Public Accounts Committee on Feb. 26th, 2008
A recording is available from Parliament.
On the agenda
- Sheila Fraser Auditor General of Canada, Office of the Auditor General of Canada
- François Guimont Deputy Minister, Department of Public Works and Government Services
- Ross Nicholls President and Chief Executive Officer, Defence Construction Canada
- Scott Stevenson Acting Assistant Deputy Minister, Infrastructure and Environment, Department of National Defence
- Ken Cochrane Chief Information Officer, Treasury Board Secretariat
- Dave Shuster Director, Deputy Provost Marshal Security, Department of National Defence
- Glynne Hines Chief of Staff, Assistant Deputy Minister, Information Management, Department of National Defence
The Chair Shawn Murphy
I'd like to call the meeting to order.
I want to extend to everyone here a very warm welcome. We have a large crowd here this morning, so hopefully everyone is comfortably seated and in their places.
Ladies and gentlemen, we are here today, pursuant to Standing Order 198(3)(g), to discuss chapter 1, “Safeguarding Government Information and Assets in Contracting”, of the October 2007 Report of the Auditor General of Canada.
We are pleased to have with us the Auditor General of Canada, Sheila Fraser. She is accompanied by the assistant auditor, Ronnie Campbell; and principal, Bruce Sloan.
From the Department of Public Works and Government Services we have the accounting officer, François Guimont. He is accompanied by Jane Meyboom-Hardy, the assistant deputy minister; and Gerry Deneault, the director general, industrial security sector.
From Defence Construction Canada we have Mr. Ross Nicholls, president and chief executive officer.
From the Department of National Defence we have Scott Stevenson, acting assistant deputy minister. We have Major-General Glynne Hines, chief of staff, assistant deputy minister, information management; and Lieutenant-Colonel Dave Shuster, director, deputy provost marshal, security.
From the Treasury Board Secretariat we have Mr. Ken Cochrane, chief information officer. He is accompanied by Mr. Pierre Boucher, senior director, identity management and security.
As I said, we have a very large crowd. They're not all at the table, but they can be called to the table should the need arise. Hopefully everyone is ready to go.
John Williams Edmonton—St. Albert, AB
On a point of order, Mr. Chairman, I have a letter here addressed to you from the Minister of Public Safety regarding your letter to him and Commissioner Elliot, and a response on the Canadian Firearms Centre and the information system. As you know, I always think these things should be entered into the minutes, so if anybody wants to know what happened to any response to your letter--they didn't ignore us--we finally got it six months later. Here it is.
The Chair Shawn Murphy
Thank you very much, Mr. Williams.
Mrs. Fraser, I understand you have some opening comments, so I'm going to turn the floor over to you.
Sheila Fraser Auditor General of Canada, Office of the Auditor General of Canada
Thank you, Mr. Chair.
We thank you for this opportunity to present the results of chapter 1 of our October 2007 report, entitled “Safeguarding Government Information and Assets in Contracting”.
Joining me today are Ronnie Campbell, assistant auditor general, and Bruce Sloan, senior principal, who were responsible for this audit.
The Government of Canada's ability to protect sensitive information and assets it entrusts to Canadian industry is critical to ensuring the health, safety, security, and economic well-being of Canadians, both at home and abroad. This ability is also important for maintaining Canada's international reputation and ensuring the continued growth of international trade.
We found serious weaknesses at almost all levels in the processes set up to ensure the security of government information in assets entrusted to industry. These weaknesses range from incomplete policies, an unclear mandate, poorly defined roles and responsibilities for industrial security, to a willingness of some officials to circumvent key security procedures in order to reduce costs and avoid delays in completing projects.
We found that many who play a role in industrial security are not sure of their responsibilities. All stages of the process rely on the assumption that the proper procedures were followed at the earlier stages, but there are few mechanisms to provide assurance that this is so.
As a result of weaknesses in the system, many federal contracts providing access to sensitive government information and assets have been awarded to contractors whose personnel and facilities had not been cleared to the appropriate security levels. These include a number of contracts awarded by the Department of Public Works and Government Services on behalf of other government departments, and thousands of contracts for national defence construction and maintenance projects awarded by Defence Construction Canada.
