Public Accounts Committee on Feb. 26th, 2008

Thank you, Mr. Chair.

We thank you for this opportunity to present the results of chapter 1 of our October 2007 report, entitled “Safeguarding Government Information and Assets in Contracting”.

Joining me today are Ronnie Campbell, assistant auditor general, and Bruce Sloan, senior principal, who were responsible for this audit.

The Government of Canada's ability to protect sensitive information and assets it entrusts to Canadian industry is critical to ensuring the health, safety, security, and economic well-being of Canadians, both at home and abroad. This ability is also important for maintaining Canada's international reputation and ensuring the continued growth of international trade.

We found serious weaknesses at almost all levels in the processes set up to ensure the security of government information in assets entrusted to industry. These weaknesses range from incomplete policies, an unclear mandate, poorly defined roles and responsibilities for industrial security, to a willingness of some officials to circumvent key security procedures in order to reduce costs and avoid delays in completing projects.

We found that many who play a role in industrial security are not sure of their responsibilities. All stages of the process rely on the assumption that the proper procedures were followed at the earlier stages, but there are few mechanisms to provide assurance that this is so.

As a result of weaknesses in the system, many federal contracts providing access to sensitive government information and assets have been awarded to contractors whose personnel and facilities had not been cleared to the appropriate security levels. These include a number of contracts awarded by the Department of Public Works and Government Services on behalf of other government departments, and thousands of contracts for national defence construction and maintenance projects awarded by Defence Construction Canada.

Of particular concern was the failure by officials at National Defence to properly incorporate contract security requirements for the construction of the above-ground complex in North Bay, Ontario. Contracts for this project were awarded by Defence Construction Canada to unscreened contractors. As a result, Canadian and foreign workers had virtually unlimited access to the construction plans and the construction site.

I am pleased to note that Defence Construction Canada has begun to address some of the issues raised in our report. We received a detailed management action plan that outlines the actions the entity will take to address our recommendations. The committee may wish to ask the entity about the progress it has made.

National Defence has also provided us with an action plan to address our recommendations. The committee may wish to ask the department what progress has been made to date and what steps have been taken to ensure that the NORAD above-ground complex can be used for its intended purpose.

PWGSC's Industrial Security Program plays a major role in ensuring that contracts with security requirements comply with the government security policy. We found that the program's operating procedures were in draft form and did not cover key activities essential to ensuring security in contracting . In addition, the program did not have stable funding, thus limiting its ability to hire and retain enough qualified security professionals.

I'm very pleased to note that Public Works and Government Services Canada has provided us with its management action plan. Although we have not audited the plan, we did review it. We believe that if it is carried out, the plan should address the concerns raised in our report. The committee may wish to ask the department about its strategies and the progress it has made to date, particularly its progress in obtaining stable funding for the program.

We found that the government did not know to what extent it is exposed to risks as a result of less than adequate industrial security. A concerted effort to strengthen accountability, to clarify policies, and to better define roles and responsibilities for security in contracting is required to help reduce these potential risks to the national interest.

Mr. Chair, this concludes my opening statement. We would be pleased to answer any questions the committee members may have.

Thank you.

Mr. Chair, members of the committee, thank you for this opportunity to appear before you today.

The Industrial Security Program plays an important role in keeping government information and assets secure when these are entrusted to the private sector as a result of a government contract. In a nutshell, we do this by screening individuals and firms for all contracts for which PWGSC is the contracting authority, and when requested by other government departments exercising their own contracting authority.

The program processes about 2,000 security-related contracts a year, 75 % for which PWGSC is the contracting authority. We carry out this role for federal contracts and for contracts awarded to Canadian firms by the foreign governments with which we have security agreements.

While PWGSC is not the only department to perform contract security functions, as the main purchasing arm of the Government of Canada we handle many large contracts involving sensitive information and assets.

I was briefed on the initial observations and findings of the Auditor General last June, shortly after I began my duties as deputy minister of PWGSC. As the accounting officer, I took these observations seriously and began work in earnest to address the concerns raised. We did not wait until the Auditor General tabled her report.

Let me say before going any further that we agree with all of the Auditor General's recommendations. Our action plan has been reviewed by the Auditor General and tabled with the committee. It has four key elements that directly address her concerns.

First, we instituted a certification process to ensure that client departments clearly identify for every contract request whether there is a security requirement or not.

Second, we completed and issued an industrial security standard operating procedure that has been in draft form, and we train our people to ensure it is consistently followed.

Third, the industrial security program's information and technology systems were certified as mandated under government security policy.

Fourth, our business continuity plan now calls for daily, rather than weekly, backup of our security data.

Furthermore, recognizing the program's importance, we took additional steps. The program is undergoing an independent third party management review of its mandate, roles and responsibilities, and program delivery to be completed by March 31. IT upgrades are being made to improve the exchange of information between the department's contracting and security systems. And an advisory board comprising senior officials with experience in the security area has been struck to provide advice on the direction and policies of the program and to advance coordination and improvement of contract security across government. It held its first meeting in January.

We are also conducting a detailed review of all 3,000 current contracts with security requirements to verify that the program has fulfilled its security obligations. This review will be completed some time in August.

Finally, on the issue of resources to fully carry out the program's activities, the department has, year over year, reallocated resources on top of the existing base. In 2007-2008, an additional $11.2 million was allocated to contract security-related activities.

I am working diligently with my colleagues at Treasury Board Secretariat and the Privy Council Office to secure an increase in our permanent funding base for the program.

Thank you, Mr. Chair. I would be happy to answer your questions.

Mr. Chair, honourable committee members, I am very pleased to be able to speak to you today. As some of you are not very familiar with Defence Construction Canada, I would like to take this opportunity to tell you a bit more about the company.

