Colleagues, I think we'll begin. It's 8:45 a.m. We are missing one of our witnesses, but I'm sure Madam Campbell is on her way.
I have a couple of quick notes before we begin our testimony. First, with your permission, colleagues, I would like to take about 10 minutes, perhaps 15 minutes, at the end of this meeting to discuss future business and potential future witnesses as we continue our study on the whistle-blowers protection act.
Second, I want to announce that Mr. Clarke will not be with us for the next two to three weeks. He is at home in his riding awaiting the arrival of his second child, so Monsieur Gourde will be with us for the next few weeks. Monsieur Gourde is an experienced parliamentarian, and also an experienced parliamentarian in government operations. He sat on the previous government operations and estimates committee for about four years, so his learning curve is not quite as steep as it would be for others.
To our witnesses, thank you very much for being here.
Colleagues, today's meeting is pursuant to Standing Order 108(2), Briefing on the Use of National Security Exceptions.
I understand all of our witnesses here have brief opening statements.
Mr. Breton, if you have your opening statement, the floor is yours.
Shared Services Canada, or SSC, was created in 2011 to build a modern, secure and reliable information technology infrastructure for the digital delivery of programs and services to Canadians.
After its creation, SSC began reviewing the security requirements that would be necessary to meet its mandate and the needs of its customers.
At the time, Canada’s security and intelligence community had recognized the strategic importance of SSC’s procurements to establish a secure, centralized IT infrastructure for the Government of Canada. This includes procurements related to email, data centre infrastructure, and network and telecommunications systems and services.
Ultimately, the department concluded that these types of procurements are indispensable to national security, and that steps were necessary to protect Canada’s national security interests, including invoking the national security exception.
A main justification was that email, networks and data centres play a central role in every aspect of the government's operations, and that these systems have repeatedly been the target of hostile cyber threats.
I would underline that the decision was made together with a number of other federal partners, including Public Services and Procurement Canada, the Canadian Security Intelligence Service, the Communications Security Establishment, the Treasury Board Secretariat, the Department of National Defence and the Privy Council Office.
These organizations all endorsed SSC’s request to seek a national security exception in support of its mandate. This endorsement is not normally part of the already rigorous process that my colleagues will describe from PSPC, but it was added to ensure that our rationale was supported by the key departments responsible for protecting Canada’s national security. Canada’s decision to invoke the NSE for all procurements of goods and services related to email, networks, and data centre infrastructure was announced on the government electronic tendering service in May 2012. SSC also invoked the NSE for procurements related to workplace technology devices, software, and related services, which were added later to the department’s mandate.
In our notice to suppliers, it was explained that workplace technology devices and software are the gateway to most of the government’s infrastructure and are the means by which employees send and receive email, transmit information across networks, and access information stored in data centres. This therefore makes them attractive targets for those intent on exploiting the government’s infrastructure. The invocation related to these types of procurements was announced on the government electronic tendering service in 2014.
Let me now turn to some of the steps Shared Services Canada is able to take to protect Canada’s national security by invoking the NSE. This includes applying the supply chain integrity assessment process. This security screening process, which involves analysis by the Communications Security Establishment, is intended to ensure that no equipment, software, or services procured by Shared Services Canada, or used in the delivery and support of services, could compromise the security of Canada’s systems, software, or information.
Other steps include “in-Canada” requirements for housing data to protect Canada's sovereignty over its data.
Shared Services Canada is also able to direct the architecture of its network or other systems to ensure the design achieves appropriate security standards and controls.
These are just some examples of how the NSE enables Shared Services Canada to procure the goods and services required to fulfill its mandate in a way that protects national security in the face of increasing cyber threats.
I would like to state at this point that the invocation of the NSE does not mean that procurements will be non-competitive. To illustrate this, for fiscal year 2015-16, Shared Services Canada conducted 725 procurements that were subject to the NSE for a total value of $1 billion. Of that total, $920 million was sourced competitively. This volume represents 29% of all of SSC's procurement transactions for 2015-16. It also represents about 77% of the total dollar amount we procured in that fiscal year.
In addition, the invocation of the NSE is not intended to insulate Shared Services Canada from challenges by suppliers. Challenges to the Federal Court and to the provincial superior courts remain available with respect to all of the department's procurements.
Let me close by emphasizing that Shared Services Canada is committed to conducting fair, equitable, and competitive procurement processes.
We recognize that market-based competition is the best vehicle to deliver the highest value solutions and best value for Canadian taxpayers. This includes procurements conducted under a national security exception.
Thank you, Mr. Chair.
Thank you, Mr. Chair and committee members.
I'm sorry for being late this morning, Mr. Chair. There was some confusion about the room we were supposed to be in.
Thank you for the opportunity to appear here today to discuss how PSPC invokes the national security exceptions.
PSPC procures goods and services on behalf of departments and agencies at the best value for Canadians. Our acquisitions program provides federal organizations with procurement solutions such as specialized contracts, standing offers, supply arrangements, and memoranda of understanding for acquiring a broad range of goods and services, including construction services.
This program delivers acquisitions and related common services using procurement best practices, early engagement, effective governance, independent advice. It benefits Canadians through an open, fair, and transparent process to ensure best value for Canadians in the federal government.
In order to ensure that Canada's national security interests are not compromised when procuring goods and services, the trade agreements allow all parties to take whatever action they consider necessary by invoking the national security exception.
By including national security exception provisions, signatories to the trade agreements made a conscious decision to allow discretion in determining their national security requirements. This discretion is essential in view of the evolving and shifting nature of sources of threat to national security. Recognizing that it's very difficult to predict how threats to national security will evolve and change, the trade agreements give Canada and its trading partners the flexibility to invoke NSE when they consider it necessary.
A national security exception is considered when the procurement is essential for any of the following: national defence and military threat, sovereignty, protection of security intelligence, environmental security, human security, and economic security. Invoking an NSE, as my colleague said, does not remove procurements from the obligations of the government contract regulations to compete the requirement unless there is a valid reason to direct the procurement. Canada's contracting framework and laws favour robust competition as a way of ensuring choice and innovation for the government.
When PSPC is the contracting authority, an NSE can only be invoked by either myself in my capacity as assistant deputy minister of defence and marine procurement, or by my colleague Arianne Reza, assistant deputy minister of procurement. This is because matters pertaining to national security must be addressed at the senior management level.
PSPC's acquisition program invokes on average 20 national security exceptions per year. A total of 55 NSEs have been invoked over the past three fiscal years, with the Department of National Defence being our major client, representing 45% of the total number of invocations. Other client departments include the Royal Canadian Mounted Police with 16%; Canada Border Services Agency with 7%; Immigration, Refugees and Citizenship Canada with 5%; and PSPC with 4%.
To date, for the current fiscal year, PSPC has invoked a total of 18 NSEs.
The process for invoking an NSE is rigorous and sound. A client department determines the national security risks to be managed and mitigated in a procurement.
A request must be in the form of a letter from the responsible assistant deputy minister at the client department that explains the nature of the proposed procurement and shows a clear rationale of why an NSE should be invoked in relation to the trade agreements.
PSPC implements a rigorous review process to vet the client department's request in consultation with our legal services and the relevant procurement sector. We also follow Treasury Board's guidelines in this respect. As with any other procurement process, this is done with great diligence and scrutiny.
Procurements for which an NSE is invoked remain subject to all other relevant government regulations and policies, including the industrial and technological benefits policy and the value proposition. The NSE is invoked only when the crown considers the procurement indispensable for the protection of Canada's national security interests. As well, invoking an NSE is not by definition meant to restrict competition to Canadian suppliers.
There may, however, be a legitimate need to maintain or establish a Canadian source of supply.
For example, when Canada contracted for a pandemic vaccine supplier, the government was required to invoke the NSE for various reasons, including ensuring a domestic supply of the vaccine was readily available and manufactured within its borders.
Typically, an NSE is invoked for a project or a specific procurement. However, there are situations in which an omnibus NSE may be required. For example, in November 2015, I invoked an omnibus national security exception to assist in the relocation of 25,000 Syrian refugees to Canada. This NSE applied to all procurements carried out by my department on behalf of all federal government departments, agencies, and crown corporations.
In 2008, PSPC invoked an omnibus NSE on behalf of the Department of National Defence to support Canada's military operations in Afghanistan. In this situation, invoking this NSE ensured that the Department of National Defence met its immediate operational requirements in an active war zone, and protected our national security interests.
To conclude, PSPC recognizes the seriousness of invoking an NSE, and, as I have previously mentioned, the department has a rigorous process to ensure that any request meets the high standard we have established for invoking the exception and managing our overall procurement responsibilities for the Crown.
Thank you, Mr. Chair and committee members. My colleagues from other departments also have remarks to offer, after which we'd be pleased to answer your questions.
