Thank you for the question.
We come up with the various information security standards that are out there: protected A, protected B, protected C. We communicate those standards. They are sort of promulgated through Treasury Board. With each of these levels of classification, departments are aware of what information is classified as protected B or protected C, or what is secret and what is top secret. The departments themselves have to live by those standards. We don't audit them per se.
Sometimes we get pulled into specific projects. At that point, we provide some security advice to the project and ensure that the information security of the project is commensurate with the classification of the information. We don't review on a contract-by-contract basis what information is being provided to the contractor. I'm talking about it from an IT perspective, because my primary concern is cybersecurity and IT security.