Evidence of meeting #50 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was security.
A recording is available from Parliament.
5 p.m.
Conservative
The Chair Conservative John Brassard
That's perfect. Thank you.
I'm going to restart your time, Matt. I'm giving you six minutes, okay?
5 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you.
I'll go back to those earlier comments, sir. You're hearing some confusion around your role in this. Intuitively, it feels to me like an opening comment that.... Perhaps if the government had been better in communicating the nature of this particular contract, we would not be here today. This being unpacked months later is a testament to the lack of our ability to come to terms with the total price and what that means.
I'm going to ask some basic questions for my own edification, some of which have been asked.
You talked about a “task-based contract”, and about an omnibus contract in referring to all the other scope of work you had. To be clear, you have not received $8 million. That's just the scope of work for which you would have sign-off from the government, task by task, which you identified as being at $180,000.
Is that correct?
5 p.m.
President, IBISKA
No. The only thing is that the $8 million is on a piece of paper. That's where it is.
5 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
In other words, it's like a retainer or scope of work. Piece by piece, you would go through it and bill back to the government, then receive the payment.
5 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Okay.
Were you provided any direction from the government on what your scope of work must include?
5 p.m.
President, IBISKA
No.
The only thing we get is a statement of work from the government. Since it's omnibus, they cannot put in every application or system they're going to develop in the future. They're asking about the people who are qualified to do this particular task and are who are applicable to almost every application or system. Who are those people? We provide those people, and then they will assign the work to them while they are there.
The first thing they do is meet with them. “This is where you are, and tell us how much time you're going to need to do this." When you're finished with this particular project, you move to the next one, then the next one.
5 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Okay. That satisfies me. Thank you.
You mentioned that cybersecurity was the subject-matter expertise you provided for this contract. Is that correct?
5 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Are there any other parts of the $8-million contract, outside of the $110,000 used for development, that are used for costs related to other aspects of ArriveCAN, such as updates, maintenance, operations or indirect costs?
5:05 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Initially, in this procurement, the government contemplated that ArriveCAN would require $8 million set aside for cybersecurity. Is that your testimony here today?
5:05 p.m.
President, IBISKA
No. As I said, our contract had nothing to do with ArriveCAN. As I said, this is omnibus, which means that the CBSA issued a requirement that they needed resources so they could do cybersecurity for any of the requirements they would have over the next five years.
5:05 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Correct, so that's inclusive of all products that you're offering the government.
5:05 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
It was the CBSA. My apologies; that makes sense.
When fulfilling your contract, what considerations for privacy did you have within the contract or the Government of Canada in relation to ArriveCAN?
5:05 p.m.
President, IBISKA
As I have said, many of our consultants have “secret” security clearance, and most of them have “top secret” security clearance.
5:05 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
You were offering them the highest level of privacy and security in terms of the service.
5:05 p.m.
President, IBISKA
Definitely we do, yes.
Most of our people working within the cybersecurity area are either top secret or secret. We don't have anybody.... Most of them are at that level.
5:05 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
I might jump off the technological diving board here for a moment. I'm not a technical expert, but I would ask if you would be willing to share with us some examples of the types of tasks that your consultant would have done for the initial $100,000-plus.
5:05 p.m.
President, IBISKA
I can read it to you, but this is a very generic kind of thing. It says what a task will be:
Tasks Activities may include, but are not limited to, the following: Attend a kick-off meeting with CBSA Technical Authority to discuss the objectives and requirements;
Provide advice and guidance in a meeting discussion forum or in writing, regarding IT security topics, as required;
Develop IT Security vision papers, strategic assessments and policies/standards;
Collect, collate and prioritize IT security and information infrastructure protection requirements;
Perform Information System Security Implementation Process (ISSIP) activities for CBSA Protected and Classified information systems as identified in Communications Security Establishment Canada (CSEC) IT Security Risk Management: A Lifecycle Approach (ITSG-33) https://cyber.gc.ca/en/guidance/overview-itsg-33
Develop and prepare project management documents to support ITSCD projects using PWGSC/Shared Services Canada procurement tools/services, such as:
Collaborative Procurement Solution Process;
Joint Procurement Solution;
SMART Procurement Process;
Analysis and integration of IT security controls throughout the technical solution architectural design process; and
Conduct oral presentations and briefings to ITSCD and CBSA senior management.