A G: CSE gets an A- on Contracting Sec
Communications Security Establishment Canada complies with the Policy
2.74 We found that Communications Security Establishment Canada (CSEC) is consistent with the Policy on Government Security. It uses the Security Requirements Check List to identify security requirements, has implemented a quality assurance program, and has approved its departmental security plan. CSEC’s requirement for clearances of firms went beyond the requirements in the Policy on Government Security. CSEC recently approved a policy on key activities related to security in contracting, which will help ensure that the process is carried out uniformly.
2.75 From our interviews and file review, we found that individual contractors had been granted security clearances at the appropriate levels before contracts began. We also reviewed the security in place for CSEC’s Long-Term Accommodation Project (Exhibit 2.9).
Exhibit 2.9—Security has been well considered in Communications Security Establishment Canada’s Long-Term Accommodation Project
We looked at a major project currently under construction to replace Communications Security Establishment Canada’s (CSEC’s) facilities and consolidate its workforce. For this project, Defence Construction Canada is the contracting authority. We found that security had been well considered and integrated into project planning and delivery. The projected cost of this Long-Term Accommodation Project is $880 million, with completion planned for 2014. Given the highly classified nature of CSEC’s business, the design and construction of the new facility took security considerations into account with a view to enhancing monitoring and eliminating the need for costly retrofits.
CSEC conducted the personnel screening and provided the results to the Industrial Security Program for inclusion in the Program’s database. It also signed a service-level agreement with Public Works and Government Services Canada (PWGSC) to conduct the facility security clearances. At the same time, CSEC conducted contractor clearances and requested clearances of firms from PWGSC. Until a firm was cleared, there was no access to the site and no work was permitted. Together, these procedures ensured that both firms and contractors would be appropriately cleared. CSEC cleared or provided site access clearance to more than 6,000 individuals, from truck drivers to consultants—no individual was allowed on site without first being cleared.
CSEC also took additional precautions, such as the following:
- It ensured that firms providing construction materials and equipment were granted access only to specific sections of the work site as necessary.
- It restricted access to drawings of the building and the building site.
- It established verification procedures to ensure that there were no unobserved breaches of security.
While the cost of these additional procedures was considerable, in CSEC’s opinion they provided the assurance that its Chief needed—that risks had been mitigated appropriately.
2.76 We also reviewed 18 CSEC contracts unrelated to the Long-Term Accommodation Project. We found that for 14 contracts entered into with six firms, the firm had not been cleared when the contract was awarded. While CSEC had a security clause in these contracts for firms to be cleared, clearance was obtained only after the work had started.
2.77 Recommendation. Communications Security Establishment Canada should ensure that all contract security requirements related to firm clearances are met prior to awarding the contract.
The Agency’s response. Agreed. Communications Security Establishment Canada acknowledges the audit’s finding that CSEC met all requirements of government policy. With respect to the additional requirements that CSEC put in place over and above the policy, CSEC accepts the findings of the Auditor General, although additional risk mitigation measures were put in place. CSEC’s guidelines have been amended accordingly.