This quarterly report has been prepared by management as required by section 65.1 of the Financial Administration Act and in the form and manner prescribed by the Directive on Accounting Standards, GC 4400 Departmental Quarterly Financial Report. This quarterly financial report should be read in conjunction with the 2024–2025 Main Estimates.
This quarterly report has not been subject to an external audit or review.
Mandate
The National Security and Intelligence Review Agency (NSIRA) is an independent external review body that reports to Parliament. Established in July 2019, NSIRA is responsible for conducting reviews of the Government of Canada’s national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also hears public complaints regarding key national security agencies and their activities.
The NSIRA Secretariat supports the Agency in the delivery of its mandate. Independent scrutiny contributes to strengthening the accountability framework for national security and intelligence activities and to enhancing public confidence. Ministers and Canadians are informed whether national security and intelligence activities undertaken by Government of Canada institutions are lawful, reasonable, and necessary
This quarterly report has been prepared by management using an expenditure basis of accounting. The accompanying Statement of Authorities includes the agency’s spending authorities granted by Parliament and those used by the agency, consistent with the 2024–2025 Main Estimates. This quarterly report has been prepared using a special-purpose financial reporting framework (cash basis) designed to meet financial information needs with respect to the use of spending authorities.
The authority of Parliament is required before money can be spent by the government. Approvals are given in the form of annually approved limits through appropriation acts or through legislation in the form of statutory spending authorities for specific purposes.
Highlights of the fiscal quarter and fiscal year-to-date results
This section highlights the significant items that contributed to the net increase or decrease in authorities available for the year and actual expenditures for the quarter ended June 30, 2024.
NSIRA Secretariat spent approximately 19% of its authorities by the end of the first quarter, compared with 19% in the same quarter of 2023–2024 (see graph 1).
Graph 1: Comparison of total authorities and total net budgetary expenditures, Q1 2024–25 and Q1 2023–24
Text version of Figure 1
Comparison of total authorities and total net budgetary expenditures, Q1 2024–25 and Q1 2023–24
2024-25
2023-24
Total Authorities
$18.4
$23.0
Q1 Expenditures
$3.5
$4.3
Significant changes to authorities
As of June 30, 2024, Parliament had approved $18.4 million in total authorities for use by NSIRA Secretariat for 2024–2025 compared with $23.0 million as of June 30, 2023, for a net decrease of $4.6 million or 20.0% (see graph 2).
Graph 2: Variance in authorities as at June 30, 2024
Text version of Figure 2
Variance in authorities as at June 30, 2024 (in millions)
Fiscal year 2023-24 total available for use for the year ended March 31, 2024
Fiscal year 2024-25 total available for use for the year ended March 31, 2025
Vote 1 – Operating
21.3
16.8.3
Statutory
1.8
1.6
Total budgetary authorities
23.0
18.4
*Details may not sum to totals due to rounding*
The decrease of $4.6 million in authorities is mostly explained by a reduction in capital funding for infrastructure projects.
Significant changes to quarter expenditures
The first quarter expenditures totalled $3.5 million for a decrease of $0.8 million when compared with $4.3 million spent during the same period in 2023–2024. Table 1 presents budgetary expenditures by standard object.
Table 1
Variances in expenditures by standard object (in thousands of dollars)
Fiscal year 2024–25: expended during the quarter ended June 30, 2024
Fiscal year 2023–24: expended during the quarter ended June 30, 2023
Variance $
Variance %
Personnel
3,008
2,886
122
4%
Transportation and communications
58
130
(72)
(55%)
Information
6
0
6
100%
Professional and special services
269
1,165
(896)
(77%)
Rentals
25
48
(23)
(48%)
Repair and maintenance
3
24
(21)
(88%)
Utilities, materials, and supplies
28
7
21
300%
Acquisition of machinery and equipment
12
48
(36)
(75%)
Other subsidies and payments
79
4
75
1875%
Total gross budgetary expenditures
3,488
4,312
(824)
(19%)
Transportation and communications
The decrease of $72,000 is explained by a change in the timing of invoicing for the internet connection.
Professional and special services
The decrease of $896,000 is mainly explained by a change in the timing of the billing for maintenance and services in support of our classified IT network infrastructure.
Rentals
The decrease of $23,000 is explained by a decrease in cost for the rent for temporary office space.
Repair and maintenance
The decrease of $21,000 is explained by a one-time maintenance contract purchased in fiscal year 2023-2024.
Utilities, materials, and supplies
The increase of $21,000 is explained by unreconciled acquisition card purchases.
Acquisition of machinery and equipment
The decrease of $36,000 is explained by a one-time purchase of a specialized laptop along with a wall mounted charging station and warranty in 2023-2024.
Other subsidies and payments
The increase of $75,000 is explained by an increase in salary overpayments.
Risks and uncertainties
There is a risk that the funding received to offset pay increases anticipated over the coming year will be insufficient to cover the costs of such increases and the year-over-year cost of services provided by other government departments/agencies is increasing significantly.
NSIRA Secretariat is closely monitoring pay transactions to identify and address over and under payments in a timely manner and continues to apply ongoing mitigating controls.
Mitigation measures for the risks outlined above have been identified and are factored into NSIRA Secretariat’s approach and timelines for the execution of its mandated activities.
Significant changes in relation to operations, personnel and programs
Mr. Charles Fugère was appointed by the Governor-in-Council to be Executive Director of the NSIRA Secretariat on an interim basis on June 3, 2024.
Mr. Marc-André Cloutier, NSIRA Secretariat’s Director General, Corporate Services and CFO since 2023, retired in Q4 of 2023-2024. He has been replaced by Mr. Martyn Turcotte.
Approved by senior officials:
Charles Fugère Executive Director
Amanda Wark A/Chief Financial Officer
Appendix
Statement of authorities (Unaudited)
(in thousands of dollars)
Fiscal year 2024–25
Fiscal year 2023–24
Total available for use for the year ending March 31, 2025 (note 1)
Used during the quarter ended June 30, 2024
Year to date used at quarter-end
Total available for use for the year ending March 31, 2024 (note 1)
Used during the quarter ended June 30, 2023
Year to date used at quarter-end
Vote 1 – Net operating expenditures
16,810
3,088
3,088
21,254
3,873
3,873
Budgetary statutory authorities
Contributions to employee benefit plans
1,601
400
400
1,755
439
439
Total budgetary authorities (note 2)
18,411
3,488
3,488
23,009
4,312
4,312
Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.
Note 2: Details may not sum to totals due to rounding.
Departmental budgetary expenditures by standard object (unaudited)
(in thousands of dollars)
Fiscal year 2024–25
Fiscal year 2023–24
Planned expenditures for the year ending March 31, 2025 (note 1)
Expended during the quarter ended June 30, 2024
Year to date used at quarter-end
Planned expenditures for the year ending March 31, 2024
Expended during the quarter ended June 30, 2023
Year to date used at quarter-end
Expenditures
Personnel
13,205
3,088
3,088
13,303
2,886
2,886
Transportation and communications
685
58
58
650
130
130
Information
76
6
6
372
0
0
Professional and special services
3,577
269
269
3,596
1,165
1,165
Rentals
309
25
25
271
48
48
Repair and maintenance
436
3
3
4,580
24
24
Utilities, materials, and supplies
58
28
28
73
7
7
Acquisition of machinery and equipment
65
12
12
132
48
48
Other subsidies and payments
0
79
79
33
4
4
Total gross budgetary expenditures
(note 2)
18,411
3,488
3,488
23,009
4,312
4,312
Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.
Note 2: Details may not sum to totals due to rounding.
Statement of Management Responsibility Including Internal Control over Financial Reporting
Responsibility for the integrity and objectivity of the accompanying financial statements for the year ended March 31, 2023, and all information contained in these financial statements rests with the management of the National Security and Intelligence Review Agency (NSIRA) Secretariat. These financial statements have been prepared by management using the Government of Canada’s accounting policies, which are based on Canadian public sector accounting standards.
Management is responsible for the integrity and objectivity of the information in these financial statements. Some of the information in the financial statements is based on management’s best estimates and judgment and gives due consideration to materiality. To fulfill its accounting and reporting responsibilities, management maintains a set of accounts that provides a centralized record of the NSIRA Secretariat’s financial transactions. Financial information submitted in the preparation of the Public Accounts of Canada, and included in the NSIRA Secretariat’s Departmental Results Report, is consistent with these financial statements.
Management is also responsible for maintaining an effective system of internal control over financial reporting (ICFR) designed to provide reasonable assurance that financial information is reliable, that assets are safeguarded and that transactions are properly authorized and recorded in accordance with the Financial Administration Act and other applicable legislation, regulations, authorities, and policies.
Management seeks to ensure the objectivity and integrity of data in its financial statements through careful selection, training and development of qualified staff; through organizational arrangements that provide appropriate divisions of responsibility; through communication programs aimed at ensuring that regulations, policies, standards, and managerial authorities are understood throughout the NSIRA Secretariat and through conducting an annual risk-based assessment of the effectiveness of the system of ICFR.
The system of ICFR is designed to mitigate risks to a reasonable level based on an ongoing process to identify key risks, to assess effectiveness of associated key controls, and to make any necessary adjustments.
The financial statements of the National Security and Intelligence Agency Secretariat have not been audited.
The accompanying notes form an integral part of these financial statements.
Statement of Change in Departmental Net Debt (Unaudited)
For the Year Ended March 31(in thousands of dollars)
2023
2022
Net cost of operations after government funding and transfers
75
(2,361)
Change due to tangible capital assets
Acquisition of tangible capital assets
755
3,114
Amortization of tangible capital assets
(664)
(528)
Total change due to tangible capital assets
91
2,586
Change due to prepaid expenses
(65)
(22)
Net increase (decrease) in departmental net debt
101
203
Departmental net debt – Beginning of year
675
472
Departmental net debt – End of year
776
675
The accompanying notes form an integral part of these financial statements.
Statement of Cash Flows (Unaudited)
For the Year Ended March 31 (in thousands of dollars)
2023
2022
Operating activities
Net cost of operations before government funding and transfers
19,586
16,165
Non-cash items:
–
–
Amortization of tangible capital assets
(664)
(528)
Services provided without charge by other government departments (Note 9a)
(1,265)
(1,242)
Transfer of overpayments
(9)
(15)
Variations in Statement of Financial Position:
–
–
Increase (decrease) in accounts receivable and advances
(119)
5
Increase (decrease) in prepaid expenses
(65)
(22)
Decrease (increase) in accounts payable and accrued liabilities
(213)
299
Decrease (increase) in vacation pay and compensatory leave
(76)
(341)
Decrease (increase) in future employee benefits
(1)
88
Cash used in operating activities
17,174
14,439
Capital investing activities
–
–
Acquisitions of tangible capital assets (Note 7)
755
3,114
Cash used in capital investing activities
755
3,114
Net cash provided by Government of Canada
17,929
17,553
Notes to the Financial Statements (Unaudited)
1. Authority and objectives
The agency was established, effective July 12, 2019 under the National Security and Intelligence Review Agency Act (NSIRA Act).
The agency is a division of the federal public administration as set out in column 1 of Schedule I.1 of the Financial Administration Act and reports to Parliament through the Prime Minister.
The mandate of the agency is to review all Government of Canada national security and intelligence activities to ensure that they are lawful, reasonable and necessary. The agency also investigates public complaints regarding key national security agencies and activities.
To achieve its strategic outcome and deliver results for Canadians, NSIRA articulates its plans and priorities based on the core responsibility and program inventory included below:
National Security and Intelligence Reviews and Complaints Investigations
The National Security and Intelligence Review Agency reviews Government of Canada national security and intelligence activities to assess whether they are lawful, reasonable and necessary. It investigates complaints from members of the public regarding activities of CSIS, CSE or the national security activities of the RCMP, as well as certain other national security-related complaints. This independent scrutiny contributes to the strengthening of the framework of accountability for national security and intelligence activities undertaken by Government of Canada institutions and supports public confidence in this regard.
Internal Services
Internal support services are groups of related activities and resources that are administered to support the needs of programs and other corporate obligations of an organization. These groups are: Management and Oversight Services; Communications Services; Legal Services; Human Resources Management Services; Financial Management Services; Information Management Services; Information Technology Services; Real Property Services; Materiel Services; Acquisition Services; and Other Administrative Services. Internal Services include only those activities and resources that apply across an organization and not to those provided specifically to a program.
2. Summary of significant accounting policies
These financial statements are prepared using NSIRA’s accounting policies stated below, which are based on Canadian public sector accounting standards. The presentation and results using the stated accounting policies do not result in any significant differences from Canadian public sector accounting standards.
Significant accounting policies are as follows:
(a) Parliamentary authorities
NSIRA is financed by the Government of Canada through Parliamentary authorities. Financial reporting of authorities provided to NSIRA do not parallel financial reporting according to generally accepted accounting principles since authorities are primarily based on cash flow requirements. Consequently, items recognized in the Statement of Operations and Departmental Net Financial Position and in the Statement of Financial Position are not necessarily the same as those provided through authorities from Parliament. Note 3 provides a reconciliation between the bases of reporting. The planned results amounts in the ”Expenses” and ”Revenues” sections of the Statement of Operations and Departmental Net Financial Position are the amounts reported in the Future-Oriented Statement of Operations included in the 2022-2023 Departmental Plan. The planned results amounts in the “Government funding and transfers” section of the Statement of Operations and Departmental Net Financial Position and in the Statement of Change in Departmental Net Debt were prepared for internal management purposes and have not been previously published.
(b) Net cash provided by Government of Canada
NSIRA operates within the Consolidated Revenue Fund (CRF), which is administered by the Receiver General for Canada. All cash received by NSIRA is deposited to the CRF, and all cash disbursements made by NSIRA are paid from the CRF. The net cash provided by Government is the difference between all cash receipts and all cash disbursements, including transactions between departments of the Government.
(c) Amounts due from or to the CRF
Amounts due from or to the CRF are the result of timing differences at year-end between when a transaction affects authorities and when it is processed through the CRF. Amounts due from the CRF represent the net amount of cash that NSIRA is entitled to draw from the CRF without further authorities to discharge its liabilities.
(d) Expenses
Vacation pay and compensatory leave are accrued as the benefits are earned by employees under their respective terms of employment.
Services provided without charge by other government departments for accommodation, employer contributions to the health and dental insurance plans and workers’ compensation are recorded as operating expenses at their carrying value.
(e) Employee future benefits
Pension benefits: Eligible employees participate in the Public Service Pension Plan, a pension plan administered by the Government. NSIRA’s contributions to the Plan are charged to expenses in the year incurred and represent the total departmental obligation to the Plan. NSIRA’s responsibility with regard to the Plan is limited to its contributions. Actuarial surpluses or deficiencies are recognized in the financial statements of the Government of Canada, as the Plan’s sponsor.
Severance benefits: The accumulation of severance benefits for voluntary departures ceased for applicable employee groups. The remaining obligation for employees who did not withdraw benefits is calculated using information derived from the results of the actuarially determined liability for employee severance benefits for the Government as a whole.
(f) Non-financial assets
All tangible capital assets having an initial cost of $10,000 or more are recorded at their acquisition cost. Tangible capital assets do not include immovable assets located on reserves as defined in the Indian Act, works of art, museum collection and Crown land to which no acquisition cost is attributable; and intangible assets.
Inventories are valued at cost and are comprised of spare parts and supplies held for future program delivery and are not primarily intended for resale. Inventories that no longer have service potential are valued at the lower of cost or net realizable value.
(g) Measurement uncertainty
The preparation of these financial statements requires management to make estimates and assumptions that affect the reported and disclosed amounts of assets, liabilities, revenues and expenses reported in the financial statements and accompanying notes at March 31. The estimates are based on facts and circumstances, historical experience, general economic conditions and reflect the Government’s best estimate of the related amount at the end of the reporting period. The most significant items where estimates are used are contingent liabilities, the liability for employee future benefits and the useful life of tangible capital assets. Actual results could significantly differ from those estimated. Management’s estimates are reviewed periodically and, as adjustments become necessary, they are recorded in the financial statements in the year they become known.
(h) Related party transactions
Related party transactions, other than inter-entity transactions, are recorded at the exchange amount.
Inter-entity transactions are transactions between commonly controlled entities. Inter-entity transactions, other than restructuring transactions, are recorded on a gross basis and are measured at the carrying amount, except for the following:
Services provided on a recovery basis are recognized as revenues and expenses on a gross basis and measured at the exchange amount.
Certain services received on a without charge basis are recorded for departmental financial statement purposes at the carrying amount.
