ARCHIVED – Annex 7-A: Instructions for Completing the Security Requirements Check List
Archived information
This information has been archived and replaced by the Contract Security Manual.
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.
General: Processing this form
The project authority must make arrangements for the completion of this form.
The organization or company security officer (CSO) must review and approve the security requirements identified in the form, in cooperation with the project authority.
The contracting security authority is the organization responsible for ensuring that the suppliers are compliant with the security requirements identified in the security requirements checklist (SRCL).
Note
All requisitions and subsequent tender and contractual documents including subcontracts that contain protected and/or classified requirements must be accompanied by a completed SRCL.
It is important to identify the level of protected information or assets (A, B or C), when applicable; however, certain types of information may only be identified as protected. No information pertaining to a protected and/or classified government contract may be released by suppliers, without prior written approval of the individual identified in block 17 of this form.
The level of security assigned to a particular stage in the contractual process does not mean that everything applicable to that stage is to be given the same classification. Every item must be protected and/or classified according to its own content. If a supplier is in doubt as to the actual level to be assigned, they may consult with the individual identified in block 17 of this form.
Completing this form
- Part A: Contract information
- Part B: Personnel (supplier)
- Part C: Safeguards (supplier)
- Part D: Authorization
Part A: Contract information
Contract number (top of the form)
This number must be the same as that found on the requisition and should be the one used when issuing a request for proposal (RFP) or contract. This is a unique number (no two requirements will have the same number). A new SRCL must be used for each new requirement or requisition (for example: new contract number, new SRCL or new signatures).
1. Originating government department or organization
Enter the department or client organization name or the prime contractor name for which the work is being performed.
2. Branch or directorate
Use this block to further identify the area within the department or organization for which the work will be conducted
3. a) Subcontract number
If applicable, this number corresponds to the number generated by the prime contractor to manage the work with its subcontractor.
3. b) Name and address of subcontractor
Indicate the full name and address of the subcontractor, if applicable.
4. Brief description of work
Provide a brief explanation of the nature of the requirement or work to be performed.
5. a) Will the supplier require access to controlled goods?
The Defence Production Act (DPA) defines controlled goods as certain goods listed in the Export Control List, a regulation made pursuant to the Export and Import Permits Act (EIPA). Suppliers who examine, possess, or transfer controlled goods within Canada must register in the Controlled Goods Program or be exempt from registration.
5. b) Will the supplier require access to unclassified military technical data subject to the provisions of the Technical Data Control Regulations?
The prime contractor and any subcontractors must be certified under the Joint Certification Program if the work involves access to unclassified military data subject to the provisions of the Technical Data Control Regulations.
6. Indicate the type of access required
Identify the nature of the work to be performed for this requirement. Select 1 of the types of access described in 6 a, b or c.
6. a) Will the supplier and its employees require access to protected and/or classified information or assets?
The supplier would select this option if they require access to protected and/or classified information or assets to perform the duties of the requirement.
6. b) Will the supplier and its employees (for example: cleaners and maintenance personnel) require access to restricted access areas? No access to protected and/or classified information or assets is permitted
The supplier would select this option if they require regular access to government premises or a secure work site only. The supplier will not have access to protected and/or classified information or assets under this option.
6. c) Is this a commercial courier or delivery requirement with no overnight storage?
The supplier would select this option if there is a commercial courier or delivery requirement. The supplier will not be allowed to keep a package overnight. The package must be returned if it cannot be delivered.
7. Type of information, release restrictions, level of information
Identify the type(s) of information that the supplier may require access to, list any possible release restrictions, and if applicable, provide the level(s) of the information. The user may make multiple selections based on the nature of the work to be performed.
Departments must process SRCLs through Public Services and Procurement Canada (PSPC) where contracts that afford:
- access to protected and/or classified foreign government information and assets
- foreign contractors access to protected and/or classified Canadian government information and assets
- foreign or Canadian contractors access to protected and/or classified information and assets as defined in the documents entitled Identifying information security (INFOSEC) and INFOSEC Release
7. a) Indicate the type of information that the supplier will be required to access
Canada
If Canadian government information and/or assets are identified, the supplier will have access to protected and/or classified information and/or assets that are owned by the Canadian government.
North Atlantic Treaty Organization
If North Atlantic Treaty Organization (NATO) information and/or assets are identified, this indicates that as part of this requirement, the supplier will have access to protected and/or classified information and/or assets that are owned by NATO governments. NATO information and/or assets are developed and/or owned by NATO countries and are not to be divulged to any country that is not a NATO member nation. Persons dealing with NATO information and/or assets must hold a NATO security clearance and have the required need-to-know.
Requirements involving classified NATO information must be awarded by PSPC. PSPC's Canadian Industrial Security Directorate (CISD) is the designated security authority for industrial security matters in Canada.
Foreign
If foreign information and/or assets are identified, this requirement will allow access to information and/or assets owned by a country other than Canada.
7. b) Release restrictions
If "No release restrictions" is selected, this indicates that access to the information and/or assets are not subject to any restrictions.
If "Not releasable" is selected, this indicates that the information and/or assets are for Canadian eyes only (CEO). Only Canadian suppliers based in Canada can bid on this type of requirement.
Note: If Canadian information and/or assets coexist with CEO information and/or assets, the CEO information and/or assets must be stamped ‘'Canadian Eyes Only".
