solicitation closes - l'invitation prend fin at - à 02:00

1 1

RETURN BIDS TO:RETOURNER LES SOUMISSIONS À:Bid Receiving - PWGSC / Réception des

�soumissions TPSGCEpost Connect / PostelRefer to section 2.2 in the ITQ /Référez-vous à la section 2.2 decette ISQ

Title - Sujet ITQ for DEMS/Body Worn Cameras

Solicitation No. - N° de l'invitationM7594-212120/FClient Reference No. - N° de référence du clientM7594-212120File No. - N° de dossier001xv.M7594-212120

CCC No./N° CCC - FMS No./N° VME

LETTER OF INTERESTLETTRE D'INTÉRÊT

F.O.B. - F.A.B.Plant-Usine: Destination: Other-Autre:

Address Enquiries to: - Adresser toutes questions à:Cummings, KentTelephone No. - N° de téléphone FAX No. - N° de FAX(613) 866-3745 ( ) ( ) - Destination - of Goods, Services, and Construction:Destination - des biens, services et construction:Royal Canadian Mounted Police1200 Vanier PkwyOttawa (Ontario)K1A 0R2

Solicitation Closes - L'invitation prend finat - à 02:00 PM

2021-06-22on - le

Issuing Office - Bureau de distribution�Technology-Enabled Business Transformation Team 5

XV/Division de la transformation des activités axées sur la technologie équipe 5Terrasses de la Chaudière 4th FlooTerrasses de la Chaudière 4e étage10 Wellington Street10, rue WellingtonGatineauQuébecK1A 0S5

Comments - Commentaires

Vendor/Firm Name and AddressRaison sociale et adresse dufournisseur/de l'entrepreneur

GETS Ref. No. - N° de réf. de SEAGPW-$$XV-001-39525

Buyer Id - Id de l'acheteur001xv

Date 2021-05-28

Delivery Required - Livraison exigée Delivery Offered - Livraison proposée

Vendor/Firm Name and Address

Signature Date

Name and title of person authorized to sign on behalf of Vendor/Firm(type or print)Nom et titre de la personne autorisée à signer au nom du fournisseur/de l'entrepreneur (taper ou écrire en caractères d'imprimerie)

Instructions: Voir aux présentes

Instructions: See Herein

See Herein – Voir ci-inclus

Raison sociale et adresse du fournisseur/de l'entrepreneur

Telephone No. - N°de téléphoneFacsimile No. - N° de télécopieur

Heure Avancée de l'Est HAE

Eastern Daylight Saving Time EDT

of - de 1

Solicitation No. - N° de l'invitation Amd. No. - N° de la modif. Buyer ID - Id de l'acheteur M7594-212120/F 001XV Client Ref. No. - N° de réf. du client File No. - N° du dossier CCC No./N° CCC - FMS No./N° VME M7594-212120 001XV.M7594-212120

______________________________________________________________________________________

Page 1 of - de 86

Invitation to Qualify (ITQ)

TABLE OF CONTENTS

PART 1 - GENERAL INFORMATION ............................................................................................................... 3 1.1 INTRODUCTION............................................................................................................................................... 3 1.2 KEY TERMS .................................................................................................................................................... 3 1.3 SCOPE ........................................................................................................................................................... 4 1.4 POTENTIAL CLIENT USERS ............................................................................................................................ 4 1.5 OVERVIEW OF THE PROCUREMENT PROCESS .............................................................................................. 4 1.6 TRADE AGREEMENTS, COMPREHENSIVE LAND CLAIMS AGREEMENTS, NUNAVUT AGREEMENT ................ 8 1.7 ITQ SECURITY REQUIREMENTS .................................................................................................................... 9 1.8 DEBRIEFINGS (ITQ) ....................................................................................................................................... 9 1.9 CONFLICT OF INTEREST ................................................................................................................................. 9 1.10 FAIRNESS MONITOR .................................................................................................................................... 10

PART 2 – INSTRUCTIONS FOR RESPONDENTS ....................................................................................... 11 2.1 STANDARD INSTRUCTIONS, CLAUSES AND CONDITIONS ............................................................................ 11 2.2 SUBMISSION OF RESPONSE ........................................................................................................................ 12 2.3 ENQUIRIES ................................................................................................................................................... 12 2.4 SUBMISSION OF ONLY ONE RESPONSE ...................................................................................................... 13 2.5 APPLICABLE LAWS ....................................................................................................................................... 14 2.6 LANGUAGE ................................................................................................................................................... 14

PART 3 - RESPONSE PREPARATION INSTRUCTIONS ............................................................................ 15 3.1 RESPONSE PREPARATION INSTRUCTIONS .................................................................................................. 15 3.2 SECTION I: ITQ QUALIFICATION RESPONSE .............................................................................................. 15 3.3 CERTIFICATION(S) AND ADDITIONAL INFORMATION .................................................................................... 16

PART 4 - EVALUATION PROCEDURES AND BASIS OF QUALIFICATION ............................................ 17 4.1 EVALUATION PROCEDURES ......................................................................................................................... 17 4.2 RESPONSE EVALUATION - PHASED BID COMPLIANCE PROCESS ............................................................... 18 4.3 REFERENCE CHECKS .................................................................................................................................. 20 4.4 BASIS OF QUALIFICATION ............................................................................................................................ 21

PART 5 – CERTIFICATIONS ........................................................................................................................... 23 5.1 CERTIFICATIONS REQUIRED WITH RESPONSE ............................................................................................ 23

PART 6 –- SECURITY REQUIREMENT ......................................................................................................... 24 6.1 FOCI SECURITY REQUIREMENT -- AT ITQ PHASE ..................................................................................... 24 6.2 ANTICIPATED FOCI SECURITY REQUIREMENT – AT BIDDING PHASE ....................................................... 25 6.3 GENERAL INFORMATION – ANTICIPATED SECURITY REQUIREMENT – AT BIDDING PHASE ...................... 26 6.4 SUPPLY CHAIN INTEGRITY (SCI) ASSESSMENT ......................................................................................... 31

ANNEX A ........................................................................................................................................................... 32 OVERVIEW AND HIGH LEVEL DESCRIPTION OF THE REQUIREMENT ................................................ 32 ANNEX B ........................................................................................................................................................... 51 MANDATORY EVALUATION CRITERIA ....................................................................................................... 51


______________________________________________________________________________________

Page 2 of - de 86

ANNEX C: SECURITY REQUIREMENT CHECK LIST (SRCL) .................................................................. 57 ANNEX D ........................................................................................................................................................... 69 SUPPLY CHAIN SECURITY INFORMATION ASSESSMENT PROCESS ................................................. 69 ANNEX E ........................................................................................................................................................... 77 ACTS AND POLICIES ...................................................................................................................................... 77 FORM 1 – RESPONDENT DECLARATION AND RESPONSE SUBMISSION FORM .............................. 80 FORM 2 – REFERENCE PROJECT CHECK FORM ..................................................................................... 83 FORM 3 - SAAS PUBLISHER CERTIFICATION FORM ............................................................................... 84 FORM 4 - GOVERNMENT OF CANADA CLOUD SERVICE PROVIDER AUTHORIZATION FORM ...... 85 FORM 5: SUPPLY CHAIN INTEGRITY INFORMATION ............................................................................. 86


______________________________________________________________________________________

Page 3 of - de 86

PART 1 - GENERAL INFORMATION 1.1 Introduction The Invitation to Qualify (ITQ) is divided into six parts plus attachments and annexes, as follows: Part 1 General Information: provides a general description of the requirement; Part 2 Instructions to Respondents: provides the instructions to the clauses and conditions applicable to

the ITQ phase; Part 3 Response Preparation Instructions: provides Respondents with instructions on how to prepare

the response to the ITQ; Part 4 Evaluation Procedures and Selection of Qualified Respondents: indicates how the evaluation will

be conducted, the evaluation criteria which must be addressed in the response and the basis of selection of the Qualified Respondents;

Part 5 Certifications and additional Information: includes the certifications and additional information to

be provided; and Part 6 Security Requirement: describes security requirements at the time of ITQ and anticipated security

requirements at the time of solicitation and contract. 1.2 Key Terms In this document, unless the context requires otherwise:

“ITQ” means this Invitation to Qualify “Interested Party” means the entity/entities that is interested in submitting a response to this

ITQ “Respondent” is an Interested Party that has submitted a response to this ITQ “Provisionally Qualified Respondent” means a Respondent that has been assessed by

Canada as meeting the evaluation criteria in Annex B, qualifications and conditions of the ITQ but has not yet been assessed under the Preliminary Supply Chain Integrity and Foreign Ownership Control or Influence process

”Qualified Respondent” or “QR” means a Provisionally Qualified Respondent that has been assessed as compliant under the Preliminary Supply Chain Integrity and Foreign Ownership Control or Influence process

“RFP” means Request for Proposal or solicitation “PWGSC” means Public Works and Government Services Canada “RCMP” means Royal Canadian Mounted Police


______________________________________________________________________________________

Page 4 of - de 86

1.3 Scope

1.3.1 Canada is seeking to award a contract(s) to a Contractor(s) who will provide a solution that delivers Body Worn Cameras (BWCs) and a national Software-as-a-Service (SaaS) Digital Evidence Management System (DEMS) as a fully managed service. Annex A –Overview and High Level Description of the Requirement contains an overview and scope of the requirement.

1.3.2 This ITQ is the first phase of the procurement process by Public Works and Government Services

Canada (PWGSC), on behalf of the Royal Canadian Mounted Police (RCMP) for the National Digital Evidence Management System (DEMS) and Body Worn Cameras (BWC) Managed Services. The ITQ is neither a Request for Proposal (RFP) nor a solicitation of bids or tenders. No contract will result from this ITQ. Canada reserves the right to modify, change, or terminate, at its sole discretion, any or all of the phases of the procurement process at any time during the procurement process. Given that this ITQ may be cancelled by Canada, it may not result in any of the subsequent procurement processes described in this document. Respondents may withdraw from the process at any time. This ITQ does not preclude Canada from using another method of supply.

1.3.3 Interested parties are invited to pre-qualify in accordance with the terms and conditions of this

ITQ in order to become Provisionally Qualified Respondents and “Qualified Respondents” for any later phase of the procurement process. Canada intends to pre-qualify Respondents based on the mandatory criteria listed in Annex B – Mandatory Evaluation Criteria. Those Respondents who meet all of the mandatory requirements of the ITQ through a formal evaluation conducted during the ITQ process will be hereinafter referred to as Provisionally Qualified Respondents.

1.4 Potential Client Users

Royal Canadian Mounted Police (RCMP) is the Initial Client and is the Technical Authority. The Contracting Authority may add additional Clients, which may include any department or Crown corporation as described in the Financial Administration Act (as amended from time to time), and any other party for which the Department of Public Works and Government Services may be authorized to act from time to time under section 16 of the Department of Public Works and Government Services Act. Although Canada may make the contract available to any or all Clients, this does not preclude Canada from using another method of supply.

1.5 Overview of the Procurement Process 1.5.1 The procurement process for the National Digital Evidence Management System (DEMS) and

Body Worn Cameras (BWCs) Managed Services began with Industry Engagement and is now in the Qualification Phase (Phase 1).

1.5.2 The details outlined in Table 1 below have been provided for information purposes only. Canada

reserves the right to delete or modify or add any named procurement phases, objectives and associated target dates as required.


______________________________________________________________________________________

Page 5 of - de 86

Table 1: Procurement Process

Procurement phases

Objectives Target Dates

Industry Engagement (Completed)

Three RFIs published on Government Electronic Tendering Services (GETS) (buyandsell.gc.ca website). RFI#1:https://buyandsell.gc.ca/procurement-data/tender-notice/PW-XU-005-38547 RFI#2: https://buyandsell.gc.ca/procurement-data/tender-notice/PW-XU-005-39080 RFI#3 : https://buyandsell.gc.ca/procurement-data/tender-notice/PW-XU-005-39339

Industry Day One-on-one sessions Published Summary of Feedback and Outcomes Reports

Completed

ITQ Qualification (Phase 1 – Step 1)

Issue ITQ on GETS (buyandsell.gc.ca website) Receive and evaluate ITQ responses to identify Provisionally

Qualified Respondents who meet the mandatory evaluation criteria to be invited to the Review & Refine Requirement (RRR) Phase.

Spring/Summer 2021

ITQ Qualification (Phase 1 – Step 2)

Conduct preliminary Supply Chain Integrity (SCI) assessment and Foreign Ownership, Control or Influence (FOCI) assessment for Provisionally Qualified Respondents in parallel with the RRR (Phase 2 below)

Determine the list of Qualified Respondents who pass the SCI and FOCI assessments to be invited to the Bidding Phase.

Spring/Summer 2021

Review and Refine Requirement (RRR) (Phase 2)

Provide the Qualified Respondents with a copy of the DEMS and BWC Managed Services’ draft solicitation documents

Provide the Provisionally Qualified Respondents with an opportunity to enhance their understanding of the DEMS and BWC Managed Services requirements

Provide Canada with an opportunity to obtain recommendations for improvements to the DEMS and BWC Managed Services requirements from Provisionally Qualified Respondents.

Summer 2021

Bidding (Phase 3)

Issue solicitation to Qualified Respondents Obtain complete bids from bidders Evaluate the bids in accordance with the RFP Proof of Proposal Demonstration as required Determine the list of responsive technical bid(s) Ranking of the bidders based on the methodology contained

in the solicitation

Contract Award (Phase 4)

Multi-phased Agile Contract Approach Select the winning bid(s) Award contract(s)

Implementation / Pilot Project (s)

Roll out of the DEMS and BWC Managed Services.


______________________________________________________________________________________

Page 6 of - de 86

1.5.3 Industry Engagement

Canada carried out the Industry Engagement by releasing a Request for Information (RFI) #1 on October 20, 2020 followed by holding an Industry Event, conducting one-on-one sessions and releasing RFI#2 on February 22, 2021 and RFI #3 on April 1, 2021. The Industry Engagement process has been completed on May 17, 2021.

1.5.4 Qualification Phase: Phase 1 – Step 1 (Provisional Qualification) and Step 2 (Final

Qualification of Provisionally Qualified Respondents)

The ITQ Qualification Phase is the first phase of the National DEMS and BWCs Managed Services multi-phase procurement process. Suppliers are invited to pre-qualify in accordance with the terms and conditions of this ITQ in order to become "Qualified Respondents" for the later phases of the procurement process.

1.5.4.1 Phase 1 – Step 1 (Provisional Qualification): Refer to Part 4 – Evaluation Procedures and Basis of Qualification for a more detailed explanation of the ITQ evaluation procedures and basis of selection for Qualified Respondents.

1.5.4.2 Phase 1 – Step 2 (Final Qualification of Provisionally Qualified Respondents): Canada will

commence the SCI and FOCI assessments as part of the ITQ process, Preliminary SCI and FOCI assessments will be conducted in parallel with the RRR Phase. Provisionally Qualified Respondents may be disqualified during Step 2 of Qualification Phase if they do not meet Canada’s security requirements.

1.5.5 Review and Refine Requirement Phase (Phase 2):

1.5.5.1The objectives of the Requirement Refinement Phase include: (i) Ensuring that the Provisionally Qualified Respondents have an opportunity to conduct a

thorough review and provide feedback relating to the draft solicitation documents; and

(ii) Obtaining recommendations from Provisionally Qualified Respondents for improvements to the draft solicitation documents. At its sole discretion, Canada will decide if changes are required and the nature of such changes.

1.5.5.2 During this phase Canada may contact the Provisionally Qualified Respondents seeking written

feedback on drafts, conduct working sessions or one-on-one meetings with the intent of refining solicitation documents. Details will be communicated at the appropriate time. (i) Canada may conduct one-on-one meetings with individual Provisionally Qualified

Respondents after the kick-off meeting. These meetings will provide a forum for Canada and Provisionally Qualified Respondents to work together to review the preliminary requirements for the solicitation so that Canada can refine the content and the way it is expressed and the Provisionally Qualified Respondents can better understand the requirements for the Project.

(ii) PWGSC will provide the Project Lead for each Provisionally Qualified Respondents with a preliminary schedule and logistics for any one-on-one meetings at least 5 working days before the first meeting. Given the tight schedule, some one-on-one meetings may run in parallel with Provisionally Qualified Respondents.


______________________________________________________________________________________

Page 7 of - de 86

(iii) The one-on-one meetings are intended to be open and collaborative discussions between Provisionally Qualified Respondents and Canada. Teleconferencing will be used by Canada due to the Covic-19 restrictions. Canada does not expect to hold face-to-face meetings. If one-on-one face-to-face meetings are held, it will be in the National Capital Region.

(iv) The number of representatives from each Provisionally Qualified Respondents who may

attend each one-on-one meeting will be provided at a later date. Provisionally Qualified Respondents will be requested at that time to submit the names, contact information, titles and security clearance levels of their representatives who will be attending each one-on-one meeting by email to the Contracting Authority by the time stipulate by the Contracting Authority.

1.5.5.3 Whether Provisionally Qualified Respondents may be allowed to choose to bring representatives from potential subcontractors to one-on-one meetings is at the sole discretion of Canada and the in the total number of representatives permitted for that Provisionally Qualified Respondents. Also, Respondents should be aware that the presence of a subcontractor may compromise the confidentiality of the one-on-one meetings, if the subcontractor is a potential subcontractor to other Provisionally Qualified Respondents as well or is itself a Provisionally Qualified Respondent. Canada is not responsible for identifying to any Provisionally Qualified Respondents that a subcontractor is working with one or more other Provisionally Qualified Respondents.

1.5.5.4 The collaborative nature of the one-on-one meetings will be such that the content covered in

meetings with one Provisionally Qualified Respondents may be quite different from the content in a meeting with another Provisionally Qualified Respondents, even though the same general topic is being discussed. Every Provisionally Qualified Respondents has the opportunity to ask questions during these meetings. Information provided to one Provisionally Qualified Respondents in response to oral questions asked during one-on-one meetings will not automatically be provided to other Provisionally Qualified Respondents. Instead, it is the responsibility of each Provisionally Qualified Respondents to determine what information it requires and ask questions accordingly.

1.5.5.5 Additional one-on-one meetings may be scheduled at the sole discretion of Canada on an ad hoc

basis, either on its own initiative or at the request of a Provisionally Qualified Respondents, if the Contracting Authority considers the request to be reasonable and consistent with the project schedule. At the sole discretion of Canada, Canada may consider requests from all Provisionally Qualified Respondents for additional meetings, but the timing of different requests or the subject matter may lead to some requests being granted, but others being denied.

1.5.5.6 If a Provisionally Qualified Respondent is disqualified as a result of Phase 1 Step 2, and the Review and Refine Requirement Phase has not completed, the Provisionally Qualified Respondent must discontinue its activities in this Phase immediately upon being notified by Canada.

1.5.5.7 Canada reserves the right, at its sole discretion, not to conduct the Review and Refine Requirement Phase and proceed with the subsequent phase of the procurement process. Canada also reserves the right to modify the requirements and incorporate any changes in future solicitation documents.

1.5.6 Phase 3 – Bidding Phase:

The Phase include:


______________________________________________________________________________________

Page 8 of - de 86

1.5.6.1 Issuing a solicitation to the Qualified Respondents for the acquisition of the National DEMS and BWCs Managed Services;

1.5.6.2 Receiving and evaluating the bids submitted in response to the solicitation; and 1.5.6.3 Determining the responsive bidder(s) and bid(s) in accordance with requirements outlined in the

solicitation. 1.5.6.4 The approach for the Bidding Phase will be defined in the solicitation document. The Bidding

Phase may or may not include a Proof of Proposal (PoP) demonstration requirement. 1.5.7 Phase 4 – Contract Award Phase: 1.5.7.1 The objective of the Contract Award Phase is for Canada to award contract(s) to the top-ranked

responsive bidder(s) in accordance with the solicitation for the acquisition of the National DEMS and BWCs Managed Services.

1.5.7.2 Multi-phased Agile Contract Approach: Canada may award multiple contracts to top ranked

Bidders to implement a limited pilot rollout of DEMS and BWC within a stipulated period in accordance with the Work that will be detailed in the Statement of Work in the solicitation. It is anticipated that long term contract(s) will be awarded based on the performance of the Contractor(s) during the pilot rollout. Details of the approach will be set out in the solicitation.

1.6 Trade Agreements, Comprehensive Land Claims Agreements, Nunavut Agreement 1.6.1 Trade Agreements 1.6.1.1 This procurement process is subject to the Canadian Free Trade Agreement (CFTA). In addition,

it is subject to the procurement disciplines contained within the following international trade agreements:

World Trade Organization-Agreement on Government Procurement (WTO-AGP) Canada-United Kingdom Trade Continuity Agreement (Canada-UK TCA) Canada-Korea Free Trade Agreement (CKFTA) Canadian Free Trade Agreement (CFTA) Comprehensive Economic and Trade Agreement (CETA) Canada-Ukraine Free Trade Agreement (CUFTA)

1.6.1.2 Legitimate Objectives and Non-Disclosure

In order to ensure that this procurement allows the RCMP to achieve its legitimate objectives of protecting national security, public safety, public order and human life, Canada will be applying measures surrounding the protection of Canada’s Data. Canada has identified technical and security requirements (detailed in this ITQ and any subsequent RFP) as measures that are necessary to allow the RCMP to protect national security, public safety, public order and human life. To the extent that any of these measures may be inconsistent with the obligations under any applicable trade agreements, Canada relies on the legitimate objectives provisions of the trade agreements. In addition, Canada relies on the non-disclosure provisions of each trade agreement, which provide that Canada is not required to disclose confidential information where that disclosure would be contrary to the public interest.


______________________________________________________________________________________

Page 9 of - de 86

These measures allow for a competitive process that will offer best value to the Crown and to Canadians, while providing the required security protections that will allow the RCMP to achieve its legitimate objectives.

1.6.2 Comprehensive Land Claims Agreements (CLCAs)

This ITQ is to establish a list of Qualified Respondents that will be allowed to bid on a solicitation for the delivery of the requirement described in this ITQ, to the areas including those that are subject to Comprehensive Land Claims Agreements.” The applicable CLCAs, if any, will be identified in the Bidding Phase.

