Cyber Protection Supply Arrangement CPSA

1
Cyber Protection Supply Arrangement (CPSA)
The Armed Forces Communications and Electronics
Association

• Stéphanie Dion
• Communications Security Establishment
• October 2, 2007

2
Summary

• Background
• What is the CPSA?
• Objective of CPSA
• The Work Streams
• Challenges
• CPSA refresh
• Upcoming Changes in Programs
• Annexes Supply arrangement holder lists

3
Background

• 2002- Government Security Policy (GSP)
• 2002- OAG report stated IT Security in the GOC
  was deplorable
• 2004 - Management of IT Security Standard (MITSS)
• 2004 - CPSA project initiated
• 2005- OAG Status Report stated TBS had not done
  enough to address concerns
• 2005- PAC recommendations to strengthen GOC IT
  Security posture
• 2006 - CPSA is issued
• 2007 - Aboriginal Set-Aside Supply Arrangement is
  issued

4
What is CPSA?

• CPSA Cyber Protection Supply Arrangement

• Procurement vehicle for pre-qualified Information
  Technology (IT) Security Services
• Available on demand
• Spans ten year period (3 years 7x1 year
  options)
• Lists multiple suppliers and
• Offers multiple security levels.

5
Objective of CPSA
A vehicle for helping GC departments to achieve
their IT Security goals
Advantages

• Pre-qualified companies
• Pre-qualified individuals
• Potential for information sharing
• Technical audits
• Streamlined competition process for RFPs and
• Addresses gaps in GC capacity or competencies

6
The CPSA Work Streams

• WS 1 IT Security Management Consulting Services
• WS 2 Comprehensive IT Security Risk Management
  Services
• WS 3 Skilled IT Security Services
• WS 4 Emission Security (EMSEC) Services
• ASA Skilled IT Security Services(separate
  Supply Arrangement)

7
Work Stream 1
IT Security Management Consulting Services
Firms able to provide GC with strategic
consulting in support of their IT security
business goals, including access to global
experience in IT security.
Goals

• Visioning
• Strategic assessment
• Strategic planning
• Feasibility studies
• Technology assessment
• RD strategy

• Assistance in technology selection
• Architecture vision-strategy-design and
• ITS program and service design

Typical activities
8
Work Stream 2
Comprehensive IT Security Risk Mgmt Services
Firms capable of providing Senior resources in
the four services listed below. They offer
sufficient experience and organizational capacity
in terms of team, methodology, and consistency.
Goals

• On-Site Technical Vulnerability Assessment
  (OTVA),
• Threat and Risk Assessment (TRA),
• Certification and Accreditation (CA),
• Business Continuity Planning (BCP) and Disaster
  Recovery Planning (DRP)

Typical activities
9
Work Stream 3 ASA
Skilled IT Security Services

• Firms and individuals competent to provide
  specialized services
• Focus more on resource experience than company
  capability.

Goals
See next page
Typical activities
10
Work Stream 3 ASA
Skilled IT Security Services
Individuals are qualified at the Senior,
Intermediate and Junior levels. The range of
skill groups includes
11
Work Stream 4
Emission Security Services from CITP approved
companies
To assist departments with emission security
solutions and secure Installation of Classified
Networks (Crypto and TEMPEST equipment).
Goals

• EMSEC services
• COMSEC services
• TEMPEST and engineering support services
• TEMPEST Test services performed by CTP I or CTP
  II at GCs or suppliers facilities.

Typical activities
12
Challenges

• Timeframe for the issue of contracts
• Selection criteria
• Qualified resources
• Security clearances
• Availability of government resources
• Flexibility of CPSA
• No products available

13
WS4 Challenges

• Requirement of raw materials
• PWGSC to handle these specific requirements on
  individual contracts under CITP guidelines
• Limited pool of expertise
• Encourage mentorship program to foster the
  development of new resources
• Issuance of contracts
• Assist dept in clearly defining requirements and
  submitting complete and concise documentation

14
CPSA Refresh

• Timeframe Every 2 years (Trade agreements)
• Benefits of a CPSA refresh
• Modification of the suppliers list.
• Modify, when requested, the standard terms and
  conditions of all Supply Arrangements (SA).
• Improve the CPSA in order to meet new policy
  direction.
• Improve processes to address short falls.

