Public Accounts Committee on Feb. 26th, 2008

To the best of our knowledge, the facility has not been compromised. We would not be conducting the operations we are conducting from that facility if we had any doubt as to the operational and technical integrity of the above-ground facility.

We've conducted extensive physical and technical inspections of the North Bay facility, both during the construction and subsequent to the construction but prior to the commissioning of the facility. We continue to have procedural and technical means to ensure that the integrity of the facility is such that it can be used for its intended purpose.

Absolutely.

When the construction contract was awarded, a threat risk assessment was done to determine whether or not the facility required people with security clearances to work on the initial construction phase of the building. It was deemed by the operational authority of the day that it was not required.

There was no circumvention at that point. Subsequently, during the construction of the facility, it was determined that the security measures had to be in place. Security measures were put in place to either have cleared contractors working on the facility or have those contractors working on the facility under escort. As the construction of the facility went on and we got ready to install systems, additional security measures were put in place.

It was a phased approach from the standpoint of starting from bare ground, where there were no security concerns, threats, or risks identified, to the point where systems were installed and the facility became secure and sensitive.

During these processes we continued to do testing through a variety of technical means, and we continued to do physical security inspections to ensure that the integrity of the building was maintained throughout.

I hate to do this, but as you are aware, we did a report in May 2007 that commented on the NORAD project. When we did that audit--as we mention in the text box on page 25--there were serious concerns raised by National Defence about the security of that project and the ability to close the below-ground project. They were not sure at that time if they could move all the systems up. I'd be interested to know if that below-ground complex has actually been closed, because that was what the above-ground one was for.

We have summarized in this text box the concerns about whether it could be used for the intended purposes and the access that contractors, both Canadian and foreign, had to the site. When we completed this audit, they indicated that they could, with certain modifications, use the building for the intended purpose.

We had asked for details on what those modifications were. As you will see here, at the time of our audit we did not receive any detailed plans or schedules. All of this text, as is our standard process, has been agreed with by National Defence, and they have agreed with the validity of the facts.

So there seems to be a little confusion here, but certainly when we did that original audit there were concerns about the use of that building.

As I stated in response to one of the earlier questions, the department has accepted the findings. That is clear and is normal practice. I would also say that we have accepted the responsibility for resolving any of the shortcomings and weaknesses that are there.

On the specific question as to whether we can prove with 100% certainty, I think that's akin to proving the negative. On that basis we continue to do ongoing security assessments. I think that is a part of the overall approach to security, which is more of a risk management process. To arrive at a position of zero risk is the objective, but it is not necessarily an attainable one.

Mr. Chairman, I'm sorry if I haven't gone as far as what you're looking for.

The government security policy lays out the broad elements of security that departments need to follow. The standard goes in and looks specifically at what is required when we're looking at the contracting of resources. It is a much more focused piece of material. It goes deeper into that information and talks about the requirements departments have to--

Yes. They must identify if there are security requirements, so that responsibility is clearly with the departments. They need to complete a checklist, if they are going to Public Works, to have Public Works do the contracting for them. If they're doing their own contracting they don't necessarily need to complete a checklist, but they're still responsible for identifying security requirements.

So that's really what it does. It just narrows that and focuses in on that aspect.

The Public Works workload is generated by Public Works. I would have to assume that the differential between 100% would be coming from other departments to Public Works for assessment.

Security requirement. So essentially what they are asking us to do is this. A requirement is identified, and we carry out either the clearances or the screening and we provide them with the clause that is required in order to cover the requirement that is identified.