1.6.3 Nunavut Agreement

This ITQ is to establish a list of Qualified Respondents that will be allowed to bid on a solicitation for the delivery of the requirement described in this ITQ, to areas including those that are subject to Nunavut Agreements. The applicability of the Agreement will be identified in the Bidding Phase. For advice and guidance on how to apply federal government procurement in the Nunavut Settlement Area and the Directive on Government Contracts, Including Real Property Leases, in the Nunavut Settlement Area, contact the Strategic Policy Sector’s Indigenous Involvement in Procurement Division at: PA Contrats Nunavut / AP Nunavut Contracts (TPSGC/PWGSC)

1.7 ITQ Security Requirements 1.7.1 The security requirements for the ITQ, and anticipated future security requirements associated

with this requirement are found in Part 6 – Security Requirement. 1.7.2 For information on personnel and organization security screening or security clauses,

Respondents should refer to the Contract Security Program of Public Works and Government Services Canada (http://www.tpsgc-pwgsc.gc.ca/esc-src/introduction-eng.html) website.

1.8 Debriefings (ITQ)

Respondents may request a debriefing on the results of the ITQ. Respondents should make the request to the Contracting Authority within fifteen (15) working days of receipt of the results of the ITQ. At Canada’s discretion the debriefing may be in writing, or by telephone/ videoconference. 1.9 Conflict of Interest 1.9.1 Respondents must refer to Conflict of Interest provisions at section 18 of SACC 2003 (2020-05-

28) Standard Instructions - Goods or Services - Competitive Requirements (as amended by Article 2.1.2) available on the following PWGSC Website:

https://buyandsell.gc.ca/policy-and-guidelines/standard-acquisition-clauses-and-conditions-manual/1/2003/25.

1.9.2 Without limiting in any way the provisions described in 1.9.1 above, Respondents are advised that Canada has engaged the assistance of the following private sector contractors and resources who have provided services including the review of the content in preparation of this


______________________________________________________________________________________

Page 10 of - de 86

ITQ and/or who have had, or may have had, access to information related to this ITQ or other documents related to the National DEMS and BWCs Managed Services:

Contractors Resources

Modis Canada Inc. Vojinovic, Dragana Duffy, Kristen

PricewaterhouseCoopers LLP

Kuta, Dave Kaegi, Erin deCotret, Michael Lesarge, Aaron Lotan, Ryan Young, Rachel

Veritaaq Technology House Inc. Osipenko, Larry 1.9.3 Any Response that is received from one of the above-noted contractors, whether as a sole

Respondent, joint venture or as a subcontractor to a Respondent; or for which one of the above-noted resources provided any input into the Response, will be considered to be in contravention of the Conflict of Interest clauses identified in sub article 1.9.1, and the Response will be declared non-responsive.

1.9.4 By submitting a Response, the Respondent represents that it does not consider itself to be in

conflict of interest nor to have an unfair advantage. The Respondent acknowledges that it is within Canada's sole discretion to determine whether a conflict of interest, unfair advantage or an appearance of conflict of interest or unfair advantage exists.

1.9.5 The experience acquired by a Respondent who is providing or has provided the goods and

services described in the ITQ (or similar goods or services) to Canada will not, in itself, be considered by Canada as conferring an unfair advantage or creating a conflict of interest. Each Respondent remains, however, subject to the criteria established above.

1.9.6 If Canada intends to disqualify a Response under this Article, the Contracting Authority will inform

the Respondent and provide the Respondent an opportunity to make representations before making a final decision. Respondents who are in doubt about a particular situation should contact the Contracting Authority before the closing date.

1.10 Fairness Monitor 1.10.1 Canada has engaged the services of RFPSolutions Inc. to act as an independent third party

Fairness Monitor (FM) for the National DEMS and BWCs Managed Services procurement process. The role of the FM is to provide an attestation of assurance on the fairness, openness and transparency of the monitored activities.

1.10.2 The Fairness Monitor will not be part of the evaluation team, but will be granted access to any

response submitted in response to this ITQ and any related correspondence received by Canada pursuant to this ITQ. The FM will observe the evaluation of the ITQ responses with respect to Canada’s adherence to the evaluation process described in this ITQ and will observe the response debriefings.


______________________________________________________________________________________

Page 11 of - de 86

PART 2 – INSTRUCTIONS FOR RESPONDENTS 2.1 Standard Instructions, Clauses and Conditions 2.1.1 All instructions, clauses and conditions identified in the ITQ by number, date and title are set out

in the Standard Acquisition Clauses and Conditions Manual (https://buyandsell.gc.ca/policy-and-guidelines/standard-acquisition-clauses-and-conditions-manual) issued by Public Works and Government Services Canada.

2.1.2 The SACC 2003 (2020-05-28) Standard Instructions - Goods or Services - Competitive

Requirements (as amended by this Article 2.1.2), are incorporated by reference into and form part of the ITQ as though they were expressly set out here in full, except that: i) Wherever the term “bid solicitation” is used, substitute “Invitation to Qualify (ITQ)”; ii) Wherever the term “bid” is used, substitute “response”; iii) Wherever the term “Bidder(s)” is used, substitute “Respondent(s)”; iv) Subsection 05 (4), which discusses a validity period, does not apply, given that this ITQ

invites firms to qualify. Canada will assume that all Respondents who submit a response continue to wish to qualify unless they advise the Contracting Authority in writing that they wish to withdraw their response.

v) The title of Section 10 is amended to read “Legal Capacity and Ownership and Control Information”, the first paragraph is numbered as 1 and the following is added: 2. The Respondent must provide, if requested by the Contracting Authority, the

following information as well as any other requested information related to the ownership and control of the Respondent, its owners, its management and any related corporations and partnerships:

a) An organization chart for the Respondent showing all related

corporations and partnerships; b) A list of all the Respondent’s shareholders and/or partners, as

applicable; if the Respondent is a subsidiary, this information must be provided for each parent corporation or partnership, up to the ultimate owner; and

c) A list of all the Respondent’s directors and officers, together with each individual’s home address, date of birth, birthplace and citizenship(s); if the Respondent is a subsidiary, this information must be provided for each parent corporation or partnership, up to the ultimate owner.

3. In the case of a joint venture Respondent, this information must be provided for each member of the joint venture. The Contracting Authority may also require that this information be provided in respect of any Subcontractors specified in a response.

4. For the purposes of this section, a corporation or partnership will be considered

related to another party if:

a) they are “related persons” or “affiliated persons” according to the Canada Income Tax Act;

b) the entities have now or in the two (2) years before the closing date had a fiduciary relationship with one another (either as a result of an agency arrangement or any other form of fiduciary relationship); or

c) the entities otherwise do not deal with one another at arm’s length, or each of them does not deal at arm’s length with the same third party.


______________________________________________________________________________________

Page 12 of - de 86

2.1.3 By submitting a response, the Respondent is confirming that it agrees to be bound by all the terms and conditions of this ITQ, including the documents incorporated by reference into it.

2.1.4 If there is a conflict between the provisions of this document and any document(s) that are

incorporated into it by reference as set out above, this document prevails. 2.2 Submission of Response 2.2.1 Responses must be submitted to the PWGSC Bid Receiving Unit via epost Connect by the date

and time indicated on page one of the ITQ. 2.2.2 For Respondents needing to register with epost Connect for ITQ closing at the Bid Receiving Unit

in the National Capital Region (NCR) the email address is:

tpsgc.dgareceptiondessoumissions-abbidreceiving.pwgsc@tpsgc-pwgsc.gc.ca.

2.2.3 Interested Respondents must register a few days prior to ITQ closing date.

2.2.4 Responses will not be accepted if emailed directly to this email address. This email address is to be used to open an epost Connect conversation, as detailed SACC 2003 (2020-05-28) Standard Instructions - Goods or Services - Competitive Requirements (as amended by Article 2.1.2), or to send bids through an epost Connect message if the bidder is using its own licensing agreement for epost Connect.

2.2.5 Due to the nature of the ITQ, bids transmitted by facsimile or any other means to PWGSC will not be accepted.

2.2.6 No response shall be sent directly to the PWGSC Contracting Authority. 2.3 Enquiries 2.3.1 All enquiries and other communications regarding this ITQ must be submitted in writing no later

than 5 calendar days before the ITQ closing date. Enquiries received after that time may not be answered.

2.3.2 Respondents with questions regarding this ITQ may direct their enquiries to:

Contracting Authority Public Works and Government Services Canada Name: Kent Cummings

E-mail address: [email protected] 2.3.3 Respondents should reference as accurately as possible the numbered item of the ITQ to which

the enquiry relates. Care should be taken by Respondents to explain each question in sufficient detail in order to enable Canada to provide an accurate answer. Enquiries that are of a proprietary nature must be clearly marked "proprietary" at each relevant item. Items identified as "proprietary" will be treated as such except where Canada determines that the enquiry is not of a proprietary nature. Canada may edit the question(s) or may request that Respondents do so, so that the proprietary nature of the question(s) is eliminated, and the enquiry can be answered to all Respondents. Enquiries not submitted in a form that can be distributed to all Respondents may not be answered by Canada.


______________________________________________________________________________________

Page 13 of - de 86

2.4 Submission of Only One Response 2.4.1 The "Invitation to Qualify" is a solicitation of interest, not a request for bids or tenders. There is no

bid validity period, since an Invitation to Qualify invites Respondents simply to qualify. Canada will assume that all Respondents wish to qualify unless they withdraw in writing. If a Respondent is more than one entity, withdrawal of any entity from the Respondent during the ITQ Phase will result in withdrawing the response of the Respondent.

2.4.2 A Respondent can be an individual, a sole proprietorship, a corporation, a partnership, or a joint

venture. 2.4.3 Each Respondent (including related entities) will be permitted to qualify only once. If a

Respondent or any related entities participate in more than one response (participating means being part of the Respondent, not being a subcontractor), Canada will provide those Respondents with 2 working days to identify the single response to be considered by Canada. Failure to meet this deadline may result in all the affected responses being disqualified or in Canada choosing, in its discretion, which of the responses to evaluate.

2.4.4 For the purposes of this Article, regardless of the jurisdiction where any of the entities concerned

is incorporated or otherwise formed as a matter of law (whether that entity is an individual, corporation, partnership, etc.) an entity will be considered to be “related” to a Respondent if:

2.4.4.1 they are the same legal entity as the Respondent (i.e., the same natural person, corporation,

partnership, limited liability partnership, etc.); 2.4.4.2 the entity and the Respondent are “related persons” or “affiliated persons” according to the

Canada Income Tax Act; 2.4.4.3 the entity and the Respondent have now or in the two years before the ITQ closing had a

fiduciary relationship with one another (either as a result of an agency arrangement or any other form of fiduciary relationship); or

2.4.4.4 the entity and the Respondent otherwise do not deal with one another at arm’s length, or each of

them does not deal at arm’s length with the same third party. 2.4.4.5 Subcontractors may not be permitted to participate in Review and Refine Requirement Phase

with the Provisionally Qualified Respondent for whom they will be doing subcontracting work. 2.4.4.6 Any individual, sole proprietorship, corporation, or partnership that is a Respondent as part of a

joint venture cannot submit another response on its own or as part of another joint venture.

Example 1: Supplier A does not itself have all the experience required by the ITQ. However, Supplier B has the experience that Supplier A lacks. If Supplier A and Supplier B decide to team up to submit a response together as a joint venture, both entities are together considered the Respondent. Neither Supplier A nor Supplier B can team up with another supplier to submit a separate response, because each is already part of a Respondent.

Example 2: Supplier X is a Respondent. Supplier X’s subsidiary, Supplier Y, decides to team up with Supplier Z to submit a response as a joint venture. Suppliers Y and Z, as well as Supplier X, will all be asked to determine which one of the two responses will be considered by Canada. Both responses cannot be submitted, because Supplier Y is related to Supplier X as an affiliate.


______________________________________________________________________________________

Page 14 of - de 86

2.4.4.7 By submitting a response, the Respondent is certifying that it does not consider itself to be related to any other Respondent.

2.4.4.8 The Contracting Authority may still require that one or more of the entities constituting a

Respondent submit a certification or legal opinion regarding whether or not it is related to any other Respondent and explaining why.

2.5 Applicable Laws 2.5.1 The ITQ must be interpreted and governed, and the relations between the parties determined, by

the laws in force in Ontario. 2.5.2 Respondents may, at their discretion, substitute the applicable laws of a Canadian province or

territory of their choice without affecting the validity of the arrangement, by deleting the name of the Canadian province or territory specified and inserting the name of the Canadian province or territory of their choice. If no change is made, it acknowledges that the applicable laws specified are acceptable to the Respondent.

2.6 Language 2.6.1 Respondents are requested to identify, in writing, in Form 1: Respondent Declaration And

Response Submission Form which of Canada’s two official languages (English or French) it chooses to use for future communications with Canada regarding this ITQ and any subsequent phases of the procurement process.


______________________________________________________________________________________

Page 15 of - de 86

PART 3 - RESPONSE PREPARATION INSTRUCTIONS 3.1 Response Preparation Instructions Respondents must submit their responses electronically using epost Connect in a single submission in accordance with Section 08 Subsection 2 of the SACC 2003 (2020-05-28) Standard Instructions - Goods or Services - Competitive Requirements (as amended by Article 2.1.2). The epost Connect system has a limit of 1GB per single message posted and a limit of 20GB per conversation. The response should be provided in distinct sections as follows:

(i) Section I: ITQ Qualification Response (ii) Section II: Certification(s) and Additional Information Pricing is not a requirement and should not be included in the response.

3.2 Section I: ITQ Qualification Response In their Qualification ITQ Response, Respondents must explain how they will meet the mandatory requirements. Respondents must demonstrate their capability of meeting all of the mandatory requirements, and describe their approach in a thorough, concise and clear manner for meeting the mandatory requirements. Respondents must submit their ITQ Response as follows: 3.2.1 Submission Form: Respondents must submit the information required in Respondent Declaration

and Response Submission Form (Form 1) and are requested to include a completed Form 1 with their response. Using the form to provide the information is recommended. If Canada determines that the information provided within the Respondent’s Declaration and Response Submission Form is incomplete or requires correction, Canada will provide the Respondents with an opportunity to do so. Providing the information when requested during the evaluation period is mandatory. If the Respondent has not submitted the requested information within the period set by the Contracting Authority, its response will be declared non-responsive.

3.2.2 Substantiation of Compliance: The Respondents must substantiate their compliance with and

address clearly and in sufficient depth the mandatory criteria that are subject to evaluation in Annex B – Mandatory Evaluation Criteria. Each of the mandatory evaluation criterion must be addressed in sufficient detail to permit the evaluation team to verify the Respondent’s compliance. Simply repeating the statement contained in the ITQ is not sufficient. In order to facilitate the evaluation of the response, Canada requests that Respondents address and present their response to each criterion in the order set out in Annex B – Mandatory Evaluation Criteria. To avoid duplication, Respondents may refer to different sections of their responses by identifying the specific paragraph and page number where the subject criterion has previously been addressed. Where Canada determines that the substantiation is not complete, and Canada also determines in its sole discretion that the substantiation has not been corrected through the Phased Bid Compliance Process (PBCP) set out in Article 4.2 - Response Evaluation – Phased Bid Compliance Process, or is not an eligible correction under PBCP, the Respondent will be considered non-responsive.

3.2.3 Reference Project Contact Information -- Form 2 – Reference Project Check Form: The

Respondent must provide a contact person for each project experience description provided in its response to demonstrate the experience as required by Annex B – Mandatory Evaluation Criteria. Each contact person must confirm, if requested by Canada, the facts identified in the


______________________________________________________________________________________

Page 16 of - de 86

Respondent’s Response, relative to the project for which they are identified as a reference, as required by Annex b- Mandatory Evaluation Criteria.

i) Respondents are requested to submit a completed Form 2 - Reference Project Check Form

for each reference project, as required by Annex B - Mandatory Evaluation Criteria. ii) If the Respondent does provide a completed Form 2 - Reference Project Check Form, they

must provide it upon request by the Contracting Authority within the timeframe identified in the request.

iii) Canada may contact the identified contact person for the reference project to validate the information provided in the Respondent’s response.

3.2.4 Preliminary Supply Chain Integrity (SCI) Assessment: Provisionally Qualified Respondents will

be required to submit Form 5 - Supply Chain Security Information (SCSI) for preliminary assessment by Canada in relation to supply chain integrity when notify by Canada. Canada currently anticipates that this will take place during Step 2 of ITQ Qualification Phase (Phase 1) and RRR Phase (Phase 2). The preliminary SCI assessment process is described in Annex D – Supply Chain Integrity Assessment. Please refer to Annex D and to Part 6 for the preliminary SCI assessment

3.2.5 FOCI Assessment: Provisionally Qualified Respondents will be required to submit information for

Foreign Ownership, Control or Influence (FOCI) assessment. Provisionally Qualified Respondents will be contacted directly by the PWGSC Contract Security Program FOCI office to submit the information. Failure to provide the required information within Canada’s specified timeframe will result in the response being non-responsive. Please refer to Part 6 for FOCI requirement.

3.3 Certification(s) and Additional Information Respondents must submit the certifications and additional information required within the ITQ under Part 5 - Certifications.


______________________________________________________________________________________

Page 17 of - de 86

PART 4 - EVALUATION PROCEDURES AND BASIS OF QUALIFICATION 4.1 Evaluation Procedures

4.1.1 There are two steps in the evaluation process:

4.1.1.1 Step 1: Responses will be assessed in accordance with entire requirement of the ITQ including Annex B – Mandatory Evaluation Criteria except for SCSI and FOCI assessments. Respondents Qualified under Step 1 will be notified and become Provisionally Qualified Respondents.

4.1.1.2 Step 2: Provisionally Qualified Respondents will be invited to conduct preliminary SCSI assessment described in Annex D and FOCI assessment in parallel with Requirement Review and Refinement. Details on FOCI assessment will be provided to Provisionally Qualified Respondents at the time of assessment.

(i) Canada will request Provisionally Qualified Respondents to provide information including

their corporate structure, supply chain and financial information, together with their supply chain entities that will be used in the execution of the contract.

(ii) The Canadian Security Establishment and the Contract Security Program will launch these assessments directly with the Provisionally Qualified Respondents. Canada reserves the right to continue these assessment processes on any subcontractors or sub-processers as part of the RFP process.

4.1.2 An evaluation team composed of representatives of Canada and independent consultants will evaluate the responses. Canada may hire any independent consultant, or use any Government resources, to evaluate any response. Not all members of the evaluation team will necessarily participate in all aspects of the evaluation. By submitting a response, Respondents consent to the release of those responses to any third-party consultants retained by Canada, subject to Canada’s obtaining confidentiality undertakings from these third-party consultants.

4.1.3 Each Response will be reviewed for compliance with every mandatory requirement of this ITQ.

The Respondent may be given an opportunity to submit additional information to support achieving compliance with respect to the mandatory requirement in accordance with the Phased Bid Compliance Process outlined in Article 4.2 below.

4.1.4 The mandatory evaluation criteria are described in Annex B - Mandatory Evaluation Criteria. 4.1.5 In conducting its evaluation of the responses, Canada may:

4.1.5.1 Contact any or all reference projects supplied by Respondents to verify and validate any

information submitted by the Respondents; and

4.1.5.2 Seek clarification or verification from Respondents regarding any or all information provided by them with respect to the ITQ.

4.1.6 In addition to any other time periods established in the ITQ: 4.1.6.1 Requests for Clarifications: If Canada seeks clarification or verification from the Respondent

about its response, the Respondent will have 2 working days (or a longer period if specified in writing by the Contracting Authority) to provide the necessary information to Canada. Failure to meet this deadline will result in the response being declared non-responsive.


______________________________________________________________________________________

Page 18 of - de 86

4.1.6.2 Requests for Further Information: If Canada requires additional information in order to do any

of the following pursuant to the Section entitled “Conduct of Evaluation” in SACC 2003 (2020-05-28) Standard Instructions - Goods or Services - Competitive Requirements (as amended by Article 2.1.2):

A. verify any or all information provided by the Respondent in their response; B. contact any or all references supplied by the Respondent (e.g. contact person named

for each project) to verify and validate any information submitted by the Respondent.

The Respondent must provide the information requested by Canada within 2 working days (or a longer period provided by the Contracting Authority in writing) of a request by the Contracting Authority.

4.1.6.3 Extension of Time: If additional time is required by the Respondent, the Contracting Authority

may grant an extension at his or her sole discretion.

4.1.7 Only referenced material included within the Respondent’s response, or clarified upon request by the Contracting Authority, will be considered and evaluated. It is the sole responsibility of the Respondent to provide sufficient information so that their responses can be adequately evaluated.

4.1.8 Canada reserves the right to re-evaluate the qualification of any Qualified Respondent at any time during the procurement process. If information comes to the attention of Canada that calls into question any of the Qualified Respondent’s qualifications under this ITQ, Canada may re-evaluate that Qualified Respondent. If Canada re-evaluates the qualification of any Qualified Respondent, Canada may request further information and, if the Qualified Respondent fails to provide it within 5 working days (or a longer period provided by the Contracting Authority), Canada may disqualify the Qualified Respondent.

4.1.9 Unsuccessful Respondents will not be given another opportunity to participate or be re-evaluated for the subsequent phases of the procurement process, unless Canada determines, in its sole discretion, that the circumstances require such a change.

4.1.10 Canada reserves the right, in its sole discretion, to conduct a second qualification round among the unsuccessful Respondents if, in Canada’s opinion, the first qualification round results in an insufficient number of Qualified Respondents. Qualified Respondent(s) in first round would not need to be requalified unless Canada determines otherwise at its sole discretion.

4.1.11 If Canada determines that unsuccessful Respondents will be given a second opportunity to qualify, Canada will provide written information to all unsuccessful Respondents on the same day regarding the reasons they were unsuccessful during the first qualification round.

4.1.12 Any Respondent who does not qualify as a result of any second qualification round conducted by Canada will not be given another opportunity to participate or be re-evaluated for any subsequent phase of this procurement process.

