Government Operations Committee on Feb. 23rd, 2017

Thank you, Mr. Chair.

Shared Services Canada, or SSC, was created in 2011 to build a modern, secure and reliable information technology infrastructure for the digital delivery of programs and services to Canadians.

After its creation, SSC began reviewing the security requirements that would be necessary to meet its mandate and the needs of its customers.

At the time, Canada’s security and intelligence community had recognized the strategic importance of SSC’s procurements to establish a secure, centralized IT infrastructure for the Government of Canada. This includes procurements related to email, data centre infrastructure, and network and telecommunications systems and services.

Ultimately, the department concluded that these types of procurements are indispensable to national security, and that steps were necessary to protect Canada’s national security interests, including invoking the national security exception.

A main justification was that email, networks and data centres play a central role in every aspect of the government's operations, and that these systems have repeatedly been the target of hostile cyber threats.

I would underline that the decision was made together with a number of other federal partners, including Public Services and Procurement Canada, the Canadian Security Intelligence Service, the Communications Security Establishment, the Treasury Board Secretariat, the Department of National Defence and the Privy Council Office.

These organizations all endorsed SSC’s request to seek a national security exception in support of its mandate. This endorsement is not normally part of the already rigorous process that my colleagues will describe from PSPC, but it was added to ensure that our rationale was supported by the key departments responsible for protecting Canada’s national security. Canada’s decision to invoke the NSE for all procurements of goods and services related to email, networks, and data centre infrastructure was announced on the government electronic tendering service in May 2012. SSC also invoked the NSE for procurements related to workplace technology devices, software, and related services, which were added later to the department’s mandate.

In our notice to suppliers, it was explained that workplace technology devices and software are the gateway to most of the government’s infrastructure and are the means by which employees send and receive email, transmit information across networks, and access information stored in data centres. This therefore makes them attractive targets for those intent on exploiting the government’s infrastructure. The invocation related to these types of procurements was announced on the government electronic tendering service in 2014.

Let me now turn to some of the steps Shared Services Canada is able to take to protect Canada’s national security by invoking the NSE. This includes applying the supply chain integrity assessment process. This security screening process, which involves analysis by the Communications Security Establishment, is intended to ensure that no equipment, software, or services procured by Shared Services Canada, or used in the delivery and support of services, could compromise the security of Canada’s systems, software, or information.

Other steps include “in-Canada” requirements for housing data to protect Canada's sovereignty over its data.

Shared Services Canada is also able to direct the architecture of its network or other systems to ensure the design achieves appropriate security standards and controls.

These are just some examples of how the NSE enables Shared Services Canada to procure the goods and services required to fulfill its mandate in a way that protects national security in the face of increasing cyber threats.

I would like to state at this point that the invocation of the NSE does not mean that procurements will be non-competitive. To illustrate this, for fiscal year 2015-16, Shared Services Canada conducted 725 procurements that were subject to the NSE for a total value of $1 billion. Of that total, $920 million was sourced competitively. This volume represents 29% of all of SSC's procurement transactions for 2015-16. It also represents about 77% of the total dollar amount we procured in that fiscal year.

In addition, the invocation of the NSE is not intended to insulate Shared Services Canada from challenges by suppliers. Challenges to the Federal Court and to the provincial superior courts remain available with respect to all of the department's procurements.

Let me close by emphasizing that Shared Services Canada is committed to conducting fair, equitable, and competitive procurement processes.

We recognize that market-based competition is the best vehicle to deliver the highest value solutions and best value for Canadian taxpayers. This includes procurements conducted under a national security exception.

Thank you, Mr. Chair.

Thank you, Mr. Chair and committee members.

I'm sorry for being late this morning, Mr. Chair. There was some confusion about the room we were supposed to be in.

Thank you for the opportunity to appear here today to discuss how PSPC invokes the national security exceptions.

PSPC procures goods and services on behalf of departments and agencies at the best value for Canadians. Our acquisitions program provides federal organizations with procurement solutions such as specialized contracts, standing offers, supply arrangements, and memoranda of understanding for acquiring a broad range of goods and services, including construction services.

This program delivers acquisitions and related common services using procurement best practices, early engagement, effective governance, independent advice. It benefits Canadians through an open, fair, and transparent process to ensure best value for Canadians in the federal government.

In order to ensure that Canada's national security interests are not compromised when procuring goods and services, the trade agreements allow all parties to take whatever action they consider necessary by invoking the national security exception.

By including national security exception provisions, signatories to the trade agreements made a conscious decision to allow discretion in determining their national security requirements. This discretion is essential in view of the evolving and shifting nature of sources of threat to national security. Recognizing that it's very difficult to predict how threats to national security will evolve and change, the trade agreements give Canada and its trading partners the flexibility to invoke NSE when they consider it necessary.

