Qualifying for a software as a service supply arrangement
Explore how suppliers can qualify to provide goods and/or services under the software as a service supply arrangement (SaaSSA).
On this page
About the qualification process
The SaaSSA is a method of supply in which a pool of pre-qualified suppliers is established to provide goods and/or services under specific terms and conditions which are pre-defined. The Government of Canada (GC) may use this pool of pre-qualified suppliers to solicit bids for a specific requirement.
The SaaSSA method of supply is a 2-phased procurement process.
Phase 1: Suppliers are assessed against the requirements of the software as a service (SaaS) request for supply arrangement (RFSA), are pre-qualified and are issued a supply arrangement (SA) on the basis of meeting all of the RFSA requirements and accepting all of the terms and conditions of the RFSA.
Phase 2: a contract can be awarded to an SA holder following a selection process in accordance with the SaaSSA procurement processes which are defined in Software as a service method of supply on CanadaBuys.
Steps to becoming pre-qualified
Follow the following steps to pre-qualify as a supplier in the SaaS method of supply.
Step 1
- Download and respond to our RFSA. The opportunity for suppliers to pre-qualify is ongoing. Explore the software as a service method of supply on CanadaBuys
- Download and review all amendments and attachments to the RFSA to become familiarized with questions and answers and previous changes
Step 2
If your company does not yet have a business number, enroll using the Supplier registration information system. This will be your unique identifier to sell to the GC. Visit the system website for more information about registration.
Step 3
- Public Services and Procurement Canada (PSPC) will perform evaluations of technical and financial submissions on an ongoing basis
- The Canadian Centre for Cyber Security (CCCS) is responsible for all Information Technology Security (ITS) and Supply Chain Integrity (SCI) assessments, and onboarding to these assessments occurs in waves. Onboarding to the CCCS ITS and SCI assessment processes will occur approximately every 6 months. The timelines for onboarding will be posted to software as a service method of supply on CanadaBuys on an ongoing basis. This process is not required for submissions under Stream 4: Client departments who have a requirement to procure solutions under Stream 4 will be responsible for conducting their own IT Security and Supply Chain Integrity Assessments. For further information on the CCCS IT Security Assessment Program, please refer to Annex L: SaaSSA ITS Assessment Program: Onboarding process qualification requirements of the RFSA
- The RFSA is a collaborative process in that suppliers who do not qualify for an SA initially will have the opportunity to resubmit missing information or documents for qualification. Suppliers who do not meet all of the criteria to qualify will be contacted by PSPC (for the technical, financial and additional requirements detailed in section 4.2 Technical and financial evaluation of the RFSA or CCCS (for the ITS and SCI requirements) in order to request additional documentation or clarification. If all required documentation is not provided to CCCS prior to the end of the Onboarding Wave closing date, Suppliers will be directed to re-apply during the next onboarding period
- Suppliers’ submissions are to be submitted via email to the software as a service supply arrangement authority or to the bid receiving unit (BRU) using epost connect. For more information, suppliers can refer to Part 2: Supplier instructions of the RFSA
Application process
Explore which documents should be sent to PSPC or CCCS during RFSA application process, using the following summary:
| Documents/certifications | Stream 1: Tier 2—Up to Protected B—SaaS publishers | Stream 2: Tier 1—Up to Protected A—SaaS publishers | Stream 3: Tier 1—Up to Protected A—Value-added reseller | Stream 4: Unclassified—SaaS publisher or Value-added reseller |
|---|---|---|---|---|
| PSPC assessment: Technical requirements | ||||
| Form 1: RFSA submission form (Mandatory) | Applies | Applies | Applies | Applies |
| Form 2: SaaS publisher certification form (Mandatory) | Applies | Applies | n/a | Applies (if applicable) |
| Form 3: SaaS publisher authorisation form (Mandatory) | n/a | n/a | Applies | Applies (if applicable) |
| Form 4: Certification requirement for the set-aside programs for aboriginal business (if applicable) | Applies | Applies | Applies | Applies |
| Form 5: Submission completeness review check list (Mandatory) | Applies | Applies | Applies | Applies |
| Annex A: Qualification requirements tier 1 (Mandatory) | n/a | Applies | Applies | n/a |
| Annex A: Qualification requirements tier 2 (Mandatory) | Applies | n/a | n/a | n/a |
| Annex D: SaaS solution service level agreements (SLA) (Mandatory) | Applies | Applies | Applies | Applies |
| PSPC assessment: Financial requirements | ||||
| Annex C: SaaS solutions and professional services ceiling prices (Mandatory) | Applies | Applies | Applies | Applies |
| Price support (Mandatory) | Applies | Applies | Applies | Applies |
| Financial viability (if required) | Applies | Applies | Applies | Applies |
| PSPC assessment: Certifications and additional information | ||||
| Forms for the integrity: Declaration of convicted offences (if applicable) | Applies | Applies | Applies | Applies |
| Canadian Centre for Cyber Security assessment: Supply Chain Integrity and IT security requirements | ||||
| International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001:2013 or System and Organization Control (SOC) 2 Type II (M5 tier 1) (Mandatory) | n/a | Applies | Applies | n/a |
| Cloud security alliance (CSA) cloud controls matrix (CCM) version 3.01 or subsequent version (M5 tier 1) (Mandatory) | n/a | Applies | Applies | n/a |
| ISO/IEC 27017:2015 and ISO/IEC 27001:2013 and (SOC) 2 Type II (M8 tier 2) (Mandatory) | Applies | n/a | n/a | n/a |
| ISO/IEC 27018:2014 certification and assessment report (M12 tier 2) (Mandatory) | Applies | n/a | n/a | n/a |
| ISO/IEC 27036, or National Institute of Standards and Technology (NIST) special publication 800-161, or ITSG-33 security control (M7 tier 1–M11 tier 2) (Mandatory) | Applies | Applies | Applies | n/a |
| Shared Services Canada (SSC) invitation to qualify (ITQ) pre-qualified cloud service provider assessment report (if available) | Applies | Applies | Applies | n/a |
Step 4 (not applicable for stream 4)
- As part of the ITS assessment conducted by CCCS, suppliers will be required to obtain security clearances through the Contract Security Program or the International Industrial Security Directorates for personnel and organizational screening
- Per the instructions of the solicitation, in order to be awarded a SaaSSA, the supplier must hold, at minimum, a valid designated organization screening, a document safeguarding capabilities screening, and personnel security screenings for users with privileged access rights, issued by the Contract Security Program (CSP) or International Industrial Security Directorate (IISD), as applicable. Suppliers who have not already obtained clearances through the CSP or IISD will require sponsorship, which will be provided by PSPC. Suppliers are strongly encouraged to initiate these security screenings as soon as possible in order to avoid delays in receiving an SA
- In order to proceed with the sponsorship for your company’s security, please contact the software as a service supply arrangement authority for more information about the process
For additional information about the CSP, please:
- visit Security requirements for contracting with the Government of Canada
- send an email at: ssi-iss@pwgsc-tpsgc.gc.ca
Step 5
- Once a supplier is assessed as having met the requirements of the SaaS RFSA, a SaaSSA will be awarded on the basis of having met all of the requirements of the and accepting all of the terms and conditions of the RFSA and resulting contracts
- The award of a SA does not guarantee a contract with the GC. The guarantee is that the legal names of all pre-qualified suppliers will appear in search results for clients where search parameters are met
- Date modified: