The Canadian federal government purchases a large amount of diverse software for its operations and public programs. In 2023 the government published data indicating a total of $15.6B was spent on science and technology, including software, while the School of Public Policy and Administration at Carleton University reports that $4.6B of this was spent on IT contracts. Given the amount, the government should be on any mature software vendor's list of ideal customers.
However, in order to sell software (or other digital products or services) to the Canadian government, vendors must follow the applicable federal procurement processes and comply with national information security standards and guidelines. The primary goals of these standards are to protect the confidentiality of sensitive information belonging to both the Canadian government and private citizens, safeguard critical infrastructure, keep public sector programs operational, and achieve good value for the Canadian taxpayer. A further goal is a level playing field on which all vendors can compete for government tenders.
While Canada has its own regulatory frameworks, it also aligns with broader international standards to ensure that entities selling to the government operate in line with core IT security best practices and are protected against current cyber threats. Government entities, and the third-party companies that contract with them, are high-value targets for nation-state threat actors, hacktivists, and other advanced persistent threat (APT) groups.
Here are some key areas that prospective software vendors should be familiar with when seeking to participate in Canadian government procurement programs:
Canadian government procurement is governed by several laws and regulations that control the process at the highest level. These include:
The Financial Administration Act (FAA): At the highest level the FAA guides federal procurement practices, ensuring compliance with financial regulations and promoting sound stewardship of government contracts.
Government Contracts Regulations (GCRs): GCRs (SOR/87-402) set out the rules for federal procurement and contracting in Canada and dictate that contracts must be awarded through a competitive process whenever possible to ensure fairness and best value. They also define the limited circumstances in which non-competitive (sole-source) contracts can be used, such as in cases of emergencies or when only one supplier can meet the requirements.
Supply Manual and Standard Acquisition Clauses and Conditions (SACC) Manual: The Supply Manual sets out the procurement policies, procedures, and processes that Public Services and Procurement Canada (PSPC) follows to conduct procurement in compliance with Canadian regulations. The SACC Manual contains the standard clauses and conditions that PSPC incorporates into its solicitations and contracts.
Contracting Policy issued by the Treasury Board of Canada: The Contracting Policy issued by the Treasury Board of Canada (2021-3) provides a framework to guide federal departments and agencies in carrying out procurement. This policy emphasizes the need for transparency, competition, and best value in government contracts.
When it comes to selling IT software, hardware, or services to the Canadian government, here are the most relevant departments that play a role in setting standards and managing procurement activities:
Public Services and Procurement Canada (PSPC) is the department responsible for managing the procurement of goods and services that are critical to the government's operations. It manages acquisitions and sets the general standards that vendors must meet to demonstrate that their products are secure and reliable. PSPC recently launched CanadaBuys, which includes getting-started guidance for both sellers and the government departments that purchase goods and services.
CanadaBuys also lists the policies, guidelines, and laws relevant to those selling products and services to the Canadian government, and gives an overview of the procurement process, including how to plan for, bid on, and manage contracts.
The procurement process involves several steps and methods to ensure transparency, competition, and fairness in government purchasing. The process can be divided into two main types: competitive and non-competitive procurement. Here is a brief explanation of both as well as the Advance Contract Award Notice (ACAN).
Competitive Procurement Process: This is the primary method used to obtain the best value for Canadians while promoting access, competition, and fairness, and it benefits small and medium enterprises (SMEs). For goods and services valued over $25,000, and construction contracts over $40,000, procurement opportunities are posted on the Government Electronic Tendering Service (GETS). Many of these opportunities take the form of standing offers and supply arrangements: non-binding agreements that enable the government to procure goods and services on an as-needed basis from pre-qualified suppliers.
Non-Competitive Procurement Process: Also known as sole-sourcing, this method is only used under specific circumstances, such as emergencies, when the contract value is below a certain threshold, or when only one supplier is capable of performing the work (e.g., due to exclusive intellectual property rights).
Advance Contract Award Notice (ACAN): An ACAN is a notice published when the government intends to award a contract to a specific supplier, providing other suppliers an opportunity to submit their statement of capabilities. If no other suppliers can meet the requirements, the contract is awarded to the initially chosen supplier.
Shared Services Canada (SSC) is responsible for procuring IT services across federal government departments and supports government-wide programs and digital services for the Canadian public sector.
Its mandate covers critical IT infrastructure (such as telecommunications and data centres), cybersecurity, cloud services, accessibility, accommodation and adaptive computer technology (AAACT), human resources management and pay systems, digital collaboration, AI, and email.
Enterprise IT Procurement (EITP): SSC Enterprise IT Procurement (EITP) centralizes contract administration and the acquisition of IT goods and services, ensuring best value, quality, and timely delivery. EITP emphasizes procurement governance, strong oversight, and negotiation strategies for large contracts, along with volume discounts. It also incorporates agile procurement contracts with prequalified vendors.
Agile Procurement: SSC simplifies procurement through its Agile Procurement Process 3.0 (APP 3.0), focusing on outcomes-based methods and agile project management to streamline and increase vendor participation. The ScaleUp initiative, launched in 2021, further simplifies bidding processes for micro and small businesses, especially those led by women, visible minorities, people with disabilities, and Indigenous Canadians.
Green Procurement: SSC contributes to the Greening Government Strategy by purchasing IT products that meet sustainability certifications. From 2014 to 2020, these industry-certified products helped reduce energy consumption, leading to significant cost savings, reduced electricity usage, and lower greenhouse gas emissions, comparable to removing thousands of cars from the road for a year.
The Communications Security Establishment (CSE) plays a central role in securing federal government systems and in collecting and managing foreign signals and cyber intelligence. The CSE is authorized to conduct both defensive and active (offensive) cyber operations to help protect Canada and Canadians. Selling IT products and services to the CSE requires meeting the most stringent standards and adhering to the CSE's guidelines, including, where applicable, Common Criteria certification.
A Common Criteria evaluation is conducted by an accredited IT security evaluation facility according to the Common Methodology for Information Technology Security Evaluation (CEM). Each certified product is accompanied by a Certification Report, which details the evaluation and the use cases for which the product was assessed, and a Security Target, which defines the security functionality that was actually evaluated. Vendors should note that a certificate applies only to the evaluated configuration and version described in the Security Target. Canada is a signatory to the Arrangement on the Recognition of Common Criteria Certificates (CCRA), which enables mutual recognition of certificates issued by other member countries.
The Canadian Centre for Cyber Security (the Cyber Centre), part of the CSE, contributes to the cyber security ecosystem by releasing some of its cyber defence tools and by maintaining a list of certified products verified as meeting its standards. The Cyber Centre also publishes cybersecurity guidance and standards that vendors should follow when offering products to government agencies.
Vendors should ensure their products align with the Cyber Centre's recommendations for mitigating evolving threats such as ransomware, malware, and phishing, as well as its Top 10 IT Security Actions for government systems, which cover areas such as endpoint security, patch management, and encryption.
Cybersecurity vendors selling to the Canadian government must also comply with general government procurement policies, including:
Directive on the Management of Procurement: This directive ensures that all types of products procured by the Canadian government are effective and good value. The expected outcomes include managing procurement to meet operational goals and align with socio-economic and environmental objectives, using risk management and life-cycle cost assessments, ensuring strong governance and oversight, promoting collaboration, developing workforce capacity, and maintaining fairness, openness, and transparency in procurement actions.
Security Requirements Check List (SRCL): An SRCL is attached to solicitations and contracts that involve sensitive information or assets. It specifies the security requirements a supplier must meet, such as personnel security screening levels, safeguarding of protected or classified information, and any IT security requirements. Vendors should review the SRCL in a bid package early and confirm that their organization holds, or can obtain, the required clearances through PSPC's Contract Security Program before bidding.
Canada has launched the Canadian Program for Cyber Security Certification (CPCSC), based on a National Standard of Canada, which is expected to introduce mandatory certification requirements in select federal defence contracts as early as winter 2024.
The program certifies that suppliers meet a defined set of cybersecurity controls, and organizations certified under it are better positioned to sell to public sector organizations in Canada.
ITSG-33 (IT Security Risk Management: A Lifecycle Approach) is the key cybersecurity standard used by the Canadian government for assessing the security of information systems. It provides a structured approach to managing risk through a catalogue of security controls and pre-defined control profiles selected according to a system's confidentiality, integrity, and availability requirements (for example, the Protected B / Medium Integrity / Medium Availability profile commonly applied to cloud services).
Vendors should be able to map their product's security capabilities to the ITSG-33 control catalogue so that departments can show the required controls are implemented. This is particularly important for cloud-based products and any services that handle sensitive government data.
While Canada does not have a single overarching cybersecurity law, it has strict privacy legislation that cybersecurity products must comply with when handling personal information.
Privacy Act and PIPEDA (Personal Information Protection and Electronic Documents Act): Personal information held by federal institutions is governed by the Privacy Act, while PIPEDA governs how private sector organizations handle personal data. Vendors selling cybersecurity products to the Canadian government should ensure their products and organizational governance can support both regimes, particularly in areas such as encryption, access control, and breach notification.
Canada's National Cyber Security Strategy is designed to protect government systems and critical infrastructure from cyber threats. Cybersecurity products sold to the Canadian government must support the objectives of this strategy, which include:
Resilience: Products should help federal systems remain resilient against attacks.
Incident Response: Vendors must ensure their products support fast and effective incident response.
Data Protection: Products must incorporate strong data protection features such as encryption, access control, backups, and secure communications.
Many cybersecurity products sold to the Canadian government must adhere to national and international standards, ensuring consistency in security practices:
ISO/IEC 27001: As in other countries, Canada recognizes ISO/IEC 27001 certification as a key standard for information security management systems (ISMS). Vendors offering cybersecurity products to government departments are often required to hold or demonstrate alignment with ISO 27001.
FIPS 140-3: The Canadian government often requires FIPS 140-3 validated cryptographic modules for encryption-related products. Validation is issued through the Cryptographic Module Validation Program (CMVP), which is run jointly by NIST and the Cyber Centre. Vendors should note that a validation certificate applies to a specific module version and operational environment, so a product that embeds a validated module must actually use it in its approved mode.
National Institute of Standards and Technology (NIST) Standards: While Canada has its own cybersecurity frameworks, it often aligns with U.S. NIST guidelines, especially for cryptography, risk management, and security controls (the ITSG-33 control catalogue, for example, is derived from NIST SP 800-53). Many cybersecurity products intended for federal use in Canada must meet or exceed NIST standards.
Suppliers must adhere to the Integrity Provisions and the Ineligibility and Suspension Policy, which outline conditions that can render a supplier ineligible.
Suppliers must comply with the Lobbying Act, which regulates communications with public officials.
The PSPC Code of Conduct and Code of Conduct for Procurement address conflict of interest and ethics in procurement.
Anti-corruption laws, including sections of the Conflict of Interest Act, prohibit offering benefits to public officials for securing contracts.
Suppliers offering cloud-based services should be prepared to meet data residency and data sovereignty requirements in government contracts, following Cyber Centre cloud security guidance such as ITSP.50.105.
The Access to Information Act allows the public disclosure of some procurement information, except for sensitive commercial data.
The Policy on Service and Digital outlines how Government of Canada organizations manage service delivery, information technology, data, and cybersecurity, integrating key requirements such as privacy, accessibility, and official languages. It promotes a client-focused, enterprise-wide approach to governance and planning, supporting the government’s digital transition by adhering to best practices.
Selling software to the Canadian government involves navigating a complex procurement process governed by multiple laws, regulations, and standards. By adhering to the applicable regulations and guidelines, vendors can ensure their software products and services are eligible for procurement.
Meeting these standards both satisfies compliance requirements and increases a vendor's chance of securing contracts. Aligning with these regulations and best practices is essential for any company wishing to succeed in Canada's public sector market.