The way it works is if NSERC identifies a potential risk, that information is provided to the Department of Public Safety. The Department of Public Safety then either conducts its internal assessment or, if it feels it needs more specific security analysis and depending on the nature of the issue, it would go either to CSIS or to the Communications Security Establishment if it's sort of signals-related information. That assessment goes back to Public Safety, which then conveys the relevant information back to NSERC within the scope of their policies.
On November 20th, 2023. See this statement in context.