3. Parliamentary authorities
NSIRA receives most of its funding through annual Parliamentary authorities. Items recognized in the Statement of Operations and Departmental Net Financial Position and the Statement of Financial Position in one year may be funded through Parliamentary authorities in prior, current or future years. Accordingly, NSIRA has different net results of operations for the year on a government funding basis than on an accrual accounting basis. The differences are reconciled in the following tables:
(a) Reconciliation of net cost of operations to current year authorities used
(in thousands of dollars)
2023
2022
Net cost of operations before government funding and transfers
19,586
16,165
Adjustments for items affecting net cost of operations but not affecting authorities:
Amortization of tangible capital assets
(664)
(528)
Services provided without charge by other government departments
(1,265)
(1,242)
Increase / (decrease) in vacation pay and compensatory leave
(76)
(341)
Increase / (decrease) in employee future benefits
(1)
88
Refund of prior years’ expenditures
6
41
Total items affecting net cost of operations but not affecting authorities
(2,000)
(1,982)
Adjustments for items not affecting net cost of operations but affecting authorities
Acquisition of tangible capital assets
755
3,114
Increase / (decrease) in prepaid expenses
(65)
(22)
Accounts receivable and advances
13
15
Total items not affecting net cost of operations but affecting authorities
703
3,107
Current year authorities used
18,289
17,290
(b) Authorities provided and used
(in thousands of dollars)
2023
2022
Authorities provided:
Vote 1 – Operating expenditures
28,074
30,851
Statutory amounts
1,300
1,176
Less:
Lapsed: Operating
(11,085)
(14,737)
Current year authorities used
18,289
17,290
4. Accounts payable and accrued liabilities
The following table presents details of NSIRA’s accounts payable and accrued liabilities.
(in thousands of dollars)
2023
2022
Accounts payable – Other government departments and agencies
425
436
Accounts payable – External parties
1,008
784
Total accounts payable
1,433
1,220
Total accounts payable and accrued liabilities
1,433
1,220
5. Employee future benefits
(a) Pension benefits
NSIRA’s employees participate in the Public Service Pension Plan (the ”Plan”), which is sponsored and administered by the Government of Canada. Pension benefits accrue up to a maximum period of 35 years at a rate of two percent per year of pensionable service, times the average of the best five consecutive years of earnings. The benefits are integrated with Canada/Québec Pension Plan benefits and they are indexed to inflation.
Both the employees and the Agency contribute to the cost of the Plan. Due to the amendment of the Public Service Superannuation Act following the implementation of provisions related to Economic Action Plan 2012, employee contributors have been divided into two groups – Group 1 related to existing plan members as of December 31, 2012 and Group 2 relates to members joining the Plan as of January 1, 2013. Each group has a distinct contribution rate.
The 2022-23 expense amounts to $1,178,731 ($1,072,922 in 2021-22). For Group 1 members, the expense represents approximately 1.02 times (1.01 times in 2021-22) the employee contributions and, for Group 2 members, approximately 1.00 times (1.00 times in 2021-22) the employee contributions.
NSIRA’s responsibility with regard to the Plan is limited to its contributions. Actuarial surpluses or deficiencies are recognized in the Consolidated Financial Statements of the Government of Canada, as the Plan’s sponsor.
(b) Severance benefits
Severance benefits provided to NSIRA’s employees were previously based on an employee’s eligibility, years of service and salary at termination of employment. However, since 2011 the accumulation of severance benefits for voluntary departures progressively ceased for substantially all employees. Employees subject to these changes were given the option to be paid the full or partial value of benefits earned to date or collect the full or remaining value of benefits upon departure from the public service. By March 31, 2018, substantially all settlements for immediate cash out were completed. Severance benefits are unfunded and, consequently, the outstanding obligation will be paid from future authorities.
The changes in the obligations during the year were as follows:
(in thousands of dollars)
2023
2022
Accrued benefit obligation – Beginning of year
228
316
Expense for the year
1
(7)
Benefits paid during the year
–
(81)
Accrued benefit obligation – End of year
229
228
6. Accounts receivable and advances
The following table presents details of NSIRA’s accounts receivable and advances balances:
2023
2022
Receivables – Other government departments and agencies
454
546
Receivables – External parties
40
60
Employee advances
24
31
Net accounts receivable
518
637
7. Tangible capital assets
Amortization of tangible capital assets is done on a straight-line basis over the estimated useful life of the asset as follows:
Asset Class
Amortization Period
Informatics hardware
3 to 10 years
Other equipment
3 to 30 years
Leasehold improvements
Over the useful life of the improvement or the lease term, whichever is shorter
Assets under construction
once in service, in accordance with asset type
(in thousands of dollars)
Cost
Accumulated Amortization
Net Book Value
(1) Adjustments include assets under construction that were transferred to the other categories upon completion of the assets.
Capital Asset Class
Opening Balance
Acquisitions
Adjustments (1)
Disposal and Write- Offs
Closing Balance
Opening Balance
Amortization
Adjustments (1)
Disposals and Write- Offs
Closing Balance
2022
2021
Restated (Note 11)
Informatics hardware
335
–
–
–
335
267
40
–
–
307
28
68
Other equipment
1,124
–
–
–
1,124
422
121
–
–
543
581
703
Leasehold improvements
1,005
–
–
–
1,005
335
503
–
–
838
167
670
Assets under construction
3,293
755
–
–
4,048
–
–
–
–
–
4,048
3,293
Total
5,757
755
–
–
6,512
1,024
664
–
–
1,688
4,824
4,734
8. Contractual obligations
The nature of the NSIRA’s activities may result in some large multi-year contracts and obligations whereby NSRIA will be obligated to make future payments in order to carry out its programs or when the services/goods are received. Significant contractual obligations that can be reasonably estimated are summarized as follows:
2024
2025
2026
2027
2028
2029 and subsequent
Total
Acquisition of goods and services
4,725
45
45
45
45
–
4,905
Total
4,725
45
45
45
45
–
4,905
9. Difference between planned and actual spending
The difference between planned and actual spending is mostly due to the lingering impacts of the pandemic on the Secretariat’s ability to progress with its facilities fit-up and expansion plans, as well as on its planned spending on internal services infrastructure and systems. The project has, due to its complexity, supply chain challenges, and compliancy requirements, seen the delivery date pushed back to summer of 2024.
10. Related party transactions
NSIRA is related as a result of common ownership to all government departments, agencies, and Crown corporations. Related parties also include individuals who are members of key management personnel or close family members of those individuals, and entities controlled by, or under shared control of, a member of key management personnel or a close family member of that individual.
NSIRA enters into transactions with these entities in the normal course of business and on normal trade terms.
During the year, NSIRA received common services which were obtained without charge for other government departments as disclosed below.
(a) Common services provided without charge by other government departments
During the year, the NSIRA received services without charge from certain common service organizations, related to accommodation and the employer’s contribution to the health and dental insurance plans. These services provided without charge have been recorded at the carrying value in NSIRA’s Statement of Operations and Departmental Net Financial Position as follows:
(in thousands of dollars)
2023
2022
Accommodation
500
486
Employer’s contribution to the health and dental insurance plans
765
756
Total
1,265
1,242
The Government has centralized some of its administrative activities for efficiency, cost-effectiveness purposes and economic delivery of programs to the public. As a result, the Government uses central agencies and common service organizations so that one department performs services for all other departments and agencies without charge. The costs of these services, such as the payroll and cheque issuance services provided by Public Services and Procurement Canada and audit services provided by the Office of the Auditor General are not included in the Department’s Statement of Operations and Departmental Net Financial Position.
(b) Other transactions with other government departments and agencies
2023
2022
Expenses
7,324
6,844
11. Segmented information
Presentation by segment is based on the Department’s core responsibility. The presentation by segment is based on the same accounting policies as described in the Summary of significant accounting policies in Note 2. The following table presents the expenses incurred and revenues generated for the main core responsibilities, by major object of expense and by major type of revenue. The segment results for the period are as follows:
National Security and Intelligence Reviews and Complaints Investigations
Internal Services
2023
2022
Expenses
Salaries and employee benefits
7,817
3,200
11,017
10,282
Professional and special services
250
3,422
3,672
3,470
Accommodation
–
519
519
505
Transportation and communications
226
138
364
213
Information
4
13
17
69
Acquisition of machinery and equipment
–
47
47
354
Repair and maintenance
–
3,643
3,643
3,091
Amortization of tangible capital assets
–
664
664
528
Rental
–
215
215
130
Utilities, materials and supplies
2
37
39
30
Other
60
(671)
(611)
(2,507)
Total expenses
8,359
11,227
19,586
16,165
Net cost from continuing operations
8,359
11,227
19,586
16,165
Annex to the Statement of Management Responsibility Including Internal Control over Financial Reporting for Fiscal Year 2021-22 (unaudited)
1. Introduction
This document provides summary information on measures taken by the National Security Intelligence Review Agency (NSIRA) to maintain an effective system of internal control over financial reporting (ICFR) including information on internal control management, assessment results and related action plans.
Detailed information on NSIRA authority, mandate, and programs can be found in our Departmental Plan for the 2022 to 2023 fiscal year and our Departmental Results Report for the 2022 to 2023 fiscal year.
2. Departmental system of internal control over financial reporting
In support of an effective system of internal control, NSIRA conducted self-assessments of key control areas that were identified to be assessed in the 2022 to 2023 fiscal year. A summary of the assessment results and action plan is provided in subsection B.2.
NSIRA completed the assessment of key control areas as indicated in the following table. A summary of the results, action plans, and additional details are also provided.
2.1 Service Arrangements relevant to financial statements
NSIRA relies on other organizations for the processing of certain transactions that are recorded in its financial statements, and relies on these service providers to ensure an adequate system of ICFR is maintained over services provided to NSIRA.
Common Arrangements:
Public Services and Procurement Canada, which administers the payment of salaries and the procurement of goods and services, and provides accommodation services
Shared Services Canada, which provides IT infrastructure services
Treasury Board of Canada Secretariat, which provides information on public service insurance and centrally administers payment of the employer’s share of contributions toward statutory employee benefit plans
Readers of this annex may refer to the annexes of the above-noted departments for a greater understanding of the systems of internal control over financial reporting related to these specific services.
Specific Arrangements:
Prior to fiscal 2021-22, in accordance to a Memorandum of Understanding (MOU) between the two organizations, NSIRA relied on the Privy Council Office (PCO) for the performance of financial services, including relevant control measures. Effective, April 1, 2021, NSIRA entered into a new MOU with PCO, which reflected a shift whereby NSIRA would work towards financial services self-sufficiency, by fiscal 2022-23 (including a transition period over fiscal 2021-22).
Treasury Board of Canada Secretariat provides the agency with a SAP financial system platform to capture and report all financial transactions and a PeopleSoft human resources system platform to manage pay and leave transactions
2.2 Assessment results for the 2022 to 2023 fiscal year
NSIRA completed the assessment of key control areas as indicated in the following table. A summary of the results, action plans, and additional details are also provided.
Key Control Areas
Remediation required
Summary results and action plan
Delegation
Yes
Internal controls are functioning as intended, no action plan required.
Transfer Payments
N/A
Not applicable
With respect to the key control areas of the delegation of spending and financial authorities, controls related to spending and financial authorities were functioning well and form an adequate basis for the department’s system of internal control.
3. Departmental action plan
Assessment Plan
NSIRA will assess the performance of its system of internal control by focusing on key control areas over a cycle of years as shown in the following table.
The CSE Act provided CSE with the authority to conduct Active and Defensive Cyber Operations (ACO/DCO). As defined by the Act, a DCO stops or impedes foreign cyber threats from Canadian federal government networks or systems deemed by the Minister of National Defence (MND) as important to Canada. On the other hand, ACOs intend to limit an adversary’s ability to affect Canada’s international relations, defence, or security. ACO/DCOs are authorized by Ministerial Authorizations (MA) and, due to the potential impact on Canadian foreign policy, require the Minister of Foreign Affairs (MFA) to either consent or be consulted on ACO and DCO MAs respectively.
In this review, NSIRA set out to assess the governance framework that guides the conduct of ACO-DCOs, and to assess if CSE appropriately considered its legal obligations and the foreign policy impacts of operations. NSIRA analyzed policies and procedures, governance and operational documentation, and correspondence within and between CSE and GAC. The review began with the earliest available materials pertaining to ACO/DCOs and ended concurrently with the validity period of the first ACO/DCO Ministerial Authorizations.
NSIRA incorporated GAC into this review given its key role in the ACO/DCO governance structure arising from the legislated requirement for the role of the MFA in relation to the MAs. As a result, NSIRA was able to gain an understanding of the governance and accountability structures in place for these activities by obtaining unique perspectives from the two departments on their respective roles and responsibilities.
The novelty of these powers required CSE to develop new mechanisms and processes while also considering new legal authorities and boundaries. NSIRA found that considerable work has been conducted in building the ACO/DCO governance structure by both CSE and GAC. In this context, NSIRA has found that some aspects of the governance of can be improved by making them more transparent and clear.
Specifically, NSIRA found that CSE can improve the level of detail provided to all parties involved in the decision-making and governance of ACO/DCOs, within documents such as the MAs authorizing these activities and the operational plans that are in place to govern their execution. Additionally, NSIRA found that CSE and GAC have not sufficiently considered several gaps identified in this review, and recommended improvements relating to:
The need to engage other departments to ensure an operation’s alignment with broader Government of Canada priorities,
The lack of a threshold demarcating an ACO and a pre-emptive DCO,
The need to assess each operation’s compliance with international law, and
The need for bilateral communication of newly acquired information that is relevant to the risk level of an operation.
The gaps observed by NSIRA are those that, if left unaddressed, could carry risks. For instance, the broad and generalized nature of the classes of activities, techniques, and targets [**redacted**] ACO/DCOs can capture unintended [**redacted**] activities and targets. Additionally, given the difference in the required engagement of GAC in ACOs and DCOs, misclassifying what is truly an ACO as a pre-emptive DCO could result in a heightened risk to Canada’s international relations through the insufficient engagement of GAC.
While this review focused on the governance structures at play in relation to ACO/DCOs, of even greater importance is how these structures are implemented, and followed, in practice. We have made several observations about the information contained within the governance documents developed to date, and will subsequently assess how they are put into practice as part of our forthcoming review of ACO/DCOs.
The information provided by CSE has not been independently verified by NSIRA. Work is underway to establish effective policies and best practices for the independent verification of various kinds of information, in keeping with NSIRA’s commitment to a ‘trust but verify’ approach.
Authorities
This review was conducted pursuant to paragraphs 8(1)(a) and 8(1)(b) of the National Security and Intelligence Review Agency (NSIRA) Act.
Introduction
Review background and methodology
With the coming into force of the CSE Act on August 1, 2019, CSE received the authority to independently conduct Active and Defensive Cyber Operations (“Active and Defensive Cyber Operations,” or ACO/DCOs henceforth) for the first time. While initial briefings on the subject in late fall of 2019 conveyed to NSIRA [**relates to CSE operations**] CSE later explained that [**redacted**].In this context, NSIRA will be assessing ACO/DCOs in a staged approach. The objective of this review is to better understand CSE’s development of a governance structure for ACO/DCOs. NSIRA will follow up with a subsequent review of the operations. This subsequent review is underway, with completion expected in 2022.
This review pertained to the structures put in place by CSE to govern the conduct of ACO/DCOs. Governance in this context can pertain to the establishment of processes to guide and manage planning, inter-departmental engagement, compliance, training, monitoring, and other overarching issues that affect the conduct of ACO/DCOs. NSIRA recognizes that these structures may be revised over time based on lessons learned from operations. Canada’s allies, who have had similar powers to conduct cyber operations for many years, [**relates to foreign partners’ capabilities**]. In this context, as its objectives, NSIRA sought out to determine if, in developing a governance structure for ACO/DCOs at this early stage, CSE appropriately considered and defined its legal obligations, and the foreign policy and operational components of ACO/DCOs.
As part of this governance review, NSIRA assessed policies, procedures, governance and operational planning documents, risk assessments, and correspondence between CSE and GAC (whose key role in this process is described below). NSIRA reviewed the earliest available materials relating to the development of the ACO/DCO governance structure, with the review period ending concurrent with the validity period of the first ACO/DCO Ministerial Authorizations on August 24, 2020. As such, the findings and recommendations made throughout this report pertain to the governance structure as it was presented during the period of review.
What are Active and Defensive Cyber Operations?
As defined in the CSE Act, Defensive Cyber Operations (DCOs) are those that stop or impede foreign cyber threats before they reach Canadian federal government systems or networks and systems designated by the Minister of National Defence (MND) as being of importance to Canada, such as Canada’s critical infrastructures and registered political parties. Active Cyber Operations (ACOs), on the other hand, allow the government to use CSE’s online capabilities to undertake a range of activities in cyberspace that limit an adversary’s ability to negatively impact Canada’s international relations, defence, or security, without their knowledge or consent. ACOs can include, for example, activities that disable communications devices used by a foreign terrorist network to communicate or plan attacks. The impacts of ACO/DCOs, [**relates to CSE operations**] of an ACO/DCO.
To conduct ACO/DCOs, CSE relies on its existing access to the global information infrastructure (GII), foreign intelligence expertise, and domestic and international partnerships to obtain relevant intelligence to support the informed development of ACO/DCOs. Activities conducted under CSE’s foreign intelligence and cybersecurity mandates allow CSE to gather information related to the intent, plans, and activities of actors seeking to disrupt or harm Canadian interests. According to CSE, the preliminary gathering of intelligence, capability development, [**redacted**] comprises the majority of the work necessary to conduct an ACO/DCO whereas the resulting activity in cyberspace is considered to be [**redacted**] of the task.
Legal foundation for conducting cyber operations
The CSE Act provides the legal authority for CSE to conduct ACO/DCOs, and these aspects of the mandate are described in the Act as per Figure 1. The ministerial authorization regime in the CSE Act provides CSE with the authority to conduct the activities or classes of activities listed in section 31 of the CSE Act in furtherance of the ACO/DCO aspects.
Defensive Cyber Operations (DCOs)
Section 18 of the CSE Act
The defensive cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to help protect
(a) federal institutions’ electronic information and information infrastructures; and
(b) electronic information and information infrastructures designated … as being of importance to the Government of Canada.
Active Cyber Operations (ACOs)
Section 19 of the CSE Act
The active cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to, or interfere with the capabilities, intentions, or activities of a foreign individual, state, organization, or terrorist group as they relate to international affairs defence or security.
Importantly, the Act limits ACO/DCOs in that they cannot be directed at Canadians or any person in Canada and cannot infringe on the Charter of Rights and Freedoms; nor can they be directed at any portion of the GII within Canada.
ACO/DCOs must be conducted under a Ministerial Authorization (MA) issued by the MND under subsection 29(1) (DCO) or under subsection 30(1) (ACO) of the CSE Act. ACO/DCO MAs permit CSE to conduct ACO/DCO activities despite any other Act of Parliament or of any foreign state. In order to issue an MA, the MND must conclude that there are reasonable grounds to believe that any activity is reasonable and proportionate, and must also conclude that the objective of the cyber operation could not reasonably be achieved by other means. In addition, the MND must consult with the Minister of Foreign Affairs (MFA) in order to issue DCO MAs, and must obtain the MFA’s consent in order to issue ACO MAs. Any authorized ACO/DCO activities cannot cause, intentionally or by criminal negligence, death or bodily harm to an individual; or willfully attempt in any manner to obstruct, pervert, or defeat the course of justice or democracy. Importantly, unlike the MAs issued under the foreign intelligence, and cybersecurity and information assurance aspects of CSE’s mandate, ACO and DCO MAs are not subject to approval by the Intelligence Commissioner.
In addition to the ACO/DCO aspects of its mandate, CSE may also conduct ACO/DCO activities through technical and operational assistance to other Government of Canada (GC) departments. CSE may assist federal law enforcement and security agencies (LESAs) for purposes such as preventing criminal activity, reducing threats to the security of Canada, and supporting GC- authorized military missions. When providing assistance, CSE operates entirely within the legal authorities and associated limitations of the department requesting the assistance. Similarly, persons acting on CSE’s behalf also benefit from the same exemptions, protections and immunities as persons acting on behalf of the requesting LESAs. These assistance activities will be reviewed in subsequent NSIRA reviews.
In addition to the CSE Act, international law forms part of the legal framework in which ACO/DCO activities are conducted. Customary international law is binding on CSE’s activities, as Canadian law automatically adopts customary international law through the common law, unless there is conflicting legislation.
NSIRA notes that international law in cyberspace is a developing area. There is limited general state practice, or opinio juris (i.e, state belief that such practice amounts to a legal obligation), or treaty law, which elaborates on how international law applies in the cyber context. Moreover, while Canada has publically articulated that international law applies in cyberspace, it has not articulated a position on how it believes international law applies in cyberspace. At the same time, Canada has committed to building a common understanding between states of agreed voluntary non-binding norms of responsible state behaviour in cyberspace. NSIRA will closely monitor this emerging area of international law, including State practice in relation to CSE’s ACO/DCO activities – particularly in assessing CSE and GAC’s consideration of applicable international law as part of our subsequent review of ACO/DCOs.
Policy framework guiding cyber operations
Development of GAC-CSE framework for consultation
Conducting ACO/DCOs may elevate risks to Canada’s foreign policy and international relations. While CSE’s foreign intelligence mandate seeks only to collect information, ACO/DCOs [**redacted**]. As GAC is the department responsible for Canada’s international affairs and foreign policy, the MFA has a legislated role to play in consenting to MND’s issuance of an ACO Ministerial Authorization.
As directed by the MFA, CSE and GAC worked together to develop a framework for collaboration on matters related to ACO/DCOs. CSE and GAC began to engage on these matters before the coming into force of the CSE Act to proactively address the consultation and consent requirements embedded in the Act. Together, CSE and GAC have developed various interdepartmental bodies related to ACO/DCOs to facilitate consultation at different levels, including working groups at the levels of Director General and Assistant Deputy Minister.
CSE Governance Structure
CSE’s Mission Policy Suite (MPS) details the authorities in place to guide ACO/DCOs, prohibited activities when conducting ACO/DCOs and guidance in interpreting these prohibitions, as well as the governance framework to oversee the development and conduct of ACO/DCOs – known as the Joint Planning and Authorities Framework (JPAF). The general structure of this governance framework and process is intended to be used for all ACO/DCOs, irrespective of their risk-level. However, depending on the risk level of the operations, the framework sets out the specific approval levels.
During the period of review, the JPAF comprised several components required to plan, approve, and conduct cyber operations. The primary planning instrument for ACO/DCOs was [**relates to CSE operations**] that detailed the [**redacted**] identified [**redacted**] and highlighted risks and mitigations. [**redacted**] is used to determine and enumerate a range of risks associated with any new activity. In this period, CSE developed [**redacted**] NSIRA also received these documents [**redacted**] that fell slightly outside the review period, but provided relevant insight into the governance structure at the operation level.
Two primary internal working groups exist to evaluate and approve CSE’s internal plans for ACO/DCOs. The Cyber Operations Group (COG) is a Director-level approval body composed of key stakeholders and is chaired by the Director of the operational area that has initiated or sponsored a cyber operations request. The role of the COG is to review the operational plan and assess any associated risks and benefits. The COG may approve a [**redacted**] or may defer approval to the CMG as appropriate. The Cyber Management Group (CMG) is a Director General (DG) level approval body that is formed [**redacted**] has been reviewed and recommended by the COG.
CSE then develops the [**relates to CSE operations**] is reviewed internally to ensure it aligns [**redacted**] and is later approved at the Director level, although CSE has indicated it could be subject to delegation to a Manager.
Findings and Recommendations
Clarity of Ministerial Authorizations
NSIRA set out to assess whether the requirements of the CSE Act in relation to ACO/DCOs are appropriately reflected in the MND’s MAs authorizing ACO/DCO activities, and that CSE appropriately consulted or received the consent of the MFA, as required by the Act.
NSIRA reviewed two MAs related to ACOs and DCOs, respectively, which were valid from [**redacted**]. Notably, both MAs only approved [**redacted**] ACO/DCOs. Additionally, NSIRA reviewed documentation supporting the MAs, including the Chief’s Applications to the MND and the associated confirmation letters from the MFA, as well as working- level documents and correspondence provided by both CSE and Global Affairs Canada (GAC).
The MAs examined by NSIRA outlined the new authorities found in the CSE Act, and set conditions on how ACO/DCOs are to be conducted, including the prohibitions that are found in the Act. Additionally, the MAs required that ACO/DCO activities align with Canada’s foreign policy priorities and respond to Canada’s national security, foreign, and defence policy priorities as articulated by the GC.
Supporting cyber operations with information collected under previous authorizations
CSE received its authority to conduct ACO/DCOs during a time when CSE’s collection of foreign signals intelligence (SIGINT) was authorized by MAs issued under the National Defence Act (NDA). [**redacted**]. CSE confirmed to NSIRA that the ACO/DCOs [**redacted**] relied solely on information collected under CSE Act MAs. CSE explained that [**redacted**] NSIRA will confirm this as part of our subsequent review of specific ACO/DCOs.
CSE’s consultation with the Minister of Foreign Affairs
CSE provided GAC with the full application packages for the ACO/DCO MAs in place during the review period. Further, GAC and CSE officials engaged at various levels prior to the coming into force of the CSE Act, and during the development of the MAs – particularly in assessing the classes of activities authorized within them. In response to CSE’s MA application package, the MFA provided letters acknowledging her consultation and consent on the DCO and ACO MAs respectively. NSIRA welcomes this early and rigorous engagement on the part of both departments, given the intersection of their respective mandates in the context of ACO/DCOs.
Both letters from the MFA note the utility of ACO/DCOs [**redacted**] for the GC, articulating the importance of approaching this capability with caution in the initial stages. Notably, the MFA highlights the “carefully defined” classes of activities defined in the ACO MA as assurance that the activities authorized under the MA presented [**redacted**]. Finally, the MFA directed her officials to work with CSE to establish a framework for collaboration on [**redacted**] This direction from the MFA aligns with GAC’s view of the importance of ensuring CSE’s activities would be coherent with Canada’s foreign policy, and that either the MA or another mechanism should provide for that.
Scope and breadth of the Ministerial Authorizations
[**relates to CSE operational policy**] ACO MA issued under section 31 of the CSE Act authorized classes of activities such as:
[**redacted**] interfering with a target’s [**redacted**] or elements of the global information infrastructure (GII);
[**redacted**]
[**redacted**]
disrupting a cyber threat actor’s ability to use certain infrastructure.
[**redacted**] DCO MA authorized the same activities, except for the last class of activities, [**relates to CSE operations**].
Both of the ACO/DCO MAs required CSE to conduct ACO/DCOs [**in a certain way**]. According to the ACO MA, it is these conditions, if met, that would make ACO/DCOs conducted under these MAs [**redacted**]. While GAC assesses While GAC assesses foreign policy risks at a more operational level, the MAs developed in the review period only required these two conditions to be met when conducting ACOs or DCOs. Further, the specifics of how to meet these broad conditions are left to CSE’s discretion, and the MA only requires CSE to self-report this. NSIRA further notes that these conditions do not include foreign policy variables, [**redacted**]. To confirm [**redacted**] foreign policy risk associated with an operation, NSIRA believes it is important that the MAs stipulate the calculation of foreign policy risk factors.
[**redacted**] stating that:
[**redacted**]
CSE appears to have responded to [**relates to CSE operations**]. This may also impact the Minisiter’s ability to assess any authorized activities as stipulated in the CSE Act, which requires sufficient precision in an MA application for the Minister to satisfy these requirements.
The classes of ACO/DCO activities, some of which are detailed in paragraph 27, are highly generalized. For instance, nearly any activity conducted in cyberspace can be feasibly classed as [**redacted**] interfering with elements of the global information infrastructure.” [**relates to CSE operations**]
Indeed, early discussions between CSE and GAC highlighted that the activity of [**redacted**] and content “raises difficult questions,” though NSIRA notes that such an activity is nevertheless authorized in the final ACO MA in the activity class of [**redacted**]. In short, the authorization for a class of activities [**redacted**] was incorporated into an even broader class of activities, without any evident [**redacted**] previously associated with it. This type of categorization does not sufficiently communicate information to the Minister to appreciate [**redacted**] activities that could be carried out under the MA.
By contrast, the techniques and associated examples outlined in the Applications are the only means through which it is clarified what types of activities could be taken as part of an ACO/DCO. These examples provide the basis for the MND to assess the classes of activities requested in the MA. Early correspondence between CSE and GAC saw the classes of activities described and analyzed in tandem with the techniques that would enable them. For instance, it was noted that [**relates to CSE operations**] which NSIRA found more informative with respect to what specific actions were captured within the class of activities. NSIRA further notes that even these techniques and examples are described in the Applications as a non-exhaustive list, potentially enabling CSE to conduct activities that are not clearly outlined in the Applications.
Similarly, the target of ACO/DCO activities is typically identified as ‘foreign actor,’ which could encompass a wide range of [**redacted**] In the early stages of MA development, CSE and GAC had discussed [**relates to CSE operations**] within the MAs, and GAC specified that the intent of [**redacted**] was to focus on [**redacted**] given the [**redacted**]. GAC also noted that the ACO MA “would [more] clearly define [**redacted**] to some extent. Neither of these considerations were reflected in the final [**redacted**] MAs, which CSE explained “are not limited to activities [**redacted**] meaning that [**redacted**]. NSIRA believes that the MAs should carefully define targets of ACO/DCO activities [**redacted**]. ACO/DCOs to specific target sets [**redacted**] to ensure that the activities permitted by the MA are reflective of its [**redacted**].
NSIRA notes that only the MAs, and not the associated Applications, authorize CSE to conduct its activities. As such, the exclusion of this information from the MAs means that only the broad classes of activities, as described in the MAs, guide the actions that CSE can take in conducting an ACO/DCO, and not the techniques and examples in the Applications that help justify the standard on which the risk of the activities is based. NSIRA does not believe that the classes of activities as described within the MAs sufficiently limit CSE’s activities [**relates to CSE operations**]. Even though, as explained by GAC, interdepartmental consultative processes between the two departments may serve as a mechanism to limit CSE’s activities, these processes were not explicitly recorded in the MAs authorizing them. NSIRA believes more precise ACO/DCO MAs will minimize the potential for any misunderstanding regarding the specific activities authorized.
The approach of specifying broad classes of activities is in line with CSE’s general practice of obtaining broad approvals from senior levels such as the Minister, with more specific internal controls guiding the operations to be conducted within the scope of the approved activity. According to GAC, it tends to rely on more specific approvals based on the [**redacted**] for which approval is sought. CSE offered that its approach allows CSE to obtain approval for activities in such a way that “enables flexibility to maximize opportunities, but with enough caveats to ensure risks are appropriately mitigated.”
While NSIRA acknowledges that MAs should be reasonably nimble to enable CSE to conduct [**redacted**]. ACO/DCOs should the need arise, it is important that CSE does not conduct activities that were not envisioned or authorized by either the MND or MFA in the issuance of the applicable MAs. NSIRA believes that in the context of [**redacted**] ACO/DCOs, CSE can adopt a more transparent approach that would make clearer the classes of activities it requests the Minister to authorize. This is especially important given the early stage of CSE’s use of these new authorities. By authorizing more precise classes of activities, associated techniques, and intended target sets ACO/DCOs would be less likely to [**redacted**] of the MAs.
CSE has stated that, “being clear about objectives is critical for demonstrating reasonableness and proportionality.” NSIRA shares this view, and believes that the classes of activities and the objectives described in the MAs and their associated Applications should be more explicit for the MND to be able to conclude on reasonableness and proportionality of ACO/DCOs – particularly given that the MAs assessed as part of this review were not specific to an operation. As part of the Authorization, the Minister also requires CSE to provide a quarterly retroactive report on the activities conducted. Moreover, to issue an authorization, the MND must be satisfied that the activities are reasonable and proportionate, and that there are reasonable grounds to believe that the objective of the cyber operation could not reasonably be achieved by other means. This requirement further points toward a need for the MND to appreciate, with a certain degree of specificity, the types of activities and objectives that will be carried out under the authorization.
In both of the MAs reviewed, the Minister concluded that the requirements set out within s. 34(4) of the CSE Act are met. Further, the MAs set out the objectives to be met in the conduct of ACO/DCOs. However, the rationale offered that the objectives could not be reasonably achieved by other means within the ACO MA is quite broad and focuses on general mitigation strategies for cyber threat activities. The paucity of detail provided to the Minister under the current framework could make it challenging for the MND to meet this legislative requirement. In relation to the thresholds of s. 34(4) of the CSE Act, CSE has indicated that “the application for the Authorization, must set out the facts that explain how each of the activities described in the Authorization are part of a larger set of individual activities or part of a class of activities that achieves an objectives that could not reasonably be achieved by other means.” In our subsequent review of ACO/DCOs, NSIRA will assess whether specific ACO/DCOs aligned with the objectives of the MA, and CSE’s determination that they could not have reasonably been achieved by other means.
Finding no. 1: The Active and Defensive Cyber Operations Ministerial Authorization Applications do not provide sufficient detail for the Minister(s) to appreciate the scope of the classes of activities being requested in the authorization. Similarly, the Ministerial Authorization does not sufficiently delineate precise classes of activities, associated techniques, and intended target sets to be employed in the conduct of operations.
Finding no. 2: The assessment of the foreign policy risks required by two conditions within the Active and Defensive Cyber Operations Ministerial Authorizations relies too much on technical attribution risks rather than characteristics that reflect Government of Canada’s foreign policy.
Recommendation no. 1: CSE should more precisely define the classes of activities, associated techniques, and intended target sets to be undertaken for Active and Defensive Cyber Operations as well as their underlying rationale and objectives, both in its Applications and associated Ministerial Authorizations for these activities.
Recommendation no. 2: GAC should include a mechanism to assess all relevant foreign policy risk parameters of Active and Defensive Cyber Operations within the associated Ministerial Authorizations.
[**redacted**] approach to MA application development
During the review period, CSE only developed MA applications for what it considered [**redacted**]. ACO/DCOs, which were first prioritized for development [**related to CSE operations**]. As CSE’s capacity to conduct ACO/DCOs matures and it begins to [**redacted**]. NSIRA has observed CSE and GAC exploring the idea of [**redacted**] ACOs, which, if pursued, would [**redacted**] based on GAC’s methodology.
While the MAs obtained to date, which are not specific to an operation, allow CSE to act in [**redacted**]. NSIRA believes their generalized nature is not transferable to [**potential MAs of a different nature**]. For instance, [**description of an NSIRA concern about the Minister’s ability to filly assess certain factors about cyber operations in a certain context**]. In the context of the development of the 2019-20 ACO MA Application, GAC noted, “other purposes would require other MAs. They will not be completely general; they will be specific to a context.
Further, under the current legislative scheme, the MA Applications are a key mechanism through which the MFA has an opportunity to assess ACO/DCO activities. Because of the [**redacted**] ACO/DCOs to Canada’s foreign policy and international relations, NSIRA believes the MFA should be more directly involved in their development and execution at the Ministerial level, in addition to the working level engagement that takes place between CSE and GAC. Both Ministers can more effectively take accountability for such operations through individual MAs that provide specific details relating to the operation, its rationale, and the activities, tools, and techniques that will enable it. As such, when CSE [**redacted**] ACOs, NSIRA encourages CSE to develop MA Applications that are specific to these operations, and ensure these documents contain all the pertinent operational details that would allow each Minister to fully assess the implications and risks of each cyber operation and take accountability for it.
Strategic direction for cyber operations
Section 19 of the CSE Act directs CSE’s authority to conduct ACOs in relation to international affairs, defence, or security, all areas that could implicate the responsibility of other departments. Additionally the MAs reviewed by NSIRA require that ACOs “align with Canada’s foreign policy and respond to national security, foreign, and defence policy priorities as articulated by the Government of Canada.” The setting of these priorities involve a wide range of GC departments, including the Privy Council Office (PCO), the Department of National Defence (DND), and Public Safety Canada (PS) – which are responsible for coordination and oversight of different parts of priority setting in this context. Throughout this governance review, it emerged that CSE confirms compliance with these requirements with a statement that the MA meets broader GC priorities with no elaboration of how these priorities are met.
Interdepartmental GC processes are not new in the context of coordinating national security activities and operations. As one example, when the MFA requires foreign intelligence collection within Canada, he or she submits a request to the Minister of Public Safety for this collection to be facilitated by the Canadian Security Intelligence Service (CSIS) in accordance with section 16 of the CSIS Act. A Committee consisting [**redacted**] subsequently considers this type of request. The Committee considers issues at the Assistant Deputy Minister level, [**relates to GC decision making processes**]. Similarly, ensuring an ACO’s alignment with broader priorities and that it could not reasonably be achieved by other means can also be confirmed through an interdepartmental process. In other words, interdepartmental consultations are a means to assess the objectives of ACOs, their alignment with broader GC priorities, as well as whether there are other means by which to achieve the set objectives, as required by the CSE Act.
The setting of broader GC priorities and objectives for ACOs emerged as a key component of the governance structure for this new power in early discussions between CSE and GAC. During the period of review, CSE developed ACOs with GAC participating in some aspects of the planning process. GAC encouraged the MFA to request the development of a governance mechanism to mitigate the risk that “CSE could decide, on their own, to engage [**redacted**] noting that [**redacted**].
Early internal GAC assessments contrast this with CSE’s foreign intelligence mandate, which responds to Cabinet-approved intelligence priorities, and captured the essence of this discrepancy in stating:
[**quotation from GAC that reflects discussion related to strategic objectives and priorities of cyber operations**]
In another instance, GAC described the setting of such priorities as an “important issue that has not yet been agreed to with CSE,” and explained its view at the time, that a body with a mandate relevant to the cyber operation should decide if it is the appropriate tool to achieve a particular objective. GAC explained that its officials eventually agreed to move forward without pursuing this matter as long as a governance mechanism was established with CSE.
In this context, s. 34(4) of the CSE Act requires that the objectives of the cyber operation could not be reasonably attained by other means, and that cyber operations respond to priorities in various subject areas. Given these requirements, NSIRA notes that GC departments, other than just CSE and GAC, may be able to provide meaningful insight regarding other options or ongoing activities that could achieve the same objectives.
Furthermore, GAC highlighted the fact that Cabinet sets the Standing Intelligence Requirements (SIRs) that limit and more narrowly direct CSE’s foreign intelligence collection activities. When asked about this issue, CSE responded that “these discussions led both GAC and CSE to agree to begin with a [**redacted**] Ministerial Authorization supported by the CSE-GAC ACO/DCO consultation structure and governance framework.”
In NSIRA’s view, the CSE Act and the ACO MA directly relate ACOs to broader GC objectives and priorities that directly implicate the mandates of departments such as DND, PCO, CSIS, and PS, in addition to those of CSE and GAC. It is not sufficient for CSE to state that an MA and its associated activities align with these priorities without elaboration or consultation of any other parties, given that Canada’s national security and defence policy priorities are under the remit or coordination of DND, PCO, and PS. These departments would be best positioned to comment on, and confirm, a specific ACO’s alignment with Canada’s goals in order to mitigate the potential risks associated with these operations and contribute to overall accountability of these operations.
[**relates to GC national security matters**] As such, the governance process merits the inclusion of – or at the very least consultation with – other departments whose mandates are to oversee Canada’s broader strategic objectives. This could ensure that Canada’s broader interests and any potential risks have been sufficiently considered and reflected in the development of ACOs.
Finding no. 3: The current governance framework does not include a mechanism to confirm an Active Cyber Operation’s (ACO) alignment with broader Government of Canada (GC) strategic priorities as required by the CSE Act and the Ministerial Authorization. While these objectives and priorities that are outside CSE and GAC’s remit alone, the two departments govern ACOs without input from the broader GC community involved in managing Canada’s overarching objectives.
Recommendation no. 3: CSE and GAC should establish a framework to consult key stakeholders, such as the National Security and Intelligence Advisor to the Prime Minister and other federal departments whose mandates intersect with proposed Active Cyber Operations to ensure that they align with broader Government of Canada strategic priorities and that the requirements of the CSE Act are satisfied.
Threshold for conducting pre-emptive DCOs
CSE differentiates between DCOs initiated in response to a cyber threat, and DCOs issued pre-emptively to prevent a cyber threat from manifesting. Further, CSE and GAC have discussed the nature of these operations, including that they exist on a spectrum ranging from operations which are responsive, to those which can be proactive in nature. Notably, in the case of DCOs, [**relates to CSE operations**].
CSE has explained that the initiation of a DCO “requires evidence of a threat that represents a source of harm to a federal institution or designated electronic information or information infrastructure.” In CSE’s view, this threat does not need to compromise the infrastructure before a DCO be initiated so long as evidence establishes a connection between the two.
At the same time, CSE has not yet developed a means to distinguish between this type of DCO and an ACO, given that discussions between GAC and CSE noted that a DCO could resemble an ACO when it is conducted proactively. Unlike ACOs, which require the consent of the MFA and result in a comprehensive engagement of GAC throughout the planning process, DCOs only require consultation with the MFA. Without a clear threshold for a proactive DCO, the potential exists for insufficient involvement of GAC in an operation that could resemble (or constitute) an ACO, [**redacted**].
In our subsequent review, we will pay close attention to the nature of any pre-emptive DCOs planned and/or conducted to ensure that they do not constitute an ACO.
Finding no. 4: CSE and GAC have not established a threshold to determine how to identify and differentiate between a pre-emptive Defensive Cyber Operation and an Active Cyber Operation, which can lead to the insufficient involvement of GAC if the operation is misclassified as defensive.
Recommendation no. 4: CSE and GAC should develop a threshold that discerns between an Active Cyber Operation and a pre-emptive Defensive Cyber Operation, and this threshold should be described to the Minister of National Defence within the applicable Ministerial Authorizations.
Collection of information as part of a cyber operation
Under s. 34(4) of the CSE Act, the MND only issues an authorization if he or she concludes that no information will be acquired under the authorization except in accordance with an authorization issued under ss. 26(1) or 27(1) or (2) or 40(1). The ACO/DCO MAs issued under the period of review reflect this restriction. The ACO/DCO MAs and corresponding applications only mention that existing foreign intelligence MAs will be used to acquire information to support ACO/DCO activities. It further articulates that no information will be acquired in the conduct of ACO/DCO activities which are authorized under the ACO MA.
However, the MAs and the supporting applications do not describe the full extent of information collection activities resulting from ACO/DCOs. According to CSE policy, CSE is still permitted to collect information [**redacted**] so long as this activity is covered under another existing MA. CSE explained that ACO/DCO MAs cannot be relied on to facilitate intelligence collection, however [**relates to CSE operations**]. For example, [**redacted**] using the applicable Foreign Intelligence (FI) authority to [**redacted**] in accordance with GC intelligence priorities.
Although the CSE Act permits CSE to acquire information pursuant to collection MAs, NSIRA believes that CSE’s policy to allow collection activities under different MAs during the conduct of cyber operations is not accurately expressed within the ACO/DCO MAs. Instead, the collection of information is listed under prohibited conduct within the ACO MA, giving the impression that collection cannot occur under any circumstances. As a result, NSIRA notes that the way in which the ACO MA is written does not provide full transparency of CSE’s own internal policies.
CSE explained that [**redacted**] during an ACO/DCO. Further, NSIRA learned from a CSE subject-matter expert (SME) that a specific [**redacted**] which outlines the precise activities to be undertaken as part of the operation, guides each ACO/DCO. [**relates to CSE operations**].
Given CSE’s policy of allowing collection and cyber operations to occur simultaneously [**redacted**]NSIRA will closely review the roles and responsibilities [**redacted**] involved in ACO/DCOs, as well as the technical aspects of using CSE’s systems in support of ACO/DCOs, in our subsequent review of specific operations conducted by CSE to date.
Finding no. 5: CSE’s internal policies regarding the collection of information in the conduct of cyber operations are not accurately described within the Active and Defensive Cyber Operations Ministerial Authorizations.
Recommendation no. 5: In its applications to the Minister of National Defence, CSE should accurately describe the potential for collection activities to occur under separate authorizations while engaging in Active and Defensive Cyber Operations.
Internal CSE Governance
NSIRA set out to assess whether CSE’s internal governance process sufficiently incorporates all the necessary considerations in the planning and execution of the operations and, whether those implicated in the conduct of ACO/DCOs (i.e. GAC and [**redacted**]) are adequately informed of the parameters and limitations pertaining to cyber operations.
During the period of review, CSE operationalized its requirements in the CSE Act and MAs through various internal planning and governance mechanisms. These ranged from strategic, high-level planning documents and mechanisms to the individual operational [**documents/mechanisms**] of each ACO/DCO.
Governance of operations
As described earlier, CSE uses various planning and governance documentation in the approval process for individual ACO/DCOs, including the [**redacted**] CSE first develops the [**redacted**] an ACO/DCO. Following this, CSE creates a [**redacted**] which outlines the risks to be considered in conducting the ACO/DCO. Additionally, the [**redacted**] and the [**redacted**] both generally include fields relating to the prohibitions set out within the CSE Act. Once a specific target is chosen, the [**redacted**] serves as the final governance document, prior to the [**redacted**] of an ACO/DCO.
Similar to the ACO/DCO MAs, as an initial operational plan, the [**redacted**] generally preapproves a set of activities and a generalized [**redacted**] which are then further refined and developed as part of the [**redacted**] process. In NSIRA’s view, [**relates to CSE operations**].
Specifically, the [**relates to CSE operations**] and other operational details that, in NSIRA’s view, surpass simply [**redacted**] and contain key components of operational planning. [**redacted**] details the specific [**redacted**]. Nonetheless, despite the [**redacted**] the [**redacted**] it may have a lower approval threshold than that of the [**redacted**].
Overall, NSIRA welcomes that CSE has developed procedures and documented its operational planning associated with ACO/DCO activities, in accordance with its requirements in the MPS. Nonetheless, the numerous governance documents that comprise the governance of ACO/DCOs exist to serve different audiences and purposes, and result in pertinent information dispersed across them, rather than being available in a unified structure for all implicated stakeholders and decision- makers to assess. NSIRA believes the many separate components of governance may be redundant and result in unnecessary ambiguity within the same operational plans that are meant to guide ACO/DCOs. Thus, NSIRA will assess the efficacy of this governance structure as it is applied to operations as part of our subsequent review.
Finding no. 6: The [**redacted**] process, which occurs after planning documents have been approved, contains information that is pertinent to CSE’s broader operational plans. The at [**redacted**] times contained pertinent information absent from these other documents, even though it is approved at a lower level of management.
Recommendation no. 6: CSE should include all pertinent information, including targeting and contextual information, within all operational plans in place for a cyber operation, and in materials it presents to GAC.
Training on the new framework for cyber operations
Both the ACO and DCO Ministerial Authorizations authorize the following classes of persons to conduct ACO/DCO activities: [**relates to CSE’s operational policy**]. The MAs further require that these “persons or classes of persons must operationally support CSE and Government of Canada intelligence requirements, and demonstrate an understanding of the relevant legal and policy requirements.”
Further demonstrating a commitment to the training and education of its operational staff of the new legal and policy requirements, CSE has stated—with respect to a specific operation—that:
The operational activities undertaken [**redacted**] who receive extensive and continuous training on their function and duties as well as the policy considerations and compliance requirements for their specific role. Additionally, [**redacted**] are trained and accountable for the activities they are carrying out, including all relevant compliance reporting requirements. [**redacted**] performing activities [**redacted**] are also provided, in advance, all related operational materials to ensure the operational conditions outlined within are understood and adhered to.
Finally, CSE explained to NSIRA that “prior to the new Act being approved, CSE provided virtual and in-person briefings on the new authorities to all of CSE’s workforce. More tailored briefings were available for operational teams.” These included presentations and question-and-answer sessions with the Deputy Chief, Policy and Communications and other briefing sessions created by CSE’s policy teams. However, NSIRA notes these types of training sessions, while educational at a high level, are not operation-specific and do not test employees understanding of their new legislative operating environment.
Based on the above requirements and assurances, NSIRA expected to find that CSE employees supporting ACO/DCOs were provided with sufficient and effective training to thoroughly understand their responsibilities in light of CSE’s new legal authorities and constraints, and to apply this knowledge in the delivery of ACO/DCOs.
In this context, CSE conducted a tabletop exercise with a view to introduce [**certain employees**] to the MA design process at an early stage, to enlist their involvement in the drafting of MAs, and to test the functional viability of the MA framework, among other objectives. Throughout the exercise, [**the above mentioned employee**] barred from seeking advice from policy and legal representatives for management to be able to observe results as they may naturally occur. NSIRA notes a key observation from the exercise:
[**redacted**] expressed unease with the need to rely on multiple MAs to support evolving mission objectives. Policy guidance and training will be needed to [**redacted**] to know what authority they are operating under as they proceed with an operation across missions and across MAs. This guidance and training must also account for the fact that information collected under different MAs could be subject to different data management requirements.
CSE stated that [**certain employees**] obtain knowledge of the legal authorities, requirements, and prohibitions of an ACO or DCO through planning meetings and knowledge of the operational documents. In an interview with a CSE SME [**redacted**] NSIRA learned that the training offered on CSE’s new legal authorities, requirements, and prohibitions [**redacted**]. The SME said that if they had any questions about the governance, they would [**relates to CSE operations**].
It is unclear to NSIRA whether there exists a requirement for [**redacted**] to thoroughly understand the parameters delineated for an ACO/DCO within the [**redacted**]. For instance, when asked about their comfort level of operating under different MAs [**redacted**] contained in the [**redacted**] CSE explained that [**redacted**] are developed from the [**redacted**], but as described [**redacted**]. NSIRA is concerned that if [**certain employees**] are focused primarily on the [**certain document/mechanism**] they may not have an adequate understanding of the broader parameters and restrictions associated with an operation.
The MAs authorizing ACO/DCOs impose a condition on CSE’s employees involved in the execution of ACO/DCOs to demonstrate an understanding of the legal and policy requirements under which they operate. The MAs and operational planning documents contain valuable information about the parameters of the broader authority to conduct ACO/DCOs and specific operations. As such, NSIRA believes it is imperative that employees working on any aspect of delivering an ACO/DCO receive thorough training sessions to familiarize them with the requirements and limitations of their respective operations set out in the [**redacted**] and [**redacted**]. Finally, [**certain employees**] could be tested on their understanding of the MAs and their constraints on specific operations.
Finding no. 7: CSE has provided its employees with high-level learning opportunities to learn about its new authorities to conduct Active and Defensive Cyber Operations (ACO/DCOs). However, employees working directly on ACO/DCOs may not have the requisite understanding of the specifics of CSE’s new legal authorities and parameters surrounding their use.
Recommendation no. 7: CSE should provide a structured training program to its employees involved in the execution of Active and Defensive Cyber Operations (ACO/DCOs), to ensure that they have the requisite knowledge of CSE’s legal authorities, requirements, and prohibitions, as required by the associated Ministerial Authorizations.
Framework for CSE’s Engagement with GAC
Given the legislative requirement for the MFA to provide consent or to be consulted in relation to ACO/DCOs, NSIRA set out to assess whether CSE developed a framework for effective consultation and engagement of GAC officials in the intersection of their respective mandates.
GAC’s assessment of foreign policy risks
In GAC and CSE’s engagement during the development of the consultation framework, they developed a mechanism by which GAC is to consent or be consulted on an operation, and to provide its assessment of the operation’s foreign policy risk. In response to a consultation request by CSE, GAC is responsible for providing, within five business days, a Foreign Policy Risk Assessment (FPRA) that confirms whether [**redacted**]. Notably, the FPRA does not constitute an approval of an operation, only a consultation. In order to inform the development of the FRPA, CSE prepares a tailored [**document/mechanism**] for GAC which summarizes aspects of the operation. In our subsequent review, NSIRA will analyse whether the timeline provided to GAC for specific operations enabled it to meaningfully assess the associated foreign policy risks.