Of particular concern was the failure by officials at National Defence to properly incorporate contract security requirements for the construction of the above-ground complex in North Bay, Ontario. Contracts for this project were awarded by Defence Construction Canada to unscreened contractors. As a result, Canadian and foreign workers had virtually unlimited access to the construction plans and the construction site.
I am pleased to note that Defence Construction Canada has begun to address some of the issues raised in our report. We received a detailed management action plan that outlines the actions the entity will take to address our recommendations. The committee may wish to ask the entity about the progress it has made.
National Defence has also provided us with an action plan to address our recommendations. The committee may wish to ask the department what progress has been made to date and what steps have been taken to ensure that the NORAD above-ground complex can be used for its intended purpose.
PWGSC's Industrial Security Program plays a major role in ensuring that contracts with security requirements comply with the government security policy. We found that the program's operating procedures were in draft form and did not cover key activities essential to ensuring security in contracting . In addition, the program did not have stable funding, thus limiting its ability to hire and retain enough qualified security professionals.
I'm very pleased to note that Public Works and Government Services Canada has provided us with its management action plan. Although we have not audited the plan, we did review it. We believe that if it is carried out, the plan should address the concerns raised in our report. The committee may wish to ask the department about its strategies and the progress it has made to date, particularly its progress in obtaining stable funding for the program.
We found that the government did not know to what extent it is exposed to risks as a result of less than adequate industrial security. A concerted effort to strengthen accountability, to clarify policies, and to better define roles and responsibilities for security in contracting is required to help reduce these potential risks to the national interest.
Mr. Chair, this concludes my opening statement. We would be pleased to answer any questions the committee members may have.
The Chair Shawn Murphy
Thank you very much, Ms. Fraser.
Before going to Mr. Guimont, I want to point out that we were exceptionally late starting this meeting, so I plan to go until a quarter after one due to the importance of the meeting.
I understand, Mr. Guimont, you have an opening statement. Go ahead.
François Guimont Deputy Minister, Department of Public Works and Government Services
Mr. Chair, members of the committee, thank you for this opportunity to appear before you today.
The Industrial Security Program plays an important role in keeping government information and assets secure when these are entrusted to the private sector as a result of a government contract. In a nutshell, we do this by screening individuals and firms for all contracts for which PWGSC is the contracting authority, and when requested by other government departments exercising their own contracting authority.
The program processes about 2,000 security-related contracts a year, 75 % for which PWGSC is the contracting authority. We carry out this role for federal contracts and for contracts awarded to Canadian firms by the foreign governments with which we have security agreements.
While PWGSC is not the only department to perform contract security functions, as the main purchasing arm of the Government of Canada we handle many large contracts involving sensitive information and assets.
I was briefed on the initial observations and findings of the Auditor General last June, shortly after I began my duties as deputy minister of PWGSC. As the accounting officer, I took these observations seriously and began work in earnest to address the concerns raised. We did not wait until the Auditor General tabled her report.
Let me say before going any further that we agree with all of the Auditor General's recommendations. Our action plan has been reviewed by the Auditor General and tabled with the committee. It has four key elements that directly address her concerns.
First, we instituted a certification process to ensure that client departments clearly identify for every contract request whether there is a security requirement or not.
Second, we completed and issued an industrial security standard operating procedure that has been in draft form, and we train our people to ensure it is consistently followed.
Third, the industrial security program's information and technology systems were certified as mandated under government security policy.
Fourth, our business continuity plan now calls for daily, rather than weekly, backup of our security data.
Furthermore, recognizing the program's importance, we took additional steps. The program is undergoing an independent third party management review of its mandate, roles and responsibilities, and program delivery to be completed by March 31. IT upgrades are being made to improve the exchange of information between the department's contracting and security systems. And an advisory board comprising senior officials with experience in the security area has been struck to provide advice on the direction and policies of the program and to advance coordination and improvement of contract security across government. It held its first meeting in January.
We are also conducting a detailed review of all 3,000 current contracts with security requirements to verify that the program has fulfilled its security obligations. This review will be completed some time in August.