A national security exception is considered when the procurement is essential for any of the following: national defence and military threat, sovereignty, protection of security intelligence, environmental security, human security, and economic security. Invoking an NSE, as my colleague said, does not remove procurements from the obligations of the government contract regulations to compete the requirement unless there is a valid reason to direct the procurement. Canada's contracting framework and laws favour robust competition as a way of ensuring choice and innovation for the government.

When PSPC is the contracting authority, an NSE can only be invoked by either myself in my capacity as assistant deputy minister of defence and marine procurement, or by my colleague Arianne Reza, assistant deputy minister of procurement. This is because matters pertaining to national security must be addressed at the senior management level.

PSPC's acquisition program invokes on average 20 national security exceptions per year. A total of 55 NSEs have been invoked over the past three fiscal years, with the Department of National Defence being our major client, representing 45% of the total number of invocations. Other client departments include the Royal Canadian Mounted Police with 16%; Canada Border Services Agency with 7%; Immigration, Refugees and Citizenship Canada with 5%; and PSPC with 4%.

To date, for the current fiscal year, PSPC has invoked a total of 18 NSEs.

The process for invoking an NSE is rigorous and sound. A client department determines the national security risks to be managed and mitigated in a procurement.

A request must be in the form of a letter from the responsible assistant deputy minister at the client department that explains the nature of the proposed procurement and shows a clear rationale of why an NSE should be invoked in relation to the trade agreements.

PSPC implements a rigorous review process to vet the client department's request in consultation with our legal services and the relevant procurement sector. We also follow Treasury Board's guidelines in this respect. As with any other procurement process, this is done with great diligence and scrutiny.

Procurements for which an NSE is invoked remain subject to all other relevant government regulations and policies, including the industrial and technological benefits policy and the value proposition. The NSE is invoked only when the crown considers the procurement indispensable for the protection of Canada's national security interests. As well, invoking an NSE is not by definition meant to restrict competition to Canadian suppliers.

There may, however, be a legitimate need to maintain or establish a Canadian source of supply.

For example, when Canada contracted for a pandemic vaccine supplier, the government was required to invoke the NSE for various reasons, including ensuring a domestic supply of the vaccine was readily available and manufactured within its borders.

Typically, an NSE is invoked for a project or a specific procurement. However, there are situations in which an omnibus NSE may be required. For example, in November 2015, I invoked an omnibus national security exception to assist in the relocation of 25,000 Syrian refugees to Canada. This NSE applied to all procurements carried out by my department on behalf of all federal government departments, agencies, and crown corporations.

In 2008, PSPC invoked an omnibus NSE on behalf of the Department of National Defence to support Canada's military operations in Afghanistan. In this situation, invoking this NSE ensured that the Department of National Defence met its immediate operational requirements in an active war zone, and protected our national security interests.

To conclude, PSPC recognizes the seriousness of invoking an NSE, and, as I have previously mentioned, the department has a rigorous process to ensure that any request meets the high standard we have established for invoking the exception and managing our overall procurement responsibilities for the Crown.

Thank you, Mr. Chair and committee members. My colleagues from other departments also have remarks to offer, after which we'd be pleased to answer your questions.

Good morning, Mr. Chair and distinguished committee members.

My name is Dennis Watters and I am the acting chief financial administration officer for the Royal Canadian Mounted Police.

Thank you for the opportunity to speak with you today about the RCMP's procurement activities, and more specifically the use of national security exceptions as they relate to providing Canada's national police service with the most appropriate and effective equipment to ensure the safety and security of Canadians.

The RCMP's procurement activities are conducted directly in support of the RCMP's operational priorities, including but not limited to the following: enable RCMP members to detect and prevent organized crime, ensure Canada's security interests, and protect Canada's economic integrity, while also providing for the safety of RCMP officers who are entrusted with the security of Canadians.

The RCMP uses the services of PSPC and Shared Services Canada for procurement requirements that exceed the contracting authority of the RCMP and for specialized requirements. The RCMP also procures goods, services, and constructions under its own delegated authorities through open, fair, and transparent processes to ensure best value for Canadians while meeting the RCMP's operational priorities.

In order to meet these and other operational priorities, the RCMP requires a wide range of goods and services. The bulk of these items are procured through open and competitive processes. As reported against the 2015–16 management accountability framework, the RCMP used competitive processes for 84% of contracts valued at over $25,000.