4.2 Response Evaluation - Phased Bid Compliance Process The Phased Bid Compliance Process will apply to all mandatory evaluation criteria contained in Annex B. 4.2.1 General


______________________________________________________________________________________

Page 19 of - de 86

4.2.1.1 Notwithstanding any review by Canada of the Phased Bid Compliance Process (PBCP),

Respondents are and will remain solely responsible for the accuracy, consistency and completeness of their Responses and Canada does not undertake, by reason of this review, any obligations or responsibility for identifying any or all errors or omissions in Responses or in responses by a Respondent to any communication from Canada. The Respondent acknowledges that the reviews of this PBCP are preliminary and do not preclude a finding that the response is non-responsive, even for mandatory requirements which were subject to review and notwithstanding that the response had been found responsive. Canada may deem a response to be nonresponsive to a mandatory requirement at any time during evaluation.

The Respondent also acknowledges that its response to a notice or a Compliance Assessment Report (CAR) (each defined below) may not be successful in rendering its response responsive to the mandatory requirements that are the subject of the notice or CAR, and may render its response non-responsive to other mandatory requirements.

4.2.1.2 Canada may, in its discretion, request and accept at any time from a Respondent and consider as

part of the Response any information to correct errors or deficiencies in the Response that are clerical or administrative, such as, without limitation, failure to sign the or any part or to checkmark a box in a form, or other failure of format or form or failure to acknowledge; failure to provide a procurement business number or contact information such as names, addresses and telephone numbers. This shall not limit Canada’s right to request or accept any information after the ITQ closing in circumstances where the ITQ expressly provides for this right. The Respondent will have the time period specified in writing by Canada to provide the necessary documentation. Failure to meet this deadline will result in the Response being declared non-responsive.

4.2.1.3 The PBCP does not limit Canada’s rights under SACC 2003 (2020-05-28) Standard Instructions -

Goods or Services - Competitive Requirements (as amended by Article 2.1.2) nor Canada’s right to request or accept any information during the solicitation period or after ITQ closing in circumstances where the ITQ expressly provides for this right, or in the circumstances described in sub article 4.2.1.2.

4.2.1.4 Canada will send any Notice or CAR by any method Canada chooses, in its absolute discretion. The Respondent must submit its response by the method stipulated in the Notice or CAR. Responses are deemed to be received by Canada at the date and time they are delivered to Canada by the method and at the address specified in the Notice or CAR. An email response permitted by the Notice or CAR is deemed received by Canada on the date and time it is received in Canada’s email inbox at Canada’s email address specified in the Notice or CAR. A Notice or CAR sent by Canada to the Respondent at any address provided by the Respondent in or pursuant to the Response is deemed received by the Respondent on the date it is sent by Canada. Canada is not responsible for late receipt by Canada of a response, however caused.

4.2.2 ITQ Qualification Response 4.2.2.1 Canada will review the Response to identify any instances where the Respondent has failed to

meet any Eligible Mandatory Criterion. Eligible Mandatory Criteria are all mandatory criteria that are identified in this ITQ as being subject to the PBCP. This review will not assess whether the Response meets any standard or is responsive to all ITQ requirements.

4.2.2.2 Canada will send a written notice to the Respondent (Compliance Assessment Report or “CAR”) identifying any Eligible Mandatory Criteria that the Respondent Response has failed to meet. A


______________________________________________________________________________________

Page 20 of - de 86

Respondent whose Response has been found responsive to the requirements will receive a CAR that states that its Response has been found responsive to the requirements. Such Respondents shall not be entitled to submit any response to the CAR.

4.2.2.3 A Respondent shall have the period specified in the CAR (the “Remedy Period”) to remedy the

failure to meet any Eligible Mandatory Criterion identified in the CAR by providing to Canada in writing additional or different information or clarification in response to the CAR. Responses received after the end of the Remedy Period will not be considered by Canada, except in circumstances and on terms expressly provided for in the CAR.

4.2.2.4 The Respondent’s response must address only the Eligible Mandatory Criteria listed in the CAR

as not having been achieved, and must include only such information as is necessary to achieve such compliance. Any additional information provided by the Respondent which is not necessary to achieve such compliance will not be considered by Canada, except that, in those instances where such a response to the Eligible Mandatory Criteria specified in the CAR will necessarily result in a consequential change to other parts of the Response, the Respondent shall identify such additional changes.

4.2.2.5 The Respondent’s response to the CAR should identify in each case the Eligible Mandatory

Criterion in the CAR to which it is responding, including identifying in the corresponding section of the original Response, the wording of the proposed change to that section, and the wording and location in the Response of any other consequential changes that necessarily result from such change. In respect of any such consequential change, the Respondent must include a rationale explaining why such consequential change is a necessary result of the change proposed to meet the Eligible Mandatory Criterion. Canada will not revise the Respondent’s Response, and failure of the Respondent to do so in accordance with this subparagraph is at the Respondent’s own risk. All submitted information must comply with the requirements of this ITQ.

4.2.2.6 Any changes to the Response submitted by the Respondent other than as permitted in this ITQ,

will be considered to be new information and will be disregarded. Information submitted in accordance with the requirements of this ITQ in response to the CAR will replace, in full, only that part of the original Response as is permitted in this Article.

4.2.2.7 Additional or different information submitted by Respondents permitted by this Article will be considered as included in the Response, for the purpose of determining whether the Response meets the Eligible Mandatory Criteria.

4.2.2.8 Canada will determine whether the Response is responsive for the requirements, considering

such additional or different information or clarification as may have been provided by the Respondent in accordance with this Article. Only Responses that meet all mandatory evaluation criteria of the ITQ to the satisfaction of Canada, will receive further evaluation

4.3 Reference Checks 4.3.1 It is the responsibility of the Respondent to confirm in advance that the contact person provided in

its response for the reference project will be available for the reference check during the evaluation to provide a response and is willing to provide a reference.

4.3.2 For the purpose of this evaluation, reference checks may be used to verify and validate the

Respondent’s response. If a reference check is performed, Canada will conduct the reference check in writing by e-mail. Canada will send the reference check request directly to the contact person for the reference project provided by the Respondent. The contact person will have five


______________________________________________________________________________________

Page 21 of - de 86

(5) working days (or a longer period otherwise specified in writing by the Contracting Authority) from the date that Canada's e-mail was sent, to respond to Canada.

4.3.3 The contact person will be required, within two working days after Canada sends out the

reference check request, to acknowledge the receipt of the reference check request and identify his or her willingness and availability to conduct such reference check. If Canada has not received the required response from the identified contact person, Canada will notify the Respondent by e-mail, to allow the Respondent to contact its contact person directly to ensure that he or she responds to Canada within the allotted time. The contact person’s failure to respond to Canada’s request in a timely manner will result in non-consideration of the Respondent’s claimed project experience.

4.3.4 Notwithstanding Articles 4.3.2 and 4.3.3, if the contact person is unavailable when required during

the evaluation period, the Respondent will be requested to provide an alternate contact person for the same reference project. Respondents will only be provided with this opportunity once for each reference project and only if the original contact person is unavailable to respond. The process as described in Articles 4.3.2 and 4.3.3 is applicable for the reference check with the alternate contact person. The period to respond for either the original contact person, or the alternate contact person, will be a total of five working days each (or a longer period otherwise specified in writing by the Contracting Authority) in accordance with Article 4.3.2.

4.3.5 Wherever information provided by a contact person differs from the information supplied by the

Respondent, the Respondent will be asked to clarify reference project information provided in its ITQ response. Canada will assess the following information during the evaluation of the Respondent’s response: the Respondent’s original reference project information; any information provided by the Respondent in response to clarification request(s); and any information supplied by the contact person for the reference project.

4.3.6 A Respondent will not meet the mandatory experience requirement if: 4.3.6.1 the identified contact person fails to respond to Canada’s request in a timely manner; 4.3.6.2 the contact person states he or she is unable or unwilling to provide the information requested; 4.3.6.3 the information provided by the Respondent cannot be verified and validated by Canada; or 4.3.6.4 the law enforcement organization is itself an affiliate or other entity that does not deal at arm’s

length with the Respondent.

4.3.6.5 Whether or not to conduct reference checks is at Canada’s sole discretion. However, if Canada chooses to conduct reference checks for any given mandatory requirement, it will check the reference projects submitted for that requirement by each Respondent that has not, at that point, been found non-responsive.

4.4 Basis of Qualification

4.4.1 To be responsive, a response must: 4.4.1.1 comply with the qualifications and conditions of the ITQ; 4.4.1.2 meet all mandatory evaluation criteria in Annex B – Mandatory Evaluation Criteria;

4.4.1.3 be qualified under the SCI and FOCI assessments.


______________________________________________________________________________________

Page 22 of - de 86

4.4.2 Responses that are assessed as not meeting sub-article 4.4.1.1 or sub-article 4.4.1.2 or not qualified under sub-article 4.4.1.3 will be declared non responsive and the Respondents will be given no further consideration.

4.4.3 Respondents whose responses are assessed as meeting sub-article 4.4.1.1 and sub-article 4.4.1.2 will be eligible to participate in RRR Phase.

4.4.4 Respondents whose responses are assessed as meeting sub-article 4.4.1.1 and sub-article 4.4.1.2 but not qualified under sub-article 4.4.1.3 will not be allowed to continue with the RRR phase and any subsequent procurement process.

4.4.5 Only Respondents whose responses are assessed as meeting sub-article 4.4.1.1, sub-article 4.4.1.2 and qualify under sub-article 4.4.1.3 will be selected as “Qualified Respondents” and will be invited to participate in any subsequent phases of the procurement process.

4.4.6 The Contracting Authority will inform each Respondent in writing to notify them whether or not

they have qualified for a subsequent phase of the procurement process upon completion of each phase or step.

4.4.7 Canada will also publish the list of Qualified Respondents on BuyandSell.gc.ca. 4.4.8 Should there be an insufficient number of Qualified Respondents after the ITQ Phase to permit a

competition in subsequent phases of the procurement process, Canada reserves the right to cancel any subsequent phases of the procurement process or to conduct a second qualification round as per sub-article 4.1.10, to modify the requirements of the ITQ phase and re-publish the solicitation using the same or a different approach or to enter into negotiation with a sole Qualified Respondent.

4.4.9 This ITQ may be cancelled if less than 3 responses are received or if there are less than 3

Qualified Respondents.


______________________________________________________________________________________

Page 23 of - de 86

PART 5 – CERTIFICATIONS Respondents must provide the required certifications to be declared a Qualified Respondent. The certifications provided by Respondents to Canada are subject to verification by Canada at all times. Canada will declare a Response non-responsive, or will declare a contractor in default if any certification made by the Respondent is found to be untrue, whether made knowingly or unknowingly, during the qualification period, or during the period of any solicitation arising from this invitation to qualify and any resulting contract(s). The Contracting Authority will have the right to ask for additional information to verify the Respondent's certifications. Failure to comply and to cooperate with any request or requirement imposed by the Contracting Authority will render the response non-responsive or constitute a default under the contract.

5.1 Certifications Required with Response Respondents must submit the following duly completed certifications as part of their response. 5.1.1 Software as a Service Publisher Certification Respondents must include Form 3 - SaaS Service Publisher Certification form as part of the Response. 5.1.2 Government of Canada Cloud Service Provider Authorization Respondents must include Form 4 - Government of Canada Cloud Service Provider Authorization Form as part of the Response. 5.1.3 Integrity Provisions - Declaration of Convicted Offences In accordance with the Integrity Provisions of the Standard Instructions, all Respondents are requested to provide with their response, if applicable, the declaration form available on the Forms for the Integrity Regime website (http://www.tpsgc-pwgsc.gc.ca/ci-if/declaration-eng.html). If Canada determines that the information required by the form is incomplete or requires correction, Canada will provide the Respondent with an opportunity to provide the additional information or make the correction. Providing the information when requested and as requested during the evaluation period is mandatory.


______________________________________________________________________________________

Page 24 of - de 86

PART 6 –- SECURITY REQUIREMENT

A Provisionally Qualified Respondent will be allowed to participate in RRR. The Provisionally Qualified Respondent must submit its FOCI and SCSI submissions on time in accordance to the terms of this ITQ, before the expiry of a three-week period from the date of the email sent by PWGSC to the Provisionally Qualified Respondent requesting the respective submissions to remain responsive. A Provisionally Qualified Respondent who fails its preliminary SCI assessment or its FOCI assessment will not be able to continue participating in the RRR phase or the rest of the procurement.

6.1 FOCI Security Requirement -- At ITQ Phase

6.1.1 A Provisionally Qualified Respondent that has been verified by Canada to have met the evaluation criteria, qualifications and conditions of the ITQ and has been notified by Canada must submit a completed FOCI package including the associated documentation as prescribed in the FOCI Guidelines and Questionnaire three weeks from the date of the email sent by the PWGSC Contract Security Program FOCI office directly to the Provisionally Qualified Respondent. The FOCI Guidelines and Questionnaire will be provided in that email.

6.1.2 At any time during the course of the FOCI assessment, Canada may, at its sole discretion, request any additional information, documentation, or clarification from the Provisionally Qualified Respondent. Canada may further, at its sole discretion, express its FOCI concerns about the Provisionally Qualified Respondent and may but is not obliged to enter into negotiations about possible mitigation measures with the Provisionally Qualified Respondent during or after the FOCI assessment. Any communications between Canada and the Provisionally Qualified Respondent must remain confidential. Canada may, at its sole discretion, disqualify the Provisionally Qualified Respondent for any breach of confidentiality in addition to seeking any other applicable remedies such as injunctions or damages.

6.1.3 Canada reserves the right to use any information in possession of Canada for the FOCI

assessment. The FOCI assessment by Canada will result in three possible determinations: “Not Under FOCI”, “Under FOCI with Mitigation Measures”, or “Under FOCI, Mitigation Measures not required”.

6.1.4 FOCI assessment resulting in evidence of FOCI requiring mitigation measures will be reviewed

and approved by the appropriate authorities. Any approved mitigation measures must remain implemented throughout the duration of the procurement process. If Canada determines that mitigation measures cannot be implemented, Canada reserves the right to disqualify the Provisionally Qualified Respondent and the Provisionally Qualified Respondent will be prevented from participating in the rest of the procurement including the RRR.

6.1.5 The Provisionally Qualified Respondent must maintain their FOCI determination of “Not under

FOCI”, or “Under FOCI with Mitigation Measures” status throughout the duration of the procurement process, and thereafter during the contract. The Provisionally Qualified Respondent must immediately provide the FOCI Office with documentation pertaining to any changes to the organization’s corporate and or ownership structure as well as any increase in foreign income or foreign debt from what was reported to the FOCI Office for the initial FOCI assessment. The


______________________________________________________________________________________

Page 25 of - de 86

Provisionally Qualified Respondent will be subject to a FOCI re-assessment based on this new information, and information in possession of Canada, if any, to re-determine the FOCI status.

6.1.6 The Provisionally Qualified Respondent must maintain their FOCI determination of “Not under

FOCI”, or “Under FOCI with Mitigation Measures” status throughout the duration of the procurement process, and thereafter during the contract. The Provisionally Qualified Respondent must immediately provide the FOCI Office with documentation pertaining to any changes to the organization’s corporate and or ownership structure as well as any increase in foreign income or foreign debt from what was reported to the FOCI Office for the initial FOCI assessment. The Provisionally Qualified Respondent will be subject to a FOCI re-assessment based on this new information, and information in possession of Canada, if any, to re-determine the FOCI status.

6.2 Anticipated FOCI Security Requirement – At Bidding Phase

6.2.1 The following process is provided for informational purposes only, as an anticipated FOCI Security Requirement. Canada reserves the right to make any change to anticipated processes, including but not limited to deleting it or inserting a new one.

6.2.2 Before accessing any information or assets, the winning bidder/contractor must be in possession

of a determination letter, specific to this contract which will expire at the end of this contract or any contract extensions, from the FOCI Office identifying the results of the FOCI assessment. This assessment will be conducted on the winning bidder or contractor as well as on the suppliers, sub-contractors for this contract of the winning bidder.

6.2.3 If the “Under FOCI with Mitigation Measures” determination letter requires mitigation measures to

be implemented, these measures must be implemented and approved by the FOCI Office prior to the winning bidder or, contractor or their personnel access information or assets. The mitigation measures must remain implemented throughout the duration of the contract, including any contract extension(s) if applicable.

6.2.4 The CSP retains the right to suspend the winning bidder or contractor’s organizational clearance

if the winning bidder or contractor becomes subject to an “Under FOCI with Mitigation Measures” determination and chooses not to implement the required mitigation measures.

6.2.5 The winning bidder or contractor must maintain their FOCI determination of “Not under FOCI”, or

“Under FOCI with Mitigation Measures” status throughout the duration of the contract, including any contract extension(s) if applicable.

6.2.6 The winning bidder or contractor must immediately provide the FOCI Office with documentation

pertaining to any changes to the organization’s corporate and or ownership structure as well as any increase in foreign income or foreign debt from what was reported to the FOCI Office for the initial FOCI assessment. The winning bidder/contractor will be subject to a FOCI re-assessment based on this new information to re-determine the FOCI status of the winning bidder/contractor.

6.2.7 An “Under FOCI” determination letter with no possible mitigation measures will result in the

winning bidder/contractor not being able to obtain the necessary security clearances, to obtain and or maintain a Designated Organization Screening (DOS) and personnel clearances with the CSP, and consequently not meeting the security requirements of the contract.


______________________________________________________________________________________

Page 26 of - de 86

6.3 General Information – Anticipated Security Requirement – At Bidding Phase A preliminary version of the Security Requirements Checklist (SRCL) including SRCL Security Guide have been included in Annex C to this ITQ and the anticipated security clearance requirements are described below. These requirements are subject to changes and are provided for information purposes. This process will be in addition to the FOCI and SCI assessments. However, Respondents that do not have the security clearances described in the preliminary SRCL may wish to initiate the process to ensure they meet the requirements. Qualified Respondents that require security sponsorship should notify the Contracting Authority in writing. Any delay in the award of a contract to allow the successful bidder to obtain the required clearance will be at the entire discretion of the Contracting Authority. For information on personnel and organization security screening or security clauses, Respondents should refer to the Contract Security Program of Public Works and Government Services Canada (http://www.tpsgc-pwgsc.gc.ca/esc-src/introduction-eng.html) website.

6.3.1 Anticipated Security Requirement for Canadian Supplier – At Bidding Phase

6.3.1.1 The Contractor must, at all times during the performance of the Contract, hold a valid Designated Organization Screening (DOS) with approved Document Safeguarding and Production Capabilities at the level of PROTECTED B, issued by the Contract Security Program (CSP), Public Works and Government Services Canada (PWGSC).

6.3.1.2 The Contractor personnel requiring access to PROTECTED information, assets or sensitive site(s) must be a citizen or permanent resident of Canada, or citizens of The United States Of America, or New Zealand, or The United Kingdom or Australia and must EACH hold a valid personnel security screening at the level of ENHANCED RELIABILITY STATUS, or SECRET, as required, and all others must have a valid SITE ACCESS clearance, as required, granted or approved by the CSP, PWGSC. Until the security screening of the Contractor personnel required by this Contract have been completed satisfactorily by the CSP, PWGSC, the Contractor/personnel MAY NOT HAVE ACCESS to PROTECTED information or assets, and may not enter sites where such information or assets are kept, without an escort.

6.3.1.3 The Contractor MUST NOT utilize its Information Technology systems to electronically process,

produce or store PROTECTED information until the CSP, PWGSC has issued written approval. After approval has been granted or approved, these tasks may be performed at the level of PROTECTED B, including an IT Link at the level of PROTECTED B.

6.3.1.4 The Contractor may subcontract, or use third parties in the performance of the Work, provided

that (a) the Contractor obtains the Contracting Authority’s prior written consent, (b) written permission is provided from the CSP, PWGSC, (c) the subcontractor or third party provider is bound by the terms of this Contract and the subcontract, (d) the Contractor remains liable to Canada for all the Work performed by the subcontractor or third party subcontractor or Offeror.

6.3.1.5 Any Contractor or, sub-contractor or third party delivering Cloud services must be approved by

the Government of Canada and comply with the security requirements in the GC Security Control Profile for Cloud-Based GC IT Services for Protected B, Medium Integrity and Medium Availability (PBMM) for the scope of the proposed Commercially Available Software as a Service provided. Compliance will be validated and verified against the Canadian Centre for Cyber Security (CCCS) Cloud Service Provider (CSP) Information Technology (IT) Security Assessment Process (ITSM.50.100) (https://cyber.gc.ca/en/guidance/cloud-service-provider-information-technology-security-assessment-process-itsm50100). Any Supplier that has participated in the process must provide documentation to confirm that they have completed the on-boarding process with (i) a copy of the most recent completed assessment report provided by CCCS; and (ii) a copy of the most recent summary report provided by CCCS. This may accelerate the qualification process.


______________________________________________________________________________________

Page 27 of - de 86

The Contractor/Offeror must comply with the provisions of the: (a) Security Requirements Check List and security guide (if applicable), attached at Annex C; (b) Contract Security Manual (Latest Edition) NOTE: There are multiple levels of personnel security screenings associated with this file. In this instance, a Security Classification Guide must be added to the SRCL clarifying these screenings. The Security Classification Guide is normally generated by the organization's project authority and/or security authority.

6.3.2 Anticipated Security Requirements For Foreign Supplier – At Bidding Phase

6.3.2.1 The Designated Security Authority (DSA) for Canada is the Industrial Security Sector (ISS), Public Works and Government Services Canada (PWGSC), administered by International Industrial Security Directorate (IISD). The Canadian DSA is the authority for confirming Contractor/Subcontractor compliance with the security requirements involving for foreign suppliers. The following security requirements apply to the Foreign recipient Contractor/Subcontractor incorporated or authorized to do business in a jurisdiction other than Canada and delivering/performing outside of Canada the Work described in the Statement of Work, in addition to the Privacy and Security Requirements.

6.3.2.2 The Foreign Recipient Contractor/Subcontractor certifies that the delivery and provisioning of the managed service and operations of the SaaS DEMS, including monitoring and support, will be provided from within Canada or one of its fellow member countries of the Five Eyes (FVEY) intelligence alliance including Australia, New Zealand, the United Kingdom and the United States. Additionally, the Foreign Recipient Contractor/Subcontractor certifies that the delivery and provisioning of the devices and services of the Body Worn Cameras (BWC), including support, will be provided from within Canada or one of its fellow member countries of the Five Eyes (FVEY) intelligence alliance including Australia, New Zealand, the United Kingdom and the United States.

