Directive on Security Management

The procedures and subsections are as follows:

• F.2.2.1Define department-wide security requirements that should apply to all contracts or arrangements;
• F.2.2.2Establish a process for identifying security requirements for a specific contract or arrangement;
• F.2.2.3Establish a process for verifying and monitoring continued compliance with security requirements, including any permitted exceptions and risk mitigation measures, as applicable; and
• F.2.2.4Integrate security considerations into departmental procurement processes and into information management, asset management and program management processes, while considering information- and asset-sharing arrangements.

• F.2.3.1Determine security requirements based on the sensitivity of information, assets or sites to which individuals will require access; the location and the type of work to be performed; the need for the supplier, partner or department to safeguard, process or produce sensitive information or assets at its facilities or in its information systems; and other relevant factors:
  • F.2.3.1.1Security screen individuals who require access to sensitive information, assets or sites in the performance of their work; individuals who need to be relied on to produce and deliver the goods and services being procured; and individuals who, because of their position, could gain access to sensitive information, assets or sites or could adversely affect the delivery of goods and services, including supplier security points of contact and, for certain contracts, suppliers’ key senior officials;
  • F.2.3.1.2Verify and obtain assurance of the appropriate implementation of;
    1. Physical security controls in facilities that are used to store or produce sensitive information or assets or that need to be relied on to produce or deliver the goods or services being procured;
    2. Security controls to protect information systems that are used to electronically process or transmit sensitive information or that are relied on to produce or deliver the goods or services being procured;
    3. Administrative and operational security controls (including designation of security points of contact, governance, planning, management of subcontracts or arrangements with third parties, security awareness and training, and security event monitoring, reporting and response, as applicable);
    4. Any other specific security requirements to meet statutory, regulatory or other obligations (for example, requirements for the management of COMSEC material; international or defence contracts that are subject to negotiated treaties, international agreements and multinational arrangements; and requirements where duties or access to information, assets or facilities are related to or directly support security and intelligence functions); and
    5. Risk-based approach for verifying and monitoring supplier, partner and departmental compliance with security requirements, as applicable.
• F.2.3.2Identify security requirements in the documentation associated with a contract or arrangement:
  • F.2.3.2.1For contracts and other arrangements with suppliers, document security requirements in the Security Requirements Check List or an equivalent document and in other documentation associated with the contract or arrangement;
  • F.2.3.2.2For other types of arrangements, document security requirements in the arrangement;
  • F.2.3.2.3For contracts or arrangements involving a subcontractor or another third party, identify in the contract or arrangement the need for the supplier or partner to extend applicable security requirements to any other entity involved in fulfilling the contract or arrangement; and
  • F.2.3.2.4For contracts or arrangements that do not involve any security requirements, include an attestation to that effect in the documentation of the contract or the arrangement.

• F.2.4.1Verify compliance with, and obtain assurance of the implementation of, the security requirements using the risk-based approach defined for the contract or arrangement. To avoid duplication, where possible and in accordance with privacy requirements and other legal or policy obligations:
  • F.2.4.1.1Provide the security records of Government of Canada suppliers to internal enterprise service organizations and other departments; and
  • F.2.4.1.2Consult the security records of Government of Canada suppliers when verifying supplier compliance;
• F.2.4.2Implement and document risk mitigation measures when security requirements to limit access to sensitive information, assets or sites cannot be fully met before awarding a contract or entering into an arrangement, subject to approval by an individual who has the required authority; and
• F.2.4.3Establish documented arrangements that define respective security responsibilities for contracts or arrangements managed for or by another organization.