Defence Construction's mandate pursuant to the Defence Production Act is to deliver defence projects related to physical infrastructure. The corporation's been doing this for 56 years and has developed a recognized expertise in real property contracting, contract management, and in certain related areas.

Defence Construction supports the Canadian Forces and the Department of National Defence in meeting their operational requirements at site, across Canada and abroad. We currently have an office in Afghanistan supporting the mission there.

The management of industrial security for defence projects is a joint responsibility of National Defence and Defence Construction. We are accountable for ensuring the security of sensitive information and assets once the security requirements have been identified by the Department of National Defence. The corporation has always implemented measures consistent with the government security policy to safeguard those assets and information.

Furthermore, we have agreed with Treasury Board Secretariat to apply the government security policy to all our operations related to the delivery of defence projects. Defence Construction uses the industrial security division of Public Works and Government Services Canada to provide the contractual clauses appropriate for identified security requirements and to process clearances for individuals and firms that are contracted to work on defence projects.

Defence Construction proactively implemented procedures to strengthen its management of industrial security during the Auditor General's audit activity. When the report was published, we accepted her recommendations to further strengthen the security management framework.

As Madam Fraser pointed out, Defence Construction shared with her its action plan to deal with her recommendations, and the plan was made available to the committee in advance of this meeting.

I would be very pleased to discuss our progress against this plan or any other aspect of the report that interests members. I'm confident that Defence Construction does its part as an integral member of Canada's defence and security team to safeguard sensitive assets and information related to defence projects.

Thank you.

Thank you, Mr. Chairman.

Mr. Chairman and members of the committee, thank you very much for the invitation to brief you today on the Department of National Defence's response to the Auditor General's October 2007 audit of security and contracting.

As you know, my name is Scott Stevenson and I'm the acting assistant deputy minister for infrastructure and environment. I'm joined today by Major-General Glynne Hines, the chief of staff of the information management group at National Defence, and our departmental security officer, Lieutenant Colonel Dave Shuster.

As you know, the audit contained two recommendations directed at National Defence. The first recommendation involved ensuring that our industrial security policies and procedures are up to date and complete and that they accurately reflect our roles and responsibilities under government security policy.

The second recommendation states that we should establish an integrated framework for managing industrial security on defence projects.

In the time given me today, I would like to give you an outline of the measures that have already been adopted by National Defence to follow up on those two points.

We have already drafted a new industrial security chapter for our departmental security manual. At the same time, our departmental security officer is working with stakeholders within the department and other government departments to ensure that our adjustable security policy and procedures are consistent with government security policy.

Mr. Chairman, this will help to address any current misconceptions or ambiguities on the part of project authorities.

We have also reviewed our procurement administration manual, which details our departmental procurement procedures. The responsibility of procurement and contracting authorities to identify security requirements in any procurement activity has been explicitly defined. These changes will also be reflected in our project approval guide.

To ensure coherence within the department, we have established a working group, co-chaired by senior managers responsible for material acquisition and construction, to ensure that our procurement policies and procedures are both workable and consistent with government security policy.

In order to improve security awareness at all levels, we are developing a new unit security supervisor course, which will include an industrial security module. The information contained in this module will be widely communicated across the department, which will further mitigate any potential misunderstanding or misapplication of the departmental security policy and the procedures relating to the contracting process.

The department has initiated staffing action to improve oversight and compliance with our industrial security program. The additional manpower will permit us to implement a regular verification program, and we are also investigating improvements to our information systems in order to enhance oversight.

Finally, we are working with Defence Construction Canada, which acts as the contracting authority for the majority of defence construction projects, in order to develop an integrated framework to ensure that security requirements are met during all phases of the contractual process.

I have just outlined a number of specific actions the department has undertaken or will undertake to address the concerns raised by the audit. I can assure you that the Department of National Defence is committed to ensuring that sensitive information and assets entrusted to industry through contracting are properly safeguarded. As a result of the Auditor General's report, the Department of National Defence is making significant improvements to our security provisions.

Thank you, Mr. Chairman.

Thank you, Mr. Chair, and good morning, committee members.

Thank you for the invitation to appear before your committee today to discuss the Auditor General's chapter on safeguarding government information and assets in contracting.

In chapter 1 of her 2007 report, the Auditor General makes several recommendations aimed at the Treasury Board Secretariat. We have taken action to address those concerns through our review of all management policies, known as “policy suite renewal”. My remarks today will highlight the progress we are making in this matter.

As part of policy suite renewal, the policy, standards, and guidelines on government security are currently under review, which should be competed before the end of this year. We are addressing the Auditor General's recommendations under three overarching themes.

Firstly, the new government security policy will clarify the requirements under the standard on security in contracting. This will ensure that the project authorities who originate the contracts will be the ones who certify the security requirements needed. By putting the burden of certifying the security requirements on the originator versus the contracting authority, we will increase the accountability of the group requesting the service, which has better knowledge of the specific security requirements.

Secondly, responding to another important recommendation of the Auditor General, the Treasury Board Secretariat will also require that departmental security officers implement quality assurance procedures. These procedures will be put into force by all departments and agencies and will provide for the ongoing review of contract files to ensure that they meet industrial security requirements.

Thirdly, through the renewed government security policy, standards, and guidelines, the Treasury Board Secretariat will ensure that deputy ministers have the information they need to satisfy themselves that they are fulfilling their accountabilities under the policy. Furthermore, the Treasury Board Secretariat has added an indicator under MAF, the management accountability framework, to assess the compliance of departments and agencies with security requirements.

The management accountability framework now provides for the assessment of departments' performance and effectiveness in safeguarding information, assets, and employees, as well as in ensuring the continued availability of critical services. We will assess key policy elements and ensure that security programs and systems of coordination are in place across government and that they are being administered effectively.

