the program provided they are incorporated under federal, provincial or territorial laws or are authorized by federal, provincial or territorial laws to carry on business in Canada.

1.2 Exemptions

To be exempted from registration in the program, one must be a visitor, a temporary worker or international student of a person registered in the program, or an officer, director or employee of a person registered under the United States’ International Traffic in Arms Regulations (ITAR).

1.3 Persons excluded from registration

Part 2 of the act does not apply to a person who either:

• occupies a position in the federal public administration, including a position in a federal crown corporation, or is employed by Her Majesty in right of a province, who acts in good faith in the course of their duties and employment
• is a member of a class of persons prescribed by regulation

In accordance with the regulations, the following classes of persons are excluded from registration:

• Canadian public officers (as defined in section 117.07(2) of the Criminal Code)
• elected or appointed officials of the Canadian federal or provincial government
• members of a visiting military force (as defined in section 2 of the Visiting Forces Act) present in Canada in connection with official duties, including, in some cases, the civilian personnel component of the visiting force, as outlined in the Visiting Forces Act

1.4 Security assessments

In addition to submitting a complete application for registration form as outlined in section 3 of the Controlled Goods Regulations, applicants must also submit security assessment applications for the authorized individual, all owners of 20% or more of the voting shares or interests of the business and designated officials.

1.5 Justification for registration

As part of the registration process, applicants will be asked to provide a description of their business activities relating to controlled goods and a description of the controlled goods they intend to possess, examine or transfer. Applicants are encouraged to ensure that there is a need to be registered before submitting an application. Information regarding contractual or work commitments involving controlled goods may be requested.

1.6 Registration scope

The registration of a person extends to each officer, director or employee of the registrant who has been security assessed and authorized by the designated official to examine, possess or transfer controlled goods. Such extension of registration only applies when the security assessed individual acts in the course of their duties with the registrant.

Once security assessed, the individual has a significant level of responsibility in regards to safeguarding controlled goods at the registrant’s place of business and is subject to the requirements of subsection 37(2) of the Defence Production Act. For example, it is an offence to knowingly transfer a controlled good to an individual or business that is not registered or to an individual who is not exempt from registration. A business or an individual may be prosecuted under the act.

1.7 Period of registration validity

The maximum period of validity of a certificate of registration is 5 years. Registration is valid until the expiry date indicated on the certificate of registration. If an extension has been provided, the expiry date is indicated in that organization’s entry in the program’s registration search. An extension to the certificate of registration cannot exceed the maximum period of validity of 5 years. The certificate of registration is not transferable.

1.8 Registration renewals

The standard processing time for the program to renew a certificate of registration is 32 business days once the application validation is completed. An application for registration (PDF, 592KB) form (select renewal in section B—type of application) must be submitted no less than 90 calendar days prior to the expiry date indicated on the certificate of registration. This is to allow sufficient time for processing.

The application for registration for renewal must include the following additional information:

• a copy of the evidence of the legal status of the business if there has been a change since the copy was submitted to the program with the original application
• a copy of the registrant’s security plan(s) if there has been a change since the last submission to the program

A renewal of registration does not automatically require the renewal of the security assessments for key personnel (the authorized individual, the designated official and owners of 20% or more of the voting shares or interests of the business). Security assessments of individuals are valid for a period of up to 5 years as long as the individual remains employed with the same business. Therefore, it is not necessary to renew individual security assessments if they have not reached their 5-year expiry date.

2.1 Report any change in the application for registration form

The applicant has an obligation to report any and all changes to the information provided in the application for registration (PDF, 592KB) form within 10 business days, be it a phone number change, a civic address change or other information, as per section 9 of the Controlled Goods Regulations. This section also includes the requirement to inform the Controlled Goods Program of the name and address of any person that will, as a result of an acquisition, own 20% or more of the outstanding voting shares or interests of the business by the later of 32 business days before the date of an acquisition or 1 business day after the day on which they become aware of an acquisition.

2.2 Maintain records

A recordkeeping system must be established, implemented and effectively applied over the period of registration, and kept for 5 years after the person ceases to be a registrant. The recordkeeping system in place at the registrant’s place of business must only be accessed by individuals who are authorized to do so by the registrant. Records may be kept electronically or in paper format. Registrants must ensure that records are legible, that all changes are tracked and documented and that they are safe from modification by unauthorized persons. The registrant should review their recordkeeping system periodically to ensure it continues to meet the security needs for safeguarding controlled goods and reflects any regulatory or legislative changes.

The recordkeeping system implemented and established at the registrant's place of business is subject to inspection by the program at any time over the period of registration and for 5 years after the person ceases to be registered in the program.

The regulations identify 3 recordkeeping requirements:

• the registrant must keep records of all transfers, receipts or dispositions of controlled goods to another registrant for a period of 5 years after they cease to be registered in the program
• the registrant must keep records of the most recent security assessments and supporting documentation of each officer, director, employee, temporary worker, international student and visitor who examines, possesses or transfers controlled goods for a period of 2 years after leaving the company
• the registrant must keep records of the evidence referred to in subsection 16(2) of the Controlled Goods Regulations regarding ITAR-exempt individuals

2.3 Appointing a designated official

Either a company or an individual can be registered in the Controlled Goods Program. As a condition of registration in the program, the applicant must appoint at least 1 designated official.

The designated official must be either a Canadian citizen ordinarily living in Canada or a permanent resident ordinarily living in Canada. If an applicant is an individual and does not have employees, that individual is considered the designated official, and will undergo a security assessment by the program and is not required to complete the Designated Official Certification Program, as this individual will not be performing security assessments of employees.

If a company is applying for registration, the proposed designated official must be an employee who consents to undergo a security assessment and completes the Designated Official Certification Program. The Controlled Goods Program will not approve the registration of the company unless their designated official(s) have successfully completed the certification program.

Learn about mandatory training for designated officials through the Designated Official Certification Program.

2.4 Ensure the designated official fulfills their duties

Every registrant shall ensure that the designated official carries out their duties as stipulated under section 13 of the Controlled Goods Regulations.

The key responsibility of a designated official is to perform security assessments of officers, directors, employees including domestic students of the registrant every 5 years. As an on-site representative of the registrant, a designated official is well-positioned to evaluate these individuals having access to controlled goods, and to make a determination as to the extent to which each may pose a risk of transferring a controlled good to an unauthorized person (business or individual).

2.5 Establishing and maintaining a security plan

Registrants must develop, implement and maintain a security plan. An effective security plan ensures that adequate measures are in place to protect against the unauthorized examination, possession or transfer of controlled goods by persons not registered or exempt from registration in the program.

A security plan must be developed and implemented for each place of business in Canada where controlled goods are kept. A unique security plan for each location; or a single security plan that will cover all locations can be implemented. If a single security plan is chosen, the company must ensure that the procedures used to safeguard the controlled goods reflect the conditions at each site. This may require separate sections within the plan to cover the conditions and procedures for each site.

The security plan for each place of business of a registrant must set out the:

• procedures used by the registrant to control the examination, possession or transfer of controlled goods. This includes the procedures related to the transportation of controlled goods and the procedures related to information technology (IT) security
• description of the responsibilities of the registrant's security organization and the identity of individuals who are responsible for the security of controlled goods
• procedures for reporting and investigating security breaches in relation to controlled goods
• contents of security briefings and training programs given to visitors, officers, directors, employees, temporary workers and international students

A security plan not only has to be implemented and maintained, it also has to be effectively applied over the period of registration. The security plan must be handwritten or electronic and in a format that can be easily understood by the individuals who are subject to it. Each registrant is uniquely placed to determine the security plan they require in light of the nature of the controlled goods they examine, possess or transfer. Controlled goods are to be afforded a sufficient level of protection to prevent their unauthorized examination, possession or transfer.

2.6 Provide training to officers, directors, employees, temporary workers and international students

A registrant must provide training programs for the secure handling of controlled goods to officers, directors, employees, temporary workers and international students who are authorized to examine, possess, or transfer those goods.

Every officer, director, employee temporary worker and international student authorized to examine or possess controlled goods must undergo the mandatory training program which has to be established, implemented and effectively applied over the period of registration. Training programs must specifically set out the criteria for the secure handling of controlled goods. Each registrant is uniquely placed to determine the content of their training programs in light of the nature of controlled goods that they examine, possess or transfer.

A training program should be more extensive than a security briefing because it applies to those authorized persons who will examine, possess or transfer controlled goods on a regular basis (employees, officers, directors, temporary workers and international students of the registrant).

The training program must:

• detail the requirements of the regulations and the act to ensure the proper safeguarding of controlled goods
• include a comprehensive and detailed overview of the security plan in place
• identify the authorized person’s reporting obligations and requirements and the security procedures and duties applicable to the person’s job
• be explicit in what steps should be taken in the event of a security breach
• be included in the registrant’s security plan and contain a log of the date, names and signatures of the authorized person(s) who have received the training and the person who conducted the training

The frequency of training sessions will depend on the size of the organization, the rate of turnover, updates to the registrant’s security plan or changes to the program’s legislation or regulations. The training should be ongoing and performed periodically for those persons authorized to examine, possess or transfer controlled goods. Periodic refresher training should reinforce the information provided during the initial training and inform of any changes in the security plan.

The effectiveness of the training program in ensuring the secure handling of controlled goods by those authorized to possess, examine or transfer those goods, is subject to inspection by the program.

2.7 Provide security briefings to visitors

All visitors must receive a security briefing prior to examining controlled goods. Security briefings may vary depending on whether or not the program has placed any conditions on the visit. If conditions have been placed on the visit, then the standard security briefing will also include any conditions specific to that visit.

