When you're bidding on contracts involving sensitive technology, classified information, or national security interests, you'll need to open up your supply chain for scrutiny. This evaluation process examines where your components come from, who your subcontractors are, and whether any of these relationships could pose security threats to Canadian government operations. It's not optional—and it can determine whether your bid moves forward.
How It Works
The process starts before any contract is awarded. Project authorities complete a Security Requirements Checklist (TBS/SCT 350-103) at the beginning of the procurement process, as outlined in the Contract Security Manual. The checklist identifies what security measures your contract needs. Here's the thing: there's no specific monetary threshold that triggers this assessment. Any procurement with potential security implications can require it, whether you're bidding on a $50,000 contract or a multi-million-dollar project.
For technology procurements specifically, the requirements get more detailed. Under the Technology Supply Chain Guidelines (TSCG-01), you must submit a threat and risk assessment to the Contracting Authority and the Chief Information Security Division within a specified number of days after contract award. This assessment must cover your supply chain risks—meaning you need to document your suppliers, their locations, and any potential vulnerabilities. The Canadian Centre for Cyber Security has published specific guidance (ITSAP.10.070) showing how these assessments feed into the broader ITSG-33 security control framework.
In practice, you're answering three core questions: What are the security risks in what you're providing? Who in your supply chain might pose a risk? And how will you address those risks? As guidance from Innovation, Science and Economic Development makes clear, you need to assess vendor reliability, review third-party assessments, and demonstrate your risk mitigation strategies. Your assessment should consider everything from the country of origin for critical components to the security practices of your tier-two and tier-three suppliers.
Key Considerations
- Documentation requirements extend deep into your supply chain. You can't just list your direct suppliers. Depending on the sensitivity level, you may need to trace components and services several tiers down, including international sources that might raise flags.
- PSPC can inspect your facilities at any time. Once you're awarded a contract with security requirements, you've agreed to allow security inspections without advance notice. This applies to your premises and potentially your subcontractors' locations as well.
- The Government of Canada Supply Manual doesn't contain a dedicated section on supply chain security assessments. Instead, these requirements are spread across the security requirements for contracting and appear in various policy instruments, such as the Contract Security Manual (updated August 13, 2020) and agency-specific guidelines.
- Changes to your supply chain during contract performance require disclosure. You can't simply switch suppliers mid-contract if doing so introduces new security considerations. Any material changes need to be reported and potentially reassessed.
Related Terms
Controlled Goods Program, Security Requirements for Contracting, Threat and Risk Assessment
Sources
- Contract Security Manual - Security Requirements Checklist
- Technology Supply Chain Guidelines (TSCG-01)
- Supply Chain Security – Assessing Your Risk Profile (ISED)
Start mapping your supply chain now, before you bid. The assessment process takes time, and discovering a problematic supplier after you've submitted your proposal creates complications you don't want.