Good morning, Mr. Chair and distinguished committee members.
My name is Dennis Watters and I am the acting chief financial administration officer for the Royal Canadian Mounted Police.
Thank you for the opportunity to speak with you today about the RCMP's procurement activities, and more specifically the use of national security exceptions as they relate to providing Canada's national police service with the most appropriate and effective equipment to ensure the safety and security of Canadians.
The RCMP's procurement activities are conducted directly in support of the RCMP's operational priorities, including but not limited to the following: enable RCMP members to detect and prevent organized crime, ensure Canada's security interests, and protect Canada's economic integrity, while also providing for the safety of RCMP officers who are entrusted with the security of Canadians.
The RCMP uses the services of PSPC and Shared Services Canada for procurement requirements that exceed the contracting authority of the RCMP and for specialized requirements. The RCMP also procures goods, services, and constructions under its own delegated authorities through open, fair, and transparent processes to ensure best value for Canadians while meeting the RCMP's operational priorities.
In order to meet these and other operational priorities, the RCMP requires a wide range of goods and services. The bulk of these items are procured through open and competitive processes. As reported against the 2015–16 management accountability framework, the RCMP used competitive processes for 84% of contracts valued at over $25,000.
For calendar year 2014, the RCMP had more than 7,000 contracts awarded, for a total value of $395 million. As indicated by my colleague from PSPC, the number of NSEs invoked by PSPC for the RCMP is very low in each fiscal year. I believe it was 16%. In addition, the RCMP invokes the NSE for some of the procurements that it carries out under its own authorities. However, the use is very limited.
Even though the use is quite limited, the RCMP has a robust framework in place for the use of NSE, including an internal guideline for national security exceptions. All requests to PSPC to apply the NSE must first be approved at the deputy commissioner level at the RCMP, and they are reviewed by the corporate procurement branch that reports to me. In addition, for contracts within the RCMP's own delegated authority, the requests have to be approved by the chief financial officer, me. Invoking the NSE does not by itself allow the RCMP to sole-source procurement.
The RCMP does rely on the national security exception from the application of trade agreements, generally for two main reasons. The first is when the requirement cannot be published on the public-facing government electronic tendering systems because revealing technical requirements or specifications would compromise the operational requirements of the equipment being procured. Furthermore, depending on the purchase, disclosing the specifications of the equipment could have serious consequences on the safety of our members.
The second is when the minimum publication timeline under Canada's trade agreements cannot be met due to the urgent nature of the requirement. For example, solicitations subject to the North American Free Trade Agreement must be published for a minimum of 40 calendar days. Due to the operational nature of the RCMP, it is not always possible to plan procurement requirements in sufficient time to meet these posting requirements. As an example, the national security exception was invoked in advance of the North American leaders' summit in 2016. The rationale for using the exception was in part to protect the details of the operations to ensure the security of leaders, but also because of the short timelines that were available to procure the equipment ahead of the summit.
The national security exception is a key tool that enables the RCMP to meet its operational requirements for the protection of Canada's national security.
Mr. Chair and honourable members of the committee, I thank you for inviting the RCMP here today, and I would be pleased to answer any of your questions.
Good morning, Mr. Chair and members of the committee.
My name is Karen Robertson and I am the assistant director of finance and administration at the Canadian Security Intelligence Service. I am responsible for managing CSIS' financial functions as well as administrative functions pertaining to acquisitions, asset management, disposals and infrastructure requirements.
As my colleagues from Public Services and Procurement Canada, PSPC, and Shared Services Canada, SSC, have already provided an explanation of national security exceptions, I hope to provide you some insight into the rationale for applying these exceptions to CSIS' procurement contracts.
Although CSIS' procurement-related expenditures constitute a relatively small piece of the government's overall procurement budget, our mandate and operational activities create distinct requirements as they relate to the procurement of goods and services. As such, to contextualize my statements today, I would like to provide the committee with a brief overview of CSIS' authorities and why special consideration is required to protect the integrity of our work.
Everything we do at CSIS is grounded in the CSIS Act, which clearly articulates our mandate and authorities. Pursuant to section 12, CSIS is authorized to collect information, to the extent that is strictly necessary, on activities suspected of being threats to the security of Canada. These threats are explicitly defined in section 2 of the act, and are limited to terrorism, espionage, sabotage, and foreign interference.
