Thank you again for the question.
I would defer to PSPC on anything that has to do with contracting. Our role is very much to review the security architecture sometimes, and we would work with them.
Departments have the responsibility to do the SA and A of their systems. They review the security accreditation of their systems, and we get involved in those accreditations. Before the system goes live, obviously if it contains sensitive information the department will have to accredit that it has met the security baseline that the cyber centre has established. Sometimes we are part of the project, so we get involved in that.
On repeat offenders and contracting issues, I would respectfully defer that to PSPC.