The first refresh is planned for 2008
15
Upcoming Changes in Programs

• Canadian Industrial TEMPEST Program, update on
  guidance documents
• ITSG-03 Disposal of TEMPEST equipment
• ITSG-11 COMSEC Installation Planning-TEMPEST
  Guidance and Criteria
• ITSG-12 Government of Canada, Facility Evaluation
  Procedures
• Modifications of CPSA
• WS4 will be adjusted to reflect these new
  requirements

16
Documentation on CSEs web site

• Familiarization session presentation
• The Business manager guide
• The procurement manager guide
• The skill groups definition and templates
• SRCLS
• SOW templates
• Scorecard

http//www.cse-cst.gc.ca/cpsa/
17
CPSA Technical Advisor
You can contact the technical advisor at
cpsa_at_cse-cst.gc.ca
www.cse-cst.gc.ca/cpsa
Tel 613-998-5755 Fax 613-991-7902
18
Supply Arrangement Authority
To be announced TPSGC / PWGSC 11 Laurier St.
Gatineau, Québec, K1A 0S5 819-956-2137 NCR.ACQB
CPSA_at_pwgsc.gc.ca
19
Conclusion
Questions?
20
Annex SA Holder list
Work stream 1

• Bell Canada and Bell Security Solutions Inc. - in
  joint venture
• CGI Information Systems and Management
  Consultants Inc.
• Computer Sciences Canada Inc.
• Deloitte Touche LLP and Electronic Warfare
  Associates-Canada Ltd. - in joint venture

Work stream 2

• AEPOS Technologies Corp.
• Bell Canada and Bell Security Solutions Inc. - in
  joint venture
• CGI Information Systems and Management
  Consultants Inc.
• Cistel Technology Inc.
• Computer Sciences Canada Inc.
• CYGNOS Corporation
• Deloitte Touche LLP and Electronic Warfare
  Associates-Canada Ltd. - in joint venture
• Elytra Enterprises Inc. and IBISKA Telecom Inc. -
  in joint venture
• IBM Canada Ltd
• IT/Net Ottawa Inc.
• Raven Security
• TRM Technologies Inc.

21
Annex SA Holder list
Work stream 3

• 2Keys Corporation
• AEPOS Technologies Corp.
• MTS Allstream Inc. and Excel Information
  Technology Resources, a division of Excel Human
  Resources Inc. - in joint venture
• Bell Canada and Bell Security Solutions Inc. - in
  joint venture
• CGI Information Systems and Management
  Consultants Inc.
• CNC Global Limited, Titus International Inc. and
  Valcom Consulting Group Inc. - in joint venture
• Computer Sciences Canada Inc.
• CSI Consulting Inc., Foxwise Technologies Inc.,
  DWP Solutions Inc., and Innovision Consulting
  Inc. - in joint venture
• CYGNOS Corporation
• Deloitte Touche LLP and Electronic Warfare
  Associates-Canada Ltd. - in joint venture
• Entrust Limited

22
Annex SA Holder list
Work stream 3

• General Dynamics Canada Ltd.
• Elytra Enterprises Inc. and IBISKA Telecom Inc. -
  in joint venture
• IBM Canada Ltd
• IPSS Inc.
• IT/Net Ottawa Inc.
• Raven Security
• Systematix IT Solutions, Komokoa Corporation, and
  I.M.C.B.S Corporation - in joint venture
• TPG Technology Consulting Ltd, Amita Corporation,
  DWP Solutions Inc., Komokoa Corporation,
  NortakSoftware Limited, Spearhead Management
  Canada Limited, The Devon Group Ltd, and Veritaaq
  Technology House Inc. - in joint venture.
• TRM Technologies Inc.

23
Annex SA Holder list
Work stream 4

• AEPOS Technologies Corp.
• EMCON Emanation Control Ltd.
• General Dynamics Canada Ltd.

ASA

• Dalian - JV
• Donna Conna - JV
• Foxwise - JV
• Innusec - JV
• IPSS inc
• Nighthawk - JV
• Raven Security
• Team Turtletech - JV
• Transpolar - JV