As we move forward in developing our new policy and standards, we are working closely with institutions to clarify requirements and guarantee that sound management practices for safeguarding government information and assets in contracting are in place.

This concludes my remarks. At this time, I would be pleased to answer questions that the committee has.

Yes, I am.

Yes, that is correct, Chair.

No, I am not.

If I could clarify this, Chair, it would not be the departmental security officer, but the people managing the specific project, and there would be separate responsibilities from the departmentals who were there.

That is correct.

If I can, I'd like to pass that question over to Major-General Hines, who is actually our subject matter expert on the above-ground complex.

Mr. Chair, as far as the above-ground complex in North Bay goes, the original design was conceived in the late 1990s and the tendering process went on in the 2002 and beyond timeframe. For the initial construction activity that took place, there was an original threat risk assessment done relating to that facility, and it was determined at that time that a security requirements checklist was not required to initiate the construction of the building. During the construction of the building, as is normal, a security review was conducted, and it was determined that additional security would be required, as the building envelope had been constructed, and as we were getting ready to do the fit-up of equipment, which would cause the building to go from an unclassified, no-clearance-required nature to a classified, clearance-required nature. At that time, when the security requirement became evident during the construction, and prior to installing the systems, contractors with security clearances were required to be on site or workers on site were required to be under escort.

There was not a security requirements checklist required at that point of the construction. Appropriate security measures were taken once the building envelope had been completed and the building became a sensitive area from an operational standpoint. The contractors—

I'd actually probably refer it back to Mr. Stevenson to refer specifically to those 8,500 files.

Now, I'm in charge of administering the security program for the department, and whether or not the project-initiating authority actually submits a security requirements checklist is at the discretion of the project-initiating authority. So in some cases we don't necessarily know in my office that a project is even ongoing at a small base, if it's a maintenance project—

Mr. Chairman, if I may respond to that and help put the question and the observation about the 8,500 contracts between 2002 and 2007 into context, National Defence has more than 20,000 buildings, more than 13,000 works, and more than 5,000 kilometres of roads, so the construction and upkeep of those are what generates the volume of contracting.

A fraction of that has a security requirement, and I can tell you, sir, that as part of the action plan to follow up on the audit, we're reviewing those contracts to determine where there may have been any weaknesses in terms of security procedure and in fact in terms of security impacts, and so we're following up on those.

I can answer that, or at least the first part of that question, Mr. Chairman.

The NORAD facility is currently being used for its intended purpose, without any restrictions. As far as the cost of the building goes, it is my understanding, and I would have to refer to Mr. Stevenson--

There are no additional costs for the security lapses. There were additional security measures taken in that building that are consistent with the evolving threat. If we go back to when this building was designed in the late 1990s, subsequent to the contracting for that facility and the commissioning of that facility as a NORAD air defence centre, the threat has changed. The threat to North America, the threat that NORAD is responding to, has changed, and that has required some additional measures to be taken from an operational perspective, not related to the security of the building.

Those changes in the operational posture of that building, as a result of the post-9/11 environment that we're working in, warranted a number of both physical and technical means to be put in place to ensure the continued integrity of that facility. Those means were put in place before the building was commissioned for use by NORAD and the Canadian Air Defence Sector, and they continue to be in place and monitored today.

Thank you, Mr. Chairman.

In the course of the audit, we noted that for the majority of construction contracts, the check list or security control list had not been completed. That was not a requirement. We believe that an analysis must be done and that there needs to be some form of assurance that an analysis was conducted. However, someone decided that additional security measures were not needed. In fact, we do not know why there is no check list; it could be because additional security measures are not needed or because of an oversight.

There was some confusion between the roles and responsibilities of Defence Construction Canada and those of the department. Who is truly responsible? Today, the corporation indicated that the responsibility to determine the security needs rested with National Defence, and that they, obviously, build according to the plans and requirements set out by the department.

We recommend that the check list be completed for all projects and that, even in those cases where there are no additional or heightened security needs, that be clearly indicated, in order to ensure that someone has reviewed the project and then come to that conclusion.

We reviewed the action plans and they seemed to be appropriate. If the measures are taken, they will satisfy our recommendations. Of course, we will have to conduct an audit at a later date to ensure that the actions have indeed been implemented.

In our opinion, there is a risk that security was breached.

We have no assurance for projects that were carried out in the past. For example, we see that work has started on a number of contracts, even with contracts classified “secret”, without all the clearances having been completed. We are talking about several months of work. In other cases, there was no security assessment. Needless to say, in such cases, security might have been compromised.

Mr. Chair, as I said earlier, the Minister of National Defence has accepted all of the Auditor General's findings, whether regarding the North Bay project or those of a more general nature. We are taking this very seriously.

The paragraph you mentioned, Mr. Laforest, states that the other security measures were taken. Security guards escorted those contractors who had not received clearances. So, all other measures were taken. We did take good note of these issues, however, and our action plan states that measures are being taken to correct the problem.

We are reviewing all those contracts as part of our action plan. We have begun to...

The Department of National Defence had and still has a multi-party security program. This means that everywhere National Defence is present, whether in Canada or abroad, a security system is in place.

Mr. Shuster is a key element of that system, but there are also military police officers and members of each unit's security services. If and when problems occur, a system is in place to identify and remediate them. That is all part of risk management, which is a component of the government's security framework policy. That is part of the program that we are continuing to implement.

Coming up with an answer to that question is one of the goals of our action plan. Most of the 8,500 projects I spoke about deal with things like home roofing. We are looking to find an answer to that question.

That is correct, sir.

That's correct.

Yes, sir.