For GAC, several factors affect whether or not an ACO/DCO [**redacted**] These factors include whether an ACO/DCO aligns with GAC’s position on international norms in cyberspace and the furtherance of Canada’s national interests, [**relates to GC national security matters**] This is reflected in the TORs for the CSE-GAC WG, which require GAC to assess:
[**redacted**]
Compliance with international law and cyber norms;
Foreign Policy coherence, including whether the operation is in line with foreign policy, national security and defence priorities (i.e., beyond the [Standing Intelligence Requirements]); and
[**redacted**]
In the context of the above assessment requirements, GAC explained to NSIRA that it conducts a less detailed assessment of the foreign policy risk of specific operations, through the FPRA, on the basis that it has conducted a more detailed assessment of the classes of activities authorized in the MA.106 This assessment approach is reflected in [**redacted**] FPRAs received by NSIRA, which concluded that the operations fall within [**redacted**] but did not elaborate on the factors listed above. Given that the FPRA provides assurance of [**redacted**] of specific operations and is required under the ACO MA, NSIRA will closely review these assessments as part our subsequent review of operations.
Compliance with international law and cyber norms
[**redacted**]
Parliament may authorize violations of international law, but must do so expressly. An example of this is following the decision in X (Re), 2014 FCA 249, Parliament amended the CSIS Act through the adoption of Bill C-44 in 2015. The new provisions made it explicitly clear that CSIS could perform its duties and functions within or outside of Canada and that, pursuant to the newly adopted provisions of the CSIS Act, a judge may authorize activities outside Canada to enable the Service to investigate a threat to the security of Canada “without regard to any other law.” As per the language of the CSE Act, ACO/DCO MAs may only authorize CSE to carry out ACO/DCO activities “despite any other Act of Parliament or of any foreign state.” As outlined by case law, this language may not be sufficiently clear to allow the Minister to authorize violations of customary international law.
[**redacted**] the MAs reviewed by NSIRA stated that the activities “will conform to Canada’s obligations under international law” and each MA required that CSE’s “activities will not contravene Canada’s obligations under international law.” This would indicate that all activities conducted under this MA would be compliant with international law. However, the governance documents developed by CSE and GAC, such as the CSE-GAC consultation framework, do not set out parameters for assessing ACO/DCO activities for compliance with Canada’s obligations under international law, nor is it made clear against which specific international legal obligations ACO/DCO activities are to be assessed. NSIRA will closely monitor how CSE and GAC consider compliance with international law in relation to ACO/DCO activities in the subsequent review.
In NSIRA’s engagement with GAC, GAC highlighted its interdepartmental and international consultations dating back to 2016 on the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Tallinn Manual 2.0), which informed part of its development of the MAs [**redacted**]. GAC has created a Draft Desk book resulting from these consultations, which identifies Canada’s preliminary assessment of key rules of international law in cyberspace as described within the Tallinn Manual 2.0. NSIRA notes that while this analysis is a draft and does not represent Canada’s final position, it “has served as a starting point for further legal consideration.” NSIRA received no further documents that outline Canada’s understanding of how international law applies to ACO/DCO activities.
Further, documentation provided by both GAC and CSE recognizes a need to assess each potential ACO/DCO for lawfulness. GAC wrote that an analysis of the terms “acknowledged to be harmful” or “posing a threat to international peace and security” should be conducted within the context of each ACO/DCO. [**redacted**]
GAC explained that it assessed each activity within the authorized classes for compliance with international law at the MA development stage, and that consequently, a less detailed assessment of compliance with international law took place at the FPRA stage for each operation. GAC explained that the Draft Desk book and the Tallinn Manual 2.0 were consulted for these activities. From [**redacted**] FPRAs reviewed by NSIRA to date, it is not clear how the Draft Desk book or the analysis of the 2015 UN GGE voluntary norms has informed the assessment of each operation’s level of risk, or GAC’s conclusions that the ACO/DCOs complied with international law. Rather, GAC indicates that activities are compliant with international law, without an explanation of the basis behind these conclusions.
NSIRA notes that international law in cyberspace is a developing area, and recognizes that Canada and other States are continuing to develop and refine their legal analysis in this field. ACO/DCO activities conducted without a thorough and documented assessment of an operation’s compliance with international law would create significant legal risks for Canada if an operation violates international law. Ultimately, a better documented analysis of Canada’s legal obligations when conducting ACO/DCOs is necessary in order for GAC and CSE to assess an operation’s compliance with international law. NSIRA will further examine the lawfulness of ACO/DCO activities in our subsequent review.
Finding no. 8: CSE and GAC have not sufficiently developed a clear and objective framework with which to assess Canada’s obligations under international law in relation to Active and Defensive Cyber Operations.
Recommendation no. 8: CSE and GAC should provide an assessment of the international legal regime applicable to the conduct of Active and Defensive Cyber Operations. Additionally, CSE should require that GAC conduct and document a thorough legal assessment of each operation’s compliance with international law.
Bilateral communication of relevant information
Both GAC and CSE have implemented methodologies that require them to calculate risks based on certain factors. However, these types of risks are not absolute, and depend on a wide range of factors that can change over time or with the emergence of new information. In the case of GAC, those factors center around [**redacted**].
At present, CSE and GAC’s approach to accounting for any change in risks relies on GAC informing CSE if any change to Canada’s foreign policy should arise. However, based on GAC’s methodology above, the foreign policy risk of an operation may also rise if new information is uncovered about [**redacted**] or in relation to the potential impacts of the operation beyond a [**redacted**] For CSE’s part, it appears to primarily focus on changes to operational risks [**that are uncovered at a certain time or in a certain manner**]. This one-way mechanism does not account for other factors [**redacted**].
In this context, CSE has explained that an ACO/DCO is [**redacted**] and that as result, [**redacted**]. CSE further explained that DX and that subsequent activities may be adjusted as required using information obtained from the previous one. [**redacted**].
In this context, NSIRA observed operations that were planned to take place over a period of time, including a DCO where CSE would undertake [**related to CSE operations**]. Another ACO would see CSE [**redacted**]. In describing this operation to GAC, CSE wrote that activities would take place over a period of time [**redacted**].
[**related to CSE operations**] benefit from [**redacted**] of the ADO/DCOs [**redacted**]. NSIRA believes that a two-way notification mechanism triggering a re-assessment of the risks associated with an ACO/DCO should be established between CSE and GAC, whether those risks are uncovered prior to or during the course of an operation.
Finally, CSE’s internal governance process brings in GAC through [**a certain document/mechanism**]. In this context, GAC has highlighted objectives, [**redacted**] of an operation as information that CSE should provide for the purposes of assessing foreign policy risks. NSIRA has observed that the [**redacted**]. NSIRA notes that these details serve as important context to which GAC should have access as part of its assessment, particularly as GAC includes in its conclusions that the activities complied with [**redacted**].
Finding no. 9: CSE expects GAC to provide notification of any changes to foreign policy risks, but has not sufficiently considered the need to communicate other risks that may arise during an operation to GAC. Further, information critical to GAC’s assessment of foreign policy risks has also been excluded in materials CSE uses to engage GAC on an operation. As such, within the current consultation framework, CSE may not sufficiently communicate relevant information to GAC in support of its foreign policy assessment, and to manage ongoing changes in the risk associated with a cyber operation.
Recommendation no. 9: CSE and GAC should communicate to one another all relevant information and any new developments relevant to assessing risks associated with a cyber operation, both in the planning phases and during its execution.
Conclusion
This was NSIRA’s first review of CSE’s new powers to conduct ACO/DCOs, and it has illustrated CSE and GAC’s development of a governance structure for conducting these operations. CSE has now had the power to conduct these operations since 2019, though this review demonstrated that both departments begun conceptualizing a governance regime prior to the coming into force of the CSE Act. NSIRA is satisfied that CSE has, to date, developed a comprehensive governance structure, and commends its regular engagement with GAC to develop a consultation framework that sets out the roles and responsibilities of both departments.
However, at the broader governance level, CSE can improve the transparency and clarity around the planning of ACO/DCOs, particularly at this early stage, by setting out clearer parameters within the associated MAs for the classes of activities and target sets that could comprise ACO/DCOs. NSIRA further believes the continued development of cyber operations should benefit from consultation with other government departments responsible for Canada’s strategic priorities and objectives in the areas of national security and defence. Finally, CSE and GAC should develop a threshold and a definition for what constitutes a pre-emptive DCO, so as to ensure the appropriate involvement of GAC in an operation.
At the operational level, CSE and GAC should ensure that each operation’s compliance with international law is assessed and documented. On CSE’s part, it should ensure that information critical to assessing the risks of an operation be streamlined and included within all governance documents, and made available to all those involved in the development and approval of ACO/DCOs – including GAC. Finally, CSE should ensure that its operational staff are well-versed in the specifics of their new legislative framework and its applicability to specific operations.
While this review focused on the governance structures at play in relation to ACO/DCOs, of even greater importance is how these structures are implemented, and followed, in practice. We have made several observations about the information contained within the governance documents developed to date, and will subsequently assess how they are put into practice as part of our forthcoming review of ACO/DCOs.
Annex A: ACO/DCO Typologies
Figure 1: Different types of cyber operations. Source: CSE briefing materials
[**redacted figure**]
Figure 2: Difference between ACOs and DCOs. Source: CSE briefing material.
Text version of Figure 2
Figure 2: Difference between ACOs and DCOs. Source: CSE briefing material.
DEFENSIVE CYBER OPERATIONS
ACTIVE CYBER OPERATIONS
Authorized Activites
Gaining acess to a portion of the global information infrastructure
Installing, maintaining, copying, distributing, searching, modifying, disruption, deleting or intercepting anything on or through the global information infrastructure
Doing anything that is reasonably necessary to maintain the covert nature of the activity
Carrying out any other activity that is reasobably in the circumstances and reasonably necessary in the aid of any other activity, or class of activities, authorized by the Ministerial Authorization
Ministerial Approval
MND approval with MFA consultation
MND approval with the consent or request of MFA
Intent
To take action online to protect electronic information and infrastructures of importance to the government of Canada
To degrade, disrupt, influence, respond to or interfere with capabilities of foreign individual, state, organization
Context
Initiated in response to a cyber threat, or proactively to prevent a cyber threat
Initiated in accordance with Ministerial direction as it relates to international affairs defence or security.
Threat Actor/Target Set
Conducted against threats linked to Government systems and systems of importance, irrespective of the actor **Once confirmed not against a Canadian, person in Canada, or on GII in Canada
Conducted against specific targets in acordance with the Ministerial Authorization **Once confirmed not against a Canadian, person in Canada, or on GII in Canada
Outcome
Conducted with a view to stop or prevent cyber threats in a manner that is reasonable and proportionate to the intrusion or threat
Conducted to the extent directed by the Ministerial Authorization and that is reasonable and proportionate
Annex B: ACO/DCOs (2019-2020)
[**redacted**]
Annex C: CSE-GAC Framework
Interdepartmental Group
CSE-GAC Senior Management Team (SMT)
DG CSE-GAC ACO/DCO Working Group
ADM-Level
Co-Chairs
SMT Co-Chairs: CSE DG, [**redacted**], GAC, DG Intelligence Bureau
Co-Chairs: CSE, DG [**redacted**] GAC,DG Intelligence Bureau. It iscomposed of some of the same DG-Level participants as the SMT as well as their working-level supports.
Exchanges information on the departments’ respective plans and priorities, as well as areas of collaboration.
Under the auspices of the SMT, this entity was established with a mandate to collaborate specifically on ACO/DCO matters.
Implementation of the governance framework associated with current and planned [**redacted**]. Coordinates information sharing related to the operational planning and execution of ACO/DCOs, as well as their associated risks and adherence to Canada’s foreign policy Collaborates on the renewal, evolution, and development of current and future MAs
Resolves any issues under the purview of the WG that cannot reach resolution at the DG-level.
Annex D: Findings and Recommendations
Findings
Finding no. 1: The Active and Defensive Cyber Operations Ministerial Authorization Applications do not provide sufficient detail for the Minister(s) to appreciate the scope of the classes of activities being requested in the authorization. Similarly, the Ministerial Authorization does not sufficiently delineate precise classes of activities, associated techniques, and intended target sets to be employed in the conduct of operations.
Finding no. 2: The assessment of the foreign policy risks required by two conditions within the Active and Defensive Cyber Operations Ministerial Authorizations relies too much on technical attribution risks rather than characteristics that reflect Government of Canada’s foreign policy.
Finding no. 3: The current governance framework does not include a mechanism to confirm an Active Cyber Operation’s (ACO) alignment with broader Government of Canada (GC) strategic priorities as required by the CSE Act and the Ministerial Authorization. While these objectives and priorities that are outside CSE and GAC’s remit alone, the two departments govern ACOs without input from the broader GC community involved in managing Canada’s overarching objectives.
Finding no. 4: CSE and GAC have not established a threshold to determine how to identify and differentiate between a pre-emptive Defensive Cyber Operation and an Active Cyber Operation, which can lead to the insufficient involvement of GAC if the operation is misclassified as defensive.
Finding no. 5: CSE’s internal policies regarding the collection of information in the conduct of cyber operations are not accurately described within the Active and Defensive Cyber Operations Ministerial Authorizations.
Finding no. 6: The [**redacted**] process, which occurs after planning documents have been approved, contains information that is pertinent to CSE’s broader operational plans. The [**redacted**] at times contained pertinent information absent from these other documents, even though it is approved at a lower level of management.
Finding no. 7: CSE has provided its employees with high-level learning opportunities to learn about its new authorities to conduct Active and Defensive Cyber Operations (ACO/DCOs). However, employees working directly on ACO/DCOs may not have the requisite understanding of the specifics of CSE’s new legal authorities and parameters surrounding their use.
Finding no. 8: CSE and GAC have not sufficiently developed a clear and objective framework with which to assess Canada’s obligations under international law in relation to Active and Defensive Cyber Operations.
Finding no. 9: CSE expects GAC to provide notification of any changes to foreign policy risks, but has not sufficiently considered the need to communicate other risks that may arise during an operation to GAC. Further, information critical to GAC’s assessment of foreign policy risks has also been excluded in materials CSE uses to engage GAC on an operation. As such, within the current consultation framework, CSE may not sufficiently communicate relevant information to GAC in support of its foreign policy assessment, and to manage ongoing changes in the risk associated with a cyber operation.
Recommendations
Recommendation no. 1: CSE should more precisely define the classes of activities, associated techniques, and intended target sets to be undertaken for Active and Defensive Cyber Operations as well as their underlying rationale and objectives, both in its Applications and associated Ministerial Authorizations for these activities.
Recommendation no. 2: GAC should include a mechanism to assess all relevant foreign policy risk parameters of Active and Defensive Cyber Operations within the associated Ministerial Authorizations.
Recommendation no. 3: CSE and GAC should establish a framework to consult key stakeholders, such as the National Security and Intelligence Advisor to the Prime Minister and other federal departments whose mandates intersect with proposed Active Cyber Operations, to ensure that they align with broader Government of Canada strategic priorities and that the requirements of the CSE Act are satisfied.
Recommendation no. 4: CSE and GAC should develop a threshold that discerns between an Active Cyber Operation and a pre-emptive Defensive Cyber Operation, and this threshold should be described to the Minister of National Defence within the applicable Ministerial Authorizations.
Recommendation no. 5: In its applications to the Minister of National Defence, CSE should accurately describe the potential for collection activities to occur under separate authorizations while engaging in Active and Defensive Cyber Operations.
Recommendation no. 6: CSE should include all pertinent information, including targeting and contextual information, within all operational plans in place for a cyber operation, and in materials it presents to GAC.
Recommendation no. 7: CSE should provide a structured training program to its employees involved in the execution of Active and Defensive Cyber Operations (ACO/DCOs), to ensure that they have the requisite knowledge of CSE’s legal authorities, requirements, and prohibitions, as required by the associated Ministerial Authorizations.
Recommendation no. 8: CSE and GAC should provide an assessment of the international legal regime applicable to the conduct of Active and Defensive Cyber Operations. Additionally, CSE should require that GAC conduct and document a thorough legal assessment of each operation’s compliance with international law.
Recommendation no. 9: CSE and GAC should communicate to one another all relevant information and any new developments relevant to assessing risks associated with a cyber operation, both in the planning phases and during its execution.
This was NSIRA’s first review of CSE’s governance of Active and Defensive Cyber Operations (ACO/DCOs). The review assessed the governance framework that guides the conduct of ACO/DCOs and whether CSE appropriately considers its legal obligations and the foreign policy impacts of operations.
CSE’s authority to conduct ACO/DCOs was introduced in 2019 through the Communications Security Establishment Act. These powers did not exist prior to the introduction of that legislation and are important new capabilities for the Government of Canada. The current global environment is clarifying the relevance of these capabilities and authorities for Canada.
In keeping with its commitment to lawfulness, CSE has worked diligently and methodically to operationalize these new authorities. As CSE continues to develop this capability, it is proceeding cautiously to ensure all activities are carried out in accordance with the CSE Act, and in line with Canada’s international obligations, in particular those highlighted in Canada’s recently published statement on the application of International Law in cyberspace.