6.3.2.3 The Foreign recipient Contractor/Subcontractor must at all times during the performance of the contract/subcontract be registered with the appropriate government administered supervisory authority responsible for CANADA PROTECTED and Personal Information in the country/countries in which it is incorporated or operating and authorized to do business and handle CANADA PROTECTED/Personal Information. The Foreign recipient Contractor/Subcontractor must provide proof of its registration with the applicable supervisory authority to the Contracting Authority and the Canadian DSA, and identify the relevant national Privacy/Security Authority.

6.3.2.4 The Foreign recipient Contractor/Subcontractor must submit, as determined by Canada, the completed Foreign Ownership, Control or Influence (FOCI) package including the associated documentation as prescribed in the FOCI Guidelines and Questionnaire by the due date identified in the email sent by the Canadian DSA.

6.3.2.5 Canada retains the right to suspend the access by the Foreign recipient Contractor/Subcontractor to CANADA PROTECTED information based on the information included in the FOCI package and returned by the Foreign recipient Contractor/Subcontractor. Canada retains the right to request the Foreign recipient


______________________________________________________________________________________

Page 28 of - de 86

Contractor/Subcontractor to implement additional security measures to mitigate the risk of a FOCI.

6.3.2.6 The Foreign recipient Contractor/Subcontractor must immediately provide to the Canadian DSA with documentation pertaining to any changes to the organization’s corporate and or ownership structure as well as any increase in foreign income or foreign debt from what was reported to the Canadian DSA for the initial FOCI assessment. The Foreign recipient Contractor/Subcontractor will be subject to a FOCI re-assessment based on this new information to re-determine the FOCI status of the Foreign recipient Contractor/Subcontractor.

6.3.2.7 Denied access to CANADA PROTECTED information by the Canadian DSA will result in the Foreign recipient Contractor/Subcontractor not being able to obtain the necessary security clearances, and consequently not meeting the security requirements of the contract.

6.3.2.8 The Foreign recipient Contractor/Subcontractor must, at all times during the performance of the contract/subcontract, adhere to the following requirements:

i. The Foreign recipient Contractor/Subcontractor must provide proof that they are incorporated or authorized to do business in their jurisdiction.

ii. The Foreign recipient Contractor/Subcontractor must not begin the work, services or performance until the Canadian Designated Security Authority (DSA) is satisfied that all contract security requirement conditions have been met. Canadian DSA confirmation must be provided, in writing, to the Foreign recipient Contractor/Subcontractor in an Attestation Form, to provide confirmation of compliance and authorization for services to be performed.

iii. The Foreign recipient Contractor/Subcontractor must identify an authorized Contract Security Officer (CSO) to be responsible for the overseeing of the security requirements, as defined in this contract. This individual will be appointed by the proponent Foreign recipient Contractor’s/Subcontractor’s Chief Executive officer or official delegate.

iv. The foreign recipient Contractor/Subcontractor must appoint someone to be its privacy officer and to act as its representative for all matters related to the Personal Information and the Records. This individual will be appointed by the proponent Foreign recipient Contractor’s/Subcontractor’s Chief Executive officer or official delegate.

The Foreign recipient Contractor/Subcontractor must not grant access to CANADA PROTECTED information/assets, except to its personnel subject to the following conditions:

(a) Personnel have a need-to-know for the performance of the contract/subcontract;

(b) Personnel have been subject to a Criminal Record Check, with favourable results, from a recognized governmental agency or private sector organization in their country as well as a Background Verification, validated by the Canadian DSA;

(c) The Foreign recipient Contractor/Subcontractor must ensure that personnel provide consent in writing to share results of the Criminal Record and Background Checks with the Canadian DSA and other Canadian Government Officials, if requested;

(d) If the Foreign recipient Contractor/Subcontractor doubts that one of its personnel has the capacity to provide consent to the disclosure and use of his or her Personal Information, the Foreign recipient Contractor/Subcontractor must request approval


______________________________________________________________________________________

Page 29 of - de 86

to the Canadian DSA (in collaboration with the Contracting Authority) to release CANADA Protected information to such individual; and

(e) The Government of Canada reserves the right to deny access to CANADA PROTECTED information/assets to a foreign recipient Contractor/Subcontractor and its personnel for cause.

6.3.2.9 In addition, the Foreign recipient Contractor/Subcontractor personnel requiring access to PROTECTED information with administrative rights and as defined in the Security Classification Guide must EACH hold a valid personnel security screening at the level of SECRET, granted and approved by their respective National Security Authority (NSA) or Designated Security Authority (DSA) of the Foreign recipient Contractor/Subcontractor’s country.

6.3.2.10 CANADA PROTECTED information/assets, provided to the Foreign recipient Contractor/ Subcontractor or produced by the Foreign recipient Contractor/Subcontractor, must:

i. not be disclosed to another government, person or firm, or representative thereof not directly related to the performance of the contract / subcontract, without the prior written consent of Canada. Such consent must be sought from its national DSA/DPA, the Canadian DSA (in collaboration with the Contracting Authority); and

ii. not be used for any purpose other than for the performance of the contract/subcontract without the prior written approval Canada. This approval must be obtained by contacting its national DSA/DPA in collaboration with the Canadian DSA.

6.3.2.11 The Foreign recipient Contractor/Subcontractor MUST NOT remove CANADA PROTECTED information/assets from the identified work site(s), and the Foreign recipient Contractor/ Subcontractor must ensure that its personnel are made aware of and comply with this restriction.

6.3.2.12 The Foreign recipient Contractor/Subcontractor must not use the CANADA PROTECTED information/assets for any purpose other than for the performance of the contract/subcontract without the prior written approval of the Government of Canada. This approval must be obtained from the Canadian DSA.

6.3.2.13 The Foreign recipient Contractor/Subcontractor must, at all times during the performance of the contract/subcontract hold an equivalence to an approved Document Safeguarding Capability (DSC) at the level of CANADA PROTECTED B.

6.3.2.14 All CANADA PROTECTED information/assets, furnished to the Foreign recipient Contractor/Subcontractor or produced by the Foreign recipient Contractor/Subcontractor, must also be safeguarded as follows:

a. The Foreign recipient Contractor/Subcontractor must immediately report to the Canadian DSA all cases in which it is known or there is reason to suspect that CANADA PROTECTED information/ assets pursuant to this contract/subcontract has been compromised.

OR a. The Foreign recipient Contractor/Subcontractor must immediately report to its

respective national DSA/DPA and the Canadian DSA (in collaboration with the Contracting Authority), all cases in which it is known or there is reason to suspect that any Personal Information provided or generated pursuant to this contract/subcontract


______________________________________________________________________________________

Page 30 of - de 86

have been lost, or in contravention of these security requirements, accessed, used or disclosed to unauthorized persons.

b. The Foreign recipient Contractor/Subcontractor must control access to all databases on which any data relating to the contract/subcontract is stored so that only individuals with the appropriate security screening are able to access the database, either by using a password or other form of access control (such as biometric controls).

c. The Foreign recipient Contractor/Subcontractor must ensure that all databases on which any data relating to the contract/subcontract is stored are physically and logically independent (meaning there is no direct or indirect connection of any kind) from all other databases.

d. The Foreign recipient Contractor/Subcontractor must not disclose CANADA PROTECTED information/assets to a third party government, person, firm or representative thereof, without the prior written consent of the Government of Canada. Such consent must be sought through the Canadian DSA.

e. The Foreign recipient Contractor/Subcontractor must provide the CANADA PROTECTED information/ assets a degree of safeguarding no less stringent than that provided by the Government of Canada in accordance with the National Policies, National Security legislation and regulations and as prescribed by the Canadian DSA.

f. All CANADA PROTECTED information/assets provided to the Foreign recipient Contractor/ Subcontractor pursuant to this Contract/Subcontract by the Government of Canada, shall be additionally marked by the Foreign recipient Contractor/Subcontractor with the equivalent security classification utilized by the Foreign recipient Contractor/Subcontractor’s country and in accordance with their National legislation, regulations and policies of the Foreign recipient Contractor/Subcontractor’s country and international bilateral security instrument concerning industrial security with Canada.

g. Upon completion of the Work, the Foreign recipient Contractor/Subcontractor must return to the Government of Canada, all CANADA PROTECTED information/assets furnished or produced pursuant to this contract/subcontract, including all CANADA PROTECTED information/assets released to and/or produced by its subcontractors.

h. The Foreign recipient Contractor/Subcontractor requiring access to CANADA PROTECTED information/assets or Canadian restricted sites, under this contract, must submit a Request for Site Access to the Chief Security Officer of the Royal Canadian Mounted Police.

i. The Foreign recipient Contractor/Subcontractor MUST NOT utilize its Information Technology (IT) systems to electronically process, produce, or store on a computer system and transfer via an IT link any CANADA PROTECTED information until authorization to do so has been confirmed by the Canadian DSA.

j. The Foreign recipient Contractor/Subcontractor must ensure that all the databases including the backup database used by organizations to provide the services described in the proposed SaaS DEMS, containing any CANADA PROTECTED Information, related to the Work, are located within Canada.

6.3.2.15 Canada may audit the Foreign recipient Contractor’s/Subcontractor’s compliance with these supplemental contract security requirements at any time. If requested by the Contracting Authority, the Foreign recipient Contractor/Subcontractor must provide Canada with access to its premises and to the Canadian Protected and Personal Information and Records at all reasonable times. If Canada identifies any deficiencies


______________________________________________________________________________________

Page 31 of - de 86

during an audit, the Foreign recipient Contractor/Subcontractor must immediately correct the deficiencies at its own expense.

6.3.2.16 Subcontracts which contain security requirements are NOT to be awarded without the prior written permission of the Canadian DSA.

6.3.2.17 All Subcontracts awarded to a third party foreign recipient are NOT to be awarded without the prior written permission of the Canadian DSA in order to confirm the security requirements to be imposed on the subcontractors.

6.3.2.18 All Subcontracts awarded by a third party foreign recipient are NOT to be awarded without the prior written permission of the Canadian DSA in order to confirm the security requirements to be imposed on the subcontractors.

6.3.2.19 Any third party supplier that will require access to CANADA PROTECTED information as part of this contract must adhere to all of the security requirements outlined in this contract.

6.3.2.20 Canada has the right to reject any request to electronically access, process, produce, transmit or store CANADA PROTECTED information/assets related to the Work in any other country if there is any reason to be concerned about the security, privacy, or integrity of the information

6.3.2.21 The Foreign recipient Contractor/Subcontractor must comply with the provisions of the Security Requirements Check List attached at Annex C.

6.4 Supply Chain Integrity (SCI) Assessment 6.4.1 In order to be fully qualified, a Provisionally Qualified Respondent must successfully complete a

preliminary Supply Chain Integrity (SCI) assessment. 6.4.2 A further, more detailed, comprehensive SCI assessment will be performed at the RFP stage.

The preliminary SCI will be assessed based on information provided in Form 5 –Supply Chain Security Information (SCSI), as well as supporting documentation requested by Canada and provided by the Provisionally Qualified Respondent. The purpose of SCI assessments is to ensure that all proposed sub-contractors, products, equipment, software, firmware and services that are procured by Canada meet the required security and supply chain standards.

6.4.3 The preliminary SCI assessment is a mandatory process at the ITQ Stage, and Annex D

Preliminary Supply Chain Integrity Assessment describes the process more in detail, including the requisite submissions. SCI is an important corporate requirement. Challenged by increasingly complex cyber threats, Canada is committed to include enhanced security assessment processes in the ITQ, RFP, and resulting Contract.

6.4.4 The Provisionally Qualified Respondent must provide the information described in Annex D

entitled Supply Chain Security Information Assessment Process as part of the preliminary SCI assessment. The Provisionally Qualified Respondent are not required to fill all sections of Form 5 – Supply Chain Security Information, but only those required by Annex D. The Qualified Respondents will be required to provide the entire supply chain security information at the time of the RFP.


______________________________________________________________________________________

Page 32 of - de 86

ANNEX A

OVERVIEW AND HIGH LEVEL DESCRIPTION OF THE REQUIREMENT

BODY WORN CAMERAS AND a DIGITAL EVIDENCE MANAGEMENT SYSTEM

This following overview of anticipated requirements is provided for information only at this stage. This Annex highlights some of the anticipated requirements that may need to be taken into consideration for both the RFP and the resulting contract. Note that the following anticipated requirements are subject to change, may not be complete and the full statement of requirements will be issued at the RFP stage.

1. Background

1.1 The Royal Canadian Mounted Police (RCMP) is Canada’s national police service and has policing mandates across the country at community, municipal, provincial, territorial and federal levels. The RCMP provides federal, provincial, territorial and municipal policing services to Canadians across 10 Provinces, 3 Territories, 150 Municipalities, and over 600 Indigenous Communities which includes providing both Federal Police Services and Specialized Police Services in support of hundreds of other police and public safety agencies across Canada.

1.2 The RCMP is a $5B organization with approximately 30,000 employees including 19,000 police officers. The RCMP has more than $1.3B in assets including 3,362 buildings and 14,749 vehicles across the country. The RCMP has made a decision to make Body Worn Cameras(BWCs) and a Digital Evidence Management System (DEMS) a national standard for all front line and general duty police officers across the country, which is in the range of 10,000 - 15,000 officers. Many of these police officers work in rural and remote areas in approximately 750 detachments across Canada.

2. Scope

The Royal Canadian Mounted Police (RCMP) is committed to ensuring that Canadians feel protected by, and have trust in their National Police Force. Canada is seeking to award a contract to a Contractor who will provide a solution that delivers BWCs and a national Software-as-a-Service (SaaS) DEMS as a fully managed service (herein after referred as “Service or Services”). It is intended that, in addition to the RCMP, other federal departments, agencies or crown corporations and/or provincial, territorial, and municipal jurisdictions may use the resulting contract to access the services.

3. Key Driver for Change

The RCMP, and other police forces, are faced with increased public scrutiny of their interactions with the communities they serve. A key initiative to increase transparency and accountability is the national deployment of BWCs for RCMP police officers. Although not a universal solution, when BWCs have been used in other police forces around the world, they have been shown to increase transparency and reduce the time it takes to resolve complaints.


______________________________________________________________________________________

Page 33 of - de 86

4. Use of Body Worn Cameras

4.1 Over the last 15 years, BWCs have been implemented around the world. In Canada, BWCs have been implemented, or are in various stages of implementation, in many of the larger police services including Calgary, Halifax, Toronto, and Peel.

4.2 The RCMP has been researching this technology for a number of years and has conducted BWC pilots. In 2017, the RCMP deployed twelve BWCs to the RCMP members who were serving in Happy Valley-Goose Bay and Cartwright in Newfoundland and Labrador (B Division) as a limited and temporary deployment of equipment to support police operations. This allowed the RCMP to assess the functionality of these devices in an operational environment.

4.3 After consulting with community members, stakeholders, and federal and territorial government officials, a limited pilot was launched in Iqaluit in the fall of 2020 to test draft operational procedures and guidelines and to determine resource requirements to support the operations of the BWCs and the storage and management of video evidence. Information and data gathered from this pilot will be used to improve operational policy, procedures and training programs in support of the RCMP’s national BWC and DEMS Program.

4.4 Pilots have been done previously, but have focused mostly on the BWC functions, limitations, operational impacts and policies. The RCMP maintains a small contingent of BWCs for limited use during major events.

5. Objectives and Business Outcomes

5.1 Canada is seeking to procure the services of a Contractor to support the RCMP in its national roll-out of BWCs and implementation of a national DEMS, as detailed in sections 6.4.1 and 6.4.2. The RCMP is targeting to have a contractor in place by the Fall of 2021. The first BWCs will be deployed in a phased manner leading to national implementation with full rollout, including a robust DEMS and related training, within 12-18 months of contract award.

5.2 As a result of implementing a national BWC and DEMS Program within the RCMP, Canadians can expect:

Improved transparency and accountability for police leading to increased public trust and confidence in police;

Increased lawful and respectful interactions between the public and the police; Improved evidence gathering and timely prosecutions; and Increased withdrawal or timely resolution of complaints due to video evidence.

5.3 The most tangible improvements are expected to be improved evidence collection, reductions in times to resolve complaints and increased transparency. The video evidence collected will provide an independent and objective way to capture incidents and interactions between police officers and the community.

6. Functional Scope

6.1 The successful Contractor will be required to provide a fully managed Service that will support the roll-out of BWCs and associated equipment, the ongoing life-cycle management of the hardware, including replacement, maintenance and repair. The Contractor will also be required to provide services in support of the implementation of a SaaS DEMS as well as any additional services required to sustain the ongoing operations of the RCMP’s BWC and DEMS Program.


______________________________________________________________________________________

Page 34 of - de 86

6.2 This Service will need to be adaptable to meet the RCMP requirements, including those of urban, rural and remote RCMP locations, and be able to deliver capabilities across multiple jurisdictions. The Service must be scalable to equip up to 10,000 – 15,000 RCMP police officers with BWCs and DEMS as well as additional DEMS users across the RCMP.

6.3 The Contractor will need to consider challenges, such as the capture and storage of digital evidence in areas with limited data bandwidth, the ability for the BWC to operate under a wide range of temperatures given the diverse locations across, and the automated activation and capture of digital evidence in emergency and high stress situations.

6.4 The Contractor will be required to deliver the following components in support of the RCMP’s national BWC and DEMS Program:

6.4.1 BWCs

The Contractor will be required to provide Contractor owned and managed BWCs and associated equipment. The following services may be required, but are not limited to:

provisioning; distributing; helpdesk support; training; maintenance, replacement and repair; secure disposal; and evergreening.

Associated equipment may include, but is not limited to the following:

multiple uniform mounting options; mounting brackets and/or clips; associated docking stations and charging cables; and various automated triggering mechanisms (e.g. holster, conducted energy weapon, car).

6.4.2 DEMS

The Contractor will be required to provide a SaaS DEMS. The following services may be required, but are not limited to:

Configuration, integration and testing; helpdesk support; training; implementation; deployment; onboarding; operations; maintenance; and evergreening.

The DEMS capabilities required may include, but are not limited to the following:

secure and reliable data storage for Protected B data; upload of BWC video and other multi-media (e.g. video, audio, picture, text) files from

various sources; search and retrieval of digital evidence; integration capabilities in the form of a secure application programming interface (API); management, redaction and editing of captured information;


______________________________________________________________________________________

Page 35 of - de 86

ability to share evidence internally and externally; and data migration.

7. Functional Capabilities, Outcomes and Business Value

The following table reflects the business tools and capabilities that Canada will require the Contractor to consider when proposing solutions as part of this initiative. This list of capabilities is intended to be used to create a functional scope and to develop detailed business and operational requirements to be outlined in future stages of the procurement process. This list of tools and capabilities may evolve during the procurement process.

Functional Area

Capability Business Value

Body Worn Cameras

Robust and easy to use

Ability to withstand the physical demands of a police officer’s job without compromising officer safety.

Ability to activate with an ambidextrous single hand and can’t be accidentally deactivated.

Flexible and secure uniform mounting options

Ability to fit within the available space and visually blend in with the officer uniforms.

Compatibility with multiple uniform mounting options that can support a variety of operational needs.

Ability to be securely fastened to officers’ uniforms. Operate in rural

and remote areas

Ability to withstand a wide range of temperatures, from the extreme heat of the Canadian summer to the extreme cold of the Canadian winter, without affecting performance or compromising the ability to capture digital evidence.

Automated uploading of digital evidence

Ability to automate the upload of BWC data to DEMS within urban, rural and remote geographical areas to minimize additional work for police officers at the end of their shift.

Ability to upload evidence from BWCs to DEMS where there may be limited bandwidth in remote locations (e.g. BWCs that connect directly to DEMS via cellular network).

Battery life and storage capacity

Sufficient battery life and storage capacity to ensure that the police officer is able to capture all required recordings for the entire duration of the shift

Equipment Management

Secure supply, distribution, maintenance, repair, replacement, upgrade, and disposal of BWCs and all related equipment.

Availability of full data sheets, specification documents, diagnostic tests and any field repair manuals for the BWC hardware, the BWC firmware and the associated interfacinghardware (particularly if proprietary) that is used for the Service to assist with the extraction of data from damaged BWCs.

DEMS Cloud based storage of digital evidence

Ability to securely upload digital evidence from the BWCs and other multi-media files to a cloud-based storage solution.


______________________________________________________________________________________

Page 36 of - de 86

Provide a solution that supports rural and remote areas that have low bandwidth.

Management of evidence

Allow Canada to store and organize the digital media in a way that facilitates the organization and retrieval of data and considers the mobility of resources who will move between detachments within a single division and move from one division to another over time.

Provide a service that is available in both of Canada’s official languages (English and French) and meets Government of Canada Accessibility standards as outlined in section 8.1.

Redaction and Editing

Include tools that are secure and easy to use and support the redaction and editing of digital media for disclosure. Tools that support automation and reduce the number of manual interventions through the use of robotic process automation features are desirable.

Disclosure Accommodate the secure disclosure of evidence to a variety of external stakeholders in multiple jurisdictions across the country.

Reporting Support various types of reporting (e.g. geographic location, organization, Division, etc.).

Support a variety of reporting needs (e.g. administrative, audit, performance, etc.).

Privacy and Security

Ensures compliance to federal privacy legislation and security standards and provides tools to manage and control user access.

The Service must: a) meet cloud Protected B security level requirements for

the Government of Canada (GC) b) be hosted by a “qualified” GC Cloud Service Provider

as per Section 8.3.2.; and c) meet the GC Security Control Profile for Cloud-based

GC Services reside on IaaS and PaaS meeting the GC Security Control Profile for Cloud-based GC Services (https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/government-canada-security-control-profile-cloud-based-it-services.html).

Interfaces and Integration

Digital evidence can be integrated to RCMP source systems for the purposes of operational records management.

User Access Management

Ability for the RCMP to set role-based access controls. Ability to use federated identities for user access

management. Cross-Functional Services

Training Provision of training materials and services to support training of all RCMP police officers and end-users of the BWC and DEMS in both official languages of Canada.


______________________________________________________________________________________

Page 37 of - de 86

Helpdesk Support Provision of 24/7 support in both official languages of Canada for both the use of the BWCs and the use of the DEMS, that meets Canada’s service level standards.

Fault and performance reporting and resolution

Provision of a service that must monitor and report faults or errors and must provide resolutions to faults and errors within a set of service standards.