Earlier last year the facility was occupied by the military members from the Canadian Air Defence Sector. They are conducting the NORAD mission from there. The United States Air Force and the Department of Defense in the U.S. did their own independent inspection of the facility to warrant that it was suitable for the installation of their sensitive information systems, as is the norm in any of the facilities they use that we share in the domestic role. They did their inspections, they were satisfied, and they have given us the authority to operate their systems within the NORAD facility in North Bay.

Yes. Essentially, yes, from now on. We started that some months ago through an amendment to our form. They have to clearly indicate that in this contract there is no requirement. Before, that was not done, and it led to confusion. This is now done systematically.

Actually, I would answer the following way.

Departments have to comply with the government's security policy that my colleague Mr. Cochrane spoke about. So it outlines the requirements. They have to have a departmental security officer, we heard in DND, and it's the same thing for Public Works and any other department. So it essentially sets the framework against which they have to be doing business as it relates to security requirements.

We in Public Works generate our own contracts, about 1,500 per annum. Therefore, it is a side of my department in proceeding with contracts—so-called contract authority—that this person has to say there is a requirement. When the requirement is identified, it goes to the industrial securities program segment of my department and things are done.

We also carry out so-called assessment work for departments for about 500 contracts. So per annum overall, for 2,000 contracts, 1,500 were generated by Public Works, and in 500 a department tells us it has a security requirement and would like the industrial security program to carry out the work needed to clear these individuals or companies.

That relationship, by the way, can exist between me and DCC. If DND flags a requirement and DCC says it will look into it, it can do it or come to me and I'll do it on its behalf. That is a sub-segment of the so-called 2,000 contracts we do per annum.

The point I'm making here is that departments have responsibilities under the government security policy. They can come to us in certain cases and we will do it. I generate a fair amount of work myself through the contracts that I issue.

Yes, essentially the terminology we use in government is the departmental security officer, and when we deal with a company we call them company security officers. So it has essentially, as an image, pretty much the same responsibilities. When there's a requirement for a company to meet certain demands, we as Public Works expect those demands to be carried out as a point of entry through the company security officers.

So that's the relationship that exists.

Yes, I understand your question.

Essentially the point you're making speaks to our enforcement and compliance responsibilities, which are discharged in part through inspections. It's not only that, frankly. The Auditor General did also pick up on certain documentation that was missing. When you look at it, we had an onus to ask the company to provide this information. I'm thinking about the security briefing, the so-called security agreement, but it's also the onus of the company to provide this information proactively.

So I'm not going to start sharing blame here. These documents should have been on file.

Normally our inspections allow us to make sure that the company security officer meets the requirements. I will give you examples. Certain sections of the company, where sensitive information may be dealt with, would have padlocks. Their ID systems will be pressure-tested to certain standards. There will be security officers with badges. I'm giving you examples of requirements that may be part of a contract clause, and we expect the company to discharge that. Our way to check this is through inspections to make sure things are happening the way they should. In the past we've carried on inspections, and we are augmenting that in other inspections that we're carrying on.

This has been at the core of the issues we face in this audit.

To be very clear with you, the basic financial base of that program is about $6.7 million per annum. In my career I've rarely seen a program being doubled by reallocation within a department. I guess someone can point to an exception, I'm sure, but normally a reallocation to a program is a top-up. You add 10% or a 20% because of workload, complexity, or a special project being asked of the manager.

In this case the reallocation, on average, in the last couple of years was $6 million--a $6 million reallocation, a $6.7 million base. What it speaks to is two things. First of all, the program experienced a significant workload increase as a result of 9/11. The second point is more contracting activity as a result of the economy growing.

Nobody should be surprised by that. I don't know what the curve is, but it's normal that as you have a growth in economy you can have more contracts, more activities. So that's another element.

This is compounded by the fact that if you reallocate, you reallocate on a yearly basis. So if I am the manager, I have my base of about $6.7 million, and the department, through the deputy minister, reallocates on a yearly basis about $6 million, but I can't use that base, which is a reallocation, to plan long-term staffing. It creates a vicious circle. The cash is there. The cash can be used, but you're trying to attract talent. You say, “Well, yes, I would like you to come over. We have good important work. It's actually interesting work, to be honest, but I'm giving you 12 months because we're trying to stabilize the workforce and the budget.” So it creates a bit of a conundrum, where we try to staff and people come. Because it is a 12-month assignment with a potential window--it's a 12-month assignment vis-à-vis the budget you have that year--people do come and leave.

Secondly, some people have other options than having to work for 12 months. That's another thing. With people leaving, you lose corporate memory. You train them, you prepare them, they do good work, and then they potentially leave. The numbers that the Auditor General picked up are accurate: 28%, 29%, 30%. It's a significant part of the workforce that is unstable, if you wish, in the sense of contributing in a steady fashion to the outcomes they're trying to achieve.

I'm trying to explain here the dynamic vis-à-vis the resources. Now, the answer for me as the accounting officer is to work hard at getting a stable long-term multiple-year base. I've been working at this with Treasury Board, at Privy Council Office.

Since 1941.

Essentially the answer lies in what I explained vis-à-vis resources. We have a program that has not been resourced at the right level.

I think the department really made efforts to top up that budget in a very responsible fashion. To give $6 million, on average, in the last couple of years to a base of $6.7 million is quite telling. It's not like $100,000 or $1 million was given. It was a substantial amount. So that's the first thing.

With regard to your point about draft policies and procedures, frankly this speaks to the fact that people were going to the more pressing and the higher priority. I am not saying that finalizing the procedures and policies is not important, but they did exist. They were in draft form, not finalized. And they have been finalized, very quickly. This was taken on as being a priority, picked up by the OAG--

I don't really disagree with you, frankly; it's a very good point. As the accounting officer, when I sat down with my staff, I was a bit surprised that since 1941.... But setting that aside, in recent years the program had not been audited, because probably some of these things would have been picked up.