CSE acknowledges the crucial role that review bodies play in the national security and intelligence community and CSE welcomes reviews by and recommendations from these review bodies. NSIRA’s recommendations from its review of CSE’s ACO/DCO governance framework will help guide the development of CSE’s capabilities so that CSE can continue to ensure lawfulness as well as effectiveness, efficiency and responsiveness.
As a crucial partner in the ACO/DCO governance framework, NSIRA engaged GAC in this review and made recommendations in relation to both GAC and CSE. CSE and GAC are pleased to provide the following response to NSIRA’s recommendations.
Recommendation no.1:
CSE should more precisely define the classes of activities, associated techniques, and intended target sets to be undertaken for Active and Defensive Cyber Operations as well as their underlying rationale and objectives, both in its Applications and associated Ministerial Authorizations for these activities.
CSE’s response:
CSE agrees with this recommendation.
While CSE agrees with this recommendation, CSE notes that the Minister is always provided with a sufficient amount of information and detail necessary to assess the application and grant an authorization.
CSE agrees that, where operationally appropriate, combining the information contained in briefings and presentations into the written application and authorisation will provide a more comprehensive written record. CSE has begun refining the information included in Active Cyber Operations (ACO) and Defensive Cyber Operations (DCO) applications and authorisations.
Recommendation no.2:
GAC should include a mechanism to assess all relevant foreign policy risk parameters of Active and Defensive Cyber Operations within the associated Ministerial Authorizations.
GAC’s response:
GAC agrees with this recommendation.
GAC already includes a consideration of a wide variety of factors in its Foreign Policy Risk Assessment, as identifiable in the Foreign Policy Risk Assessment template.
CSE has also in the past provided separate operational/technical risk assessments in its mission plans. This has included additional information about the targets and their activities on the GII, the technologies they use, or the complex technical systems CSE develops and deploys to conduct these operations.
Recommendation no.3:
CSE and GAC should establish a framework to consult key stakeholders, such as the National Security and Intelligence Advisor to the Prime Minister and other federal departments whose mandates intersect with proposed Active Cyber Operations to ensure that they align with broader Government of Canada strategic priorities and that the requirements of the CSE Act are satisfied.
Joint CSE and GAC response:
In principle, CSE and GAC agree with this recommendation.
All relevant Government of Canada stakeholders whose mandates may intersect with a planned ACO are consulted. We agree with the importance of ensuring alignment with broad Government of Canada strategic priorities and believe there are a number of avenues already in place through which updates can be shared and consultations can be undertaken with the broader security and intelligence community as and when needed. Examples of this include the Assistant Deputy Minister (ADM) and Deputy Minister (DM) level security and intelligence committee infrastructure (e.g. ADM National Security Operations Committee, DM Operations Committee) and the geographic-specific committee infrastructure. Additionally, there is a community-wide intelligence priority process that provides a framework and guidance for intelligence-related activities such as cyber operations.
We appreciate that as the types of ACOs considered and undertaken broaden, the current model for consulting government departments and agencies may need to evolve. CSE and GAC will work together to evolve an appropriate consultation framework over time as needed.
Recommendation no.4:
CSE and GAC should develop a threshold that discerns between an Active Cyber Operation and a pre-emptive Defensive Cyber Operation, and this threshold should be described to the Minister of National Defence within the applicable Ministerial Authorizations.
Joint CSE and GAC response:
CSE and GAC disagree with this recommendation.
CSE and GAC cannot agree with this recommendation as it refers to an activity (pre-emptive Defensive Cyber Operation) that is not provided for in the Communications Security Establishment Act (CSE Act) and that CSE does not conduct.
Under the DCO aspect of CSE’s mandate in section 18 of the CSE Act, CSE is authorized to carry out activities on or through the global information infrastructure to help protect federal institutions’ electronic information and information infrastructures and electronic information and information infrastructures designated under the CSE Act as being of importance to the Government of Canada (relevant infrastructure). The threat does not need to have compromised the information or infrastructure before a DCO is initiated, but it must present a credible threat to the designated information infrastructure(s). (U) In circumstances where CSE is aware a cyber threat exists but this threat has not manifested as a threat to the designated infrastructure(s), CSE can consider conducting an ACO. CSE can only conduct an ACO if it can satisfy the Minister that any intended activities would degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state or organisation or terrorist group as they relate to international affairs, defence or security.
If NSIRA believes that CSE and GAC need to more clearly define the threshold between an ACO and a DCO, then CSE and GAC also disagree with this recommendation on the basis that the CSE Act clearly sets out the conditions that CSE must satisfy before undertaking cyber security activities, DCOs or ACOs. There is no need for any other threshold to be created.
Recommendation no. 5:
In its applications to the Minister of National Defence, CSE should accurately describe the potential for collection activities to occur under separate authorizations while engaging in Active and Defensive Cyber Operations.
CSE’s response:
CSE agrees with this recommendation.
CSE already accurately describes the potential for collection activities, and the authority for such activities, in its applications to the Minister of National Defence. CSE has taken steps to ensure that applications for and authorizations of ACOs and DCOs clearly reference the authorizations under which any acquisition of information required to achieve the intended outcome of the ACO or DCO is conducted.
Importantly, CSE is not permitted to acquire information under an ACO or DCO authorization. The acquisition of the information relied on to conduct ACO and DCO activities is authorised under CSE’s foreign intelligence authorization, cybersecurity authorization or an emergency authorization. The use of this information in support of ACO and DCO purposes is outlined in CSE’s foreign intelligence and cybersecurity authorizations. These authorizations are reviewed by the Intelligence Commissioner who assesses the reasonableness and proportionality of the acquisition and use of information for ACO and DCO purposes.
Recommendation no. 6:
CSE should include all pertinent information, including targeting and contextual information, within all operational plans in place for a cyber operation, and in materials it presents to GAC.
CSE’s response:
CSE disagrees with this recommendation.
GAC requires sufficient and pertinent information upon which to base its analysis related to foreign risk and international law. CSE has worked with GAC to share the appropriate level of operational detail that GAC has requested to conduct their work. This need is reflected in the CSE-GAC Governance Framework whereby GAC is provided with an operation-specific Mission Plan to inform its Foreign Policy Risk Assessment. GAC is satisfied with the information provided by CSE. When GAC has required additional information to conduct its Foreign Policy Risk Assessment or international law assessment, CSE has provided the supplemental information requested.
Recommendation no. 7:
CSE should provide a structured training program to its employees involved in the execution of Active and Defensive Cyber Operations (ACO/DCOs), to ensure that they have the requisite knowledge of CSE’s legal authorities, requirements, and prohibitions, as required by the associated Ministerial Authorizations.
CSE’s response:
CSE agrees with this recommendation.
To supplement the existing mandatory annual training and testing that covers CSE’s legal authorities, requirements and prohibitions, CSE will consider developing a tailored training program for employees involved in the planning and execution of ACOs and DCOs.
Recommendation no. 8:
CSE and GAC should provide an assessment of the international legal regime applicable to the conduct of Active and Defensive Cyber Operations. Additionally, CSE should require that GAC conduct and document a thorough legal assessment of each operation’s compliance with international law.
Joint CSE and GAC response:
CSE and GAC partially agree with this recommendation.
In the time since this review concluded, GAC and CSE have continued to develop the process for assessing the international legal implications of cyber operations, with GAC’s Legal Bureau documenting a thorough legal assessment of each operation’s compliance with international law.
Procedurally, CSE submits a Mission Plan to GAC requesting a Foreign Policy Risk Assessment. Once received, GAC’s Legal Bureau leads a consultation process with Department of Justice (DOJ) counsel from both CSE’s and GAC’s Department of Legal Services (DLS), and in some cases, with DOJ counsel from the Constitutional, Administrative and International Law Section (CAILS), to discuss the international law implications of the planned operation as described in the Mission Plan. (U) These discussions are summarised in a written legal assessment recorded in the Foreign Policy Risk Assessment and are grounded in the international law analysis the GAC Legal Bureau has been developing over many years, including in the Government of Canada’s comments on the draft chapter of Tallinn Manual 2.0 in 2016, the development of the Draft Desk Book coordinated by GAC’s Legal Bureau and produced in August 2019, and the extensive legal analysis done in advance of the original ACO and DCO MAs.
GAC notes that it would be unusual to produce a comprehensive legal assessment of applicable law with respect to a range of potential or hypothetical operations that might be conducted by Canada, its allies and its adversaries in any field, cyber or otherwise. Rather it is GAC’s practice, like that of States generally, to produce legal assessments in relation to specific proposed activities or operations or court cases or other potential disputes.
GAC has consolidated its international legal analysis into a public statement on international law applicable to cyberspace. This public statement was developed and completed through extensive interdepartmental consultations among legal and policy experts, as well as an analysis of other national statements and leading publications and processes, including Tallinn Manual 2.0, the Swiss-led Expert Dialogue on International Law and Cyber, the Dutch-led Hague process, the Swiss-led Informal Consultations on International Humanitarian Law and Cyber Operations, the Oxford Process, and the US Cyber Command annual Legal Conference. Canada has joined like-minded and other nations in producing a public statement, in part to advance ongoing multilateral processes at the United Nations and elsewhere, to further develop common understandings and a broader consensus on how international law applies in cyberspace.
Recommendation no. 9:
CSE and GAC should communicate to one another all relevant information and any new developments relevant to assessing risks associated with a cyber operation, both in the planning phases and during its execution.
Joint CSE and GAC response:
CSE and GAC agree with this recommendation.
In the time since this review concluded, CSE and GAC have increased the frequency of working-level exchanges. Under the GAC-CSE Foreign Cyber Operations Governance Framework, GAC and CSE will bolster the existing points of contact and develop standard operating procedures for CSE and GAC to mutually provide any new information or developments relevant to a cyber operation.
A departmental plan describes a department’s priorities, plans and associated costs for the upcoming three fiscal years.
Vision, mission, raison d’etre and operating context
Minister’s mandate letter
Key priorities
In 2024–25, the NSIRA Secretariat’s top priorities are to
support NSIRA Members in undertaking professional, independent reviews of Canada’s national security and intelligence activities;
support NSIRA Members in conducting independent investigations of national security and intelligence public complaints;
provide transparency about our work; and
continue to strengthen our domestic and international partnerships.
Refocusing Government Spending
In Budget 2023, the government committed to reducing spending by $14.1 billion over the next five years, starting in 2023–24, and by $4.1 billion annually after that.
While not officially part of the government spending reduction exercise, the NSIRA Secretariat will respect the spirit of this exercise by
critically considering the need for contractors, and
identifying work that can be done in-house or deferred, if required.
NSIRA remains committed to managing spending with prudence and probity and that resources are used effectively, and efficiently to achieve organizational objectives.
Highlights
A Departmental Results Framework consists of an organization’s core responsibilities, the results it plans to achieve, and the performance indicators that measure progress toward these results.
National security and intelligence reviews and complaints investigations
Departmental results:
NSIRA reviews Government of Canada national security and intelligence activities to assess whether they are lawful, reasonable, and necessary. The Agency also investigates complaints from members of the public on the activities of the Canadian Security Intelligence Service (CSIS), the Communications Security Establishment (CSE), the Royal Canadian Mounted Police (RCMP), as well as certain other national security-related complaints, independently and in a timely manner.
The NSIRA Secretariat supports the Agency in the delivery of its mandate. Independent scrutiny contributes to strengthening the accountability framework for national security and intelligence activities and to enhancing public confidence. Ministers and Canadians are informed whether national security and intelligence activities undertaken by Government of Canada institutions are lawful, reasonable, and necessary.
See GC InfoBase for the full framework and program inventory.
Planned spending: $10,852,987
Planned human resources: 69
Support to national security and intelligence reviews and complaints investigations: The NSIRA Secretariat will support the Agency as it ensures institutions’ accountability and enhances public confidence. This will involve conducting transparent and timely investigations into complaints related to national security or intelligence activities and the denial of security clearances.
Throughout 2024–25, the NSIRA Secretariat will support and conduct the Agency’s current reviews and initiate new reviews as per its Forward Review Plan. It will also conduct the Agency’s mandated annual reviews under the National Security and Intelligence Review Agency Act and annual reviews of CSIS and CSE activities.
For more information on the NSIRA Secretariat’s plans, see the “Plans to deliver” section of this plan.
More information about National security and intelligence reviews and complaints investigations can be found in the full departmental plan.
This Departmental Plan describes the priorities and goals for the National Security and Intelligence Review Agency (NSIRA) Secretariat in 2024–25. Our work is fundamentally anchored by our role in supporting the Agency’s mandate to undertake independent, expert review and investigation of the Government of Canada’s national security and intelligence activities.
Since the Agency’s inception in 2019, the NSIRA Secretariat has worked to establish a professional workforce and the supporting infrastructure, processes, and policies needed to carry out its mandate. Our approaches have matured as we have taken time for deep internal reflection and to consult with our domestic and international partners. Combined with the growing willingness of the national security community to genuinely accept and adjust to our mandate, we are now well positioned to leverage what we have learned and confidently advance our work as a world-recognized review body. In so doing, we will continue to work towards NSIRA’s vision of an accountable, transparent, and effective national security and intelligence community that upholds the rule of law.
In 2024–25, the Secretariat will continue to improve the quality of our working environment to attract and retain an exceptional workforce. We recognize that prioritizing the physical and mental well-being of our employees, and continuing to advance diversity and inclusion, are important aspects of becoming an employer of choice. We have taken steps to implement meaningful action in the coming year. NSIRA is well positioned to take on new and exciting challenges in the year ahead. I would like to thank both Secretariat staff and NSIRA Members, whose ongoing professionalism and dedication to our important work continues to be the force behind our past and future success.
John Davies Executive Director National Security and Intelligence Review Agency Secretariat
Plans to deliver on core responsibilities and internal services
Core responsibilities and internal services:
National security and intelligence reviews and complaints investigations
Internal services
National security and intelligence reviews and complaints investigations
Description
NSIRA reviews Government of Canada national security and intelligence activities to assess whether they are lawful, reasonable, and necessary. The Agency investigates complaints from members of the public regarding activities of CSIS, CSE, and the national security activities of the RCMP, as well as certain other national security-related complaints.
The NSIRA Secretariat supports the Agency in the delivery of this mandate. The resulting independent scrutiny contributes to the strengthening of the framework of accountability for national security and intelligence activities undertaken by Government of Canada institutions and enhancing public confidence.
Quality of life impacts
NSIRA’s core responsibility relates most closely to the indicator ‘confidence in institutions’, within the ‘democracy and institutions’ sub domain and under the overarching domain of ‘good governance’.
Results and targets
The following tables show, for each departmental result related to national security and intelligence reviews and complaints investigations, the indicators, the results from the three most recently reported fiscal years, the targets and target dates approved in 2024–25.
Table 1: Indicators, results and targets for departmental result “Ministers and Canadians are informed whether national security and intelligence activities undertaken by Government of Canada institutions are lawful, reasonable, and necessary”
Indicator
2020–21 result
2021–22 result
2022–23 result
Target
Date to achieve
All mandatory reviews are completed on an annual basis
N/A
100%
100%
100% completion of mandatory reviews
December 2022
Reviews of national security or intelligence activities of at least five departments or agencies are conducted each year
N/A
100%
100%
At least one national security or intelligence activity is reviewed in at least five departments or agencies annually
December 2022
All Member-approved high priority national security or intelligence activities are reviewed over a three- year period
N/A
33%
33%
100% completion over three years; at least 33% completed each year
December 2022
Table 2: Indicators, results, and targets for departmental result “National security-related complaints are independently investigated in a timely manner”
Indicator
2020–21 result
2021–22 result
2022–23 result
Target
Date to achieve
Note: NSIRA was created on July 12, 2019. Actual results for 2020–21 are not available because the new Departmental Results Framework was being developed during the transition of the Security Intelligence Review Committee into the establishment of NSIRA. The new framework is for measuring and reporting on results achieved starting in 2021–22; in 2022–23, NSIRA finalized service standards on the time required to complete its investigations (effective April 1, 2023). The results will be included in the next Departmental Results Report.
Percentage of investigations completed within NSIRA service standards
N/A
N/A
N/A
90% – 100%
March 2024
The financial, human resources and performance information for NSIRA’s program inventory is available on GC InfoBase.
Plans to achieve results
Support to NSIRA reviews
The NSIRA Secretariat will continue to support the Agency’s current, ongoing reviews and new reviews from the Forward Review Plan throughout 2024–25. This will include supporting the annual reviews of CSIS and CSE activities, to provide responsible Ministers and the Canadian public with an assessment of these institutions’ activities, including their lawfulness, reasonableness, and necessity.
In 2024–25, the NSIRA Secretariat will continue to be informed and guided by the knowledge acquired through reviews of departments and agencies (reviewees) to date. As it becomes increasingly familiar with reviewees’ organizational structures, networks, policies, and activities, and able to apply such information to subsequent reviews, it will leverage this knowledge to ensure these institutions’ national security and intelligence activities are reviewed from a strongly informed position of independence. The NSIRA Secretariat will also continue to support reviews focused on crosscutting, horizontal issues that span multiple reviewees, with a goal of fully leveraging NSIRA’s authority in this regard.
