Public Accounts Committee on Feb. 26th, 2008

No, it is only if there's a requirement, but it is not overall.

Our policy is actually consistent with Treasury Board's policy in the sense that individuals who have access to facilities or information, either at a classified or designated level, require the necessary clearance or reliability status. That depends, again, on the information they would have access to. So if it were even a casual employee coming into a particular job--and normally, if it's casual, it's a reliability screening--that would probably be done, in most cases, through PWGSC. We would ensure that the individual had at least a reliability screening for designated information or the proper security clearance if the person had access to classified information.

That's the latest version of it.

It's been through a number of changes over time. I think 1986 was the original timeframe. It was modified in 1986, 1994, and 2002.

It predates the current version. It was implemented in 1996.

It was not modified in 2002.

A lot of things were changed in 2002 as a result of 9/11. That is one of the reasons the policy was reissued. The policy is the overarching piece that covers many different standards. Many new things went into place, like protection of personnel, identification of assets, and delivery of critical systems. Those all relate to, in many ways, the events of 9/11. IT security was implemented. Some changes were implemented to recognize the changes on the Internet, and so on.

Security screening changed a little bit. Although this particular standard didn't change, the requirement for security screening changed. Initially the standard had been at a basic level, which meant no criminal check. The change that occurred in 2002 was to increase it to include criminal checks. That also covered the contracting standard.

I agree with you. Frankly I try to look at it as the glass half full, but on sensitive contracts I don't question the point you're making.

In the course of assembling the sample, we did pick one area that was different from high sensitivity. This was secret/top secret. It has to do with protected information, which is different, as you may imagine. It was the same pattern, which is that a contract had been awarded, work had proceeded, and we screened the person to the right protected level: protected B.

The point I'm making is that in certain circumstances there's more risk tolerance. But in other cases, I agree with you. When you're talking secret/top secret, the margin of error for documents missing or not following procedures should be close to zero. Now, that does not bring risk to zero--that's another issue--but our procedure should be followed correctly.

It's different in three ways.

First, for those contracts that we generate, our acquisition branch now systematically flags, per a policy, the requirement for security. That is not only done manually, it's going to be done through our IT system. So that's the first thing. We have reinforced the need for that through communication and discussion with our staff.

Second, the program, headed by the director general, is more systematic in making sure that security clearances have been obtained at the time of contract award, which was the issue for the 24 that were singled out. That is the second thing we are doing.

Third, as I said, we're trying to find a long-term resource base that will ensure we have continuity in the program, so that the investments we're making in people and systems today are not lost as people leave.

All the recommendations made by the OAG have been implemented. The so-called “requirement for security checklist” is happening. Resources have come from Treasury Board in the amount of $11.2 million, so that has augmented the base of $6.7 million. These things are happening today. This is over and above what we're doing vis-à-vis the active contracts, which is looking into them to make sure they're all okay.

So new contracts are going through what I described, and we're going through past and active contracts very systematically to make sure nothing is missing. That goes back to the point made by Mr. Hubbard in terms of whether we have a level of assurance that things are okay. We're doing that.

When we completed our audit, the department indicated to us that a number of measures could be taken to ensure that the facilities could be used for their intended purposes. We asked them what mitigation measures had to be taken, as well as their cost and the plan to be used. We did not have that information at the time of the audit. I trust the word of the department officials, but I would of course like to have more details on the measures that were implemented.