Contact us today. Phone: +1 888 776-9234. Email: sales@plurilock.com

How do I handle controlled goods information?

Controlled goods information represents a specialized category within the broader specified information that defence contractors handle, subject to additional regulatory requirements beyond CPCSC. Understanding the intersection between controlled goods regulations and CPCSC helps executives ensure comprehensive compliance with all applicable requirements for defence contracting.

Answer

Handle controlled goods information by registering with the Controlled Goods Program and implementing CGP requirements alongside CPCSC cyber security controls.

Defining Controlled Goods

Under the Defence Production Act and its Controlled Goods Regulations, controlled goods are items included in the Defence and Security Items list that have military or security significance.

This includes weapons and weapon systems, military electronics and communications equipment, explosives and propellants, nuclear materials and technology, encryption technology, military aircraft and aerospace systems, naval vessels and marine systems, armoured vehicles, and components and technology related to these items.

Information about controlled goods—such as technical specifications, designs, performance characteristics, manufacturing processes, or operational details—is controlled goods information requiring protection under the Controlled Goods Program (CGP).

The Controlled Goods Program

The CGP is administered by the Controlled Goods Directorate within Public Services and Procurement Canada's Industrial Security Sector. Organizations that examine, possess, or transfer controlled goods must register with the CGP and comply with detailed security requirements.

Registration involves the following requirements:

  • Submitting an application demonstrating the organization's need to access controlled goods
  • Appointing a Controlled Goods Program Officer (CGPO) responsible for administering the organization's CGP compliance
  • Obtaining approval of a security plan detailing how controlled goods and information will be protected
  • Registering key officials who will have access to controlled goods information

Once registered, organizations must maintain ongoing compliance with these requirements:

  • Securing controlled goods and information
  • Registering all individuals who access controlled goods before providing access
  • Maintaining records of controlled goods and who accesses them
  • Reporting security incidents or breaches
  • Submitting to periodic compliance audits by the Controlled Goods Directorate

Relationship Between CGP and CPCSC

The Controlled Goods Program and CPCSC address related but distinct aspects of defence contractor security. CGP predates CPCSC and has been protecting controlled goods information for years through its own requirements and audit program.

CPCSC provides a broader cyber security framework extending beyond just controlled goods to all specified information that defence contractors handle.

Controlled goods information is a subset of specified information—all controlled goods information is specified information, but not all specified information is controlled goods information (some specified information includes unclassified but sensitive procurement details, business information, or other data not meeting controlled goods criteria).

Organizations handling controlled goods information must comply with both CGP requirements and CPCSC requirements, which are complementary rather than duplicative. CPCSC's cyber-focused controls complement CGP's broader security requirements including physical security, personnel security, and information management.

Intersection of Requirements

For organizations registered with the CGP and pursuing CPCSC certification, there is significant overlap. Both programs require the following:

  • Access controls limiting who can access sensitive information
  • Physical security protecting where information is stored and processed
  • Personnel security including background checks for individuals with access
  • Information handling procedures
  • Incident reporting when breaches or security events occur
  • Periodic audits or assessments verifying compliance

CPCSC adds specific cyber security controls not explicitly detailed in historical CGP requirements, such as detailed requirements for multifactor authentication, network segmentation, audit logging, configuration management, and incident response capabilities aligned with international standards like NIST SP 800-171.

Organizations should view these as complementary layers—CGP provides foundation security requirements with long-established processes, while CPCSC adds contemporary cyber security rigor addressing modern threats and aligning with international defence procurement requirements like U.S. CMMC.

Handling Controlled Goods Information in Practice

Organizations working with controlled goods information must implement strict handling procedures that include the following:

  • Access restrictions limit controlled goods information to registered individuals with verified need-to-know, enforced through technical access controls and physical controls
  • Marking requirements clearly identify controlled goods information with appropriate labels and markings so users recognize sensitivity
  • Storage requirements specify that controlled goods information be stored in secured locations meeting prescribed standards when not in active use
  • Transmission controls protect controlled goods information moving between locations or transmitted electronically through encryption, secure networks, or approved methods
  • Disposal procedures ensure controlled goods information is destroyed properly using approved methods (shredding, degaussing, incineration) with documented certificates of destruction
  • Visitor controls restrict access to areas containing controlled goods information and require escort of visitors who lack CGP registration

These procedures should be documented in the organization's security plan, which the Controlled Goods Directorate reviews and approves as part of CGP registration.

The Role of the Controlled Goods Program Officer

The CGPO is pivotal in an organization's controlled goods compliance. This individual must do the following:

  • Complete CGP training provided by the Controlled Goods Directorate
  • Maintain registration status through ongoing compliance and periodic renewal
  • Administer the organization's security plan by implementing and enforcing procedures
  • Register individuals who need access to controlled goods by verifying eligibility and maintaining registration records
  • Conduct internal audits to verify ongoing compliance
  • Investigate security incidents involving controlled goods or information
  • Serve as primary contact with the Controlled Goods Directorate for inspections and compliance matters
  • Provide training to employees who access controlled goods information

Many defence contractors designate their security officer, security manager, or senior IT security personnel as CGPO given the intersection of responsibilities with broader security functions. The CGPO should be a senior position with appropriate authority to enforce security requirements across the organization.

Personnel Security and Background Checks

Both CGP and CPCSC involve personnel security considerations. Individuals registered to access controlled goods must undergo specific background checks and screening appropriate to the sensitivity of goods they'll access.

Depending on the controlled goods involved, this may range from basic identity verification to enhanced reliability screening to security clearances at protected or classified levels.

