Common Centralized Professional Services: Security Requirement Checklists (SRCLs)
The Common Centralized Professional Services Security Requirement Checklists (SRCLs) represent a standardized national approach for professional services procurement in Canada. These checklists, developed by the Industrial Security Program (ISP), provide consistent security guidance across various methods of supply (MoS). This document addresses frequently asked questions such as "What are Security Requirement Checklists (SRCLs) in government contracting?" and "How do SRCLs streamline the procurement process?"
Overview of the Security Requirement Checklists (SRCLs)
Why Are SRCLs Important?
Security Requirement Checklists ensure:
Proper handling of protected and classified information.
Compliance with national security policies.
Streamlined and consistent security practices for professional services procurement.
What Do SRCLs Cover?
The SRCLs outline security requirements related to:
Supplier and personnel security screening.
Access to protected/classified information or assets.
Document safeguarding and IT system security.
Key Notification for SRCL Usage:
Contractual documentation (e.g., call-ups, contracts, standing offers) containing security requirements must be submitted to the Public Services and Procurement Canada (PSPC) Contract Security Program (CSP) at tpsgc.ssicontrats-isscontracts.pwgsc@tpsgc-pwgsc.gc.ca.
What Are the 39 Common SRCLs?
The 39 common SRCLs provide predefined security scenarios to support contracting authorities. These SRCLs reduce the need for customized checklists by offering standardized templates for common security requirements. Note that SRCLs for Protected C information have been temporarily removed and require enhanced reliability status.
Example SRCLs:
Common SRCL #1: Reliability Screening
Supplier/Personnel Access: Restricted areas.
Controlled Goods Access: No.
Document Safeguarding: Not required.
Common SRCL #9: Protected B Information
Access Level: Protected information up to Protected B.
Additional Requirements: Supplier to receive and store information; use IT systems to process data.
Document Safeguarding: Protected B.
Common SRCL #25: Secret-Level Security
Access Level: Classified information up to Secret.
Additional Requirements: Unclassified military technical data (TDCR) access.
Document Safeguarding: Secret.
For a complete list of the 39 SRCLs and their summaries, visit the PSPC Contract Security Program website or consult the SRCL directory.
Instructions for SRCL Compliance
Key Steps for Contracting Authorities:
Verify Supplier Security Clearance: Ensure the vendor holds the appropriate level of facility security clearance and document safeguarding capability.
Initiate Private Sector Organization Screening (PSOS): For unscreened contractors, submit a request to the Industrial Security Sector (ISS).
Submit Documentation: Provide contractual documents containing security requirements to CSP for processing.
Email Submission: tpsgc.ssicontrats-isscontracts.pwgsc@tpsgc-pwgsc.gc.ca.
Hard Copy Submission: Mail contracts to: Public Services and Procurement Canada Contract Division 2745 Iris Street Gatineau, QC K1A 0S5
Considerations for IT Security Requirements:
Suppliers must not process IT systems electronically on their site without prior approval from ISS. IT inspections will commence only after contract award.
For Contracts Involving Foreign Suppliers:
Contact ISS for appropriate international security clauses. Protected/classified information or assets for foreign suppliers must be transmitted via government-to-government channels.
SRCL Use for Professional Services Procurement
How to Select the Right SRCL:
Contracting officers can refer to the SRCL summaries to determine the appropriate checklist based on:
Level of personnel and facility security clearance.
Type of information or asset access required.
Need for document safeguarding or IT system processing.
Professional Services Methods of Supply:
The SRCLs support the following MoS:
Task-Based Informatics Professional Services (TBIPS).
Solutions-Based Informatics Professional Services (SBIPS).
ProServices.
Task and Solutions Professional Services (TSPS).
Frequently Asked Questions (FAQs)
What Should Be Done for Contracts Involving IT Security?
Suppliers must wait for ISS approval before processing IT systems electronically. IT inspections begin only after contract award and receipt of relevant documentation.
What Happens If a Supplier Lacks Security Clearance?
If a contractor or subcontractor is not screened, the contracting authority must initiate a PSOS request through ISS.
Can SRCLs Be Used for Protected C Information?
No. Common SRCLs cannot be used for Protected C information. Enhanced reliability status is required, which is approved by ISS on a case-by-case basis.
Conclusion
The Common Centralized Professional Services SRCLs are vital tools for ensuring consistent security compliance in government procurement. By following the standardized guidelines, contracting authorities and suppliers can safeguard sensitive information and assets while adhering to Canada’s national security policies. For more information or support with SRCL compliance, contact the PSPC Contract Security Program at tpsgc.ssicontrats-isscontracts.pwgsc@tpsgc-pwgsc.gc.ca.