The standard security briefing should be updated to reflect any changes to the registrant’s security plan or to the program legislation or regulations.

The security briefing must:

• detail the requirements of the regulations and the act to ensure the safeguarding of controlled goods
• be specific to the visitor as to the controlled goods that they will be examining
• advise the visitor of the access requirements and limits of the visit
• be set out in writing and be included in the registrant’s security plan
• be recorded in a log with the visitor’s name, contact information and signature acknowledging their responsibilities with respect to the safeguarding of controlled goods and the applicable security restrictions at the registrant’s place of business
  • the log must also contain the name of the security official who conducted the security briefing

The program will ensure, by site inspection if necessary, that the security briefings meet the regulatory criteria and are effective in ensuring the secure handling of controlled goods by those authorized to possess, examine or transfer those goods. Registrants should review their security briefings periodically to ensure that they continue to meet the security needs for safeguarding controlled goods and reflect any regulatory or legislative changes to the program.

2.8 Report confirmed and potential security breaches

Registrants must contact the Controlled Goods Program within 3 days upon discovering a potential security breach. Security breaches must be properly investigated by the registrant’s security organization and corrective action must be taken to prevent any re-occurrence. The registrant is best placed to determine the nature of a security incident and whether it constitutes a breach. Security breaches can be categorized as loss, destruction, modification, removal or disclosure, of a controlled good. For example, a security breach can be a known theft or disappearance, appearance of willful damage to or tampering with a controlled good and/or the witnessing of unauthorized persons examining controlled goods.

Any breach of a criminal nature that can be subject to conviction under the Criminal Code must be reported immediately to the authorities having jurisdiction, and in turn, within 3 days upon discovery to the program.

The security breach report must include at minimum the information listed below:

• date, time and place of the security breach
• name and contact information (phone, address, fax) of the person making the report
• nature of event (for example, theft)
• detailed description of incident
• list of controlled goods involved, including name, description, the controlled goods list entry to the most accurate sub-entry, any identifiers and the quantity involved
• name and contact information of the person or organization investigating the incident
• remedial action taken

The program will use the information provided to track the incident and take corrective action as required.

2.9 Make available all records to the Controlled Goods Program

The regulations stipulate that all records and documents maintained by the registrant must be made available, at any reasonable time, to the Controlled Goods Program for examination.

2.10 Report a change in a security assessed individual’s criminal history

Section 15(5) of the Controlled Goods Regulations stipulates that an individual subject to a security assessment must inform the Controlled Goods Program or the designated official, as the case may be, of any changes concerning their criminal history within 5 business days.

2.11 Report any change in an application for exemption

Section 19(3) of the Controlled Goods Regulations stipulates that registrants must inform the Controlled Goods Program within 5 business days of any changes in an application for exemption.

2.12 Provide a report of security assessed employees to the Controlled Goods Program

In accordance with section 10(j) of the Controlled Goods Regulations, registrants must complete and submit to the Controlled Goods Program a security assessments report every 6 months that includes:

• the name of each individual security assessed by their designated official(s) during the previous 6 months
• the individual’s date of birth
• the date that the security assessment was completed
• the risk level
• whether or not the individual was authorized to access controlled goods

If no security assessments are carried out during that time period, the registrant should complete the security assessments 6-month report template by checking the box “No security assessments were conducted during the last six months” and submit the report to the Controlled Goods Program.

Learn about the security assessments 6-month report including information and submission requirements.

2.13 Consider recommendations provided by the Controlled Goods Program in regards to high-risk employees

The Controlled Goods Program, on behalf of the Minister, will make a recommendation to the designated official in instances where a security assessment of a high-risk individual is referred by the designated official for further verifications. The designated official must consider this recommendation in their assessment. The final decision, of whether or not to grant access to an employee, director, or officer, remains with the designated official.

3.1 Contractual workers who are registrants

A contractual worker who is a registrant must provide his or her certificate of registration to the client. The registrant client must then confirm the identity of the contractual worker and the validity of the certificate of registration. The registrant client can do a registration search, if a company does not come up in the search result, you should contact the company directly for further verification.

3.2 Contractual workers who are employees of a registrant

If a contractual worker is the employee of a registrant company, the registrant client must then confirm the:

• company’s registration
• contractual worker’s identity and employment
• validity of the contractual worker’s security assessment with the registrant company

The registrant client can do a registration search. If a company does not come up in the search result, the registrant client should contact the company directly for further verification. The individual’s identity and employment can be confirmed by communicating with the contractual worker’s own designated official.

3.3 Security assessments of contractual workers

An individual under a contract for work or services with a registered person, including a contractor, subcontractor and independent service provider, is not an employee and therefore must not be security assessed by the client company. The contractor must either be registered in the Controlled Goods Program or be security assessed by their employer if they have a requirement to examine, possess or transfer controlled goods in the context of their duties.