For calendar year 2014, the RCMP had more than 7,000 contracts awarded, for a total value of $395 million. As indicated by my colleague from PSPC, the number of NSEs invoked by PSPC for the RCMP is very low in each fiscal year. I believe it was 16%. In addition, the RCMP invokes the NSE for some of the procurements that it carries out under its own authorities. However, the use is very limited.

Even though the use is quite limited, the RCMP has a robust framework in place for the use of NSE, including an internal guideline for national security exceptions. All requests to PSPC to apply the NSE must first be approved at the deputy commissioner level at the RCMP, and they are reviewed by the corporate procurement branch that reports to me. In addition, for contracts within the RCMP's own delegated authority, the requests have to be approved by the chief financial officer, me. Invoking the NSE does not by itself allow the RCMP to sole-source procurement.

The RCMP does rely on the national security exception from the application of trade agreements, generally for two main reasons. The first is when the requirement cannot be published on the public-facing government electronic tendering systems because revealing technical requirements or specifications would compromise the operational requirements of the equipment being procured. Furthermore, depending on the purchase, disclosing the specifications of the equipment could have serious consequences on the safety of our members.

The second is when the minimum publication timeline under Canada's trade agreements cannot be met due to the urgent nature of the requirement. For example, solicitations subject to the North American Free Trade Agreement must be published for a minimum of 40 calendar days. Due to the operational nature of the RCMP, it is not always possible to plan procurement requirements in sufficient time to meet these posting requirements. As an example, the national security exception was invoked in advance of the North American leaders' summit in 2016. The rationale for using the exception was in part to protect the details of the operations to ensure the security of leaders, but also because of the short timelines that were available to procure the equipment ahead of the summit.

The national security exception is a key tool that enables the RCMP to meet its operational requirements for the protection of Canada's national security.

Mr. Chair and honourable members of the committee, I thank you for inviting the RCMP here today, and I would be pleased to answer any of your questions.

Thank you.

Good morning, Mr. Chair and members of the committee.

My name is Karen Robertson and I am the assistant director of finance and administration at the Canadian Security Intelligence Service. I am responsible for managing CSIS' financial functions as well as administrative functions pertaining to acquisitions, asset management, disposals and infrastructure requirements.

As my colleagues from Public Services and Procurement Canada, PSPC, and Shared Services Canada, SSC, have already provided an explanation of national security exceptions, I hope to provide you some insight into the rationale for applying these exceptions to CSIS' procurement contracts.

Although CSIS' procurement-related expenditures constitute a relatively small piece of the government's overall procurement budget, our mandate and operational activities create distinct requirements as they relate to the procurement of goods and services. As such, to contextualize my statements today, I would like to provide the committee with a brief overview of CSIS' authorities and why special consideration is required to protect the integrity of our work.

Everything we do at CSIS is grounded in the CSIS Act, which clearly articulates our mandate and authorities. Pursuant to section 12, CSIS is authorized to collect information, to the extent that is strictly necessary, on activities suspected of being threats to the security of Canada. These threats are explicitly defined in section 2 of the act, and are limited to terrorism, espionage, sabotage, and foreign interference.

CSIS collects information to detect, assess, and respond to threats to the security of Canada. A core function of our mandate is to report to and advise government on matters of national security. In principle, competitive and transparent government procurement practices are a healthy component of a democratic society. However, given CSIS' duties and functions, members of the committee will understand that the goods and services we acquire to support our activities are sensitive in nature and, as a result, must be protected from becoming widely known.

The main reason CSIS applies national security exceptions to the majority of our procurement contracts is to limit the disclosure of information about our practices, transactions, and vendors. If the targets of our investigations knew details about the equipment we procure and our technological capabilities, they could defeat or counter our investigative efforts.

In addition, knowledge of CSIS' procurement needs, even of seemingly innocuous contracts, may enable hostile actors to better understand our existing capabilities and resources. This is due to the potential mosaic effect of aggregating publicly released information about our procurement requirements, costs, and practices. As such, protecting how CSIS purchases goods and services matters just as much as protecting what we procure. Revealing any link to CSIS in a public tender may reveal our operational techniques, jeopardize our operations, and endanger employee safety. It could also risk the reputation and safety of those entities that supply us with goods and services.

The ability to apply national security exceptions to CSIS' procurement permits us the flexibility to define the requirements for a particular contract or vendor in light of our operational considerations and awareness of the threat environment.

Given these considerations, CSIS actually procures the majority of its contracts in-house as a result of exceptional contracting authorities that have been granted to us by the Treasury Board. CSIS has operated using these exceptional authorities since 1987. Very few goods and services are procured through the regular government process managed by PSPC and SSC. There are, however, certain circumstances in which we would manage contracts through PSPC and SSC, such as when the purchase exceeds our contracting authorities. National security exceptions would apply to all these contracts because of CSIS involvement.

