Shared Services Canada: Standing Committee on Government Operations and Estimates—March 4, 2022

Document navigation for "Standing Committee on Government Operations and Estimates: March 4, 2022"

On this page

Cyber security overview

Key messages

If pressed on SSC’s responsibility vs. that of CSE:

Key data points



The Government of Canada (GC) works continuously to enhance cyber security in Canada by preventing attacks through robust security measures, identifying cyber threats and vulnerabilities, and by preparing for and responding to all kinds of cyber incidents to better protect Canada and Canadians.

The GC has improved its enterprise capacity to detect, defend and respond to cyber threats; centralized Internet access points; launched an enterprise security architecture program; established the foundation of a Government Cyber Security Program and implemented a whole-of-government incident response plan.

Given the cross-cutting nature of cyber security, a number of other federal departments and agencies play a role in various aspects of cyber security including:

GC departments and agencies play an integral role in establishing governance to ensure the integrated management of service, information, data, IT, and cyber security within their departments.

Roles and responsibilities

GC departments and agencies have a responsibility to ensure cyber security within their organization.

TBS, SSC, and CSE are the primary stakeholders with responsibility for ensuring the government’s cyber security posture is effective and able to respond to evolving threats.

TBS provides strategic oversight of government cyber security event management to ensure effective coordination of major security events and support government-wide decision-making. The GC Cyber Security Event Plan provides an operational framework which outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion across the government. The chief information officer for the GC, at TBS, sets Information Technology Security Policy along with other delegated powers.

SSC provides IT security infrastructure (procure, design, deploy and operate). In conjunction with TBS and CSE, SSC also provides security and privacy by design as part of the establishment of new services.

Although most of the security systems used to protect the government are designed and managed by SSC, the Canadian Centre for Cyber Security (CCCS) also uses an array of its own complimentary solutions to supplement the SSC-managed security systems (for example, host-based sensor for monitoring and protection of GC endpoints).

CSE houses the CCCS which monitors government systems and networks for malicious activities and cyber-attacks, as well as leads the government's operational response to cyber security events. The CCCS works to protect and defend the country’s valuable cyber assets and works side-by-side with the private and public sectors, including critical infrastructure, to solve Canada’s most complex cyber issues.

Public Safety Canada leads national cyber security policy and strategy by, for example: coordinating the overall response to significant national cyber events through the Government Operations Centre working closely with TBS; and working with Canadian and international governments, associations, academia and industry to continually advance cyber security both domestically and internationally.

Public Safety Canada is also lead on developing a new policy pertaining to how the GC supports non-government entities; the draft policy is currently called Government of Canada Coordination Policy for Cyber Security Incidents and Events Affecting Non-Government of Canada Cyber Systems. SSC’s role under that policy will need to be defined.

The RCMP is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin on the GC infrastructure. They also lead the investigative response to suspected criminal national security cyber incidents and assist domestic and international partners with advice and guidance on cybercrime threats.

CSIS is the primary department responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists.

National Defence/Canadian Armed Forces is the primary department responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems.

Each department has responsibilities under the TBS Policy on Service and Digital for specific aspects of cyber security, such as:

Government of Canada readiness for return to worksite

Key messages

If pressed:

Key data points


Videoconferencing technologies use much more network bandwidth. As a result, maintaining the same user experience for a home user is not currently supported from within Government of Canada buildings given infrastructure limitations.

There are in excess of 3,500 buildings connected to the GC network. Therefore, SSC is prioritizing, with partner departments, the most critical sites requiring digital communication and collaboration tools to support Canadians and government operations. This will allow the GC to increase its efficiency and effectiveness in providing these tools to those employees and worksites that will continue to leverage these modern tools going forward.

The work required to improve user experience for a hybrid workforce relies on SSC and partners to ensure IT performance through proactive testing and analysis of operations, devices and tools. SSC continues to work with partners to ensure their business requirements are addressed.

Government outsourcing of information technology services

Key messages


On January 17, 2022, a report appeared in the Globe and Mail, stating that the federal government spending on outsourcing contracts in the fiscal year 2020 to 2021 increased by 40% when compared to fiscal year 2015 to 2016. This came from information publicly available in the Public Accounts of Canada, tabled in the House of Commons on December 14, 2021.

Though these recent media reports make no mention of Shared Services Canada, there has been past criticism of government departments, including SSC, in regards to the outsourcing of IT services.

Examples of information technology service contracts

In 2019, Shared Services Canada in consultation with Treasury Board of Canada Secretariat, the Communications Security Establishment established the Microsoft Enterprise Agreement for the Government of Canada as the basis for replacing a multi-year contract for a fully vendor-managed email service. This enabled the transition to a GC-managed email service hosted on cloud components allowed the GC to close-out the vendor-managed service in December 2021. 

In addition, the Microsoft Enterprise Agreement also provided a digital collaboration toolset, delivered via a cloud provider (Software-as-a-Service), which was fundamental to allowing the GC’s quick response to pivot to a mobile workforce throughout the pandemic and continue to provide programs and services to Canadians.

The next generation human resources and pay (NextGen HR and Pay) initiative is an example of where the GC has strategically chosen to outsource. This initiative is part of the government’s modernization effort, where legacy IT systems are being replaced with modern digital solutions. For the NextGen HR and Pay solution, the GC has chosen to explore a Software as a Service (SaaS) model, that is configured to the GC environment, but not customized through fundamental changes to the software. SaaS tools come with a standard configuration aligned with international best practices (including for managing HR and pay).

Therefore, by pursuing a commercially available SaaS solution, the GC is adopting a world-leading solution, without the need for extensive customization. In the case of NextGen HR and Pay, by choosing to outsource, the GC is getting access to proven product with a solid international reputation that will align its approach to HR and Pay with global best practices. It also means that the software is rigorously tested and that users have access to extensive support.

Response to National Security and Intelligence Committee of Parliamentarians Report

Key messages

If pressed on small departments and agencies:

If pressed on SSCs role on cyber security:


The National Security and Intelligence Committee of Parliamentarians (NSICOP) was established under the National Security and Intelligence Committee of Parliamentarians Act, which received royal assent in June 2017. It is not a parliamentary committee, but rather a committee of parliamentarians, composed of both members of Parliament and senators. All members hold top secret security clearances and are permanently bound to secrecy under the Security of Information Act.

In July 2020, the Honorable David McGuinty, Chair of the NSICOP, wrote to the president of the Treasury Board Secretariat to advise that the committee will review the Government of Canada’s framework and activities to defend its systems and networks from cyberattacks.

NSICOP completed its review of the Government of Canada’s activities to defend its systems and networks from cyberattack. This included reviewing the:

In the report, tabled in the House of Commons on February 14, 2021, recommendation 2 of annex A recommended the leveraging of SSC managed enterprise internet services by all small departments and agencies (SDAs), and read as follows:

To the greatest extent possible, the government will extend advanced cyber defence services, notably Enterprise Internet Service of Shared Services Canada and the cyber defence sensors of the Communications Security Establishment, to all federal organizations.

Five SDAs were chosen to participate in pilots aimed at elevating security protection and visibility. The Office of the Chief Information Officer at the Treasury Board Secretariat has continued to investigate measures required to apply those same cyber and IT security policies and directives to all federal entities, which are currently not under Treasury Board Secretariat’s purview.

TBS, SSC and CSE continue to work to ensure that cyber defence is applied equally across departments and agencies to the greatest extent possible, including alignment between the scope of the Policy on Government Security and the Policy on Service and Digital.

Document navigation for "Standing Committee on Government Operations and Estimates: March 4, 2022"

Date modified: