HTML version of the form: Security Requirements Check List (SRCL)

Part A - Contract Information

Part B - Personnel (Supplier)

Part C - Safeguards (Supplier)

Information / Assets

Production

Information Technology (IT) Media

For users completing the form manually use the summary chart below to indicate the category(ies) and level(s) of safeguarding required at the supplier’s site(s) or premises.

For users completing the form online (via the Internet), the summary chart is automatically populated by your responses to previous questions.

Summary Chart
Category PROTECTED CLASSIFIED NATO COMSEC
A B C CONFIDENTIAL SECRET TOP SECRET NATO RESTRICTED NATO CONFIDENTIAL NATO SECRET COSMIC TOP SECRET PROTECTED CONFIDENTIAL SECRET TOP SECRET
A B C
Information / Assets                                
Production                                
IT Media                                
IT Link                                

Part D - Authorization

Instructions for completion of a Security Requirements Check List (SRCL)

The instruction sheet should remain attached until Block #17 has been completed.

General - Processing this Form

The project authority shall arrange to complete this form.

The organization security officer shall review and approve the security requirements identified in the form, in cooperation with the project authority.

The contracting security authority is the organization responsible for ensuring that the suppliers are compliant with the security requirements identified in the SRCL.

All requisitions and subsequent tender / contractual documents including subcontracts that contain PROTECTED and/or CLASSIFIED requirements must be accompanied by a completed SRCL.

It is important to identify the level of PROTECTED information or assets as Level “A,” “B” or “C,” when applicable; however, certain types of information may only be identified as “PROTECTED”. No information pertaining to a PROTECTED and/or CLASSIFIED government contract may be released by suppliers, without prior written approval of the individual identified in Block 17 of this form.

The classification assigned to a particular stage in the contractual process does not mean that everything applicable to that stage is to be given the same classification. Every item shall be PROTECTED and/or CLASSIFIED according to its own content. If a supplier is in doubt as to the actual level to be assigned, they should consult with the individual identified in Block 17 of this form.

Part A - Contract Information

Contract Number (top of the form)

This number must be the same as that found on the requisition and should be the one used when issuing an RFP or contract. This is a unique number (i.e. no two requirements will have the same number). A new SRCL must be used for each new requirement or requisition (e.g. new contract number, new SRCL, new signatures).

  1. Originating Government Department or Organization

    Enter the department or client organization name or the prime contractor name for which the work is being performed.

  2. Directorate / Branch

    This block is used to further identify the area within the department or organization for which the work will be conducted.

  3.  
    1. Subcontract Number

      If applicable, this number corresponds to the number generated by the Prime Contractor to manage the work with its subcontractor.

    2. Name and Address of Subcontractor

      Indicate the full name and address of the Subcontractor if applicable.

  4. Brief Description of Work

    Provide a brief explanation of the nature of the requirement or work to be performed.

  5.  
    1. Will the supplier require access to Controlled Goods?

      The Defence Production Act (DPA) defines “Controlled Goods” as certain goods listed in the Export Control List, a regulation made pursuant to the Export and Import Permits Act (EIPA). Suppliers who examine, possess, or transfer Controlled Goods within Canada must register in the Controlled Goods Directorate or be exempt from registration. More information may be found at www.cgd.gc.ca.

    2. Will the supplier require access to unclassified military technical data subject to the provisions of the Technical Data Control Regulations?

      The prime contractor and any subcontractors must be certified under the U.S./Canada Joint Certification Program if the work involves access to unclassified military data subject to the provisions of the Technical Data Control Regulations. More information may be found at www.dlis.dla.mil/jcp.

  6. Indicate the type of access required

    Identify the nature of the work to be performed for this requirement. The user is to select one of the following types:

    1. Will the supplier and its employees require access to PROTECTED and/or CLASSIFIED information or assets?

      The supplier would select this option if they require access to PROTECTED and/or CLASSIFIED information or assets to perform the duties of the requirement.

    2. Will the supplier and its employees (e.g. cleaners, maintenance personnel) require access to restricted access areas? No access to PROTECTED and/or CLASSIFIED information or assets is permitted.

      The supplier would select this option if they require regular access to government premises or a secure work site only. The supplier will not have access to PROTECTED and/or CLASSIFIED information or assets under this option.