Finally, on the issue of resources to fully carry out the program's activities, the department has, year over year, reallocated resources on top of the existing base. In 2007-2008, an additional $11.2 million was allocated to contract security-related activities.
I am working diligently with my colleagues at Treasury Board Secretariat and the Privy Council Office to secure an increase in our permanent funding base for the program.
Thank you, Mr. Chair. I would be happy to answer your questions.
The Chair Shawn Murphy
Thank you very much, Mr. Guimont.
Mr. Nicholls, I understand you have some opening comments.
Ross Nicholls President and Chief Executive Officer, Defence Construction Canada
Mr. Chair, honourable committee members, I am very pleased to be able to speak to you today. As some of you are not very familiar with Defence Construction Canada, I would like to take this opportunity to tell you a bit more about the company.
Defence Construction's mandate pursuant to the Defence Production Act is to deliver defence projects related to physical infrastructure. The corporation's been doing this for 56 years and has developed a recognized expertise in real property contracting, contract management, and in certain related areas.
Defence Construction supports the Canadian Forces and the Department of National Defence in meeting their operational requirements at site, across Canada and abroad. We currently have an office in Afghanistan supporting the mission there.
The management of industrial security for defence projects is a joint responsibility of National Defence and Defence Construction. We are accountable for ensuring the security of sensitive information and assets once the security requirements have been identified by the Department of National Defence. The corporation has always implemented measures consistent with the government security policy to safeguard those assets and information.
Furthermore, we have agreed with Treasury Board Secretariat to apply the government security policy to all our operations related to the delivery of defence projects. Defence Construction uses the industrial security division of Public Works and Government Services Canada to provide the contractual clauses appropriate for identified security requirements and to process clearances for individuals and firms that are contracted to work on defence projects.
Defence Construction proactively implemented procedures to strengthen its management of industrial security during the Auditor General's audit activity. When the report was published, we accepted her recommendations to further strengthen the security management framework.
As Madam Fraser pointed out, Defence Construction shared with her its action plan to deal with her recommendations, and the plan was made available to the committee in advance of this meeting.
I would be very pleased to discuss our progress against this plan or any other aspect of the report that interests members. I'm confident that Defence Construction does its part as an integral member of Canada's defence and security team to safeguard sensitive assets and information related to defence projects.
The Chair Shawn Murphy
Thank you very much, Mr. Nicholls.
We're now going to hear from Mr. Scott Stevenson, the acting assistant deputy minister of the Department of National Defence. Mr. Stevenson.
Scott Stevenson Acting Assistant Deputy Minister, Infrastructure and Environment, Department of National Defence
Thank you, Mr. Chairman.
Mr. Chairman and members of the committee, thank you very much for the invitation to brief you today on the Department of National Defence's response to the Auditor General's October 2007 audit of security and contracting.
As you know, my name is Scott Stevenson and I'm the acting assistant deputy minister for infrastructure and environment. I'm joined today by Major-General Glynne Hines, the chief of staff of the information management group at National Defence, and our departmental security officer, Lieutenant Colonel Dave Shuster.
As you know, the audit contained two recommendations directed at National Defence. The first recommendation involved ensuring that our industrial security policies and procedures are up to date and complete and that they accurately reflect our roles and responsibilities under government security policy.
The second recommendation states that we should establish an integrated framework for managing industrial security on defence projects.
In the time given me today, I would like to give you an outline of the measures that have already been adopted by National Defence to follow up on those two points.
We have already drafted a new industrial security chapter for our departmental security manual. At the same time, our departmental security officer is working with stakeholders within the department and other government departments to ensure that our adjustable security policy and procedures are consistent with government security policy.
Mr. Chairman, this will help to address any current misconceptions or ambiguities on the part of project authorities.
We have also reviewed our procurement administration manual, which details our departmental procurement procedures. The responsibility of procurement and contracting authorities to identify security requirements in any procurement activity has been explicitly defined. These changes will also be reflected in our project approval guide.