An audit is not a bad thing. An audit says you have problems here and problems there. I'm not going to pass judgment on that. It was not audited. I would like to have seen it audited in the context of a big department. You have a risk-based approach, and someone somewhere--your own people, not the OAG--says you should be looking at that program. I think a lot of these things would have been picked up and corrected.

I just want to leave with you the thought that when people are trying to work in an environment where both the complexity and the workload have increased, they will go to the more pressing. They're trying to do a good job, and things like websites and going from a draft to a final policy will be of lesser priority even if they are, to my mind, important, critical.

There is one last point: it was done, and it was done quickly. They were draft. It's not as if they didn't exist. They were polished up, buffed up, and finalized.

I will answer the question--

In the same way as I looked at the 24 contracts, I also looked at the overall sample of 86, and quite a number of them were done correctly. It was important to me because I wanted to understand if there was something systemic or systematic in the industrial security program. The answer to that is probably no, because the majority were done correctly.

In the case of those contracts that were done ahead of time--contracts awarded before security clearance was awarded correctly--the OAG picked up that at least in six cases some measures were put in place to mitigate risk. That's the first thing.

In the second phase of our action plan we looked at all those 24 contracts to see if measures had been taken. I know it was after the fact to see if measures had been taken to minimize risk, but for the 24, they had been. In the same way as the OAG looked at six, we looked at the 24. In some cases resources that had access to certain information were escorted; in some other cases the contract had started, but the sensitive information had not been used by the contractor.

To pick up on that point, all 24 contracts were security cleared, so I want to leave that very clear image with you.

What I'm saying here has been said by the OAG. She acknowledges that in all those cases the clearance was given; the issue was totally timing--i.e., the contract was given before clearance--but I want to leave the very clear statement with you that clearances were provided. What I'm telling you is that for the 24 contracts, while it was not perfect because it was clearance after the fact, during that period of time there were mitigating measures. Although they were not perfect, there were mitigating measures.

We have the four-phase action plan. We have it addressing, first, all the recommendations made by the OAG. That is done. I'm not talking about a month from now or two months from now; we've done that.

There is one component related to IT that we will have completed sometime next October. This is to have a better cross-log of information between our contracting authority and the industrial security program database, which were disconnected for reasons of security. That is going to be done in October. That is the first phase.

The second phase is that we have looked at the 24 contracts to make sure we were satisfied that we would be at a low risk for breaches of security, and we're satisfied that is the case. The people in the 24 contracts were cleared. After the fact is not the ideal situation, but that is the reality.

On top of that, we've decided to look at active contracts, 3,000 of them, to make sure the elements picked up by the OAG don't replicate themselves into the active contracts. We are proceeding with that. It's a three-stage approach, and it will be completed in August. We are doing this very systematic wall-to-wall approach to make sure we're minimizing risk for the contracts. These measures are in addition to the procedures and policies we're putting in place and the management review we're carrying out on the program overall.

We are certainly pleased with the action plans that have been presented. As was mentioned, we did review the action plan of Public Works, and it does address our recommendations. I say that, of course, under reserve. We will eventually go back and re-audit this to make sure these things are being put in place.

On this particular question, though, it would be easy to say that all the clearances have to be in place before the work begins. But sometimes that isn't the reality. What we would expect in that case is that there would be a very detailed and complete risk mitigation plan, so it would be clear up front that if the clearances aren't all in place, yes, the project may start. But what information do those contractors not get access to? What other risk mitigation techniques would be used until the security clearances come through?

I think that would be the way to probably handle that kind of situation.

I must admit that I came prepared for this discussion today, so I'm not.... I will go by memory here to the extent possible, if you can bear with me.

I think it would probably be more appropriate, if you don't mind.

I know exactly what you're talking about. I know the file. My level of detail will probably not satisfy your questions.

Yes.

To the best of our knowledge, the facility has not been compromised. We would not be conducting the operations we are conducting from that facility if we had any doubt as to the operational and technical integrity of the above-ground facility.

We've conducted extensive physical and technical inspections of the North Bay facility, both during the construction and subsequent to the construction but prior to the commissioning of the facility. We continue to have procedural and technical means to ensure that the integrity of the facility is such that it can be used for its intended purpose.

Absolutely.

When the construction contract was awarded, a threat risk assessment was done to determine whether or not the facility required people with security clearances to work on the initial construction phase of the building. It was deemed by the operational authority of the day that it was not required.

There was no circumvention at that point. Subsequently, during the construction of the facility, it was determined that the security measures had to be in place. Security measures were put in place to either have cleared contractors working on the facility or have those contractors working on the facility under escort. As the construction of the facility went on and we got ready to install systems, additional security measures were put in place.

It was a phased approach from the standpoint of starting from bare ground, where there were no security concerns, threats, or risks identified, to the point where systems were installed and the facility became secure and sensitive.

During these processes we continued to do testing through a variety of technical means, and we continued to do physical security inspections to ensure that the integrity of the building was maintained throughout.

I hate to do this, but as you are aware, we did a report in May 2007 that commented on the NORAD project. When we did that audit--as we mention in the text box on page 25--there were serious concerns raised by National Defence about the security of that project and the ability to close the below-ground project. They were not sure at that time if they could move all the systems up. I'd be interested to know if that below-ground complex has actually been closed, because that was what the above-ground one was for.

We have summarized in this text box the concerns about whether it could be used for the intended purposes and the access that contractors, both Canadian and foreign, had to the site. When we completed this audit, they indicated that they could, with certain modifications, use the building for the intended purpose.

We had asked for details on what those modifications were. As you will see here, at the time of our audit we did not receive any detailed plans or schedules. All of this text, as is our standard process, has been agreed with by National Defence, and they have agreed with the validity of the facts.