Ability for end-users to access reports on a variety of performance information and service usage data.

Availability / Business Continuity

Ability for end-users to continue to record and store events during major disruptions (e.g. power failure, loss of telecommunications, etc.).

Ability for end-user’s information to be stored and protected at rest, including data in backups or maintained for redundancy purposes within the geographic boundaries of Canada.

8. Anticipated Mandatory Requirements

It is anticipated that any future bid solicitation will include the following MANDATORY requirements. These pertain to the Contractor’s capacity to develop and deploy a Service that would support RCMP’s BWC and DEMS Program. The full list of requirements to be delivered to support the RCMP’s BWC and DEMS Program are under development and will be provided in subsequent stages of the procurement process.

8.1 Accessibility

The DEMS service must ensure AA compliance to Web Content Accessibility Guidelines (WCAG) 2.1 standards as described at the following link: https://www.w3.org/TR/WCAG21/

These standards include but are not limited to:

Correct use of semantic/hierarchical markup (essential for screen readers); Alt-text for all information-bearing images (null alts for decorative images); Users must be able to tab to all features (complete functionality without a mouse); Links must open in the same browser window (no new tab/new window); Tables must conform to WCAG specifications.

Any accommodations and points of interest presented visually on a map must also be presented in an accessible text format.

The DEMS service must conform to the Government of Canada Standard on Accessibility as described at the following link: https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=23601

8.2 Service Work Streams

8.2.1 Overview

The following work streams will be key responsibilities of the Contractor in the start-up, deployment, and operationalization of the RCMP’s BWC/DEMS Program:


______________________________________________________________________________________

Page 38 of - de 86

Onboarding planning Planning and implementation Training and organizational change management Deployment Operating phase Innovation and solution improvements Transition out services Additional services

An overview of the work streams is provided in the sections below. Further descriptions, scope, roles, responsibilities, current state information and requirements will be reviewed and refined with the ITQ Qualified Suppliers during the subsequent phases of the procurement process.

8.2.2 Onboarding planning

The Contractor must provide professional services to Canada to determine the most appropriate way to deploy the BWC and the DEMS nationally. The Contractor will be responsible for defining which category(s) of professional services are best suited to execute this task. This work includes key considerations for the deployment to ensure optimal success and management risk. This should be drawn from experience in managing deployments of similar scope and scale to the deployment required by Canada. Included in the planning is support in defining the number of Canada resources required to support the successful onboarding process and the number of resources required on an ongoing basis to support the management of equipment, redaction and editing of digital information, and disclosure. Any associated deliverables will be further defined the any resulting bid solicitation, as applicable.

8.2.3 Planning and implementation

The Contractor must provide implementation services including project management and planning; system, data and process design; solution implementation; configuration; linkages to Canada systems; and, testing and deployment. Also included in planning and implementation is support for business continuity planning and disaster recovery planning to ensure continuity of service during major disruptions (e.g. Power failure, loss of telecommunications, loss of internet connectivity, failure or disruption of key services, etc.).

8.2.4 Training and organizational change management support

The Contractor must provide the expertise and resources necessary to support the development of a change management and training plan based on experience with other solutions of a similar size. This includes an overview of the key steps each division and detachment should undertake to prepare for the onboarding and check lists or readiness assessment to be completed prior to onboarding. The Contractor will be required to provide input to draft policies and procedures that are currently being used for BWCs and the management of digital evidence to align policies and procedures with industry leading practices where applicable. The Contractor will also provide BWC and DEMS training tools and material that can be integrated into the broader officer training programs.

8.2.5 Deployment


______________________________________________________________________________________

Page 39 of - de 86

8.2.5.1 Initial deployment

The Contractor must support an initial deployment of BWCs to a rural, a remote, and an urban centre. This will include testing a number of elements including the BWCs, the DEMS, as well as the policies and procedures for how the BWC and DEMS is to be used. It is also expected that this initial deployment will test the organizational change management and training plans and tools that are developed.

8.2.5.2 Adjustments based on initial deployment

Canada expects to complete a formal assessment of the initial deployment and the Contractor may be required to support or make any updates and changes to the BWC and DEMS Program.

8.2.5.3 Phased deployment

The Contractor must manage and support a phased deployment of BWCs and DEMS across the country. The Contractor will be required to support the planning of this phased deployment and provide advice and guidance about the sequence and scale of each phase of deployment based on the learning from the initial deployment.

8.2.5.4 Operating phase

The Contractor must manage and support the Service after each phase of the deployment, which will include a set of responsibilities that are outlined in the contract and a set of service standards that are also outlined in the contract.

8.2.5.5 Innovation and service improvements

The Contractor must work collaboratively with Canada to innovate and make improvements to the services provided by the Contractor. This may include proposing new technologies or processes to improve Canada’s usage and benefits of the BWC and DEMS capabilities.

8.2.5.6 Transition out services

The Contractor must deliver a transition out plan that describes the activities and processes required in the event that a SaaS product agreement is terminated (e.g. Contractor goes out of business, end of contract, etc.).

8.2.5.7 Additional services

The Contractor may be asked to provide additional services to support the RCMP’s BWC and DEMS Program to address evolving requirements (e.g., professional services working with Canada to accommodate additional streams of evidence).

8.3 Security Obligations

The following areas are a subset of the larger set of security requirements which are being developed and is not an exhaustive list. Organizational Data is defined as all data created and/or processed by the RCMP and/or its Partner Agencies and/or Canada within the Service. Organizational Data includes any and all metadata and logs derived from or related to Organizational Data.


______________________________________________________________________________________

Page 40 of - de 86

8.3.1 Third-Party Assurance: Certifications and Reports

At the time of any bid submission, the Contractor must demonstrate that Organizational Data, Contractor’s Infrastructure (including any IaaS, PaaS or SaaS Service where Canada data is hosted) and Service locations are secured with appropriate security measures that comply with the requirements set forth in the Contractor’s security practices and policies.

The Contractor must demonstrate that the measures within their security practices and policies comply with requirements set forth in the following certifications and audit reports by providing independent third party assessment reports or certifications that addresses the SaaS service layer within the Service offering, by providing the following two (2) certification reports:

a) ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems – Certification achieved by an accredited certification body; and

b) AICPA Service Organization Control (SOC) 2 Type II Audit Report 2 Type II for the trust principles of security, availability, processing integrity, and confidentiality - issued by an independent Certified Public Accountant.

Other Certifications which may be reviewed and/or considered are:

a) ISO/IEC 27017:2015 Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for Cloud Services achieved by an accredited certification body;

b) ISO/EIC 27018:2019 Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors; and

c) Cloud Security Alliance (CSA) Level 2 CSA Star Certification and Attestation.

Each certification or audit report provided must:

a) Identify the legal business name of the Contractor or applicable Sub-processor; b) Identify the Contractor’s or Sub-processor’s certification date and the status of that

certification; and c) Identify the services included within the scope of the certification report. If there are any

exclusions identified, or there is a need to separate a subservice organization such as data centre hosting, the subservice organization’s assessment report must be provided.

Prior to contract award, if requested by Canada, all associated audit reports must be made available to Canada. Certifications must be accompanied by supporting evidence such as the ISO assessment report developed to validate compliance to the ISO certification and must clearly disclose any material findings by the auditor. The Contractor must, before the acceptance of the RCMP workload, remediate issues of concern to Canada to the satisfaction of Canada. If the Contractor is unable to remediate any of the issues to the satisfaction of Canada, Canada will have the right to terminate the contract for default. Each SOC 2 Type II audit report must have been performed within the 12 months prior to the start of the contract. Each ISO 27001 audit report must have been performed within the last 3 years prior to the start of the contract. A bridge letter may be provided to demonstrate that the Contractor is in process of renewal.

8.3.2 IT Security Assessment and Authorization Process


______________________________________________________________________________________

Page 41 of - de 86

Compliance will be assessed and validated by Canada utilizing the RCMP Security Assessment and Authorization Process or through a third-party process determined by Canada. The RCMP Security Assessment and Authorization process is based on ITSG-33 (https://cyber.gc.ca/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33) and follows the Canadian Centre for Cyber Security’s (CCCS) Information System Security Implementation Process (ISSIP) best practices and guidelines. (https://cyber.gc.ca/en/guidance/annex-2-information-system-security-risk-management-activities-itsg-33)

In the situation where the Contractor has been assessed and validated through the CCCS’ Cloud Security Provider (CSP) Information Technology (IT) Security Assessment Process (ITSM.50.100) (https://cyber.gc.ca/en/guidance/cloud-service-provider-information-technology-security-assessment-process-itsm50100), the Contractor must demonstrate that they participated in the process by successfully on-boarding, participating in, and completing the program. This includes providing the following documentation:

a) A copy of the confirmation letter that indicates they have on-boarded into the program; b) A copy of the most recent completed assessment report provided by CCCS; and c) A copy of the most recent summary report provided by CCCS.

8.3.3 Data Protection

The Contractor must:

a) Implement end-to-end encryption for all data being transferred to and from the DEMS service in accordance with Section 8.3.8 Cryptographic Protection;

b) Implement encryption of data at rest for all Services hosting Organizational Data, including any and all metadata or logs derived from or related to Organizational Data, where the encryption of data at rest remains in effect, uninterrupted, and active at all times, even in the case of equipment or technology failure, in accordance with Section 8.3.8 Cryptographic Protection;

c) Transmit Organizational Data, including any and all metadata or logs derived from or related to Organizational Data in a secure manner including the implementation of encryption for data in transit for all transmissions of Organizational Data, in accordance with Section 8.3.8 Cryptographic Protection and Section 8.3.13 Network and Communications Security.

d) Implement security controls that restricts administrative access to Organizational Data, any and all metadata or logs derived from or related to Organizational Data and Systems by the Contractor and provides the ability to require the approval of the Canada before the Contractor can access Organizational Data to perform support, maintenance or operational activities.

e) Take appropriate measures to ensure that Contractor Personnel do not have standing or ongoing access rights to Organizational Data, and access is restricted to Contractor Personnel with a need-to-know, including resources that provide technical or customer support, based on approval from the Canada.

f) Prevent any Contractor employee from holding credentials that allow that employee to delete, modify or copy Organizational Data unless that person has been cleared by the RCMP to the appropriate level deemed required by the RCMP.

The Contractor must not make any copies of databases or any part of those databases containing Organizational Data outside of regular service resilience capabilities and within approved regional spaces or zones within Canada.

The Contractor must not move or transmit Organizational Data-at-Rest outside of agreed upon service regions except when approval is obtained from the RCMP.


______________________________________________________________________________________

Page 42 of - de 86

Upon request of the Canada, the Contractor must provide Canada with a document that details and describes all metadata created from Organizational Data.

8.3.4 Removable/Portable Media

All BWCs and other portable and removable media must be FIPS 140-2 Level 1 validated and compliant

8.3.5 Data Location

As per the guidance found at: https://www.canada.ca/en/government/system/digital-government/guideline-service-digital.html#ToC4_4, the Contractor must store and protect Organizational Data, at rest, including data in backups or maintained for redundancy purposes. This includes the ability to isolate data within the geographic boundaries of Canada in one of the approved cloud service providers (CSP) on the list found at: https://cloud-broker.canada.ca/s/central-provider-page-v2?language=en_US

The Contractor/Sub-Contractor must certify that:

a) the managed service and operations of the SaaS DEMS, including monitoring and support, will be provided from within Canada, Australia, New Zealand, the United Kingdom and the United States.

b) the maintenance, repair and support for the BWCs will be provided from within Canada, Australia, New Zealand, the United Kingdom and the United States.

The Contractor must have the ability for Canada to isolate Organizational Data hosted in approved CSPs that are geographically located in Canada. Upon request of Canada, the Contractor must:

a) Provide Canada with an up-to-date list of the physical locations, including city, which may contain Organizational Data for each CSP that will be used to provide the services;

b) Identify which portions of the Service are delivered from outside of Canada, including all locations where data is stored and processed and where the Contractor manages the service from; and

c) Provide evidence of 3rd party accreditations for all physical locations hosting Organizational Data whether inside or outside of Canada.

It is the continuous obligation of the Contractor of the proposed Service to notify Canada when there are updates to the list of physical locations which may contain Organizational Data

8.3.6 Retention of Data Backups

The Contractor must ensure that: a) Data backups are retained in accordance with the RCMP Retention Policy, or at least for

a period of 5 years. b) Purge Process.

8.3.7 Security Incident Management

The Contractor’s Security Incident response process for the Service must encompass IT security incident management lifecycle and supporting practices for preparation, detection, analysis, containment, and recovery activities. This includes:


______________________________________________________________________________________

Page 43 of - de 86

a) A published and documented Security Incident Response Process for review by Canada that is aligned with one of the following standards:

i) ISO/IEC 27035:2011 Information technology -- Security techniques -- Information security incident management; OR

ii) NIST SP800-612, Computer Security Incident Handling Guide; OR iii) GC Cyber Security Event Management Plan (GC CSEMP)

(https://www.canada.ca/en/government/system/digital-government/online-security-privacy/security-identity-management/government-canada-cyber-security-event-management-plan.html); OR

iv) other best practices from industry standards, if Canada determines, in its discretion, that they meet Canada’s security requirements.

b) Documented processes and procedures of how the Contractor will identify, respond, remediate, report, and escalate Security Incidents to Canada, including:

i) The scope of the information security incidents that the Contractor will report to Canada; The level of disclosure of the detection of information security incidents and the associated responses; The target timeframe in which notification of information security incidents will occur;

ii) The procedure for the notification of information security incidents; iii) Contact information for the handling of issues relating to information security

incidents; AND iv) Any remedies that apply if certain information security occur.

The Contractor must have procedures to respond to requests for potential digital evidence or other information from within the Service environment and includes forensic procedures and safeguards for the maintenance of a chain of custody.

If required by Canada, the Contractor must: a) Work with Canada’s Security Operations Center(s) (e.g. CCCS, RCMP SOC) on

Security Incident containment, eradication and recovery in accordance with the Security Incident Response process.

b) Maintain a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data or the service; and

c) Track, or enable Canada to track, disclosure of Organizational Data, including what data has been disclosed, to whom, and at what time.

8.3.8 Cryptographic Protection


a) Configure any cryptography used to implement confidentiality or integrity safeguards, or used as part of an authentication mechanism (e.g., VPN solutions, TLS, software modules, PKI, and authentication tokens where applicable), in accordance with Communications Security Establishment (CSE)-approved cryptographic algorithms and cryptographic key sizes and crypto periods;

b) Use cryptographic algorithms and cryptographic key sizes and crypto periods that have been validated by the Cryptographic Algorithm Validation Program

c) (http://csrc.nist.gov/groups/STM/cavp/), and are specified in ITSP.40.111 Cryptographic Algorithms for Unclassified, Protected A, and Protected B Information, or subsequent versions (

The Contractor must ensure that:


______________________________________________________________________________________

Page 44 of - de 86

a) A minimum of FIPS 140-2 Level 1 validated cryptography is employed when encryption is required for Body Worn Cameras.; and

b) A minimum of FIPS 140.-2 Level 1 validated cryptography is employed when encryption is required for the DEMS.

Where applicable:

a) All encryption must be implemented, configured, and operated in a Cryptographic Module, validated by the Cryptographic Module Validation Program (https://cyber.gc.ca/en/cryptographic-module-validation-program-cmvp), in an either approved or an allowed mode to provide a high degree of certainty that the FIPS 140-2 validated cryptographic module is providing the expected security services in the expected manner; and

b) Ensure that any FIPS 140-2 modules in use have an active, current, and valid certification. FIPS 140-2 compliant/validated products will have certificate numbers.

8.3.9 External Application Programming Interfaces (API)


a) Provide services that use open, published, supported, and documented Application Programming Interfaces (API) to support activities such as interoperability between components and to facilitate migration of applications; and

b) Take appropriate measures to protect external APIs through secure authentication methods. This includes ensuring that all externally exposed API queries require successful authentication before they can be called and providing the ability for Canada to meet the Government of Canada (GC) standards on API (https://www.canada.ca/en/government/system/digital-government/modern-emerging-technologies/government-canada-standards-apis.html).

8.3.10 Identity and Access Management

The Contractor must have the ability for Canada to support secure access to the Service including ability to configure:

a) Multi-factor authentication in accordance with CSE's ITSP.30.031 V3 (or subsequent versions) (https://cyber.gc.ca/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3) using GC-approved credentials;

b) Role-based access; c) Access controls on objects in storage; and d) Granular authorization policies to allow or limit access.

The Contractor must have the ability to establish organization-wide defaults to manage tenant-wide policies.

8.3.11 Federation

The Contractor must have the ability for Canada to support federated identity integration including:


______________________________________________________________________________________

Page 45 of - de 86

a) Support for open standards for authentication protocols such as Security Assertion Markup Language (SAML) 2.0 and/or OpenID Connect 1.0, or subsequent versions, where the End User credentials and authentication to the Service are under the sole control of Canada; and

b) Ability to associate Canada’s unique identifiers (e.g. an end-user unique ID, an end-user email address, etc.) with the corresponding Cloud Service user account(s).

8.3.12 Location of Contractor’s Employees - Remote Service Management

The Contractor must manage and monitor remote administration of the Contractor's Service that is used to host Organizational Data including, but not limited to the following measures:

a) Implementing multi-factor authentication mechanisms for authenticate remote access users, in accordance with CSE's ITSP.30.031 V3 (or subsequent versions) (https://cyber.gc.ca/en/guidance/user-authentication-guidance-information-technology-systems-itsp30031-v3);

b) Use security-hardened endpoints (e.g. computers, end user devices, jump servers, etc.) that are configured for least functionality (e.g. dedicated endpoint that does not have Internet browsing or open e-mail access) to provide support and administration of Services and Contractor Infrastructure;

Upon Canada’s request, the Contractor must provide a document that describes the Contractor’s approach and process for managing and monitoring remote administration of the Service.

8.3.13 Network and Communications Security


a) Enforce secure connections to the Service, including providing data-in-transit protection between Canada and the Service using TLS 1.2, or subsequent versions;

b) Use up-to-date and supported protocols, cryptographic algorithms and certificates, as outlined in CSE’s ITSP.40.062 (https://cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062) and ITSP.40.111 (https://cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-and-protected-b-information-itsp40111);

c) Use correctly configured certificates within the TLS connections in accordance with CSE guidance (CSE’s ITSP.40.062 https://cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062)

8.3.14 Logging and Auditing

The Contractor must allow Canada to centrally review and analyze audit records from the SaaS service components that include, but not limited to the following:

a) Forwarding Canada tenant events and logs to an RCMP and/or GC-managed centralized audit log system using standardized reporting interfaces, protocols, and data formats (e.g. Common Event Format (CEF), syslog, or other common log formats) and APIs that support log data remote retrieval (e.g. via a database interface using SQL, etc.).

b) The Contractor must provide Application Programming Interface(s) for the SaaS service component that allows Canada to:

i) Inspect and interrogate data at rest; and ii) Export security event logs for the Solution(s); and


______________________________________________________________________________________

Page 46 of - de 86

iii) Assess events stored in application logs. This includes, but is not limited to events such as user access and behaviour, administrator access and behaviour, and changes to third-party API access, stored in application logs.

8.3.15 Information Spillage

The Contractor must have a documented process that outlines its approach for an Information Spillage Incident. The process must be aligned with:

a) ITSG-33 Security Control for IR-9 Information Spillage Response; or

b) Another industry standard, approved by the RCMP and/or Canada in writing.

The Contractor’s Information Spillage process must include, at a minimum:

a) A process for notifying Canada of the potential for Information Spillage; b) A process for identifying the specific data elements that is involved in a system’s

contamination; c) A process to isolate and eradicate a contaminated system; and d) A process for identifying systems that may have been subsequently contaminated and

any other actions performed to prevent further contamination.

Upon Canada’s request, the Contractor must provide a document that describes the Contractor’s Information Spillage response process.

In the case of an Information Spillage incident, identified either by the RCMP, the GC and/or the Contractor, the Contractor must be able to proceed as per Section 8.3.7 Security Incident Management.

8.3.16 Security Testing and Validation

The Contractor must allow Internal Vulnerability Assessment testing to be conducted on an as and when required basis by Canada or a third party selected by Canada. This testing must be conducted at a minimum on a yearly basis and aligned to the Vulnerability Management controls in the RCMP Departmental Security Control Profile (RDSCP). The Contractor and Canada must agree on the assignment of responsibility for supporting Vulnerability Assessment testing.

8.3.17 Background Checks/Personnel Security Screening

The Contractor and its subcontractors and sub-subcontractors shall work with Canada or any authorized third-party, to identify roles within the Contractor’s organization with elevated rights of access. Personnel occupying those roles may be subject to additional RCMP Personnel Security Screening processes. If Contractor employees with elevated rights of access do not qualify for appropriate RCMP Personnel Security Clearance levels identified, then the Contractor must provide the RCMP a plan for staffing the identified roles with personnel qualified to meet the identified RCMP Personnel Security Clearance thresholds.

8.3.18 Ongoing Supply Chain Integrity Process

Addressing Security Concerns


______________________________________________________________________________________

Page 47 of - de 86

If Canada decides in its discretion that the identified security concern represents a threat to national security that is both serious and imminent, the Contracting Authority may require that the Contractor immediately cease deploying the identified service(s) and/or product(s) from the Contract according to a schedule determined by the Canada. However, prior to making a final determination in this regard, Canada will provide the Contractor with the opportunity to address the security concerns within 48 hours of receiving notice from the Contracting Authority. The Contractor may propose, for example, mitigation measures for Canada’s consideration. Canada will make the final determination.

8.3.19 Industrial Security Program – Security Requirement for Canadian and Foreign Suppliers

The Contractor must comply with the provisions of the: a) Security Requirements Check List and security guide (if applicable); b) Industrial Security Manual (Latest Edition); c) OSS website: Security requirements for contracting with the Government of Canada,

located at www.tpsgc-pwgsc.gc.ca/esc-src

NOTE: There may be multiple levels of personnel security screenings associated with this file. The Contractor must refer to the security guide that is attached to the SRCL clarifying these screenings.

8.4 Privacy Obligations

The privacy requirements will be further refined at a later stage of the procurement process.

