I'd say the CBSA did this in-house. However, it used staff augmentation to assist it.
I think one of the lessons learned is we were relying too much on staff augmentation. Staff augmentation is not a bad thing. You need to bring in people who are technical experts and, in particular, cloud experts, who we may not have in place, as well as other experts in technology architecture and security accessibility.
It's not a bad thing to bring in contractors and consultants. The issue here is whether we overuse them.