CSIS collects information to detect, assess, and respond to threats to the security of Canada. A core function of our mandate is to report to and advise government on matters of national security. In principle, competitive and transparent government procurement practices are a healthy component of a democratic society. However, given CSIS' duties and functions, members of the committee will understand that the goods and services we acquire to support our activities are sensitive in nature and, as a result, must be protected from becoming widely known.
The main reason CSIS applies national security exceptions to the majority of our procurement contracts is to limit the disclosure of information about our practices, transactions, and vendors. If the targets of our investigations knew details about the equipment we procure and our technological capabilities, they could defeat or counter our investigative efforts.
In addition, knowledge of CSIS' procurement needs, even of seemingly innocuous contracts, may enable hostile actors to better understand our existing capabilities and resources. This is due to the potential mosaic effect of aggregating publicly released information about our procurement requirements, costs, and practices. As such, protecting how CSIS purchases goods and services matters just as much as protecting what we procure. Revealing any link to CSIS in a public tender may reveal our operational techniques, jeopardize our operations, and endanger employee safety. It could also risk the reputation and safety of those entities that supply us with goods and services.
The ability to apply national security exceptions to CSIS' procurement permits us the flexibility to define the requirements for a particular contract or vendor in light of our operational considerations and awareness of the threat environment.
Given these considerations, CSIS actually procures the majority of its contracts in-house as a result of exceptional contracting authorities that have been granted to us by the Treasury Board. CSIS has operated using these exceptional authorities since 1987. Very few goods and services are procured through the regular government process managed by PSPC and SSC. There are, however, certain circumstances in which we would manage contracts through PSPC and SSC, such as when the purchase exceeds our contracting authorities. National security exceptions would apply to all these contracts because of CSIS involvement.
CSIS is excluded from SSC's email, data centre, and network mandate. A minimal proportion of CSIS' network services and IT-related infrastructure are procured through SSC. With regard to SSC's mandate for end-user IT, CSIS works very closely with SSC to process IT procurements in a manner that aligns with security requirements.
CSIS does not apply national security exceptions to avoid undertaking competitive methods of procurement. While I cannot enter into much detail, it is important to note that CSIS' associated exceptional procurement authorities are backed by a rigorous internal control framework and oversight.
We leverage government-wide best practices to ensure the appropriate management of government resources. Our procurement practices are also subject to internal audit and evaluation functions, as well as to external review by the Office of the Auditor General.
Ladies and gentlemen, the application of national security exceptions is one way of adapting government-wide standards to accommodate the realities of CSIS' work. These exceptions allow us to be more responsive and agile in acquiring what we need to better investigate threats to the security of Canada. Keeping Canadians safe is our foremost concern and responsibility.
And with that, Mr. Chair, I will conclude my remarks and welcome any questions committee members may have.
I would just like to add that this is my first time appearing in front of a committee in Canada, and it's truly an honour to be here with you today.
I should explain how the NSEs work.
I talked about the statistics regarding specific requests we've received over the past year, but I want to make sure that I'm clear for committee members. There are those requests that we receive from government departments as well as the omnibus ones, which you've heard described, that apply broadly.
When an NSE is granted, it applies to an entire project. For example, for Canadian surface combatants, which some of you have heard about, a national security exception has been invoked, and it will apply throughout the life of that project.
There are also blanket NSEs that apply for a certain duration of time. It's not that these exist forever; they are for the needs of a specific project. They simply ensure, as my colleagues were saying, integrity of the process and supply chain throughout, and you also avoid having to go back and ask every time you're issuing a contract.
It's very rare that the RCMP does invoke the NSE. I was mentioning the amount of procurement we've done. Through our system I tried to get the numbers for what we spent on NSE the last fiscal year, for example, but my system didn't track by NSE. It was a manual effort, so I don't want anybody to rely totally on this number, but in 2015 it was about $1.8 million and I think in 2016 it was $3 million. It was quite low relative to all our procurement.
I can honestly say that it's really the exception. Before an NSE gets requested, the deputy commissioner, for example, in charge of the IT sector or the federal policing that oversees organized crime and national security must provide a business case, a rationale, a justification, as to why in that case it is needed. For example, for the North American leaders' summit, there were some issues about buying some fences.
This is about making sure our vulnerabilities are not disclosed, are not out there, so that other people, citizens as well as our officers, remain well protected. With body armour, for example, sometimes we don't want everybody to know what it's made out of, what the components are, in order to not give the other people an advantage.
Thank you for the question.