8.4.1 Third-Party Assurance: Certifications

A certification which may be reviewed and considered is:

a) ISO/EIC 27018:2019 Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors;


______________________________________________________________________________________

Page 48 of - de 86

Acronyms, Definitions and Interpretations API Application Programming Interface means an interface that allows developers

to interact with programs and applications including learning management systems.

BWC Body Worn Camera CCCS Canadian Centre for Cyber Security is a government organization that helps

build Canada's cyber resilience and security through their advice, guidance, expertise, and partnerships. The CCCS provides a single window for expert advice and services for governments, critical infrastructure operators, and the public and the private sector to strengthen their cyber security. (www.cyber.gc.ca)

Cloud Services Cloud Services means a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using internet technologies. (Gartner.com)

CSE Communications Security Establishment. This is the Government of Canada's national cryptologic agency. Administered under the Department of National Defence, it is responsible for foreign signals intelligence and protecting Canadian government electronic information and communication networks.

CSP, PWGSC CSP, PWGSC means the PSPC Contract Security Program, Public Works and Government Services Canada.

CSP Cloud Service Provider means the entity that owns, operates, and maintains the physical infrastructure (“Cloud”) and provides virtualized computing resources to consumers. The CSP can provide basic information technology infrastructure such as compute and data storage or complete solutions as hosted software.

DEMS Digital Evidence Management System DOS Designated Organization Screening FM Fairness Monitor GC Government of Canada. IaaS Infrastructure as a Service means a cloud service delivery method whereby a

Cloud Service Provider provides the consumer with fundamental computing resources such as servers, processing, storage, and networking upon which the consumer can deploy and run arbitrary software which can include operating systems and applications. The consumer does not manage or control the underlying Cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly has limited control of select networking components (by example, host firewalls).

ISSIP Information Security Implementation Process Information Spillage

Information Spillage means incidents where an Information Asset is inadvertently placed on an Asset or system that is not authorized to process it (e.g. ITSG-33, IR-9).

ITQ Invitation to Qualify Metadata Metadata means data that provides information about other data. MFA Multi-Factor Authentication is an authentication method in which a computer

user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism.

Organizational Data

Organizational Data is defined as all data created and/or processed by the RCMP and/or its Partner Agencies and/or Canada within the Cloud Service. Organizational Data includes any and all metadata and logs derived from or related to Organizational Data


______________________________________________________________________________________

Page 49 of - de 86

PaaS Platform as a Service is a Cloud Service delivery method whereby a Cloud Service Provider (CSP) provides a platform on which the consumer can build, deliver and support applications and services over the Internet. Servers, operating system and other services such as database, middleware is managed by the CSP.

PSPC or PWGSC or Public Services and Procurement Canada or Public Works and Government Services Canada

PSPC or PWGSC or Public Services and Procurement Canada or Public Works and Government Services Canada means the Public Services and Procurement Canada as established under the Department of Public Works and Government Services Act.

QR Qualified Respondent. RBAC Role-Based Access Control means access control based on user roles (i.e., a

collection of access authorizations a user receives based on an explicit or implicit assumption of a given role). Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals. (nist.gov)

RCMP Royal Canadian Mounted Police is Canada’s national police service, providing law enforcement at the federal level. The RCMP also provides provincial policing in eight of Canada's provinces (Alberta, British Columbia, Manitoba, New Brunswick, Newfoundland and Labrador, Nova Scotia, Prince Edward Island, and Saskatchewan, i.e., all except Ontario and Quebec) and local policing on a contract basis in the three territories (Northwest Territories, Nunavut, and Yukon) and more than 150 municipalities, 600 aboriginal communities, and three international airports.

RDSCP RCMP Departmental Security Control Profile Redaction Redaction means to hide ore remove parts of a text before publication or

distribution. RFI Request for Information RFP Request for Proposal is a document that solicits proposal, made through a

bidding process, by an agency interested in procuring a commodity, service, or valuable asset, to potential suppliers to submit business proposals.

SA&A Security Assessment and Authorization which is the mechanism by which risk to an IT system is understood, mitigated, and consistently and measurably managed throughout its lifecycle.

SaaS Software as a Service is a software distribution model in which the customer pays via subscription for access to an application that is hosted by a Cloud Service Provider (CSP). The service is made available over the Internet.

SaaS Solution or Solution

SaaS Solution or Solution means the software application delivered through a SaaS distribution model in which an Application Service Provider or Cloud Service Provider makes centrally hosted software applications available to customers over the Internet, providing access to and use of a fully maintained, automatically upgraded, up-to-date Solution, technical support services, as well as physically and electronically secure information technology infrastructure, all included in the subscription service.

Security Event Log

Security Event Log means any event, notification or alert that a device, systems or software is technically capable of producing in relation to its status, functions and activities. Security Events Logs are not limited to security devices, but are applicable to all devices, systems and software that are technically capable of producing event logs that can be used in security investigations,


______________________________________________________________________________________

Page 50 of - de 86

auditing and monitoring. Examples of systems that can produce security event logs are, but not limited to: firewalls, intrusion prevention systems, routers, switches, content filtering, network traffic flow logs, network, authentication services, directory services, DHCP, DNS, hardware platforms, virtualization platforms, servers, operating systems , web servers, databases, applications , application/layer 7 firewalls.

Security Incident Security Incident means any observable or measurable anomaly occurring with respect to an Asset, which results, or which may result, in: (A) a violation of the Canada’s Security Policies, a Specific Security Measure, the Supplier’s or Supplier Subcontractor’s security policies or procedures, or any requirement of these Security Obligations or the Privacy Obligations; or (B) the unauthorized access to, modification of, or exfiltration of any Authorized Personnel’s credentials, Users’ credentials, or Information Asset.

SRCL Security Requirements Checklist Sub-processor Sub-processor means any natural or legal person, public authority, agency or other

body which processes personal information on behalf of a data controller. TBS Treasury Board of Canada Secretariat. It provides advice and makes

recommendations to the Treasury Board committee of ministers on how the government spends money on programs and services, how it regulates and how it is managed.

WCAG Web Content Accessibility Guidelines. It is developed through the W3C process in cooperation with individuals and organizations around the world, with a goal of providing a single shared standard for web content accessibility that meets the needs of individuals, organizations, and governments internationally.


______________________________________________________________________________________

Page 51 of - de 86

ANNEX B

MANDATORY EVALUATION CRITERIA 1. Mandatory Requirements 1.1 Respondents must meet all of the mandatory requirements in this Attachment in accordance with

Part 4 - Evaluation Procedures and Basis of Qualification of the ITQ.

2. Substantiation of Compliance – Mandatory Evaluation Criteria

2.1. Respondents must respond to each of the mandatory requirements explaining, demonstrating, substantiating and justifying their experience and qualifications. Respondents’ responses to the mandatory requirements will be evaluated in accordance with Part 4 - Evaluation Procedures and Basis of Qualification of the ITQ. The Phased Bid Compliance Process will apply to all mandatory criteria.

2.2. Respondents are requested to submit a completed “Form 2 – Project Reference Check Form”, for each reference project in response to a corresponding mandatory criterion.

2.3. Respondents must provide the required number of reference project(s) as indicated in mandatory criteria M1 to M3. If more than the required number of reference project(s) is provided, Respondents will be requested to identify the reference project(s) to be evaluated within the timeframe specified by the Contracting Authority.

2.4. To satisfy any of the technical evaluation criteria for M1, M2 and M3, in addition to its own experience, the Respondent may submit the experience of any of the following entities (collectively, “Team Member(s)”):

(a) a parent or subsidiary of the Respondent;

(b) a Joint Venture partner of the Respondent;

(c) a subsidiary of the parent of the Respondent; and

(d) an Association of Entities.

An Association of Entities includes separate legal entities within a formally organized network, where all members of the network operate using a common brand, with shared access to intellectual property and talent resources and integrated technology, methodology, strategies and policies across the network.

2.4.1 Where a Respondent cites the experience of a Team Member(s), Respondent must demonstrate that this experience is accessible to the Respondent and the Respondent will rely upon and use the experience in the performance of any resulting contract. If the experience of a Team Member(s) is being relied upon, the Respondent is required to include in its Response to M1, M2 and M3: (a) the legal name of the Team Member(s) that performed the work or services being relied upon to demonstrate the experience; (b) a detailed description of the relationship between the Team Member(s) and the Respondent; and (c) a demonstration of how the Respondent will be able to rely upon and use the Team Member(s) experience in the performance of any resulting contract.

2.4.2 Respondents should include with their Response:


______________________________________________________________________________________

Page 52 of - de 86

a) a document substantiating the business relationship with Team Member(s); and

b) an agreement between the Respondent and the Team Member(s) setting out how the Team Member(s) will engage their experience in the performance of any resulting contract.

If the Respondent does not submit the documentation in 2.4.2 a) and b) with their Response, Canada may provide the Respondents with an opportunity to submit the documentation. Providing the documentation if requested, and on the terms requested, is mandatory.

Criteria Mandatory Criteria Evaluation Proof Required

M1

Reference Projects for Body Worn Camera (BWC)

The Respondent must provide a minimum of one (1) up to a maximum of four (4) reference projects where, at a minimum, the Respondent has supplied and distributed a cumulative total of 11,000 Body Worn Cameras (BWC), including BWC maintenance, support and training services, to law enforcement organizations.

Each of the reference projects must have been for a duration of at least *one (1) year within the past five (5) years from the ITQ closing date.

One (1) of the reference project(s) must have been for the supply and distribution of a minimum of 5,000 BWCs;

All reference projects must have included the supply and distribution of body worn cameras.

All reference projects must have included the provision of BWC maintenance and support services which included 24/7 technical support service by phone, email or online for equipment non-performance, errors or defects; and,

All reference projects must have included the provision of BWC training services which included: (a) train-the-trainer training session(s); and, (b) training aids development, such as online courses or reference materials.

*One (1) year is defined as a twelve (12) month consecutive period ending on or before the closing date of the ITQ.

Met/Not Met

The Respondent must provide the following information for each reference project:

Name of the law enforcement organization

Description of goods and services provided, including the number of BWCs supplied and distributed

Dates and period of time the goods and services were provided.

The Respondent must provide, either with the Response, or upon request by Canada at a later date the following information for each reference project, for Canada to conduct reference checks:

Name of the contact person, Title, Email address, and Phone number

If the contact person is unavailable for the reference check during the evaluation, Canada will proceed in accordance with ITQ Article – 4.3 Reference Checks.


______________________________________________________________________________________

Page 53 of - de 86

The project experience of a Team Member of the Respondent is acceptable for this criterion subject to 2.4 above in Annex B.

M2

Reference Projects for Digital Evidence Management System (DEMS)

The Respondent must provide a minimum of one (1) up to a maximum of four (4) reference projects where, at a minimum, the Respondent has delivered DEMS services to law enforcement organization(s) for a cumulative total of 11,000 end users.

Each of the reference projects must have been for a duration of at least *one (1) year within the past five (5) years from the ITQ closing date.

All reference projects must have deployed the DEMS as a SAAS Model.

All reference projects must have deployed a DEMS capable of: (a) storing uploaded body worn camera audio and video; (b) searching and retrieving of digital evidence; and, (c) redacting.

All reference projects must have included the Respondent providing implementation services and demonstrate that the Respondent provided support with the following tasks: (a) planning; (b) configuration; (c) testing, and (d) phased onboarding.

All reference projects must have included the Respondent providing training services for the DEMS including: (a) train-the-trainer training session(s); and, (b) training aids development such as online courses or reference materials.

All reference projects must have included maintenance and support for the DEMS including: (a) 24/7 technical support service by phone, email or online for application performance issues, errors and defects; (b) application corrective measures (e.g. bug fixes) and/or patches; and, (c) provision of ongoing application upgrades.

*One (1) year is defined as a twelve (12) month consecutive period ending on or

Met/Not Met

The Respondent must provide the following information for each reference project: Name of the law enforcement

organization;

Description of services and capabilities provided, and the number of end-users

Dates and period of time the services were provided.



If the contact person is unavailable for the reference check during the evaluation, Canada will proceed in accordance with ITQ Article – 4.3 Reference Checks.

Note: Reference projects may be the same as those used for M1, but must respond to the requirements as described in M2.


______________________________________________________________________________________

Page 54 of - de 86

before the closing date of the ITQ.


M3

Reference Projects for Integrated BWC and DEMS Service

The Respondent must provide a minimum of one (1) up to a maximum of three (3) reference projects where, at a minimum, the Respondent has provided integrated BWC and DEMS services to law enforcement organization(s) for a cumulative total of 3,000 end users.

Each of the reference projects must have been for a duration of at least *one (1) year within the past five (5) years from the ITQ closing date

All reference projects must have included the following integrated BWC and DEMS service:

automated upload of the body worn camera, audio and video, from the docking station to the DEMS.

*One (1) year is defined as a twelve (12) month consecutive period ending on or before the closing date of the ITQ.


Met/Not Met

The Respondent must provide the following information for each reference project:

Name of the law enforcement organization,

Description of goods, services and capabilities provided, and the number of end-users

Dates and period of time that the services provided.



If the contact person is unavailable for the reference check during the evaluation, Canada will proceed in accordance with ITQ Article 4.3 – Reference Checks.

Note: Reference projects may be the same as those used for M1 and M2, but must respond to the requirements as described in M3.

M4 The Respondent (or in the case of a joint venture, one of the persons or entities comprising the joint-venture) must own the intellectual property for the proposed DEMS component necessary for the performance of the proposed Service (excluding add-ons and extensions) to Canada, in order to allow for the Respondent to introduce and support product enhancements into the main commercial product to align with Government of Canada (GC) needs.

Met/Not Met

The Respondent must provide a brief description of how they meet the criteria. The description should be no more than one page. In addition, the Respondent must submit as part of its response the certification that it is the Software as a Service (SaaS) Publisher of the proposed Service and it has all the rights necessary to license the Service to Canada (Form 3 – SaaS Publisher Certification Form)


______________________________________________________________________________________

Page 55 of - de 86

M5

The Respondent’s proposed DEMS service must allow end-users to work in both of Canada’s official languages (English and French) during the period of the contract. If the proposed solution does not allow end users to work in both of Canada’s official languages (English and French) at the ITQ closing date, the Respondent must provide a roadmap to demonstrate that the DEMS service will be available in both of Canada’s official languages (English and French) prior to the implementation of the solution.

Met/Not Met

If the proposed DEMS service does allow end users to work in both of Canada’s official languages (English and French) at the ITQ closing date, the Respondent must provide a brief description of how they meet the criteria. The description should be no more than one page. The Respondent must include the following items in both of Canada’s official languages (English and French):

1) A screenshot of a general search page; and

2) User guide If the proposed solution does not allow end users to work in both Canada’s official languages (English and French) at the ITQ closing date, the Respondent must provide a high level roadmap that contains the timelines for delivering key product features and capabilities in both of Canada’s official languages (English and French) prior to implementation of the solution including technical support, user interface for DEMS, user interface for BWC, training, and product documentation.

M6

The Respondent must demonstrate that the DEMS component of the proposed Service is offered through a Software as a Service (SaaS) model as defined by National Institute of Standards and Technology special publication 800-145.

Met/Not Met

To demonstrate that the Respondent meets this requirement, the Respondent must provide a description of how the proposed Service meets the criteria. The description should be no more than one page.

M7

The Respondent must demonstrate that they have read and that they understand the accessibility requirements as outlined in the following:

Web Content Accessibility Guidelines (WCAG) 2.1 standards as described at the following link: https://www.w3.org/TR/WCAG21/

Government of Canada Standard on Web Accessibility as described at the following link: https://www.tbs-

Met/Not Met

The Respondent must submit Form 1 – Respondent Declaration and Response Submission Form acknowledging that the Respondent has read and that they understand the accessibility requirements as outlined in the Web Content Accessibility Guidelines (WCAG) 2.1 standards, Government of Canada Standard on Web Accessibility, and the Accessibility Strategy for the Public Service of Canada.


______________________________________________________________________________________

Page 56 of - de 86

sct.gc.ca/pol/doc-eng.aspx?id=23601

Accessibility Strategy for the Public Service of Canada as described at the following link: https://www.canada.ca/en/government/publicservice/wellness-inclusion-diversity-public-service/diversity-inclusion-public-service/accessibility-public-service/accessibility-strategy-public-service-toc.html

Accessible Canada Act (https://www. parl.ca/DocumentViewer/en/42-1/bill/C-81/royal-assent) – The Accessible Canada Act was enacted into law in order to enhance the full and equal participation of all persons, especially persons with disabilities, in society. This is to be achieved through the realization, within the purview of matters coming within the legislative authority of Parliament, of a Canada without barriers, particularly by the identification, removal and prevention of barriers.

Guideline on Making Information

Technology Usable by All (https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32620) - This guideline supports the Government of Canada’s direction to ensure that departments, agencies and organizations consider accessibility in the acquisition or development of information technology (IT) solutions and equipment to make IT usable by all.

M8

The Respondent must demonstrate that the DEMS component of the proposed Service will be deployed on one of the approved GC Cloud Service Providers (CSP) for Protected B data (https://cloud-broker.canada.ca/s/central-provider-page-v2?language=en_US) by ITQ closing date. Qualified Respondents’ Service will be required to meet Canada’s security requirement specified in the Security Requirement Check List (SRCL) that will be part of the bid solicitation document.

Met/Not Met

The Respondent must submit a certification that the proposed Service will be deployed within an approved GC Cloud Service Provider at the Protected B Security Level (Form 4 – Government of Canada Cloud Service Provider Authorization Form).


______________________________________________________________________________________

Page 57 of - de 86

ANNEX C: SECURITY REQUIREMENT CHECK LIST (SRCL)


______________________________________________________________________________________

Page 58 of - de 86


______________________________________________________________________________________

Page 59 of - de 86


______________________________________________________________________________________

Page 60 of - de 86

SRCL Security Guide BWCs/DEMS

SRCL #: 202102120/M7594-212120 Preamble All contractors employed on this contract must support the RCMP’s security environment by complying with the requirements described in this document. A more detailed security obligation will be provided at the Request for a proposal phase. General Security Requirements

1. All Protected information (hard copy documentation) or other sensitive assets for which the RCMP is

responsible will be shared with the contractor through pre-approved processes.

2. The information disclosed by the RCMP will be administered, maintained, and disposed of in accordance with the Contract. At minimum the contractor must follow the Policy on Government Security.

3. The contractor will promptly notify the RCMP contract authority of any security incidents related to the RCMP information provided. (i.e. loss of sensitive information, accidental or deliberate.)

4. Photography is not permitted. If photos are required, please contact the Contract Authority and

Departmental Security Branch.

5. The contractor is not permitted to disclose sensitive information provided by the RCMP, to any sub-contractors, without those individuals having the proper RCMP security clearance level required to access the protected information.

6. The RCMP’s Departmental Security reserves the right to conduct inspections of the contractor’s facility and provide guidance on mandatory safeguards (safeguards as specified in this document and possibly additional site specific safeguards). Inspections may be performed prior to sensitive information being shared and/or as required (e.g. if the contractor’s office relocates). The intent of the inspection is to ensure the quality of security safeguards.

7. To ensure Canada’s sovereign control over its data, all sensitive or protected data under government control will reside in Canada. Data in transit and at rest will be appropriately encrypted.

8. The Contractors and vendors’ personnel security clearance requirements will be based on the

expected roles and access to GC data and systems as defined in the Security Classification Guide in Appendix A

Physical Security

1. Storage: Protected information/assets must be stored in a container approved by the RCMP Security Authority. The container must be located (at minimum) within an “Operations Zone”. As such, the contractor’s facility must have an area/room that meets the following criteria:


______________________________________________________________________________________

Page 61 of - de 86

Operations Zone Definition An area where access is limited to personnel who work there and to properly

escorted visitors. Note: The personnel working within the Operational Zone must:

possess a valid Enhanced Reliability Status (ERS), or be escorted by an individual who possesses a valid ERS

Perimeter Must be indicated by a recognizable perimeter or a secure perimeter depending on project needs. For example, the controls may be a locked office or suite.

Monitoring Monitored periodically by authorized employees. For example, users of the space working at the location are able to observe if there has been a breach of security.

Note: Refer to Appendix A for more information on the Security Zone concept.

2. Discussions: Where sensitive conversations are anticipated, Operations Zones must have a stand

off from public spaces or be designed with acoustic speech privacy properties (where the user has a reasonable expectation that they will not be overheard). For example, private room/office and/or boardroom.

3. Production: The production (generation and/or modification) of Protected information or assets must

occur in an area that meets the criteria of an Operations Zone.

4. Destruction: All drafts or misprints (damaged copies and/or left over copies) must be destroyed by the contractor. Protected information must be destroyed in accordance with the RCMP’s Security Manual. The equipment/system (i.e. shredder) used to destroy sensitive material is rated according to the degree of destruction. RCMP approved destruction equipment must be utilized.

Approved levels of destruction for Protected B include:

Residue size must be less than 1 x 14.3 mm (particle cut).

Note: If the contractor is unable to meet the RCMP’s destruction requirements, all sensitive

information/assets are to be returned to the RCMP for proper destruction. Any sensitive drafts/misprints awaiting disposal must be protected in the agreed upon

manner until destroyed.

5. Transport/Transmittal: The physical exchange of sensitive information must ensure that the data is encrypted before transport and transmittal. When a delivery service is used, it must offer proof of mailing, a record while in transit and of delivery.

Transport Transport: to transfer sensitive information and assets from one person or place to another by someone with a need to know the information or need to access the asset.

Transmittal Transmit: to transfer sensitive information and assets from one person or place to another by someone without a need to know the information or need to access the asset.

Note:


______________________________________________________________________________________

Page 62 of - de 86

For Transport of Protected B information (travel to/from neutral locations for meetings and/or interviews): In place of a single envelope, a briefcase or other container of equal or greater strength may be used. Double envelope/wrap to protect fragile contents or to keep bulky, heavy or large parcels intact.

For Transmittal of Protected B information (Canada Post or registered courier): Address in a nonspecific manner. Add "To Be Opened Only By" because of the need-to-know or need-to-access principles when warranted.

General IT Security Controls Appropriate Control of Protected Information Transport/Transmittal 1. If there is a requirement to transport RCMP Protected information, it must be transported using a

FIPS 140-2 compliant portable storage device provided by the RCMP, with access restricted to RCMP security cleared contractor personnel only and the RCMP client. The FIPS 140-2 compliant portable storage device must be delivered by-hand or shipped by an approved courier to the contractor’s location.