In addition to conducting its mandated annual reviews in 2024-25, the NSIRA Secretariat will lead the development of a new review plan that is timely, topical, and responsive. The Forward Review Plan involves evaluating proposals for new reviews against an established matrix of criteria. The criteria represent the considerations or aspects that NSIRA deems to be the most important and relevant to the issues and topics it addresses through its discretionary reviews. The outcome will be a prioritized list of new reviews that will be undertaken once the existing reviews are completed. In this way, the NSIRA Secretariat will continue to support NSIRA Members in executing their responsibilities and exercising their authority under the NSIRA Act.
Support to NSIRA complaints investigations
In 2024–25, the NSIRA Secretariat will support the Agency in ensuring institutions’ accountability and enhancing public confidence by conducting transparent and timely investigations into complaints related to national security and the denial of security clearances. NSIRA’s independent investigation of complaints plays a critical role in maintaining public access to justice.
In the coming year, the NSIRA Secretariat will apply its rules of procedure, which were first implemented in 2021, to promote accessibility, timeliness, and efficiency in the Agency’s investigation of complaints. This includes an informal resolution process that has proven successful in resolving complaints that do not need to proceed e to formal investigation process.
The NSIRA Secretariat will further implement the Agency’s new service standards for the investigation of complaints, which were created in 2022–23 and effective as of April 1, 2023.
Transparency
The NSIRA Secretariat will continue to proactively publish unclassified versions of all Agency review reports. It will engage reviewees in a timelier manner on release approvals and aim to publish redacted reports on the NSIRA website shortly after these reports are provided to reviewees and their respective Ministers, leveraging processes developed during the previous year.
Partnerships
Participation
In 2024–25, the NSIRA Secretariat will build on its ongoing partnership efforts from the previous year. It will continue its participation in the Five Eyes Intelligence Oversight and Review Council, which brings together review agency representatives from Canada, the United States, Australia, New Zealand, and the United Kingdom.
Engagement
The NSIRA Secretariat will also continue to support multilateral and bilateral engagement with other like-minded European and international partners. Such participation and engagement will include ongoing working-level visits and exchanges. This work will support NSIRA’s interest in benefiting from, and contributing to, the sharing of best practices with the broader review and oversight community. The NSIRA Secretariat will also continue to build on recent efforts to foster collaborative relationships with other domestic review bodies and civil society groups.
Key risks
The NSIRA Secretariat has made progress on accessing the information required to conduct reviews; however, there continues to be risks associated with reviewees’ ability to respond to, and prioritize, information requests, hindering NSIRA’s ability to deliver its review plan in a timely way. The NSIRA Secretariat will continue to mitigate this risk by providing clear communication related to information requests, tracking their timely completion within communicated timelines, and escalating issues when appropriate.
Snapshot of planned resources in 2024–25
Planned spending: $18,575,110
Planned full-time resources: 100
Related government priorities
In 2024–25, the NSIRA Secretariat will continue to implement its three-year action plan on human rights, accessibility, employment equity, diversity, and inclusion. It first put this plan into effect during fiscal year 2022–23, following a maturity assessment of its policies, programs, and practices, and the Call to Action from the Clerk of the Privy Council. It includes, among many components, incorporating a gender-based analysis plus lens into the design and implementation of the NSIRA Secretariat’s policies and programs.
Employee self-identification data, which was first collected by the NSIRA Secretariat in 2023–2024 (further to the establishment of a special program under the Canadian Human Rights Act), will continue to inform the NSIRA Secretariat’s activities in the year ahead and better position it to:
prevent, eliminate, or reduce disadvantages and barriers that are experienced by any group of individuals based on, or related to, prohibited grounds of discrimination;
identify gaps in representation, to implement recruitment and retention measures aimed at not only achieving but retaining a diverse workforce and maintaining an inclusive work environment;
leverage the value of diverse peoples and perspectives in its work; and
identify meaningful opportunities for employee engagement in keeping with its overall commitment to human rights, accessibility, employment equity, diversity, and inclusion.
NSIRA’s Forward Looking Review Plan continues to be informed by considerations related to anti-racism, equity, and inclusion. These considerations apply to the process of selecting reviews to be undertaken, as well as to the analysis that takes place during individual reviews. NSIRA reviews routinely take into account the potential for national security or intelligence activities to result in disparate outcomes for various communities, and will continue to do so in the year ahead.
In 2024–25, in the context of complaint investigations, the NSIRA Secretariat will continue to support the Agency as it works with the Civilian Review and Complaints Commission (CRCC) to develop strategies for the collection, analysis, and use of identity-based data. Following the completion of a joint study, it will focus on assessing how some recommendations can be implemented for the collection, analysis, and use of identity-based data in relation to the NSIRA and CRCC mandates.
The NSIRA Secretariat will also continue to implement its Accessibility Plan, which outlines the steps that will be taken to increase accessibility within the organization and for all Canadians over the next two years. In addition, its Diversity, Inclusion, and Employment Equity Advisory Committee will continue to work with management and staff to build a more equitable, diverse, and inclusive workplace and workforce. This will include organizing discussions and learning events with all staff and providing advice on policy and program design.
In the year ahead, the NSIRA Secretariat will also develop and implement a pay equity plan, as required by the Pay Equity Act. Closing any identified gender pay gap is essential to advancing gender equality and fostering a workplace driven by inclusivity and fairness.
Program inventory
National security and intelligence reviews and complaints investigations are supported by the following program in the program inventory:
National security and intelligence activity reviews and complaints investigations.
Supporting information on planned expenditures, human resources, and results related to NSIRA’s program inventory is available on GC Infobase.
Internal services
Description
Internal services are the services that are provided within a department so that it can meet its corporate obligations and deliver its programs. There are 10 categories of internal services:
management and oversight services
communications services
human resources management services
financial management services
information management services
information technology services
real property management services
materiel management services
acquisition management services
Plans to achieve results
In 2024–25, the NSIRA Secretariat will continue to take steps to ensure resources are deployed in the most effective and efficient manner possible, and its operations and administrative structures, tools, and processes continue to focus on supporting the delivery of its priorities.
The NSIRA Secretariat recognizes the need to be an inclusive, healthy, and flexible employer. Over the coming year, it will continue to encourage flexible working arrangements, such as teleworking, to achieve work–life balance and meet performance expectations.
In the coming year, the NSIRA Secretariat’s office footprint, with modern and flexible workstations in the classified and non-classified realm, is expected to be completed. The project has been pushed back to a summer 2024 delivery date due to its complexity, supply chain challenges, and compliance requirements.
The NSIRA Secretariat also continues to implement security controls and keeps its Security Plan and Business Impact Analysis evergreen, to ensure resiliency over time. In addition, based on the NSIRA Secretariat’s Information Management plans and strategies developed last fiscal year, it has identified the tools and resources required to execute the plans and strategies over the coming years.
Snapshot of planned resources in 2024-25
Planned spending: $7,722,123
Planned full-time resources: 31
Related government priorities
Planning for contracts awarded to Indigenous businesses
The NSIRA Secretariat is among the final wave of departments and agencies that are to achieve the mandatory minimum target of contract awards to Indigenous businesses by 2024–25. Efforts are already well underway in support of the Government of Canada’s commitment which requires that an annual, mandatory minimum target of five percent of the total value of contracts be awarded to Indigenous businesses.
In 2021-22, the NSIRA Secretariat exceeded its plan to reach two percent of total contract values awarded to Indigenous business, and achieved three percent, as shown in Table 3. Measures undertaken by the NSIRA Secretariat to facilitate the achievement of the mandatory minimum target by 2024–25 include a commitment to process an increasing minimum number of contracts in each of the following three fiscal years, as set-asides under the Procurement Strategy for Indigenous Business.
Table 3: Progress toward target for contracts with Indigenous businesses
5% reporting field description
2021–22 actual % achieved
2022–23 actual % achieved
2023–24 planned % target
2024–25 planned % target
Total percentage of contracts with Indigenous businesses
3%
3%
3%
5%
Planned spending and human resources
This section provides an overview of NSIRA’s planned spending and human resources for the next three fiscal years and compares planned spending for 2024–25 with actual spending from previous years.
Spending
Table 4: Actual spending summary for core responsibilities and internal services ($ dollars)
The following table shows information on spending for each of NSIRA’s core responsibilities and for its internal services for the previous three fiscal years. Amounts for the current fiscal year are forecasted based on spending to date.
Core responsibilities and Internal Services
2020–21 actual expenditures
2021–22 actual expenditures
2022–23 forecast spending
National Security and Intelligence Reviews and Complaints Investigations
7,394,642
7,756,271
9,516,920
Subtotal
7,394,642
7,756,271
9,516,920
Internal Services
9,895,112
10,532,876
10,799,513
Total
17,289,754
18,289,147
20,316,433
Table 5: Budgetary planning summary for core responsibilities and internal services (dollars)
The following table shows information on spending for each of NSIRA’s core responsibilities and for its internal services for the upcoming three fiscal years.
Core responsibilities and Internal Services
2024–25 budgetary spending
(as indicated in Main Estimates)
2024–25 planned spending
2025–26 planned spending
2026–27 planned spending
National Security and Intelligence Reviews and Complaints Investigations
10,852,987
10,852,987
10,852,051
10,852,051
Subtotal
10,852,987
10,852,987
10,852,051
10,852,051
Internal Services
7,722,123
7,722,123
7,758,034
7,758,034
Total
18,575,110
18,575,110
18,610,085
18,610,085
Funding
Figure 1: Departmental spending 2021–22 to 2026–27
The following graph presents planned spending (voted and statutory expenditures) over time.
Text version of Figure 1
Departmental spending trend graph
2021–22
2022–23
2023–24
2024–25
2025–26
2026–27
Statutory
1,176,321
1,300,166
1,513,580
1,764,845
1,766,593
1,766,593
Voted
16,113,433
16,988,981
18,802,853
16,810,265
16,843,492
16,843,492
Total
17,289,754
18,289,147
20,316,433
18,575,110
18,610,085
18,610,085
Peak spending was reached in 2023–24 with the inclusion of the majority of construction project expenditures. The NSIRA Secretariat will move to steadier state of spending in 2024–25.
Estimates by vote
Information on NSIRA’s organizational appropriations is available in the 2024–25 Main Estimates.
Future-oriented condensed statement of operations
The future-oriented condensed statement of operations provides an overview of NSIRA’s operations for 2023–24 to 2024–25.
The forecast and planned amounts in this statement of operations were prepared on an accrual basis. The forecast and planned amounts presented in other sections of the Departmental Plan were prepared on an expenditure basis. Amounts may therefore differ.
A more detailed future-oriented statement of operations and associated notes, including a reconciliation of the net cost of operations with the requested authorities, are available at NSIRA’s website.
Table 6: Future-oriented condensed statement of operations for the year ending March 31, 2025 (dollars)
Financial information
2023–24 Forecast results
2024–25 Planned results
Difference (2024–25 planned results minus 2023–24 Forecast results)
Total expenses
18,786,869
20,400,691
1,613,823
Total revenues
0
0
0
Net cost of operations before government funding and transfers
18,786,869
20,400,691
1,613,823
Human resources
Table 7: Actual human resources for core responsibilities and internal services
The following table shows a summary of human resources, in full-time equivalents (FTEs), for NSIRA’s core responsibilities and for its internal services for the previous three fiscal years. Human resources for the current fiscal year are forecasted based on year to date.
Core responsibilities and Internal Services
2021–22 actual full time equivalents
2022–23 actual full time equivalents
2023–24 forecast full time equivalents
National Security and Intelligence Reviews and Complaints Investigations
52
53
69
Subtotal
52
53
69
Internal Services
22
25
31
Total
74
78
100
Given the NSIRA secretariat continues to be a growing organization, the increase of 4 FTEs is reasonable year over year. The organization plans to continue to grow towards 100 FTEs through various recruitment and retention programs.
Table 8: Human resources planning summary for core responsibilities and internal services
The following table shows information on human resources, in full-time equivalents (FTEs), for each of NSIRA’s core responsibilities and for its internal services planned for 2024–25 and future years.
Core responsibilities and Internal Services
2024–25 planned full time equivalents
2025–26 planned full time equivalents
2026–27 planned full time equivalents
National Security and Intelligence Reviews and Complaints Investigations
69
69
69
Subtotal
69
69
69
Internal Services
31
31
31
Total
100
100
100
With a tight labour market and the requirement for a significant portion of employees to work primarily from secure office space, recruitment continues to prove challenging. New recruitment and retention programs will help the NSIRA secretariat in its ongoing efforts to be fully staffed.
Corporate Information
Organizational profile
Appropriate minister: The Right Honourable Justin Trudeau, Prime Minister of Canada Institutional head: John Davies, Executive Director Ministerial portfolio: Privy Council Office Enabling instrument:National Security and Intelligence Review Agency Act Year of incorporation / commencement: 2019
Organizational contact information
National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario K1P 5W5
Information on NSIRA’s departmental sustainable development strategy can be found on NSIRA’s website
Federal tax expenditures
NSIRA’s Departmental Plan does not include information on tax expenditures.
Tax expenditures are the responsibility of the Minister of Finance. The Department of Finance Canada publishes cost estimates and projections for government wide tax expenditures each year in the Report on Federal Tax Expenditures.
This report provides detailed information on tax expenditures, including objectives, historical background and references to related federal spending programs, as well as evaluations, research papers and gender-based analysis plus.
Appendix: definitions
appropriation(crédit)
Any authority of Parliament to pay money out of the Consolidated Revenue Fund.
budgetary expenditures(dépenses budgétaires)
Operating and capital expenditures; transfer payments to other levels of government, organizations or individuals; and payments to Crown corporations.
core responsibility(responsabilité essentielle)
An enduring function or role performed by a department. The intentions of the department with respect to a core responsibility are reflected in one or more related departmental results that the department seeks to contribute to or influence.
Departmental Plan(plan ministériel)
A report on the plans and expected performance of an appropriated department over a 3‑year period. Departmental Plans are usually tabled in Parliament each spring.
departmental priority(priorité)
A plan or project that a department has chosen to focus and report on during the planning period. Priorities represent the things that are most important or what must be done first to support the achievement of the desired departmental results.
departmental result(résultat ministériel)
A consequence or outcome that a department seeks to achieve. A departmental result is often outside departments’ immediate control, but it should be influenced by program-level outcomes.
departmental result indicator (indicateur de résultat ministériel)
A quantitative measure of progress on a departmental result.
departmental results framework(cadre ministériel des résultats)
A framework that connects the department’s core responsibilities to its departmental results and departmental result indicators.
Departmental Results Report(rapport sur les résultats ministériels)
A report on a department’s actual accomplishments against the plans, priorities and expected results set out in the corresponding Departmental Plan.
experimentation(expérimentation)
The conducting of activities that seek to first explore, then test and compare the effects and impacts of policies and interventions in order to inform evidence-based decision-making, and improve outcomes for Canadians, by learning what works, for whom and in what circumstances. Experimentation is related to, but distinct from innovation (the trying of new things), because it involves a rigorous comparison of results. For example, using a new website to communicate with Canadians can be an innovation; systematically testing the new website against existing outreach tools or an old website to see which one leads to more engagement, is experimentation.
full‑time equivalent(équivalent temps plein)
A measure of the extent to which an employee represents a full person‑year charge against a departmental budget. For a particular position, the full‑time equivalent figure is the ratio of number of hours the person actually works divided by the standard number of hours set out in the person’s collective agreement.
gender-based analysis plus (GBA Plus)(analyse comparative entre les sexes plus [ACS Plus])
An analytical process used to assess how diverse groups of women, men and gender-diverse people experience policies, programs and services based on multiple factors including race ethnicity, religion, age, and mental or physical disability.
For the purpose of the 2020–21 Departmental Results Report, those high-level themes outlining the government’s agenda in the 2019 Speech from the Throne, namely: Fighting climate change; Strengthening the Middle Class; Walking the road of reconciliation; Keeping Canadians safe and healthy; and Positioning Canada for success in an uncertain world.
horizontal initiative(initiative horizontale)
An initiative where two or more federal organizations are given funding to pursue a shared outcome, often linked to a government priority.
non‑budgetary expenditures(dépenses non budgétaires)
Net outlays and receipts related to loans, investments and advances, which change the composition of the financial assets of the Government of Canada.
performance (rendement)
What an organization did with its resources to achieve its results, how well those results compare to what the organization intended to achieve, and how well lessons learned have been identified.
performance indicator(indicateur de rendement)
A qualitative or quantitative means of measuring an output or outcome, with the intention of gauging the performance of an organization, program, policy or initiative respecting expected results.
performance reporting(production de rapports sur le rendement)
The process of communicating evidence‑based performance information. Performance reporting supports decision making, accountability and transparency.
plan(plan)
The articulation of strategic choices, which provides information on how an organization intends to achieve its priorities and associated results. Generally, a plan will explain the logic behind the strategies chosen and tend to focus on actions that lead to the expected result.
planned spending(dépenses prévues)
For Departmental Plans and Departmental Results Reports, planned spending refers to those amounts presented in Main Estimates.