To ensure coherence within the department, we have established a working group, co-chaired by senior managers responsible for material acquisition and construction, to ensure that our procurement policies and procedures are both workable and consistent with government security policy.
In order to improve security awareness at all levels, we are developing a new unit security supervisor course, which will include an industrial security module. The information contained in this module will be widely communicated across the department, which will further mitigate any potential misunderstanding or misapplication of the departmental security policy and the procedures relating to the contracting process.
The department has initiated staffing action to improve oversight and compliance with our industrial security program. The additional manpower will permit us to implement a regular verification program, and we are also investigating improvements to our information systems in order to enhance oversight.
Finally, we are working with Defence Construction Canada, which acts as the contracting authority for the majority of defence construction projects, in order to develop an integrated framework to ensure that security requirements are met during all phases of the contractual process.
I have just outlined a number of specific actions the department has undertaken or will undertake to address the concerns raised by the audit. I can assure you that the Department of National Defence is committed to ensuring that sensitive information and assets entrusted to industry through contracting are properly safeguarded. As a result of the Auditor General's report, the Department of National Defence is making significant improvements to our security provisions.
Thank you, Mr. Chairman.
The Chair Shawn Murphy
Thank you very much.
We're now going to hear from the Treasury Board Secretariat, Mr. Ken Cochrane, who is the chief information officer.
Ken Cochrane Chief Information Officer, Treasury Board Secretariat
Thank you, Mr. Chair, and good morning, committee members.
Thank you for the invitation to appear before your committee today to discuss the Auditor General's chapter on safeguarding government information and assets in contracting.
In chapter 1 of her 2007 report, the Auditor General makes several recommendations aimed at the Treasury Board Secretariat. We have taken action to address those concerns through our review of all management policies, known as “policy suite renewal”. My remarks today will highlight the progress we are making in this matter.
As part of policy suite renewal, the policy, standards, and guidelines on government security are currently under review, which should be competed before the end of this year. We are addressing the Auditor General's recommendations under three overarching themes.
Firstly, the new government security policy will clarify the requirements under the standard on security in contracting. This will ensure that the project authorities who originate the contracts will be the ones who certify the security requirements needed. By putting the burden of certifying the security requirements on the originator versus the contracting authority, we will increase the accountability of the group requesting the service, which has better knowledge of the specific security requirements.
Secondly, responding to another important recommendation of the Auditor General, the Treasury Board Secretariat will also require that departmental security officers implement quality assurance procedures. These procedures will be put into force by all departments and agencies and will provide for the ongoing review of contract files to ensure that they meet industrial security requirements.
Thirdly, through the renewed government security policy, standards, and guidelines, the Treasury Board Secretariat will ensure that deputy ministers have the information they need to satisfy themselves that they are fulfilling their accountabilities under the policy. Furthermore, the Treasury Board Secretariat has added an indicator under MAF, the management accountability framework, to assess the compliance of departments and agencies with security requirements.
The management accountability framework now provides for the assessment of departments' performance and effectiveness in safeguarding information, assets, and employees, as well as in ensuring the continued availability of critical services. We will assess key policy elements and ensure that security programs and systems of coordination are in place across government and that they are being administered effectively.
As we move forward in developing our new policy and standards, we are working closely with institutions to clarify requirements and guarantee that sound management practices for safeguarding government information and assets in contracting are in place.
This concludes my remarks. At this time, I would be pleased to answer questions that the committee has.
The Chair Shawn Murphy
Thank you very much, Mr. Cochrane.
David Sweet Ancaster—Dundas—Flamborough—Westdale, ON
Mr. Chair, this is a complex chapter, as it is, and I don't have any comments by Mr. Nicholls or Mr. Cochrane. Do we have copies of those?
The Chair Shawn Murphy
Mr. Sweet, I believe the staff is in the process of handing them out. You should have them momentarily. It's unfortunate that the meeting ahead of ours went over time.
I want to thank all the presenters. We're going to start with the first round of seven minutes.
Before we start, I would again urge all members of the committee to keep their questions relevant and to the point, and I urge all witnesses to keep their answers concise and relevant to the question being asked.
Mr. Wrzesnewskyj, you have seven minutes.