2. The password for the portable storage device is to be provided verbally, either in person or by telephone to RCMP security cleared contractor personnel only.

3. Sensitive RCMP information shall not be transmitted to or from any external email address. 4. If electronic processing of Protected RCMP information is required, the contractor must ensure the

information is: encrypted while at rest encrypted while in transit; and access controls are implemented.

Note: Advanced Encryption Standard (AES) Algorithm with key lengths of 256 bits is approved for encrypting Protected information.

Telephony 1. All voice communication by any cellular or mobile telephone must be restricted to non-sensitive

information, unless the phone is specifically accredited and issued for sensitive information.

Printing, Scanning, and Photocopying 2. If electronic RCMP Protected information has to be printed / scanned, the contractor must have

additional/dedicated computer(s), printer(s)/scanners. This equipment must not be connected to the local area network nor the Internet. This computer(s) will require RCMP approved disk drive encryption.

Storing 3. If required, backup of RCMP Protected information is subject to the same security guidelines

(encryption and access controls) as is the live information.

4. Electronic records must be destroyed according to ITSG-06 Clearing and Declassifying Electronic Data Storage Devices (refer to https://www.cse-cst.gc.ca/en/node/270/html/10572 for further information)


______________________________________________________________________________________

Page 63 of - de 86

5. All RCMP supplied storage devices used throughout the duration of this contract must be returned to the RCMP immediately upon contract termination.

Extended Security Controls for Body Worn Cameras and Digital Evidence Management

Extended Security Controls for Body Worn Cameras (BWC) and Digital Evidence Management (DEMS) This section provides an outline of the core security controls vendors bidding on the Digital Evidence Management and/or Body Worn Cameras (DEMS/BWC) contract will be required to meet. All vendors must provide evidence supporting their ability to meet the security controls listed below. As per supporting security documentation, evidence may include:

1. Internal policy, procedure, or standards documentation 2. Third party audit reports from one of the acceptable industry standard certifications 3. Documentation from a subcontractor or a sub-subcontractor, including a hyperscaler

Details related to the individual security controls can be found at: https://www.cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33

A Note on Inherited Security Controls The National Institute of Standards and Technology (NIST) defines common security controls as “security controls whose implementation results in a security capability that is inheritable by one or more organizational information systems.” Security controls are deemed inheritable by information systems or information system components when the systems or components receive protection from the implemented controls but the controls are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the systems or components including entities internal or external to the organizations where the systems or components reside. Where vendors inherit security controls from sub-contractors or sub-sub-contractors, vendors must note this and provide evidence of such inheritance. The following is a summary of the expected security controls that will be defined in more details at the RFP stage.

ID Security Objective Security Controls

1.0 Identity and access management (IAM) Objective: Implement identity and access management mechanisms for the solution.

AC-1, AC-2, AC-2(1), AC-2 (2) AC-2(3), AC-2(4), AC-2(5), AC-2(6), AC-2(7), AC-2(8), AC-2(9) AC-2(10), AC-2(11), AC-3, AC-4, AC-4(21), AC-5, AC-6, AC-6(1), AC-6(2), AC-6(3) AC-6(5), AC-6(7), AC-6(8), AC-6(9), AC-6(10), AC-7, AC-8, AC-10, AC-11, AC-11(1), AC-12, AC-12(1), AC-14, AC-17, AC-17(1), AC-17(2), AC-17(3), AC-17(4), AC-17(9), AC-17(100), AC-18, AC-18(1), AC-18(4), AC-18(5), AC-19, AC-19(4), AC-19(5), AC-20, AC-20(1), AC-20(2), AC-2, AC-22, AC-23, AC-24. IA-1, IA-2, IA-2(1), IA-2(2), IA-2(3), IA-2(4), IA-2(5), IA-2(6), IA-2(8), IA-2(11), IA-3, IA-4, IA-4(2), IA-4(3), IA-4(4), IA-5, IA-5(1), IA-5(2), IA-5(3), IA-5(4), IA-5(6), IA-5(7), IA-5(8), IA-5(11), IA-6, IA-7, IA-8.


______________________________________________________________________________________

Page 64 of - de 86


2.0 Auditing Objective: Implement an auditing mechanism for the solution.

AU-1, AU-2, AU-2(3), AU-3, AU-3(1), AU-3(2), AU-5, AU-5(2), AU-6, AU-6(1), AU-6(2), AU-6(3), AU-6(10), AU-7, AU-7(1), AU-8, AU-8(1), AU-9, AU-9(2), AU-9(3), AU-9(4), AU-10, AU-11, AU-12, AU-14, AU-14(1),

3.0 Data protection Objective: Implement mechanisms for the protection of data in transit and data at rest.

SC-8, SC-8(1), SC-12, SC-12(1), SC-12(2), SC-12(3), SC-13, SC-15, SC-17, SC-28, SC-28(1).

4.0 Networking Objective: Implement mechanisms to establish external and internal network perimeters and monitor network traffic.

AC-4, SC-7, SC-7(3), SC-7(4). SC-7(5), SC-7(7), SC-7(8), SC-7(10), SC-7(12), SC-7(13), SC-7(14), SC-7(18), SC-7(19), SC-7(21) SC-8, SC-10,

5.0 Secure development Objective: Limit vulnerabilities in the solution and ensure the integrity of data.

AC-12, CA-8, RA-5, SA-1, SA-2, SA-3, SA-4, SA-4(1), SA-4(2), SA-4(3), SA-4(7), SA-4(8), SA-4(9), SA-5, SA-8, SA-9, SA-9(1), SA-9(2), SA-9(4), SA-9(5), SA-10, SA-10(1), SA-11, SA-11(1), SA-11(2), SA-11(8), SA-12, SA-12(1), SA-121(2), SA-12(5), SA-12(7), SA-12(8), SA-12(9), SA-12(11), SA-15. SC-1, SC-2, SC-2(1), SC-4, SC-5, SC-6, SC-18, SC-18(3), SC-18(4), SC-19, SC-20, SC-21, SC-22, SC-23, SC-23(1), SC-39, SI-10, SI-11, SI-12, SI-15, SI-16.

6.0 Service continuity Objective: Implement the required security mechanisms to support service continuity.

CP-1, CP-2, CP-2(1), CP-2(3), CP-2(4), CP-2(5), CP-2(6), CP-2(8), CP-3, CP-4, CP-4(1), CP-4(2), CP-6, CP-6(1), CP-6(2), CP-6(3), CP-7, CP-7(1), CP-7(2), CP-7(3), CP-7(4), CP-8, CP-8(1), CP-8(1), CP-8(2), CP-8(3), CP-8(5), CP-9, CP-9(1), CP-9(2), CP-9(3), CP-9(5), CP-9(7), CP-10, CP-10(2), CP-10(4). MA-1, MA-2, MA-2(2), MA-3, MA-3(1), MA-3(2), MA-3(3), MA-4, MA-4(1), MA-4(2), MA-4(3), MA-4(6), MA-4(7), MA-5, MA-5(1), MA-6,


______________________________________________________________________________________

Page 65 of - de 86


7.0 Configuration management Objective: Implement the security aspects of configuration management.

CM-1, CM-2, CM-2(1), CM-2(2), CM-2(3), CM-2(7), CM-3, CM-3(1), CM-3(4), CM-3(6), CM-4, CM-5, CM-5(1), CM-5(5), CM-5(6), CM-6, CM-6(1), CM-6(2), CM-7, CM-7, CM-7(1), CM-7(2), CM-7(5), CM-8, CM-8(1), CM-8(2), CM-8(3), CM-8(5), CM-9, CM-10, CM-10(1), CM-11, SA-22. SC-43. MP-1, MP-2, MP-3, MP-4, MP-5, MP-5(4). MP-6, MP-6(1), MP-6(2), MP-6(3), MP-7, MP-7(1), MP-8, MP-8(1).

8.0 Security operations

Objective: Implement security operations mechanisms for the service.

IR-1, IR-2, IR-3, IR-3(2), IR-4, IR-4(1), IR-4(3), IR-4(6), IR-5, IR-5(1), IR-6, IR-6(1), IR-7, IR-7(1), IR-7(2), IR-8, IR-9, IR-9(1), IR-9(2), IR-9(3), IR-9(4). SI-1, SI-2, SI-2(1), SI-2(2), SI-2(3), SI-3(1), SI-3(2), SI-3(7), SI-4, SI-4(1), SI-4(2), SI-4(4), SI-4(4), SI-4(5), SI-4(7), SI-4(11), SI-4(14), SI-4(16), SI-4(20), SI-4(22), SI-4(23) SI-5, SI-5(1), SI-5, SI-6, SI-7, SI-7(1), SI-7(5), SI-7(7), SI-8, SI-8(1), SI-8(2). PL-1, PL-2, PL-2(3), PL-4, PL-4(1), PL-8

9.0 Security assessment Objective: Authorize the service for production use.

CA-1, CA-2, CA-2(1), CA-2(2), CA-2(3), CA-3, CA-3(2), CA-3(3), CA-3(5), CA-5, CA-6, CA-7, CA-7(1), CP-7(2), CP-7(3), CP-7(4), CP-8, CP-8(1), CP-8(2), CP-8(3), CP-8(5), CP-9, CP-9(1), CP-9(2), CP-9(3), CP-9(5), CP-9(7), CP-10, CP-10(2), CP-10(4), CA-8, CA-8(1), CA-9.

RA-1, RA-2, RA-3, RA-5, RA-5(1), RA-5(2), RA-5(3), RA-5(5), RA-5(6), RA-5(8),

10.0 Physical security Objective: Implement security control of physical and environmental mechanisms for the service

PE-1, PE-2, PE-2(3), PE-3, PE-3(1), PE-3(2), PE-4, PE-5, PE-6, PE-6(1), PE-6(4), PE-8, PE-8(1), PE-9, PE-10, PE-11, PE-11(1), PE-12, PE-13, PE-13(2), PE-13(2), PE-13(3), PE-14, PE-14(2), PE-15, PE-15(1), PE-16, PE-17.

11.0 Personnel Security Objective : : Implement personnel security control for the service

PS-1, PS-2, PS-3, PS-3(3), PS-4, PS-4(2), PS-5, PS-6, PS-7, PS-8,


______________________________________________________________________________________

Page 66 of - de 86

Personnel Security

1. All contractor and sub-contractor personnel will be required to obtain and maintain a personnel

security clearance/status commensurate with the sensitivity of the work being performed throughout the life cycle of the contract (in accordance with the provisions of the SRCL).

2. If unscreened personnel are being used on this requirement, the roles will be identified and approved by RCMP. This will occur once the successful vendor is chosen.

3. The contractor will be responsible for advising the RCMP of any changes in personnel security requirements. For example: Cleared personnel leaving the company or no longer supporting the RCMP contract, new personnel requiring security screening and personnel requiring renewal of their personnel security screening.

4. As the supplier and its employees will have access to RCMP Protected and/or Classified

information, an RCMP Clearance at the appropriate level is required. Contractor personnel must submit to verification by the RCMP, prior to being granted access to Protected or Classified information, systems, assets and/or facilities. The RCMP reserves the right to deny access to any of the contractor personnel, at any time.

When the RCMP identifies a requirement for Facility Access (FA2), Enhanced Reliability Status (ERS) or ERS with Secret, they will direct the contractors to the RCMP online portal for their completion of the clearance forms

The RCMP: 1. Will conduct personnel security screening checks that exceed the security requirements identified

from the Policy on Government Security.

RCMP reserves the caveat to increase or change the levels required if they deem appropriate ,once the job roles are more closely defined.


______________________________________________________________________________________

Page 67 of - de 86

Appendix B – Security Zone Concept The Government Security Policy (Section 10.8 - Access Limitations) stipulates that “departments must limit access to classified and protected information and other assets to those individuals who have a need to know the information and who have the appropriate security screening level”. The Operational Security Standard on Physical Security (Section 6.2 - Hierarchy of Zones) states that “departments must ensure that access to and safeguards for protected and classified assets are based on a clearly discernable hierarchy of zones”.

Public Zone is where the public has unimpeded access and generally surrounds or forms part of a government facility. Examples: the grounds surrounding a building, or public corridors and elevator lobbies in multiple occupancy buildings. Reception Zone is where the transition from a public zone to a restricted-access area is demarcated and controlled. It is typically located at the entry to the facility where initial contact between visitors and the department occurs; this can include such spaces as places where services are provided and information is exchanged. Access by visitors may be limited to specific times of the day or for specific reasons. Operations Zone is an area where access is limited to personnel who work there and to properly-escorted visitors; it must be indicated by a recognizable perimeter and monitored periodically. Examples: typical open office space, or typical electrical room. Security Zone is an area to which access is limited to authorized personnel and to authorized and properly-escorted visitors; it must be indicated by a recognizable perimeter and monitored continuously, i.e., 24 hours a day and 7 days a week. Example: an area where secret information is processed or stored. High Security Zone is an area to which access is limited to authorized, appropriately-screened personnel and authorized and properly-escorted visitors; it must be indicated by a perimeter built to the specifications recommended in the TRA, monitored continuously, i.e., 24 hours a day and 7 days a week and be an area to which details of access are recorded and audited. Example: an area where high-value assets are handled by selected personnel.


______________________________________________________________________________________

Page 68 of - de 86

Access to the zones should be based on the concept of "need to know" and restricting access to protect employees and valuable assets. Refer to RCMP Guide G1-026, Guide to the Application of Physical Security Zones for more detailed information.


______________________________________________________________________________________

Page 69 of - de 86

Annex D

Supply Chain Security Information Assessment Process

a) Qualification Requirement: In order to become a Qualified Respondent and to be eligible to bid on any solicitation associated with this procurement process, each Provisionally Qualified Respondent must successfully complete the preliminary Supply Chain Integrity (SCI) assessment and not be definitively disqualified. A comprehensive SCI assessment will be conducted by Canada at the RFP stage.

b) Definitions: The following words and expressions used with respect to the preliminary SCI assessment have the following meanings:

(a) “Product” means any hardware that operates at the data link layer of the Open Systems Interconnection model (OSI Model) Layer 2 and above; any software; and any Workplace Technology Device;

(b) “Workplace Technology Device” means any desktop, mobile workstation (such as a laptop or tablet), smart phone, or phone, as well as any peripheral item or accessory such as a monitor, keyboard, computer mouse, audio device or external or internal storage device such as a USB flash drive, memory card, external hard drive or writable CDs and DVDs or other media;

(c) “Product Manufacturer” means the entity that assembles the component parts to manufacture the final Product;

(d) “Software Publisher” means the owner of the copyright of the software, who has the right to license (and authorize others to license/sub-license) its software products;

(e) “Canada’s Data” means any data originating from the Work, any data received in contribution to the Work or any data that is generated as a result of the delivery of security, configuration, operations, administration and management services, together with any data that would be transported or stored by the contractor or any subcontractor as a result of performing the Work under any contract resulting from a subsequent solicitation; and

(f) “Work” means all the activities, services, goods, equipment, matters and things required to be done, delivered or performed by the contractor under any contract resulting from a subsequent solicitation.

c) Submission Requirements for the Preliminary SCI Assessment (part of step 2 of the ITQ):

(a) Provisionally Qualified Respondents must submit the information listed below before the expiry of a three-week period from the date of the email sent by the PWGSC directly to the Provisionally Qualified Respondents requesting the submission. Canada requests that Provisionally Qualified Respondents provide the information by using Form 5 - Supply Chain Security Information, but the form in which the information is submitted is not itself mandatory. Canada also requests that, on each page, Provisionally Qualified Respondents indicate their legal name and insert a page number as well as the total number of pages:


______________________________________________________________________________________

Page 70 of - de 86

(A) Ownership information for Provisionally Qualified Respondents: Provisionally Qualified Respondents must provide for the preliminary SCI assessment:

(1) Duns & Bradstreet number of the Provisionally Qualified Respondent, or:

(I) Ownership Information: the Provisionally Qualified Respondent must provide a list of all its shareholders. If the Provisionally Qualified Respondent is a subsidiary, this information must be provided for each parent corporation or parent partnership, up to the ultimate owner. With respect to any publicly traded corporation, in the bid, the Provisionally Qualified Respondent must include a list of those shareholders who hold at least 1% of the voting shares; however, upon request, a publicly traded Provisionally Qualified Respondent must provide further information about other shareholders;

(II) Investors that are not Shareholders;

(III) C-Suite; and

(IV) Board of Directors; and

(2) Corporate Website link.

(B) DEMS SaaS Product List with Location Information: Provisionally Qualified Respondents must identify, for the preliminary SCI assessment, the DEMS SaaS Products over which Canada’s Data would be transmitted and/or on which Canada’s Data would be stored, or that would be used and/or installed by the Provisionally Qualified Respondents or any of its subcontractors to perform any part of the Work, together with the location information regarding each DEMS SaaS Product.

The location where each DEMS SaaS Product is interconnected with any given network for Canada’s Data (the service delivery points or nodes, such as points of presence, third party locations, data centre facilities, operations centre, security operations centre, internet or other public network peering points, etc.) must be identified by the Provisionally Qualified Respondents.

Canada requests that Provisionally Qualified Respondents insert a separate row using Form 5 - Supply Chain Security Information for each DEMS SaaS Product. Canada also requests that the Provisionally Qualified Respondents not repeat multiple iterations of the same DEMS SaaS Product (e.g., if the serial number and/or the color is the only difference between two DEMS SaaS Products, they will be treated as the same DEMS SaaS Product for the purposes of preliminary SCI assessment).

d) Preliminary Supply Chain Integrity Assessment Process:

(a) Canada will assess whether, in its opinion, the Provisionally Qualified Respondent’s solution could compromise or be used to compromise the security of Canada’s equipment, firmware, software, systems or information.

(b) In conducting its assessment:


______________________________________________________________________________________

Page 71 of - de 86

(A) Canada may request from the Provisionally Qualified Respondent any additional information that Canada requires to conduct a complete preliminary SCI assessment. The Provisionally Qualified Respondent will have 2 working days (or a longer period if specified in writing by the Contracting Authority) to provide the necessary information to Canada. Failure to meet this deadline will result in the disqualification of the Provisionally Qualified Respondent.

(B) Canada may use any government resources or consultants to conduct the assessment and may contact third parties to obtain further information. Canada may use any information, whether it is included in the response or comes from another source that Canada considers advisable for conducting a preliminary SCI assessment.

(c) If, in Canada’s opinion, there is a possibility that any aspect of the SCSI, if used by Canada, could compromise or be used to compromise the security of Canada’s equipment, firmware, software, systems or information:

(A) Canada will notify the Provisionally Qualified Respondent in writing (sent by email) and identify which aspect(s) of the SCSI is subject to concern(s) or cannot be assessed (for example, proposed future releases of products cannot be assessed). Any further information that Canada might be able to provide to the Provisionally Qualified Respondent regarding its concerns will be determined based on the nature of the concerns. In some situations, for reasons of national security, it may not be possible for Canada to provide further information to the Provisionally Qualified Respondent; therefore, in some circumstances, the Provisionally Qualified Respondent will not know the underlying reasons for Canada’s concerns with respect to a product, subcontractor or other aspect of the Provisionally Qualified Respondent’s SCSI. With respect to any concerns, Canada may, in its discretion, identify a potential mitigation measure that the Provisionally Qualified Respondent would be required to implement with respect to any portion of the SCSI if awarded a contract.

(B) The notice will provide the Provisionally Qualified Respondent with one opportunity to submit revised SCSI within the 10 calendar days following the day on which Canada’s written notification is sent to the Provisionally Qualified Respondent (or a longer period specified in writing by the Contracting Authority). If Canada has identified a potential mitigation measure that the Provisionally Qualified Respondent would be required to implement if allowed to participate in the rest of the procurement, or if awarded a contract, the Provisionally Qualified Respondent must confirm in its revised SCSI submission whether or not it agrees that any RRR or RFP conditions, or awarded contract will contain additional commitments relating to those mitigation conditions.

(C) If the Provisionally Qualified Respondent submits revised SCSI within the allotted time, Canada will perform a second assessment. If, in Canada’s opinion, there is a possibility that any aspect of the Provisionally Qualified Respondent’s revised SCSI could compromise or be used to compromise the security of Canada’s equipment, firmware, software, systems or information, no further opportunities to revise the SCSI will be provided and the Provisionally Qualified Respondent will be disqualified and unable to participate in any subsequent phase of the procurement process. If Canada’s approval is subject to any mitigation measures, no contract will be awarded to the Provisionally Qualified Respondent and the Provisionally Qualified Respondent will not be


______________________________________________________________________________________

Page 72 of - de 86

able to participate in the rest of the procurement process, unless Canada is satisfied that the contract includes additional commitments reflecting the required mitigation measures.

(d) By participating in this process, the Provisionally Qualified Respondent acknowledges that the nature of information technology is such that new vulnerabilities, including security vulnerabilities, are constantly being identified. Also, the Provisionally Qualified Respondent acknowledges that Canada’s security assessment does not involve the assessment of a proposed solution. As a result:

(A) qualification pursuant to the preliminary SCI assessment does not constitute an approval that the products or other information included as part of the preliminary SCI will meet the requirements of any subsequent solicitation or any resulting contract or other instrument that may be awarded as a result of any subsequent solicitation, including the eventual RFP, if any, of this procurement;

(B) qualification under this ITQ following the preliminary SCI assessment does not mean that the same or similar SCSI will be assessed in the same way for future requirements;

(C) at any time during the next phases of this procurement process, Canada may advise a Qualified Respondent that some aspect(s) of its SCSI has become the subject of security concerns. At that point, Canada will notify the Qualified Respondent and provide the Qualified Respondent with an opportunity to revise its SCSI, using the same process described above; and

(D) during the performance of any contract resulting from a subsequent solicitation, if Canada has concerns regarding certain products, designs or subcontractors originally included in the SCSI, the terms and conditions of that contract will govern the process for addressing those concerns.

(e) All Provisionally Qualified Respondents will be notified in writing regarding whether or not they have been disqualified as a result of the preliminary SCI assessment.