    3. Is this a commercial courier or delivery requirement with no overnight storage?

      The supplier would select this option if there is a commercial courier or delivery requirement. The supplier will not be allowed to keep a package overnight. The package must be returned if it cannot be delivered.

  7. Type of information / Release restrictions / Level of information

    Identify the type(s) of information that the supplier may require access to, list any possible release restrictions, and if applicable, provide the level(s) of the information. The user can make multiple selections based on the nature of the work to be performed.

    Departments must process SRCLs through PWGSC where:

    • contracts that afford access to PROTECTED and/or CLASSIFIED foreign government information and assets;
    • contracts that afford foreign contractors access to PROTECTED and/or CLASSIFIED Canadian government information and assets; or
    • contracts that afford foreign or Canadian contractors access to PROTECTED and/or CLASSIFIED information and assets as defined in the documents entitled Identifying INFOSEC and INFOSEC Release.
    1. Indicate the type of information that the supplier will be required to access

      Canadian government information and/or assets

      If Canadian information and/or assets are identified, the supplier will have access to PROTECTED and/or CLASSIFIED information and/or assets that are owned by the Canadian government.

      NATO information and/or assets

      If NATO information and/or assets are identified, this indicates that as part of this requirement, the supplier will have access to PROTECTED and/or CLASSIFIED information and/or assets that are owned by NATO governments. NATO information and/or assets are developed and/or owned by NATO countries and are not to be divulged to any country that is not a NATO member nation. Persons dealing with NATO information and/or assets must hold a NATO security clearance and have the required need-to-know.

      Requirements involving CLASSIFIED NATO information must be awarded by PWGSC. PWGSC / CIISD is the Designated Security Authority for industrial security matters in Canada.

      Foreign government information and/or assets

      If foreign information and/or assets are identified, this requirement will allow access to information and/or assets owned by a country other than Canada.

    2. Release restrictions

      If Not Releasable is selected, this indicates that the information and/or assets are for Canadian Eyes Only (CEO). Only Canadian suppliers based in Canada can bid on this type of requirement. NOTE: If Canadian information and/or assets coexists with CEO information and/or assets, the CEO information and/or assets must be stamped Canadian Eyes Only (CEO).

      If No Release Restrictions is selected, this indicates that access to the information and/or assets are not subject to any restrictions.

      If ALL NATO countries is selected, bidders for this requirement must be from NATO member countries only.

      NOTE: There may be multiple release restrictions associated with a requirement depending on the nature of the work to be performed. In these instances, a security guide should be added to the SRCL clarifying these restrictions. The security guide is normally generated by the organization’s project authority and/or security authority.

    3. Level of information

      Using the following chart, indicate the appropriate level of access to information/assets the supplier must have to perform the duties of the requirement.

      PROTECTED CLASSIFIED NATO
      • PROTECTED A
      • PROTECTED B
      • PROTECTED C
      • CONFIDENTIAL
      • SECRET
      • TOP SECRET
      • TOP SECRET (SIGINT)
      • NATO UNCLASSIFIED
      • NATO RESTRICTED
      • NATO CONFIDENTIAL
      • NATO SECRET
      • COSMIC TOP SECRET
  8. Will the supplier require access to PROTECTED and/or CLASSIFIED COMSEC information or assets?

    If Yes, the supplier personnel requiring access to COMSEC information or assets must receive a COMSEC briefing. The briefing will be given to the "holder" of the COMSEC information or assets. In the case of a "personnel assigned" type of contract, the customer department will give the briefing. When the supplier is required to receive and store COMSEC information or assets on the supplier’s premises, the supplier’s COMSEC Custodian will give the COMSEC briefings to the employees requiring access to COMSEC information or assets. If Yes, the Level of sensitivity must be indicated.

  9. Will the supplier require access to extremely sensitive INFOSEC information or assets?

    If Yes, the supplier must provide the Short Title of the material and the Document Number. Access to extremely sensitive INFOSEC information or assets will require that the supplier undergo a Foreign Ownership Control or Influence (FOCI) evaluation by CIISD.

Part B - Personnel (Supplier)

10. a) Personnel security screening level required

Identify the screening level required for access to the information/assets or client facility. More than one level may be identified depending on the nature of the work. Please note that Site Access screenings are granted for access to specific sites under prior arrangement with the Treasury Board of Canada Secretariat. A Site Access screening only applies to individuals, and it is not linked to any other screeninglevel that may be granted to individuals or organizations.

