Integrating Security Considerations into Procurement of Research Goods and Services

Disclaimer: The following information and guidance have been provided for information purposes only and do not constitute legal advice. Readers should contact their own institutional legal services with respect to developing specific requirements to ensure they are compliant with any applicable legal, regulatory or other requirements including international trade agreements.

There are a variety of routes threat actors may take to acquire Canadian research and data. One such route is through the supply of goods and services. Threat actors, for example, may seek to offer extremely low-cost and/or gifted equipment, materials, and services in an effort to gain access to sensitive physical (i.e., facilities, people, materials) or digital assets (i.e., research data, intellectual property, IT systems).

The Government of Canada acknowledges that supply chains are a vector for the theft of, interference with, or unauthorized transfer of, knowledge or data. Threat actors may seek access to assets to gain the ability to deliberately disrupt critical systems, or gain control over supply chains to exert future control or direction over research activities. Protecting your supply chain security supports other elements of your overall security posture, such as cyber security and research security.

The inclusion of risky vendors in a supply chain could limit opportunities for partnerships with other international collaborators who may require your compliance with their own countries’ policies and regulations (e.g., export controls or sanctions). Beyond regulatory controls, including potentially risky vendors in a supply chain may lead to reputational damage. Considering the risk associated with a given vendor protects research and data as well as current and potential future international collaboration opportunities with other researchers globally. These pages include materials and guidance on procuring goods and services for your institution or research project, to help manage the risks related to the procurement of research goods and services.

This guidance was developed in consultation with the Canadian Centre for Cyber Security (CCCS). The CCCS has released a collection of threat bulletins related to supply chain security:

National security risks can develop at any point in a procurement lifecycle. Ideally, consideration of supply chain security will begin prior to the selection of a vendor or purchase of equipment or services and should be incorporated into the Request for Proposal (RFP). Security considerations should be included as a criterion that bidders must meet to be awarded the contract.

The following guidance has been developed in consultation with relevant departments and agencies across the Government of Canada and with academic institutions. It aids in identifying risk within a procurement and in developing security criteria for it, to help individuals responsible for procurement related to research projects mitigate risk.

Supply Chain Security – Assessing Your Risk Profile

Developing Security Criteria for Your Procurement