(f) Any Qualified or Provisionally Qualified Respondent that has qualified with respect to the preliminary SCI assessment will be required, when responding to any subsequent solicitation under this procurement process, to propose a supply chain consistent with the SCSI submitted as part of the preliminary SCI assessment, in particular with the SCSI submitted in response to the Ownership information for the Provisionally Qualified Respondents in subsection c) (a)(A) and DEMS SaaS Product List with Location Information in subsection c)(a)(B) of this document (subject to revision only pursuant to the next Sub-article). Except pursuant to the paragraph below, no alternative or additional information submitted pursuant to subsection c)(a)(A) or c)(a)(B) may be proposed at the RFP stage.

(g) Once a Qualified or Provisionally Qualified Respondent has been qualified with respect to the preliminary SCI assessment, no modifications are permitted to the SCSI except under exceptional circumstances, as determined by Canada. Given that not all the exceptional circumstances can be foreseen, whether changes may be made and the process governing those changes will be determined by Canada on a case-by-case basis.

e) By submitting SCSI for the preliminary SCI assessment, and in consideration of the opportunity to participate in this procurement process, the Provisionally Qualified


______________________________________________________________________________________

Page 73 of - de 86

Respondent agrees to the terms of the following non-disclosure agreement (the “Non-Disclosure Agreement”):

(a) The Provisionally Qualified Respondent agrees to keep confidential and store in a secure location any information it receives from Canada regarding Canada’s assessment of the Provisionally Qualified Respondent’s SCSI (the “Sensitive Information”) including, but not limited to, which aspect of the SCSI is subject to concern, and the reasons for Canada’s concerns.

(b) Sensitive Information includes, but is not limited to, any documents, instructions, guidelines, data, material, advice or any other information whether received orally, in printed form or otherwise, and regardless of whether or not that information is labeled as classified, confidential, proprietary or sensitive.

(c) The Provisionally Qualified Respondent agrees that it will not reproduce, copy, divulge, release or disclose, in whole or in part, in whatever way or form any Sensitive Information to any person other than a person employed by the Provisionally Qualified Respondent who has a need to know the information and has a security clearance commensurate with the level of Sensitive Information being disclosed, without first receiving the written consent of the Contracting Authority.

(d) The Provisionally Qualified Respondent agrees to notify the Contracting Authority immediately if any person, other than those permitted by the previous Sub-article, accesses the Sensitive Information at any time.

(e) The Provisionally Qualified Respondent agrees that a breach of this Non-Disclosure Agreement may result in disqualification of the Provisionally Qualified Respondent at any stage of the procurement process, or immediate termination of a resulting contract or other resulting instrument. The Provisionally Qualified Respondent also acknowledges that a breach of this Non-Disclosure Agreement may result in a review of the Provisionally Qualified Respondent’s security clearance and a review of the Provisionally Qualified Respondent’s status as an eligible bidder for other requirements.

(f) All Sensitive Information will remain the property of Canada and must be returned to the Contracting Authority or destroyed, at the option of the Contracting Authority, if requested by the Contracting Authority, within 30 days following that request.

(g) This Non-Disclosure Agreement remains in force indefinitely. If the Provisionally Qualified Respondent wishes to be discharged from its obligations with respect to any records that include the Sensitive Information, the Provisionally Qualified Respondent may return all the records to an appropriate representative of Canada together with a reference to this Non-Disclosure Agreement. In that case, all Sensitive Information known to the Provisionally Qualified Respondent and its personnel (i.e., Sensitive Information that is known, but not committed to writing) would remain subject to this Non-Disclosure Agreement, but there would be no further obligations with respect to the secure storage of the records containing that Sensitive Information (unless the Provisionally Qualified Respondent created new records containing the Sensitive Information). Canada may require that the Provisionally Qualified Respondent provide written confirmation that all hard and soft copies of records that include Sensitive Information have been returned to Canada.


______________________________________________________________________________________

Page 74 of - de 86

f) Anticipated Submission Requirements for the Comprehensive SCI Assessment (Qualified Suppliers will be informed of requirements at RFP stage) – Provided for Informational Purposes Only at this ITQ stage:

In the future, subject to possible changes, Canada will likely also require the following information:

(A) Full Product List (Body Worn Camera):

(1) Location: identify where each Product is interconnected with any given network for Canada’s Data (identify the service delivery points or nodes, such as points of presence, third party locations, data centre facilities, operations centre, security operations centre, internet or other public network peering points, etc.).

(2) Product Type: identify the generally recognized description used by industry such as hardware, software, etc.; components of an assembled Product, such as module or card assembly, must be provided for all layer 3 internetworking devices;

(3) Component: identify the generally recognized description used by industry such as firewall router, switch, server, security appliance, etc.;

(4) Product Model Name or Number: identify the advertised name or number of the Product assigned to it by the Product Manufacturer;

(5) Description and Purpose of the Product: identify the advertised description or purpose by the Product Manufacturer of the Product and the intended usage or role in the Work described for the Project;

(6) Source: identify the Product Manufacturer and/or Software Publisher of embedded components;

(7) Name of Subcontractor: identify all subcontractors. In the “SCSI Submission Form” provided with this ITQ, “Name of Subcontractor” refers to any subcontractor that will provide, install or maintain one or more Products, if the Provisionally Qualified Respondent would not do so itself, as further defined below.

(B) Full Product List (DEMS SaaS):

(1) Product Type: identify the generally recognized description used by industry such as hardware, software, etc.; components of an assembled Product, such as module or card assembly, must be provided for all layer 3 internetworking devices;

(2) Component: identify the generally recognized description used by industry such as firewall router, switch, server, security appliance, etc.;

(3) Product Model Name or Number: identify the advertised name or number of the Product assigned to it by the Product Manufacturer;

(4) Description and Purpose of the Product: identify the advertised description or purpose by the Product Manufacturer of the Product and the intended usage or role in the Work described for the Project;


______________________________________________________________________________________

Page 75 of - de 86

(5) Source: identify the Product Manufacturer and/or Software Publisher of embedded components;

(6) Name of Subcontractor: identify all subcontractors. In the “SCSI Submission Form” provided with this ITQ, “Name of Subcontractor” refers to any subcontractor that will provide, install or maintain one or more Products, if the Provisionally Qualified Respondent would not do so itself, as further defined below.

(C) Network Diagrams: one or more conceptual network diagrams that collectively show the complete network proposed to be used to perform the Work. The network diagrams are only required to include portions of the bidders’ network (and its possible subcontractors’ networks) over which Canada’s Data would be transmitted in performing any resulting contract. Likely, the diagram will need to show:

(1) the following key nodes for the delivery of the services under any resulting contract:

(I) service delivery points;

(II) core network; and

(III) subcontractor network (specifying the name of the subcontractor as listed in the List of Subcontractors);

(2) the node interconnections, if applicable;

(3) any node connections with the Internet; and

(4) for each node, a cross-reference to the Product that will be deployed within that node, using the line item number from the IT Product List.

(D) List of Subcontractors: a list of any subcontractors that could be used to perform any part of the Work (including subcontractors affiliated or otherwise related to the bidder) pursuant to any resulting contract. The list must include at a minimum:

(1) the name of the subcontractor;

(2) the address of the subcontractor’s headquarters;

(3) the portion of the Work that would be performed by the subcontractor; and

(4) the location(s) where the subcontractor would perform the Work.

This list must identify all third parties who may perform any part of the Work, whether they would be subcontractors to the bidder, or subcontractors to subcontractors of the bidder down the chain. This means that every subcontractor that could have access to Canada’s Data or would be responsible either for transporting it or for storing it must be identified. Subcontractors would also include, for example, technicians who might be deployed to maintain the bidder’s solution. For the purposes of this requirement, a third party who is merely a supplier of goods to the bidder, but who does not perform any portion


______________________________________________________________________________________

Page 76 of - de 86

of the Work, is not considered to be a subcontractor. If the bidder does not plan to use any subcontractors to perform any part of the Work, Canada requests that the bidder indicate this in its response.


______________________________________________________________________________________

Page 77 of - de 86

Annex E

Acts and Policies This following section is provided for information only at this stage. It highlights some of the various policies and acts that may need to be taken into consideration for both the RFP and the resulting contract. Note that the list may not be complete and other policies and acts could also apply. 1.0 Digital Standards and Policy

1.1 Government of Canada Digital Standards (Government of Canada Digital Standards - Canada.ca) form the foundation of the government’s shift to becoming more agile, open, and user-focused. They guide teams in designing digital services in a way that best serves Canadians.

1.2 The Policy on Service and Digital (Policy on Service and Digital- Canada.ca (tbs-sct.gc.ca)) - Serves as an integrated set of rules that articulate how GC organizations manage service delivery, information and data information technology, and cyber security in the digital era.

2.0 Interoperability Standards

Standards on Application Programming Interfaces (APIs) (Government of Canada Standards on APIs - Canada.ca) - The standards govern how APIs are to be developed within and for the GC to better support integrated digital processes across departments and agencies.

3.0 Cloud Computing and Data Sovereignty

Government of Canada White Paper: Data Sovereignty and Public Cloud (Government of Canada White Paper: Data Sovereignty and Public Cloud - Canada.ca ) - The purpose of this paper is to provide an overview of the risks to data sovereignty that is associated with using commercial public cloud environments. The risks to data residency and security are also discussed. These risks are examined in the context of the GC’s cloud-first strategy. By the end of this paper, the reader will understand these risks and the associated mitigation measures. The reader will also understand how cloud services can help the GC address other risks, such as: aging IT, current security gaps and not benefiting from emerging technology.

4.0 Privacy


______________________________________________________________________________________

Page 78 of - de 86

4.1 Interim Policy on Privacy Protection (Policy on Privacy Protection- Canada.ca (tbs-sct.gc.ca)) – The objectives of this interim policy are as follows: to facilitate statutory and regulatory compliance, and to enhance effective application of the Privacy Act and its Regulations by government institutions; to ensure consistency in practices and procedures in administering the Act and Regulations; and to ensure effective protection and management of personal information and mitigating privacy risks in government programs and activities.

4.2 Access to Information (Access to Information Act (justice.gc.ca)) An Act to extend the

present laws of Canada that provide access to information under the control of the Government of Canada.

4.3 Privacy Act (Privacy Act (justice.gc.ca)) - An Act to extend the present laws of Canada

that protect the privacy of individuals and that provide individuals with a right of access to personal information about themselves.

5.0 Security Policy

Policy on Government Security (Policy on Government Security- Canada.ca (tbs-sct.gc.ca)) – Provides direction to manage government security in support of the trusted delivery of GC programs and services, the protection of information, individuals and assets, and provides assurance to Canadians, partners, oversight bodies and other stakeholders regarding security management in the GC.

6.0 Accessibility 6.1 Standard on Web Accessibility (https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=23601)

The objective of this standard is to ensure a high level of Web accessibility is applied uniformly across Government of Canada websites and web applications.

6.2 Accessibility Strategy for the Public Service of Canada

(Accessibility Strategy for the Public Service of Canada - Canada.ca) - The Strategy outlines how the vision of the GC being the most accessible and inclusive public service in the world and how the guiding principles of Nothing without us, collaboration, sustainability, and transparency are to be implemented.

6.3 Accessible Canada Act (Government Bill (House of Commons) C-81 (42-1) - Royal

Assent - Accessible Canada Act - Parliament of Canada) – The Accessible Canada Act was enacted into law in order to enhance the full and equal participation of all persons, especially persons with disabilities, in society. This is to be achieved through the realization, within the purview of matters coming within the legislative authority of Parliament, of a Canada without barriers, particularly by the identification, removal and prevention of barriers.


______________________________________________________________________________________

Page 79 of - de 86

6.4 Web Content Accessibility Guidelines (Web Content Accessibility Guidelines (WCAG) 2.1 (w3.org)) – The Web Content Accessibility Guidelines (WCAG) 2.1 covers a wide range of recommendations for making Web content more accessible. Following these guidelines will make content more accessible to a wider range of people with disabilities, including accommodations for blindness and low vision, deafness and hearing loss, limited movement, speech disabilities, photosensitivity, and combinations of these, and some accommodation for learning disabilities and cognitive limitations; but will not address every user need for people with these disabilities. These guidelines address accessibility of web content on desktops, laptops, tablets, and mobile devices.

6.5 Guideline on Making Information Technology Usable by All (Guideline on Making

Information Technology Usable by All- Canada.ca (tbs-sct.gc.ca)) - This guideline supports the Government of Canada’s direction to ensure that departments, agencies and organizations consider accessibility in the acquisition or development of information technology (IT) solutions and equipment to make IT usable by all.

7.0 Official Languages

The Official Languages Act (OLA) (Policy on Official Languages- Canada.ca (tbs-sct.gc.ca)) reaffirms the equality of the status of English and French as the official languages of Canada and establishes equal rights and privileges as to their use in institutions. The policy’s objective is to facilitate compliance with and ensure effective implementation of the OLA and its Refutations by institutions.

8.0 Nunavut Settlement Area (NSA)

The Directive on Government Contracts, Including Real Property Leases, in the Nunavut Settlement Area (Directive on Government Contracts, Including Real Property Leases, in the Nunavut Settlement Area- Canada.ca (tbs-sct.gc.ca)) ensures that government contracting in the Nunavut Settlement Area will meet the Government of Canada’s obligations under Article 24 of the Nunavut Agreement.

9.0 Comprehensive Land Claim Agreements

Modern treaties, also known as Comprehensive Land Claim Agreements (CLCAs), (https://buyandsell.gc.ca/policy-and-guidelines/supply-manual/section/9#section-9.35) are typically tripartite, including Indigenous organizations or nations, the Crown, and provincial/territorial governments as signatories. They provide clarity and predictability with respect to land and resource rights, ownership, and management. Modern treaties/CLCAs also seek to ensure fair treatment of Indigenous interests with respect to cultural, social, political and economic rights, including rights to lands, and to fish and hunt and practice their own cultures. The rights defined in them are constitutionally protected within section 35 of the Constitution Act, 1982.


______________________________________________________________________________________

Page 80 of - de 86

FORM 1 – RESPONDENT DECLARATION AND RESPONSE SUBMISSION FORM By submitting its Response, the Respondent hereby certifies to Canada as follows:

1. Respondent’s Full Legal Name The “Respondent is the person or entity submitting the Response. Respondents who are part of a corporate group should clearly identify the corporation that is the actual Respondent.

Name [RESPONDENT'S FULL LEGAL NAME]

Business Name (if different from legal name)

Mailing Address [RESPONDENT'S FULL ADDRESS INCLUDING: Street Number / Street Name, Unit / Suite / Apartment Number City, Province, Territory Postal Code Country]

Civic (physical) address

[RESPONDENT'S FULL ADDRESS INCLUDING: Street Number / Street Name, Unit / Suite / Apartment Number City, Province, Territory Postal Code Country]

Organization Telephone number

2. Respondent’s Procurement Business Number (PBN) [Note to Respondents: Please ensure that the PBN you provide matches the legal name under which you have submitted your response. If it does not, the Respondent will be determined based on the legal name provided, not based on the PBN, and the Respondent will be required to submit the PBN that matches the legal name of the Respondent.]

Procurement Business Number [PROCUREMENT BUSINESS NUMBER]

3. Authorized Representative of the Respondent Name

Title

Business Telephone Number

Cellular Telephone Number


______________________________________________________________________________________

Page 81 of - de 86

E-mail Address

4. Identification of Joint Venture Parties For a Response submitted on behalf of a Joint Venture, the Respondent must provide the information or indicate “N/A” if not applicable. Name(s) of Joint Venture Persons or Entities

PBN(s) of Joint Venture Member

5. Language Preference

If qualified to participate in the next step of the procurement process, the Respondent would prefer to receive correspondence and associated procurement documentation in the following language: English French

6. Federal Contractors Program for Employment Equity (FCP) Eligibility to Respond Federal Contractors Program for Employment Equity

[ ] The Respondent, and any of its persons or entities if it is a Joint Venture, is not named on the Federal Contractors Program (FCP) for Employment Equity " FCP Limited Eligibility to Bid" list. Canada may declare a Response non-responsive if the Respondent, or any of its persons or entities if the Respondent is a Joint Venture, appears on the “FCP Limited Eligibility to Bid" list at the time of contract award.

7. Code of Conduct for Procurement

[ ] The Respondent complies with Canada’s Code of Conduct for Procurement (the “Code”).

8. Ineligibility and Suspension Policy

[ ] The Respondent has read, understands, and complied with the requirements of Canada’s Ineligibility and Suspension Policy ("Policy") and applicable directives in effect on the bid solicitation issue date. [ ] The Respondent is not currently suspended, or ineligible under the Policy. [ ] The Respondent understands that any subsequent criminal charges or convictions may result in the Bidder’s suspension or ineligibility to contract with Canada.

List of Names: Board of Directors (First Name Last Name) List may be included as an attachment to this Annex Other Members (First Name Last Name)

1. Director 2. Director 3. Director 4. Director 5. Director


______________________________________________________________________________________

Page 82 of - de 86

6. Director 7. Director 8. Director 9. Director 10. Director [Insert Title] [Insert Title] 9. Accessibility Requirements

(as specified in M7 of Annex B, Mandatory Evaluation Criteria)

[ ] The Respondent has read and understands the accessibility requirements as outlined in the Web Content Accessibility Guidelines (WCAG) 2 standards, Government of Canada Standard on Web Accessibility, and the Accessibility Strategy for the Public Service of Canada. Yes No

10. Accuracy and Integrity Accuracy of information

[ ] All the information that the Respondent submits with its Response is true, accurate, and complete as of the date indicated below.

11. Declaration and Signatures The Respondent represents that the person identified above as the Respondent’s representative is fully authorized to represent the Respondent in all matters related to its Response, including but not limited to providing clarifications and additional information that may be requested in association with its Response. The Respondent also hereby agrees and acknowledges that: a. This declaration form has been duly authorized and validly executed; b. The Respondent has received, read, examined, understood and agrees to be bound by the entire ITQ including all amendment(s) thereto; c. The Respondent is bound by all statements and representations in its ITQ Response; and d. The Respondent acknowledges that information provided above will be used to support the evaluation of its Response. I, the undersigned, being a principal of the Respondent, have the authority to bind the corporation, partnership, sole proprietorship, or Joint Venture as applicable, and hereby certify that the information given on this form and in the submitted Response is accurate to the best of my knowledge.

Name and Title of Representative authorized to sign on behalf of the Respondent

___________________________________________________ Name of Authorized Representative ___________________________________________________ Title of Authorized Representative:

Signature and Date of Representative authorized to sign on behalf of the Respondent

____________________________________________________ Signature of Authorized Representative Date


______________________________________________________________________________________

Page 83 of - de 86

FORM 2 – REFERENCE PROJECT CHECK FORM Instructions to Respondents: (a) Respondents are requested to submit a Reference Project Check Form for each Reference

Project submitted in response to mandatory requirements in Annex B – Mandatory Evaluation Criteria of the ITQ, as applicable.

(b) If the information requested in this form is not provided with the Respondent’s ITQ

response it must be provided upon receipt of a request from the Contracting Authority within the timeframe identified in the request.

(c) Canada may contact the contact person, provided for the reference project, to validate the

information provided.

# Response

(a) Mandatory Requirement Number (from Annex B) (b) Respondent Full Legal Name (if the Respondent is a joint venture, the full legal name of the

joint venture member that rendered the services and/or provided the goods at the Reference Project)

(c) Description of the Reference Project (d) Name of law enforcement organization (Reference Project) (e) Name of the contact person that is responsible to accept the services/goods on behalf of the

Reference Project (f) Title of contact person (while responsible to accept the delivery of the services at the reference

project) (g) Current telephone number of contact person (h) Current e-mail address of the contact person (i) Role and responsibilities of the contact person at the reference project


______________________________________________________________________________________

Page 84 of - de 86

FORM 3 - SAAS PUBLISHER CERTIFICATION FORM The Respondent certifies that it or _______________________ [insert name of the particular Joint Venture partner, if applicable] is the SaaS Publisher of the proposed Digital Evidence Management System (DEMS) solution and that it has all the rights necessary to license it and provide SaaS services to Canada in accordance with M4 of Annex B - Mandatory Evaluation Criteria. Name of the DEMS solution: _____________________________________________________________________________ Name of SaaS Publisher: _________________________________________________________ Signature of authorized signatory of SaaS Publisher: ___________________________________ Print Title of authorized signatory of SaaS Publisher: ___________________________________ Address for authorized signatory of SaaS Publisher: ___________________________________ Telephone no. for authorized signatory of SaaS Publisher: _______________________________ Email for authorized signatory of SaaS Publisher: _____________________________________ Date signed: ___________________________________________________________________ ITQ Number: __________________________________________________________________


______________________________________________________________________________________

Page 85 of - de 86

FORM 4 - GOVERNMENT OF CANADA CLOUD SERVICE PROVIDER

AUTHORIZATION FORM The Government of Canada (GC) Cloud Service Provider (CSP) acknowledges that the Respondent named below has submitted a response to the Invitation to Qualify (ITQ) (Reference No. M7594-212120/F) in accordance with M8 of Annex B Mandatory Evaluation Criteria for the following proposed Digital Evidence Management System (DEMS) solution to be deployed on the GC approved cloud identified below. The GC CSP hereby confirms that:

(i) The Respondent named below is authorized to deploy its DEMS solution on the cloud identified below.

(ii) The cloud identified below on which the proposed DEMS solution will be deployed and hosted meets the GC Security Control Profile for Cloud-based GC Services (https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/government-canada-security-control-profile-cloud-based-it-services.html).

Name of the DEMS solution: ______________________________________________________ Name of the GC approved cloud: __________________________________________________ Name of the Respondent: _________________________________________________________ Name of GC CSP: ______________________________________________________________ Signature of authorized signatory of GC CSP: ________________________________________ Print Title of authorized signatory of GC CSP: ___________________________________ Address for authorized signatory of GC CSP: ___________________________________ Telephone no. for authorized signatory of GC CSP: _______________________________ Email for authorized signatory of GC CSP: _____________________________________ Date signed: ___________________________________________________________________


______________________________________________________________________________________

Page 86 of - de 86

Form 5: Supply Chain Integrity Information

The form is available upon request at the following email address:

Contracting Authority Public Works and Government Services Canada Name: Kent Cummings

E-mail address: [email protected]

solicitation closes - l'invitation prend fin at - à 02:00

Documents