If multiple levels of screening are identified, a Security Classification Guide must be provided.

b) May unscreened personnel be used for portions of the work?

Indicating Yes means that portions of the work are not PROTECTED and/or CLASSIFIED and may be performed outside a secure environment by unscreened personnel. The following question must be answered if unscreened personnel will be used:

Will unscreened personnel be escorted?

If No, unscreened personnel may not be allowed access to sensitive work sites and must not have access to PROTECTED and/or CLASSIFIED information and/or assets.

If Yes, unscreened personnel must be escorted by an individual who is cleared to the required level of security in order to ensure there will be no access to PROTECTED and/or CLASSIFIED information and/or assets at the work site.

Part C - Safeguards (Supplier)

11. Information / Assets

a) Will the supplier be required to receive and store PROTECTED and/or CLASSIFIED information and/or assets on its site or premises?

If Yes, specify the security level of the documents and/or equipment that the supplier will be required to safeguard at their own site or premises using the summary chart.

b) Will the supplier be required to safeguard COMSEC information or assets?

If Yes, specify the security level of COMSEC information or assets that the supplier will be required to safeguard at their own site or premises using the summary chart.

Production

c) Will the production (manufacture, repair and/or modification) of PROTECTED and/or CLASSIFIED material and/or equipment occur at the supplier’s site or premises?

Using the summary chart, specify the security level of material and/or equipment that the supplier manufactured, repaired and/or modified and will be required to safeguard at their own site or premises.

Information Technology (IT)

d) Will the supplier be required to use its IT systems to electronically process and/or produce or store PROTECTED and/or CLASSIFIED information and/or data?

If Yes, specify the security level in the summary chart. This block details the information and/or data that will be electronically processed or produced and stored on a computer system. The client department and/or organization will be required to specify the IT security requirements for this procurement in a separate technical document. The supplier must also direct their attention to the following document: Treasury Board of Canada Secretariat - Operational Security Standard: Management of Information Technology Security (MITS).

e) Will there be an electronic link between the supplier’s IT systems and the government department or agency?

If Yes, the supplier must have their IT system(s) approved. The Client Department must also provide the Connectivity Criteria detailing the conditions and the level of access for the electronic link (usually not higher than PROTECTED B level).

Summary Chart

For users completing the form manually use the summary chart below to indicate the category(ies) and level(s) of safeguarding required at the supplier’s site(s) or premises.

For users completing the form online (via the Internet), the Summary Chart is automatically populated by your responses to previous questions.

PROTECTED CLASSIFIED NATO
  • PROTECTED A
  • PROTECTED B
  • PROTECTED C
  • CONFIDENTIAL
  • SECRET
  • TOP SECRET
  • TOP SECRET (SIGINT)
  • NATO UNCLASSIFIED
  • NATO RESTRICTED
  • NATO CONFIDENTIAL
  • NATO SECRET
  • COSMIC TOP SECRET

12. a) Is the description of the work contained within this SRCL PROTECTED and/or CLASSIFIED?

If Yes, classify this form by annotating the top and bottom in the area entitled “Security Classification”.

b) Will the documentation attached to this SRCL be PROTECTED and/or CLASSIFIED?

If Yes, classify this form by annotating the top and bottom in the area entitled “Security Classification” and indicate with attachments (e.g. SECRET with Attachments).

Part D - Authorization

13. Organization Project Authority

This block is to be completed and signed by the appropriate project authority within the client department or organization (e.g. the person responsible for this project or the person who has knowledge of the requirement at the client department or organization). This person may on occasion be contacted to clarify information on the form.

14. Organization Security Authority

This block is to be signed by the Departmental Security Officer (DSO) (or delegate) of the department identified in Block 1, or the security official of the prime contractor.

15. Are there additional instructions (e.g. Security Guide, Security Classification Guide) attached?

A Security Guide or Security Classification Guide is used in conjunction with the SRCL to identify additional security requirements which do not appear in the SRCL, and/or to offer clarification to specific areas of the SRCL.

16. Procurement Officer

This block is to be signed by the procurement officer acting as the contract or subcontract manager.

17. Contracting Security Authority

This block is to be signed by the Contract Security Official. Where PWGSC is the Contract Security Authority, Canadian and International Industrial Security Directorate (CIISD) will complete this block.

Security Classification:

TBS 350-103(2004/12)

Date modified: