Thank you, Mr. Chair.
We thank you for this opportunity to further discuss our work related to chapter 1 in our October 2007 report, the chapter entitled “Safeguarding Government Information and Assets in Contracting”, in particular, the issues we raised about the construction of the NORAD above-ground complex at the Canadian Forces base in North Bay.
As you mentioned, I am accompanied today by Hugh McRoberts, Assistant Auditor General; and Bruce Sloan, principal.
Perhaps I can begin by providing the committee with a quick summary of our audit findings since we first raised this issue. We first reported our concerns about the construction of the NORAD building in North Bay in chapter 6 of our May 2007 report. At that time, we noted that several questions about the security of the building remained, and we highlighted four important security issues, that: there was no security requirements checklist, and the department acknowledged that the review had not been done; the blueprints for the building had been placed in the public domain when they were made available to any interested contractor; there was limited physical control of the building and access to the site during construction; and finally, the workers on site had not been security cleared to work there.
We were also concerned because questions about the security of the building were delaying the move from the underground complex and delaying the realization of any savings that this move was to generate for National Defence.
At the time of our May report, National Defence was in the process of assessing possible weaknesses caused by the lack of security during construction. The department was also determining the steps it needed to take to insure that the building was secure for NORAD and other base operations.
In chapter one of our October 2007 report, on “Safeguarding Government Information and Assets in Contracting”, we decided to follow up on the progress the department had made in insuring the security of the building. The department informed us that after investigating, it had determined that the building could be used as intended if modifications were made. These modifications were due to be made by mid-September 2007.
I believe that National Defence has since informed this committee that modifications were made to fix construction defects and install monitoring equipment. The modifications, the details of which I understand to be classified, were intended to mitigate any potential security compromises. As our audit work was substantively completed in August 2007, we cannot comment on the actions the department has taken since then.
The department has also indicated to this committee that the nature of threats is such that eliminating risks is likely impossible. However, the department is satisfied that its mitigation measures addressed security concerns. Nevertheless, the department has also informed the committee that it is still assessing the best way to move two systems used for NORAD operations from the underground complex into the new building. We believe that one indicator of how well security concerns have been addressed is whether all the systems that were to be moved into the building are, in fact, there. The committee may wish to ask the department when it expects to be able to relocate those systems.
Our audit showed that many of the problems we identified may have been avoided if the government security policy had been adhered to more strictly at the beginning of construction. For example, completing a security requirements checklist might have helped the department identify security concerns before they became problems.
In its action plan, the department has committed to putting in place an interim policy on the responsibilities and obligations of all members of the department for security requirements checklists.
It appears that most buildings are treated as unclassified structures when construction begins. In testimony before this committee, departmental officials said that as building construction progresses, security requirements can change from those needed at a bare-ground, unclassified work site to those needed at a classified, clearance-required site. Although the purpose of the facility remains the same throughout the project, security may only be considered fully later when the department is preparing to make the building operational. The committee may want to ask the department how and when it determines the security levels of its buildings and what risks it accepts in that process.
As well in previous testimony, there was discussion about whether the roles and responsibilities for construction security were clear between National Defence and Defence Construction Canada. In its action plan, National Defence committed to revising the memorandum of understanding it has with Defence Construction Canada and to putting a framework in place to manage industrial security on defence projects. I understand that a revised memorandum of understanding has been signed.
The department has put together an action plan and, as you know, has shared it with the committee and with us. We believe that it represents a reasonable plan to address the concerns raised in our chapter, and we were pleased to know that the department has set for itself specific deliverables with deadlines for implementation.
Mr. Chair, this concludes my opening remarks. We would be pleased to answer any questions.