The COVID Pandemic required nearly everyone to move to a work-from-home environment. For the lucky few, this was a straightforward process; for most, significant reorganization and restructuring of business operations was required.
Confidentiality and security of information is an important element of the "new normal." However, for government contractors subject to the Contract Security Program (CSP) or the Controlled Goods Program (CGP) – the two main federal government security programs for government contractors – there are additional and significant considerations.
The two programs have similar underlying objectives – to protect sensitive government assets, data and information (government information and assets) – but each has distinct and specific requirements that are also material terms of any government contract. Failure to comply with these requirements is deemed a breach of contract that can result in an immediate contract termination for default.
The Contract Security Program (CSP)
Operated by the Canadian Industrial Security Directorate, the CSP:
- Protects Canadian and foreign government sensitive assets and information entrusted to private sector businesses under government contracts
- Provides security screening of organizations and their personnel who require access to sensitive government information and assets
- Decides which security terms and conditions are included in government contracts
- Ensures contractor compliance with the security requirements of their contracts
- Issues suspensions and revocations of CSP registration
Obligations will vary with the level of security assigned to the government information and assets, but will always include:
- Mandatory management, access, safeguarding and information destruction processes/protocols
- Reliability checks and security clearances for organizations, their personnel and appointed company security officials prior to access to government information or assets
- Reporting obligations, including notification of change of ownership or control
- Facility assessments and (if required) inspections prior to government information or assets being transferred to such facility
- Registration of subcontractors that will receive, process, store or access government information or assets for each subcontract (e.g. if a government contractor uses the same subcontractor for more than one contract, the subcontractor must have a valid security clearance for each contract)
The Controlled Goods Program (CGP)
Operated by the Controlled Goods Directorate, the CGP:
- Regulates the import, export and access to goods and technical data that have military or national security significance
- Manages individual and organization registrations or exemptions
- Performs security assessments, conducts inspections, investigates security breaches
- Issues suspensions and revocations of CGP registration
Obligations of the CGP will depend on the specific individual or organization, but will always include:
- Registration in the CGP unless exempt or excluded from registration and receipt of clearances prior to access
- Conduct of clearances of employees and maintaining employee training and preparation and execution of security plans in relation to possession, examination and transfer of controlled goods
- Reporting obligations, including notification of any changes to original registration information such as change of ownership or control
What do we need to do now?
If your business is subject to the CSP:
- Your CSP registration and Company Security Orders will identify whether work-from-home is permissible with respect to the government information and assets
- If the CSP registration and Company Security Orders do not permit employees in a work-from-home situation to access government information or assets, individual and facility security clearances must be received in advance of any access to government information or assets
Public Services and Procurement Canada (PSPC) has confirmed that in light of government office closures due to the pandemic, remote work may be allowed if security requirements can still be met. The Client Technical Authority is responsible for these decisions.
If your business is subject to the CGP:
- The facility where controlled goods are examined, possessed or transferred to must be assessed and cleared by the CGP in advance
- Remote access must be reviewed by the CGP registrant's designated official prior to being approved (and will only be granted when required). Note that any remote access must be provided for in the CGP registrant's security plan for each individual who may examine, possess or transfer controlled goods (and this security plan must be approved by the CGP)
- The security plan must provide protocols to prevent unauthorized examination, possession or transfer of controlled goods for WFH scenarios
The requirements for each program have to be carefully examined in light of each registrant's circumstance and obligations, including particular and specific obligations imposed by the program and the applicable contract. The ramifications of non-compliance can be severe – a breach of the requirements of either program is an automatic breach of contract, and the Contracting Authority is not required to provide a cure period before terminating the contract. In addition, a breach of the CGP requirements may constitute a summary or indictable offense under the Defence Production Act, resulting in significant fines and/or imprisonment.
As of the publication date, government services related to the CSP and CGP continue to be delayed. Up-to-date information for each program can be accessed here: Public Services and Procurement Canada.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.