So there seems to be a little confusion here, but certainly when we did that original audit there were concerns about the use of that building.

As I stated in response to one of the earlier questions, the department has accepted the findings. That is clear and is normal practice. I would also say that we have accepted the responsibility for resolving any of the shortcomings and weaknesses that are there.

On the specific question as to whether we can prove with 100% certainty, I think that's akin to proving the negative. On that basis we continue to do ongoing security assessments. I think that is a part of the overall approach to security, which is more of a risk management process. To arrive at a position of zero risk is the objective, but it is not necessarily an attainable one.

Mr. Chairman, I'm sorry if I haven't gone as far as what you're looking for.

The government security policy lays out the broad elements of security that departments need to follow. The standard goes in and looks specifically at what is required when we're looking at the contracting of resources. It is a much more focused piece of material. It goes deeper into that information and talks about the requirements departments have to--

Yes. They must identify if there are security requirements, so that responsibility is clearly with the departments. They need to complete a checklist, if they are going to Public Works, to have Public Works do the contracting for them. If they're doing their own contracting they don't necessarily need to complete a checklist, but they're still responsible for identifying security requirements.

So that's really what it does. It just narrows that and focuses in on that aspect.

The Public Works workload is generated by Public Works. I would have to assume that the differential between 100% would be coming from other departments to Public Works for assessment.

Security requirement. So essentially what they are asking us to do is this. A requirement is identified, and we carry out either the clearances or the screening and we provide them with the clause that is required in order to cover the requirement that is identified.

No good reason that I can think of. Frankly, I've been there for years...and I will look at my colleague Gerry. I would like to think that probably the majority of sensitive contracts emanating from a department come our way for assessment. So most of the highly sensitive ones would.

No, this was contained within Defence and DCC, so we were not involved in the NORAD....

I would say if a requirement had been identified, the program would have carried out the necessary assessment and clearances and all that. If the requirement had not been identified, we would not have known.

We haven't gone that far. We are recommending that this checklist be used and that there be a clear indication of whether a security clearance is required or not. The problem now is that the checklist is optional. So when, for example, the industrial security program gets the checklist indicating that security clearance is required, they carry it out. But if they are never advised or there's no indication, they would not know.

We think there needs to be a better system of clearly identifying if a security clearance is required or not and that this checklist not be optional.

Mr. Chairman, the checking out of the “no requirement”, which is what Madam Fraser and I are making reference to, was not a requirement clearly stated in the government security policy. At the time of the audit, we were of the opinion that what we had done--and probably my colleagues around the table would say that as well--was consistent with the intent of the government security policy, and I think the board would probably confirm that. We thought we were consistent.

In the dialogue with the auditors and Madam Fraser, we also concluded that there's nothing like greater certainty. For the purposes of greater certainty, say you don't have a requirement and then you thought about it, so at that time--

Yes, it is mandatory now.

I was getting there, but I'll cut to the chase. We have already put in our form, in Public Works, a requirement for a “no” box. It's there.

Maybe, Mr. Chair, I could respond to this.

You would look at the efficiency within the system and ask that question, which I think is a legitimate one.

One of the things the Treasury Board Secretariat is actually engaged in with Public Works and the PCO is leading an initiative to look at personnel screening across the entire system. As a result of looking at personnel screening—that would be the folks who work inside the government, contractors, and other programs where screening occurs—the opportunity exists for us to look at efficiency. So that's an initiative that's under way. We haven't responded and indicated that we think we should centralize that capability, but it certainly allows us to assess the whole system of screenings in government, because a lot of this has to do with the screening of people and assurance levels to determine how we might want to manage that differently.

So a final decision hasn't been arrived at, but we are looking at it holistically across the government, partially for efficiency but also partially to ensure there are standard approaches to security screening.

The responsibility of the Treasury Board Secretariat, in many different policy areas, is to fundamentally establish the management policies of the Government of Canada. What we've been doing over the course of the last two years is going through what we call policy suite renewal. The reason for that, I think, is that fundamentally when you look at the range of management policies that existed, there were some 180 management policies in the Government of Canada prior to policy suite renewal. We're actually refining that down to about 44 policies. So one of the jobs is to try to undo this web of rules and clarify what people are responsible for. That's a big part of our role, to try to clarify things much more substantially for departments.

Part of the policy suite renewal is also structuring things so that when you look at the policy you get an instant indication of whether there is something that you need to do for contracting. It's not buried somewhere. It's very clear and consistent that there's something I need to do for physical security.

So I would say that the policy material that was there was probably difficult to work with overall. We're implementing many elements that will add to the controls. One of those is to monitor—that's probably not exactly the right word—or work with departments through the management accountability framework to do regular assessments on an annual basis to determine if the policies are being followed. We can carry that to very deep levels of assurance if we choose to do so.

I think it's a big integrated system, so if there's some lack of clarity in the work that we've done in the past, then we obviously have a role to play in this overall.

Thank you, Mr. Chair.

This discussion always comes back to the relative weight of responsibilities among the central agencies, the Treasury Board Secretariat and the deputy ministers and their own departments. It is up to the Treasury Board Secretariat to establish those management policies. They should be doing some monitoring, but I think at the end of the day we also have to say that it is up to the departmental heads to make sure their departments are meeting and respecting the policies that are put in place. The burden isn't only on the Treasury Board Secretariat.

Certainly in this case there is confusion in the policy. There was confusion about roles and responsibilities. I think that underlying a lot of the problems was perhaps the lack of--and I hate to use these words--importance or significance that a lot of people put on this whole area. People allowed contracts to go on for 11 months before security clearances were in place. For the program itself, I'm sure those people there did the very best they could, but when half of your funding is the temporary reallocation each year, it's very difficult. I would expect Treasury Board to perhaps ask where programs like those getting these temporary reallocations are.