CPCSC doesn't prescribe specific personnel security screening levels, leaving this to organizational determination based on specified information sensitivity and contract requirements, but Level 2's Personnel Security requirements include screening individuals prior to authorizing access to specified information based on assessed risk.

Organizations should ensure their personnel security procedures satisfy both CGP and CPCSC requirements cohesively rather than maintaining separate redundant processes.

Audit and Compliance Verification

Organizations registered with CGP undergo periodic compliance inspections by the Controlled Goods Directorate, which examine the following areas:

  • Security plan implementation
  • Access control effectiveness
  • Handling and storage procedures
  • Record-keeping accuracy and completeness
  • Incident reporting compliance

Findings from CGP inspections may range from compliant status to minor deficiencies requiring corrective action to major deficiencies that could result in suspension or revocation of CGP registration.

Similarly, CPCSC Level 2 organizations undergo tri-annual external assessments that examine cyber security controls implementation, which may overlap with aspects of controlled goods protection like access controls, logging, and incident response.

Organizations should coordinate between CGP compliance and CPCSC certification, ensuring assessors and inspectors from both programs can access relevant documentation and that remediation efforts address any overlapping issues identified by either program.

Consequences of Non-Compliance

Failing to properly protect controlled goods information has serious consequences under both CGP and CPCSC.

CGP violations can result in the following:

  • Suspension or revocation of registration, preventing the organization from accessing controlled goods and effectively ending its ability to perform affected defence contracts
  • Administrative monetary penalties for regulatory violations
  • Criminal prosecution under the Defence Production Act for serious violations
  • Loss of defence contract opportunities

CPCSC violations can result in the following:

  • Loss of certification preventing bidding on contracts requiring CPCSC
  • Contract performance failures and potential termination of existing contracts
  • Debarment from federal contracting
  • Reputational damage affecting business development

For organizations working with controlled goods, diligent compliance with both programs is essential business continuity risk management, not just bureaucratic overhead.

Export Control Considerations

Controlled goods regulation intersects with export control requirements under the Export and Import Permits Act, which restricts export of military and security-sensitive items and technology.

Electronic transmission of controlled goods information to foreign locations, cloud storage of controlled goods information on servers located outside Canada or controlled by non-Canadian entities, or access by foreign nationals (even within Canada in some cases) may constitute "exports" requiring permits or triggering prohibitions.

Defence contractors must carefully evaluate cloud service providers, remote access arrangements, and personnel with access to ensure controlled goods information isn't inadvertently exported.

CPCSC requirements regarding use of external systems and evaluation of cloud service providers should incorporate export control considerations for organizations handling controlled goods information.

Integration with Broader Security Programs

Effective organizations integrate controlled goods handling into comprehensive security programs rather than treating it as isolated compliance. The following elements should be integrated:

  • Security awareness training addresses controlled goods recognition and handling alongside general security topics
  • Incident response procedures incorporate controlled goods-specific reporting requirements to the Controlled Goods Directorate
  • Access control systems tag controlled goods information appropriately and enforce access restrictions automatically
  • Physical security zones accommodate controlled goods storage requirements
  • Security governance structures ensure CGPO coordinates with security teams, IT teams, and business leaders

This integration creates efficient, cohesive security operations rather than disjointed compliance activities competing for resources and attention.

Assistance and Resources

Organizations navigating controlled goods requirements can access several resources:

  • The Controlled Goods Directorate provides guidance documents, training for CGPOs, consultation on security plan development, and support interpreting requirements
  • The Defence and Security Items list published by Global Affairs Canada defines what items are considered controlled goods
  • Legal counsel experienced in defence and export control helps navigate complex regulatory requirements and develop compliant procedures
  • Security consultants with CGP expertise can assist with security plan development, internal audits, and compliance preparation
  • Industry associations representing defence contractors provide peer support, best practice sharing, and advocacy on CGP issues

Engaging these resources proactively during security program development helps ensure comprehensive compliance rather than discovering gaps during inspections.

Looking Forward

As CPCSC implementation proceeds, the relationship between CGP and CPCSC will continue to evolve. There may be opportunities for increased coordination or harmonization between the programs to reduce duplicative requirements while maintaining rigorous protection.

Organizations should monitor developments from both the Controlled Goods Directorate and the CPCSC program office for guidance on how these programs interact and any initiatives to streamline compliance for organizations subject to both.

Maintaining membership in defence industry associations and participating in government consultations helps contractors stay informed and influence policy development in ways that support both security objectives and practical implementation.

Why Choose Plurilock for CPCSC Readiness?

Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists serving Canadian defense suppliers who bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.

As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.

Why we're the superior choice:

  • First-mover CPCSC expertise: Plurilock was among the first firms to launch dedicated CPCSC readiness services—and among the first to serve clients in this practice—giving your organization a partner with real, accumulated experience preparing suppliers for certification.
  • Deep CMMC heritage: Our established U.S. defense contractor practice has guided organizations through CMMC readiness for years, and those underlying controls map closely to CPCSC—we bring battle-tested methodologies, not theory borrowed from adjacent frameworks.
  • Federal experience on both sides of the border: With extensive engagements across U.S. and Canadian federal government environments, we understand the contractual, technical, and procedural realities that shape defense supply chain compliance.
  • Readiness assessment and gap analysis: We evaluate your current posture against CPCSC requirements, identify control gaps with precision, and deliver clear, prioritized roadmaps that align remediation effort to certification level and contract obligations.
  • Strategy and execution, not just paperwork: Beyond identifying gaps, we help you execute—planning the remediation program, supporting policy and evidence development, and preparing your team and systems so that when the assessor arrives, you're ready.

CPCSC-ready—with proven defense contractor experience guiding every step.