If "All NATO countries" is selected, bidders for this requirement must be from NATO member countries only.
Note: There may be multiple release restrictions associated with a requirement depending on the nature of the work to be performed. In these instances, a security guide should be added to the SRCL clarifying these restrictions. The security guide is normally generated by the organization's project authority and/or security authority.
7. c) Level of information
Using the chart, indicate the appropriate level of access to information/assets the supplier must have to perform the duties of the requirement.
8. Will the supplier require access to protected and/or classified communication security information or assets?
If "Yes," the supplier personnel requiring access to communication security (COMSEC) information or assets must receive a COMSEC briefing. The briefing will be given to the holder of the COMSEC information or assets. In the case of a personnel assigned contract, the customer department will give the briefing.
When the supplier is required to receive and store COMSEC information or assets on the supplier's premises, the supplier's COMSEC custodian will give the COMSEC briefings to the employees requiring access to COMSEC information or assets.
If "Yes," the level of sensitivity must be indicated.
9. Will the supplier require access to extremely sensitive information security information or assets?
If "Yes," the supplier must provide the short title of the material and the document number. Access to extremely sensitive INFOSEC information or assets will require that the supplier undergo a Foreign Ownership Control or Influence (FOCI) evaluation by CISD.
Part B: Personnel (supplier)
10. a) Personnel security screening level required
Identify the screening level required for access to the information, assets or client facility. More than one level may be identified depending on the nature of the work. Please note that site access screenings are granted for access to specific sites under prior arrangement with the Treasury Board of Canada Secretariat. A site access screening only applies to individuals, and it is not linked to any other screening level that may be granted to individuals or organizations.
Security screening level(s):
- Reliability status
- Secret
- NATO Secret
- Top Secret
- Top Secret Signal Intelligence (SIGNIT)
- control of secret material in an international command (COSMIC) Top Secret
If multiple levels of screening are identified, a security classification guide must be provided.
10. b) May unscreened personnel be used for portions of the work?
Indicating "Yes" means that portions of the work are not protected and/or classified and may be performed outside a secure environment by unscreened personnel. The following question must be answered if unscreened personnel will be used:
Will unscreened personnel be escorted?
If "No," unscreened personnel may not be allowed access to sensitive work sites and must not have access to protected and/or classified information and/or assets.
If "Yes," unscreened personnel must be escorted by an individual who is cleared to the required level of security in order to ensure there will be no access to protected and/or classified information and/or assets at the work site.
Part C: Safeguards (supplier)
Information/Assets
11. a) Will the supplier be required to receive and store protected and/or classified information and/or assets on its site or premises?
If "Yes," specify the security level of the documents and/or equipment that the supplier will be required to safeguard at their own site or premises using the summary chart (see below).
11. b) Will the supplier be required to safeguard COMSEC information or assets?
If "Yes," specify the security level of COMSEC information or assets that the supplier will be required to safeguard at their own site or premises using the summary chart.
Production
11. c) Will the production (manufacture, repair and/or modification) of protected and/or classified material and/or equipment occur at the supplier's site or premises?
Using the summary chart, specify the security level of material and/or equipment that the supplier manufactured, repaired and/or modified and will be required to safeguard at their own site or premises.
Information technology media
11. d) Will the supplier be required to use its information technology systems to electronically process and/or produce or store protected and/or classified information and/or data?
If "Yes," specify the security level in the summary chart. This block details the information and/or data that will be electronically processed or produced and stored on a computer system. The client department and/or organization will be required to specify the information technology (IT) security requirements for this procurement in a separate technical document. The supplier must also direct their attention to the following document: ARCHIVED - Operational Security Standard: Management of Information Technology Security (MITS).
11. e) Will there be an electronic link between the supplier's information technology systems and the government department or agency?
If "Yes," the supplier must have their IT system(s) approved. The client department must also provide the connectivity criteria detailing the conditions and the level of access for the electronic link (usually not higher than Protected B level).
Summary chart
For users completing the form manually use the summary chart to indicate the category(ies) and level(s) of safeguarding required at the supplier's site(s) or premises.
For users completing the SRCL form online, the summary chart is automatically populated by your responses to previous questions.
12. a) Is the description of the work contained within this Security Requirements Check List protected and/or classified?
If "Yes," classify this form by annotating the top and bottom in the area entitled "Security classification".
12. b) Will the documentation attached to this Security Requirements Check List be protected and/or classified?
If "Yes," classify this form by annotating the top and bottom in the area entitled "Security classification" and indicate with attachments (for example: Secret with attachments).
Part D: Authorization
13. Organization project authority
This block is to be completed and signed by the appropriate project authority within the client department or organization (for example: the person responsible for this project or the person who has knowledge of the requirement at the client department or organization). This person may, on occasion, be contacted to clarify information on the form.
14. Organization security authority
This block must be signed by either the:
- departmental security officer (DSO)
- delegate of the department identified in block 1
- security official of the prime contractor
15. Are there additional instructions (for example: security guide or security classification guide) attached?
A security guide or security classification guide is used in conjunction with the SRCL to identify additional security requirements which do not appear in the SRCL, and/or to offer clarification to specific areas of the SRCL.
16. Procurement officer
This block is to be signed by the procurement officer acting as the contract or subcontract manager.
17. Contracting security authority
This block is to be signed by the contract security official. Where PSPC is the contract security authority, CISD will complete this block.