If you don't have stable funding in government, it's very difficult to run these programs. If you don't have the people there to do the job.... You have to almost commiserate with these people who are trying to do the workload if they have...I think it was 28% vacancy and another 30% who are temporary people.

At the end of the day, I think there were a lot of factors that came into it. Certainly stable funding is one of the major factors in the problems that we saw.

Mr. Chair, essentially the answer falls into two areas.

When a requirement is identified, there's an assessment carried out, and a contract clause is put forward. In order for the successful bidder to be able to get the contract, he or she or the company has to be able to meet the security requirements. That is a requirement. In some cases we do, at the request of certain companies, provide for pre-clearances. That doesn't happen in the majority of cases, but it does happen. Therefore, a potential bidder, on a contract yet to come related to certain security requirements, may say that it's probably a good thing for them to get some clearances, approaches, or industrial securities program, and ask for a clearance. Frankly, we say there's a potential for that company to be a bidder down the road, and we will carry out a process.

No, it is only if there's a requirement, but it is not overall.

Our policy is actually consistent with Treasury Board's policy in the sense that individuals who have access to facilities or information, either at a classified or designated level, require the necessary clearance or reliability status. That depends, again, on the information they would have access to. So if it were even a casual employee coming into a particular job--and normally, if it's casual, it's a reliability screening--that would probably be done, in most cases, through PWGSC. We would ensure that the individual had at least a reliability screening for designated information or the proper security clearance if the person had access to classified information.

That's the latest version of it.

It's been through a number of changes over time. I think 1986 was the original timeframe. It was modified in 1986, 1994, and 2002.

It predates the current version. It was implemented in 1996.

It was not modified in 2002.

A lot of things were changed in 2002 as a result of 9/11. That is one of the reasons the policy was reissued. The policy is the overarching piece that covers many different standards. Many new things went into place, like protection of personnel, identification of assets, and delivery of critical systems. Those all relate to, in many ways, the events of 9/11. IT security was implemented. Some changes were implemented to recognize the changes on the Internet, and so on.

Security screening changed a little bit. Although this particular standard didn't change, the requirement for security screening changed. Initially the standard had been at a basic level, which meant no criminal check. The change that occurred in 2002 was to increase it to include criminal checks. That also covered the contracting standard.

I agree with you. Frankly I try to look at it as the glass half full, but on sensitive contracts I don't question the point you're making.

In the course of assembling the sample, we did pick one area that was different from high sensitivity. This was secret/top secret. It has to do with protected information, which is different, as you may imagine. It was the same pattern, which is that a contract had been awarded, work had proceeded, and we screened the person to the right protected level: protected B.

The point I'm making is that in certain circumstances there's more risk tolerance. But in other cases, I agree with you. When you're talking secret/top secret, the margin of error for documents missing or not following procedures should be close to zero. Now, that does not bring risk to zero--that's another issue--but our procedure should be followed correctly.

It's different in three ways.

First, for those contracts that we generate, our acquisition branch now systematically flags, per a policy, the requirement for security. That is not only done manually, it's going to be done through our IT system. So that's the first thing. We have reinforced the need for that through communication and discussion with our staff.

Second, the program, headed by the director general, is more systematic in making sure that security clearances have been obtained at the time of contract award, which was the issue for the 24 that were singled out. That is the second thing we are doing.

Third, as I said, we're trying to find a long-term resource base that will ensure we have continuity in the program, so that the investments we're making in people and systems today are not lost as people leave.

All the recommendations made by the OAG have been implemented. The so-called “requirement for security checklist” is happening. Resources have come from Treasury Board in the amount of $11.2 million, so that has augmented the base of $6.7 million. These things are happening today. This is over and above what we're doing vis-à-vis the active contracts, which is looking into them to make sure they're all okay.

So new contracts are going through what I described, and we're going through past and active contracts very systematically to make sure nothing is missing. That goes back to the point made by Mr. Hubbard in terms of whether we have a level of assurance that things are okay. We're doing that.

When we completed our audit, the department indicated to us that a number of measures could be taken to ensure that the facilities could be used for their intended purposes. We asked them what mitigation measures had to be taken, as well as their cost and the plan to be used. We did not have that information at the time of the audit. I trust the word of the department officials, but I would of course like to have more details on the measures that were implemented.

Yes.

I was not a party to the discussions on this project involving the Office of the Auditor General and the department. If possible, I would like to gather more information on the key questions that the OAG raises in points 1.74 or 1.75.

Nevertheless, I can tell you that the expected cost of construction was $25.3 million. The final cost of construction was $24.9 million. The project's budget covered all construction costs.

Did the budget provide for additional security expenses? If possible, I would like to provide you with that information at a later date.

Until we have a stable funding formula for the program, it will be difficult to establish a multi-year formula. So there will be constraints. Let me be very clear. I want the program to be as stable as possible, but I want to do so within the financial constraints. There has been a new allocation of approximately $6 million, but this, simply put, always impacts other departmental priorities. We of course have to ensure that we have the resources to implement our action plan.

Basically, there are three figures. Base funding for the program is $6.7 million. Over the past few years, we allocated another $6 million on average within the department. Recently, in September, we received $11.3 million from Treasury Board for the contract security program. There was an increase from Treasury Board, but those funds run out at the end of the fiscal year. On March 31, I will have to find either a long-term or short-term solution to ensure continued progress with the program.

I absolutely agree that we don't want to burden the system with a lot of unnecessary consideration, but if people are going out to buy flags or whatever, it's pretty clear that there are no security issues there. It's when you get into defence construction contracts, for example, where we noted that for 99% of them there was no checklist done. At a minimum, there could be an indication that someone has considered the security aspects and has made a clear determination that there is no security. Previously that wasn't obvious, and so you didn't know if people had considered the security aspects.