CSIS is excluded from SSC's email, data centre, and network mandate. A minimal proportion of CSIS' network services and IT-related infrastructure are procured through SSC. With regard to SSC's mandate for end-user IT, CSIS works very closely with SSC to process IT procurements in a manner that aligns with security requirements.

CSIS does not apply national security exceptions to avoid undertaking competitive methods of procurement. While I cannot enter into much detail, it is important to note that CSIS' associated exceptional procurement authorities are backed by a rigorous internal control framework and oversight.

We leverage government-wide best practices to ensure the appropriate management of government resources. Our procurement practices are also subject to internal audit and evaluation functions, as well as to external review by the Office of the Auditor General.

Ladies and gentlemen, the application of national security exceptions is one way of adapting government-wide standards to accommodate the realities of CSIS' work. These exceptions allow us to be more responsive and agile in acquiring what we need to better investigate threats to the security of Canada. Keeping Canadians safe is our foremost concern and responsibility.

And with that, Mr. Chair, I will conclude my remarks and welcome any questions committee members may have.

I would just like to add that this is my first time appearing in front of a committee in Canada, and it's truly an honour to be here with you today.

Thank you.

Mr. Chair, there have been a few publicized episodes within the federal government over the last number of years where, from an IT perspective, our systems have been compromised. Most recently, I could mention the National Research Council. There have been some examples, yes.

Mr. Chair, getting into root cause analysis from a cybersecurity perspective is a little far afield from a procurement perspective, but I can comment on the general nature of the question.

The work of SSC, in terms of transforming the government's infrastructure, is a work in progress. We are slowly evolving different facets, whether from a network or a data centre perspective. As this committee is aware, through previous testimony, we are also maintaining legacy infrastructure and legacy systems. We are doing our utmost to secure the perimeter as we go.

Absolutely. I think the national security exception is vital in protecting CSIS infrastructure, as well as its employees, its vendors, and everyone in the supply chain, but I can't sit here today and assure you that there has never been a compromise. I am not aware of a compromise, but it's hostile actors and a heightened threat environment right now, so I wouldn't want to guarantee you that.

I am very confident that we use the national security exception appropriately, and it's necessary.

I think our discussion here today illustrates why procurement is a complex business. I'll just give you a sense of how we apply it. The total value of procurement awarded by the Government of Canada amounted to about $23 billion annually; over 75% of that was managed by our department. We navigate applying the trade agreements and dealing with requests for invocation of NSEs. As we said earlier, the request for invocation of NSEs, and their invocation, doesn't mean we don't still compete. We still apply Canada's contracting framework.

About 87% of our business value—the money that was procured—was awarded competitively by us. The vast majority of our work, even with the application of NSEs, is competed. It is a complex job for procurement officers. They're specialized, and we train them rigorously. We bring them through a development program, and it takes five to six years to get them to the stage where they are handling these big procurements and dealing with NSE invocations.

Again, it's $23 billion annually that the Government of Canada awards in procurement, which is a slice of the $100 billion at all levels of government in Canada. Of that, 75% is managed by PSPC, and the rest is delegated to government departments. As you're aware, the lower-level, higher-volume contracts are delegated to other government departments. We handle 12% of the contracts, but that's 80% of the money.

No, it does not at all.

Au contraire, we are very interested in competition. Invoking the NSE doesn't for a moment mean that the government contracting regulations, the default for which is competition, don't apply. In fact, I can give you several recent examples in which we have had an NSE invoked, and there has been competition.

Fixed-wing search and rescue, as you'll see in the news this morning, was competed. One of the unsuccessful bidders has brought some legal action.

We competed the Arctic offshore patrol ships and joint support ships contract. A national security exception was invoked. We had four bidders. We have a successful bidder with whom we've concluded negotiations, and we're waiting to award the contract.

There have been a number of recent examples in which an NSE was in play and we competed successfully.

I should explain how the NSEs work.

I talked about the statistics regarding specific requests we've received over the past year, but I want to make sure that I'm clear for committee members. There are those requests that we receive from government departments as well as the omnibus ones, which you've heard described, that apply broadly.

When an NSE is granted, it applies to an entire project. For example, for Canadian surface combatants, which some of you have heard about, a national security exception has been invoked, and it will apply throughout the life of that project.

There are also blanket NSEs that apply for a certain duration of time. It's not that these exist forever; they are for the needs of a specific project. They simply ensure, as my colleagues were saying, integrity of the process and supply chain throughout, and you also avoid having to go back and ask every time you're issuing a contract.