Specified Information is sensitive Canadian government data that private contractors must safeguard to prevent harm to operations, security, or privacy.
Specified Information (SI) is the Canadian term for sensitive, non-classified government information that requires safeguarding when handled, processed, or stored by private sector organizations outside the federal government.
Think of it as information that isn't classified as "Secret" or "Top Secret" but still needs protection because its compromise could harm government operations, national security interests, or the privacy of individuals.
A Government of Canada authority identifies and qualifies in a contract exactly which information requires safeguarding. This designation is formal and contractual—you'll know from your contract documents whether you're handling Specified Information.
The classification system follows the Treasury Board of Canada Secretariat's "Directive on Security Management, Appendix J: Standard on Security Categorization," which defines protected information and its safeguarding requirements.
In defence contracting, SI may include several categories of sensitive information:
Protected A might include personnel information or procurement details.
Protected B could include medical records or financial information that could cause serious injury if disclosed.
Protected C involves information where disclosure could cause extremely grave injury to individuals or national interests.
Consider a defence contractor developing a new communications system for the Canadian Armed Forces.
The technical specifications, testing results, project timelines, budget details, and personnel assignments would likely be SI even though they aren't classified.
If adversaries obtained this information, they could understand vulnerabilities in the system, identify key personnel to target, or gain competitive intelligence that harms Canadian interests.
Unlike classified information, which is handled in highly controlled government facilities, Specified Information often resides on contractors' regular business networks and systems.
Employees might work with it on laptops, store it in cloud services, or share it via email.
This creates numerous potential vulnerabilities that don't exist in classified environments, making formal security requirements like CPCSC (Canadian Program for Cyber Security Certification) essential.
CPCSC focuses primarily on confidentiality—preventing unauthorized access to SI.
However, the broader cybersecurity approach also considers integrity (ensuring information isn't altered without authorization) and availability (ensuring legitimate users can access information when needed).
All three principles work together to protect the value and trustworthiness of information throughout its lifecycle.
For additional guidance on protecting Specified Information, refer to the following resource:
Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists who serve Canadian defense suppliers and bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.
As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.