At the risk of getting into a debate, in the NORAD project the security checklist was not completed, and there was no indication about security requirements, and so the people who were doing the contracting wouldn't know what clearances people should have. It's really up to the people who are running the projects to make that determination. Otherwise the people in Public Works, the contracting authorities, have no way of knowing--

It can be a pretty simple thing to do. When we do our own contracting—and you would suspect that in my office we don't have a lot—we have access to protected information. There is just a drop-down thing and people just have to do it. It's not a long process that they have to go through. It's simply checking another box.

I very much agree with Madam Fraser. It's not one-size-fits-all, and this is important for committee members to appreciate.

I'll give you an example. If, for instance, someone requires a contract, they require a screening, a reliability check, at the lowest level--protected A--it can be done in days. If I remember, it is three days. It can be a bit more complicated, but it's measured in days. Obviously, to be clear--and this is where Madam Fraser is--if it's run-of-the-mill we can be pretty efficient and therefore not create a burden on either business or capacity for the government to issue contracts.

Where it gets to be more difficult--and this is where the OAG focused--is when you get into the more sensitive files. There, clearly, when we're talking about clearances at a secret or top secret level, we are now measuring progress in months. So this is very different.

It is very important for whoever decides there is a security requirement to make the right call, because if the call is one of top secret or secret, there will be an impact. It's not a negative impact. It's going to be a period of time to do the job correctly.

The majority of so-called screenings taking place for government activity are done at the screening level, which often is done in days. We're talking in thousands. If I remember, going on memory, it's like 50,000 clearances or reliability checks per annum. The workload is measured in days.

I don't minimize that. It has to be done, but I would like to think it is not creating a huge burden vis-à-vis the benefits.

What delay are we talking about?

I'm not aware what the timeline was for any delay; however, modifications that are performed and reworking that has to be done are regrettably all part of normal construction practices.

Some things were not put in right. We had cases where the locks were put on the wrong side of doors. We had places where conduit wasn't terminated properly in accordance with either good construction practices or the security rules we put on for the facilities. As you can appreciate, we have to make sure we know where any electrical conduit goes and that it's terminated correctly at both ends, because we're going to put communications or power cabling through that. In some cases it wasn't terminated correctly or there were junction boxes where they shouldn't have been, contrary to designs that had been approved.

So a certain amount of rework was required from a construction practices standpoint and a security standpoint, and that would have been picked up as part of the normal construction activity. The contractor would have been held responsible for fixing those things because they were implementation deficiencies, not design deficiencies.

I'm not saying they were all minor. They were what would be considered, on a $25 million construction project, oversights that weren't done correctly and had to be reworked.

Chair, if you agree, perhaps we could discuss this with the department. That was certainly not the impression we had when we completed our work, but we have not done a follow-up since then. Perhaps we can work with the Department of National Defence and come back to the committee with a response to that question.

I believe in our audit we were aware of two. One of course was the NORAD project. The other one mentioned in paragraph 1.77 was the Shearwater hangars.

I would be glad to do that.

I have not heard from General Hillier.

Yes. In a follow-up to the Auditor General's report, all of the responsible officials were directed by the Chief of the Defence Staff and the deputy minister in the development of the action plan. I am here today partly because of the seriousness that the head of the Canadian Forces and the head of the department, the accounting officer--

It was in October, in following up on the report, when the department wrote to the Auditor General with the action plan and our response to it.

I'm sorry, I have been involved in the action plan, but as to your question, I have not personally heard from General Hillier.

The correspondence I'm referring to was addressed to the Vice-Chief of the Defence Staff, who in the chain of command is above Lieutenant-Colonel Shuster. So that would explain in part why he wasn't a personal addressee on that.

Again, just to clarify, I was an addressee on the action plan. With regard to the action plan, I have received it, but coming from the Vice-Chief of the Defence Staff.

I don't have that information myself at this time.

Yes.

The corporation, not myself. I don't have 56 years; the corporation has 56 years of experience.

The corporation has operated for 56 years under a series of memoranda of understanding with the Department of National Defence. In those memoranda—

Absolutely. In accordance with our mandate and our working arrangement with the department, Defence Construction has always taken responsibility for industrial security on defence projects once those security requirements have been identified. The instant the department identifies the requirements, we safeguard the sensitive information—

No. We have now signed an agreement with—

Since 1986, when the policy was around. However—

Yes, we do.

At the time of the audit, we did not find an agreement.

To clarify, we've entered into the formal agreement with Treasury Board since the audit. Prior to that time, we always implemented the measures required by the government security—

Sir, I suggest that you look back, and you will not find a situation where we have not complied.

Right.

The Auditor General quite rightly pointed out that our policies and processes were not documented or formalized in the way that they should be. By the end of March, they will be.

Once again, as suggested, our practices were in compliance. However, she quite rightly points out that they should have been more formal.

The building was designed as a NORAD control centre, and it was built as a NORAD control centre, and it is currently being used for that intended purpose.

I'd just like to thank the committee for its interest in this work and say that we are very pleased with the response from the departments. They have agreed with the recommendations. They have developed action plans. And in fact, in many cases they have already taken action on the issues that have been raised.

Briefly, Mr. Chairman, we are working hard on an action plan, on a way-forward basis, on the so-called 3,000 contracts. In my remarks I committed to keeping the committee informed of what we find. I know there is interest in this, so we will be doing that.

Yes, Mr. Chairman. And like my colleagues, I would also like to thank the committee and all the members for their interest in this, and the Auditor General, again, for this audit, which has raised some significant issues that we are working to address.

Oh, oh!