In my view, the answer is no. As my colleagues have explained, the national security exception ensures the integrity of the supply chain and protects Canada's national interests. Furthermore, competition is very important to us. I think I should first explain one thing about it.
Before we acquire most of our procurements, we consult with Industry Canada to find out who the suppliers are, which ones can supply us and what their finances are. Our goal is to find out whether there is a wide range of suppliers who could help us meet our needs.
Afterwards, we try to find the best way for the procurement to occur. What is our procurement strategy? As I mentioned, in 97% of cases, the competition plays a role, despite the national security exception.
Good morning, everyone. I have a few questions.
My first question is for Mr. Breton.
I want to talk a bit about process, and I hope I have time to ask all of you this question. First of all, I think there's some confusion in our committee in terms of distinguishing between the NSEs and the sole-sourcing or non-competitive process. They're obviously not the same thing. There's some overlap, I suspect.
We were talking about invoking an NSE, and I want to get at the crux of it. How does that process work in your department? Who is making the decision? What test is applied to that request for an NSE? Obviously, “national security exception” is not readily defined in any legislation. What test does your department put on it before determining whether or not to invoke it?
Ms. Robertson, you're off the hook, so it was easy with me.
I understand why CSIS and RCMP would invoke NSE. You are security organizations, so I completely understand.
Ms. Campbell and Mr. Breton, help me understand. When sole-sourcing a contract, there are a few conditions. If they are under $25,000, you can do that. If nobody else in the business can claim that they're doing that, you can issue an advance contract award. Then, if it's deemed in the national interest, you can invoke the national security exemption, which allows you to sole-source, but it doesn't mean that you have to sole-source.
National security exceptions have nothing to do with competing or non-competing out. If there's anything we can achieve today, I really want to leave the committee with that. It's an important message that we all want to convey.
I'm looking now at the government contracting regulations. Our default is competition in Canada. We will always compete. There are certain exceptions, which are the needs of pressing emergency in which delay would be injurious to the public interest. This is a very high test. There's jurisprudence on this that cannot be abused.
Next is that the expenditure doesn't exceed $25,000, or $100,000 where it's for architectural engineering. There are certain different financial limits if it's Privy Council and the rest of it. The nature of the work is such that it wouldn't be in the public interest to solicit bids, so there are some where there's a lot of national security interest in play, and it has to be justified, or where there's only one person capable of performing a contract. You mentioned an advanced contract award notification, ACAN. We issue those often just to make sure there is no other person who can do it.
As I said, directed sourcing or sole-sourcing is rare for us. Our default is competition also when a national security exception is applied, so they are two distinct things. National security exceptions are applied, and we go ahead and compete, and I've given you many recent instances.
For NSEs, again, we do industry engagement, and a client department may start to form the opinion that, because of the nature of the procurement, because of what they're buying, because of concerns about national security, they may want to invoke a national security exception.
Our lawyers are involved. We have a group dedicated to reviewing these requests, to looking at precedents, and to making sure that this is in line with government policy. They look at the Treasury Board guidelines and they will challenge it all along the way. If they are satisfied that the request is valid, it will go all the way to the assistant deputy minister or equivalent in that organization who will then write to me and make the request, setting out all of the reasons for it and seeking my permission to invoke.
I will also then do my own challenge function and, if satisfied, I will invoke the NSE.
To answer your question about a request to sole-source, that is also challenged very vigorously. If a government department wishes to sole-source, they have to provide a rationale to us that is challenged very vigorously. In many instances, we will go back to industry and say that there are other business solutions out there, and this should be competed.
Certainly. The process begins with an initial sourcing strategy conversation between our business line, our internal client or even our external clients, the procurement officer, and other elements of our organization that are relevant stakeholders.
At that point in time, a needs assessment is done, including a landscape analysis of what the market offers, to determine whether there is a competitive marketplace, or whether it is a specific need that only one supplier could satisfy. As my colleagues mentioned, if it is one supplier, that is challenged internally quite vigorously. It is often in the public's best interest to have an open and competitive procurement. We have seen evidence of a very competitive marketplace from an IT and IT services standpoint.
Once that procurement strategy is established, the procurement then goes through an internal governance framework where it is reviewed. Quite often, our complex enterprise procurements are subject to the open collaborative procurement process, in which we begin with either a request for information, RFI, or an invitation to qualify.
Then, as mentioned previously, we work with those pre-qualified bidders to establish the RFP, and then publish it.