A department is expected to be aware of the authorities that it has sought and received. The determination of planned spending is a departmental responsibility, and departments must be able to defend the expenditure and accrual numbers presented in their Departmental Plans and Departmental Results Reports.
program(programme)
Individual or groups of services, activities or combinations thereof that are managed together within the department and focus on a specific set of outputs, outcomes or service levels.
program inventory(répertoire des programmes)
Identifies all the department’s programs and describes how resources are organized to contribute to the department’s core responsibilities and results.
result(résultat)
A consequence attributed, in part, to an organization, policy, program or initiative. Results are not within the control of a single organization, policy, program or initiative; instead they are within the area of the organization’s influence.
statutory expenditures(dépenses législatives)
Expenditures that Parliament has approved through legislation other than appropriation acts. The legislation sets out the purpose of the expenditures and the terms and conditions under which they may be made.
target (cible)
A measurable performance or success level that an organization, program or initiative plans to achieve within a specified time period. Targets can be either quantitative or qualitative.
voted expenditures(dépenses votées)
Expenditures that Parliament approves annually through an appropriation act. The vote wording becomes the governing conditions under which these expenditures may be made.
This quarterly report has been prepared by management as required by section 65.1 of the Financial Administration Act and in the form and manner prescribed by the Directive on Accounting Standards, GC 4400 Departmental Quarterly Financial Report. This quarterly financial report should be read in conjunction with the 2023–24 Main Estimates.
This quarterly report has not been subject to an external audit or review.
Mandate
The National Security and Intelligence Review Agency (NSIRA) is an independent external review body that reports to Parliament. Established in July 2019, NSIRA is responsible for conducting reviews of the Government of Canada’s national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also hears public complaints regarding key national security agencies and their activities.
This quarterly report has been prepared by management using an expenditure basis of accounting. The accompanying Statement of Authorities includes the agency’s spending authorities granted by Parliament and those used by the agency, consistent with the 2023–24 Main Estimates. This quarterly report has been prepared using a special-purpose financial reporting framework (cash basis) designed to meet financial information needs with respect to the use of spending authorities.
The authority of Parliament is required before money can be spent by the government. Approvals are given in the form of annually approved limits through appropriation acts or through legislation in the form of statutory spending authorities for specific purposes.
Highlights of the fiscal quarter and fiscal year-to-date results
This section highlights the significant items that contributed to the net increase or decrease in authorities available for the year and actual expenditures for the quarter ended September 30, 2023.
NSIRA Secretariat spent approximately 52% of its authorities by the end of the third quarter, compared with 39% in the same quarter of 2022–23 (see graph 1).
Graph 1: Comparison of total authorities and total net budgetary expenditures, Q3 2023–2024 and Q3 2022–2023
Text version of Figure 1
Comparison of total authorities and total net budgetary expenditures, Q3 2023–24 and Q3 2022–23
2023-24
2022-23
Total Authorities
$24.4
$29.8
Q2 Expenditures
$4.8
$4.7
Year-to-Date Expenditures
$12.8
$11.6
Significant changes to authorities
As at December 31, 2023, Parliament had approved $24.4 million in total authorities for use by NSIRA Secretariat for 2023–24 compared with $29.8 million as of December 31, 2022, for a net decrease of $5.3 million or 18% (see graph 2).
Graph 2: Variance in authorities as at December 31, 2023
Text version of Figure 2
Variance in authorities as at June 30, 2023 (in millions)
Fiscal year 2022-23 total available for use for the year ended March 31, 2023
Fiscal year 2023-24 total available for use for the year ended March 31, 2024
Vote 1 – Operating
28.1
22.6
Statutory
1.6
1.8
Total budgetary authorities
29.7
24.4
The decrease of $5.3 million in authorities is mostly explained by a gradual reduction in NSIRA Secretariat’s ongoing operating funding due to an ongoing construction project nearing completion.
Significant changes to quarter expenditures
The third quarter expenditures totalled $4.8 million for an increase of $0.1 million when compared with $4.7 million spent during the same period in 2022–2023. Table 1 presents budgetary expenditures by standard object.
Table 1
Variances in expenditures by standard object(in thousands of dollars)
Fiscal year 2023–24: expended during the quarter ended December 31, 2023
Fiscal year 2022–23: expended during the quarter ended December 31, 2022
Variance $
Variance %
Personnel
2,866
2,503
363
15%
Transportation and communications
110
82
28
34%
Information
1
4
(3)
(75%)
Professional and special services
486
1,271
(785)
(62%)
Rentals
78
83
(5)
(6%)
Repair and maintenance
1,161
685
476
69%
Utilities, materials and supplies
(1)
21
(22)
(105%)
Acquisition of machinery and equipment
83
2
81
4050%
Other subsidies and payment
(33)
17
(50)
(294%)
Total gross budgetary expenditures
4,751
4,668
83
2%
*Details may not sum to totals due to rounding*
Professional and special services
The decrease of $785,000 is due to the timing of invoicing for our Internal Support Services agreement.
Repair and maintenance
The increase of $476,000 is due to the timing of invoicing for an ongoing capital project.
Utilities, materials and supplies
The decrease of $22,000 is due to a temporarily unreconciled acquisition card suspense account.
Acquisition of machinery and equipment
The increase of $81,000 is due to the purchase of software licenses and the corresponding support and maintenance.
Other subsidies and payments
The decrease of $50,000 is explained by a prior year refund that was deposited to NSIRA’s account in error.
Significant changes to year-to-date expenditures
The year-to-date expenditures totalled $12.8 million for an increase of $1.2 million (11%) when compared with $11.6 million spent during the same period in 2022–23. Table 2 presents budgetary expenditures by standard object.
Table 2
Variances in expenditures by standard object(in thousands of dollars)
Fiscal year 2023–24: year-to-date expenditures as of December 31, 2023
Fiscal year 2022–23: year-to-date expenditures as of December 31, 2022
Variance $
Variance %
Personnel
8,766
7,751
1,015
13%
Transportation and communications
302
196
106
54%
Information
5
9
(4)
(44%)
Professional and special services
2,155
2,695
(540)
(20%)
Rentals
151
132
19
14%
Repair and maintenance
1,188
749
439
(59%)
Utilities, materials and supplies
56
49
7
14%
Acquisition of machinery and equipment
135
15
120
800%
Other subsidies and payment
89
18
71
394%
Total gross budgetary expenditures
12,847
11,614
1,233
11%
*Details may not sum to totals due to rounding*
Personnel
The increase of $1,015,000 relates to an increase in average salary, an increase in full time equivalent (FTE) positions, and back-pay from the new collective agreement for the EC and AS occupational groups.
Transportation and communications
The increase in $106,000 is due to the timing of the invoicing for our internet connections.
Professional and special services
The decrease of $540,000 is mainly explained by the conclusion of guard services contracts associated to a capital construction project and the timing of invoicing for internal support services.
Repair and maintenance
The increase of $439,000 is due to the timing of invoicing for an ongoing capital project.
Acquisition of machinery and equipment
The increase of $120,000 is mainly explained by the one-time purchase of a specialized laptop and licenses.
Other subsidies and payments
The increase of $71,000 is due to an increase in salary overpayments.
Risks and uncertainties
The NSIRA Secretariat has made progress on accessing the information required to conduct reviews; however, there continues to be risks associated with reviewees’ ability to respond to, and prioritize, information requests, hindering NSIRA’s ability to deliver its review plan in a timely way. The NSIRA Secretariat will continue to mitigate this risk by providing clear communication related to information requests, tracking their timely completion within communicated timelines, and escalating issues when appropriate.
There is a risk that the funding received to offset pay increases anticipated over the coming year will be insufficient to cover the costs of such increases and the year-over-year cost of services provided by other government departments/agencies is increasing significantly.
Mitigation measures for the risks outlined above have been identified and are factored into NSIRA Secretariat’s approach and timelines for the execution of its mandated activities
Significant changes in relation to operations, personnel and programs
There have been no changes to the NSIRA Secretariat Program.
Approved by senior officials:
John Davies Executive Director
Martyn Turcotte Director General, Corporate Services, Chief Financial Officer
Appendix
Statement of authorities (Unaudited)
(in thousands of dollars)
Fiscal year 2023–24
Fiscal year 2022–23
Total available for use for the year ending March 31, 2024 (note 1)
Used during the quarter ended December 31, 2023
Year to date used at quarter-end
Total available for use for the year ending March 31, 2023 (note 1)
Used during the quarter ended December 31, 2022
Year to date used at quarter-end
Vote 1 – Net operating expenditures
22,633
4,313
11,531
28.063
4,236
10,318
Budgetary statutory authorities
Contributions to employee benefit plans
1,755
438
1,316
1,728
432
1,296
Total budgetary authorities (note 2)
24,388
4,751
12,847
29,791
4,668
11,614
Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.
Note 2: Details may not sum to totals due to rounding.
Departmental budgetary expenditures by standard object (unaudited)
(in thousands of dollars)
Fiscal year 2023–24
Fiscal year 2022–23
Planned expenditures for the year ending March 31, 2024 (note 1)
Expended during the quarter ended December 31, 2023
Year to date used at quarter-end
Planned expenditures for the year ending March 31, 2023
Expended during the quarter ended December 31, 2022
Year to date used at quarter-end
Expenditures
Personnel
13,372
2,866
8,766
13,389
2,503
7,751
Transportation and communications
650
110
302
597
82
196
Information
371
1
5
372
4
9
Professional and special services
4,906
486
2,155
4,902
1,271
2,695
Rentals
271
78
151
271
83
132
Repair and maintenance
4,580
1,161
1,188
9,722
685
749
Utilities, materials and supplies
73
(1)
56
173
21
49
Acquisition of machinery and equipment
132
83
135
232
2
15
Other subsidies and payments
33
(33)
89
133
17
18
Total gross budgetary expenditures (note 2)
24,388
4,751
12,847
29,791
4,668
11,614
Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.
Note 2: Details may not sum to totals due to rounding.
NSIRA Recommendation 1: CSE should obtain additional legal advice on its internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate, explicitly in relation to compliance with the Privacy Act. which thoroughly addresses the following two issues:
Whether the internal sharing of information between the foreign intelligence and cybersecurity aspects of the mandate is a use or a disclosure of information for the purposes of the Privacy Act: and
Whether uses and disclosures a re done in accordance with sections 7 and 8 of the Privacy Act.
CSE Response: Disagree. CSE does not accept recommendation 1. CSE has already received comprehensive and clear legal advice on this matter from the Department of Justice and has relied on that advice in the conductof its activities (which NSIRA has found lawful).
NSIRA Recommendation 2: All foreign intelligence and cyber security applications from the Chief of CSE should appropriately inform the Minister of National Defence that retained information might be used to support a different aspect.
CSE Response:CSE has already implemented the recommended action. CSE notes that it had and continues to inform the Minister a bout the use of information for other aspects of its mandate. Applications for all foreign intelligence and cybersecurity Ministerial Authorizations in 2021-2022 included wording to clearly reflect that information collected under one aspect of CSE’s mandate could be used to support a different aspect.
In accordance with the Accessible Canada Act, I am pleased to table the National Security and Intelligence Review Agency’s (NSIRA) first progress report to its Accessibility Plan 2022 – 2025. This progress report describes the work that has been done to implement activities over the course of 2023.
As noted in our inaugural plan, accessibility is a work in progress. The Review Agency and the NSIRA Secretariat have made advances on several fronts, however there is more work to be done. Despite the best of intentions, it is apparent that some of the timelines were optimistic given the organization’s small size and the need to wait for work to be completed by other departments or agencies.
Most of the activities identified for completion in the first year were focused on increasing awareness and improving accessibility for the workforce and in the workplace. Consequently, for this first progress report consultations were limited to engaging with members of the NSIRA Secretariat’s workforce who offered their insights as persons with disabilities. The information provided by employees reinforced the importance of seeking input from persons with disabilities to identify and resolve barriers.
Through the combined efforts of growing internal capacity and new service level agreements with other public service organizations, NSIRA hopes to be better positioned to address areas that fell behind in 2023. We are optimistic that the coming year will provide an opportunity to double down on efforts to ensure that accessibility is integrated in an effective and sustainable manner in all aspects of the Review Agency’s and the NSIRA Secretariat’s work.
John Davies
Executive Director, NSIRA Secretariat
General
The Executive Director of the NSIRA Secretariat, who is the deputy head and employer, leads the Secretariat that supports the Review Agency in the fulfillment of its mandate under the National Security and Intelligence Review Agency Act. The Secretariat is responsible for monitoring feedback to evaluate progress and to determine its future accessibility plans.
In compliance with the requirements of the Accessible Canada Act (“ACA”) and the Accessible Canada Regulations, this progress report is available on NSIRA’s website, which is used to communicate with the public.
To request a copy of this report, the accessibility plan, or a description of the feedback process in an alternate format or to provide feedback about NSIRA’s progress report, the accessibility plan and any barriers encountered in dealing with NSIRA, please contact the undersigned by mail, telephone, or email.
Chief of Staff, Executive Director’s Office National Security and Intelligence Review Agency Secretariat P.O. Box 2430, Station “B” Ottawa, Ontario, K1P 5W5
The National Security and Intelligence Review Agency published its Accessibility Plan 2022 – 2025 in December 2022. This first progress report describes the work that has been done to implement activities between January 1 and December 31, 2023.
The Accessibility Plan 2022 – 2025 set out three priority areas to improve accessibility:
Increasing staff awareness about accessibility and the barriers that limit access for Canadians with disabilities.
Ensuring Canadians have access to NSIRA’s publications and services.
Continuing to advance a culture of respect and inclusion by integrating accessibility in all aspects of the organization’s work.
Through the efforts of the Senior Advisor, Wellness Initiatives, the NSIRA Secretariat can monitor progress, identify areas for improvement, and ensure overall coherence across the activities outlined in the accessibility plan.
Progress with respect to the priority areas and the accessibility plan is set out on the following pages. It is organized according to the seven key areas outlined in the Accessible Canada Act namely: employment; built environment; information and communication technologies (ICT); communication other than ICT; procurement of goods, services, and facilities; design and delivery of programs and services; and transportation.
The Review Agency and the NSIRA Secretariat were able to make advances on several fronts, however delays in staffing, stringent security requirements, and the organization’s small size meant activities did not progress as quickly as initially anticipated. The NSIRA Secretariat does not have ultimate control over certain fundamental aspects related to the built environment, technology, or security and must, therefore, adjust its pace to align with the direction given by the responsible policy centres.
Progress vis-à-vis accessibility plan
Employment
While developing the accessibility plan, the NSIRA Secretariat identified gaps with respect to employment. There was no written accommodation process for persons with disabilities employed in the NSIRA Secretariat. Furthermore, there was limited information available about accessibility requirements, resources, and information.
Status: On track
The NSIRA Secretariat was able to make advances in relation to many of the priorities with respect to employment. The Manager, Human Resources Services was joined by the Senior Advisor, Wellness Initiatives, midway through the year. Together they worked on 14 specific cases in 2023 to ensure that employees received the accommodations they requested to enable them to participate fully in all aspects of their work experience. Additionally, the following progress was made:
Duty to accommodate training was developed and delivered to all human resources staff and managers in February 2023.
Work is underway to make available a series of “how to” guides and a calendar of events for HR advisors, managers, and employees early in 2024.
The NSIRA Secretariat launched a new SelfID questionnaire in 2023, which was completed by all term and indeterminate employees. The data shows that the representation of persons with disabilities currently stands at 19.5%.
Performance measures and indicators relative to employment are under development, which will enable the NSIRA Secretariat to review selection practices to identify and prevent or mitigate barriers.
All recruitment and staffing material and communications with candidates at all stages of hiring processes include information about accommodations and accessibility. For example, invitations to interviews or to written exams clearly indicate that accommodations are available upon request.
A new feedback questionnaire was developed and launched in November 2023, to systematically seek feedback from candidates about the effectiveness of accommodation measures in selection processes.
A second feedback questionnaire was developed and launched in October 2023 to seek feedback from NSIRA Secretariat employees about barriers, gaps, appropriateness, and timeliness of workplace accommodations. (See the section entitled “Feedback” for more information.)
Employees and managers received training on the Government of Canada Workplace Accessibility Passport (GCWAP) in February and May 2023. Managers and employees are routinely encouraged to use GCWAP.
The Senior Advisor, Wellness Initiatives, introduced a standard operating practice to consult with other organizations to increase awareness of accessibility and to develop accommodation strategies for NSIRA Secretariat employees. Additionally, the Senior Advisor coordinates with the Communication Security Establishment (CSE), Privy Council Office (PCO), RCMP, and ergonomic firms as needed to develop individualized approaches.
Electronics must undergo specialized screening before they can be brought into the workplace. This type of security screening falls outside the control of the NSIRA Secretariat, which has requested expedited screening of electronics intended as an accommodation measure. The NSIRA Secretariat has set up a small inventory of screened equipment to further accelerate the process.
A new workshop entitled Accommodations at NSIRA was developed and delivered in May 2023. It will continue to be offered at least annually during National Accessibility Week. Accessibility awareness is routinely discussed at various occupational health and safety committee meetings.
Accessibility awareness and accommodation measures are now featured in training offered to HR staff and managers, as well as new employee orientation and on-boarding. Every letter of offer includes a point of contact with whom employees may confidentially discuss their accommodation needs.
Built Environment
The accessibility plan reported barriers in the built environment including heavy doors without automatic door openers; airlocks between doors; tripping hazards; narrow corridors; lack of accessible signage; restrictions with respect to assistive devices and job aids; an emergency alert system that flashes lights but does not emit an audible alarm; lack of control over lighting or temperature within the office space; and an outdated building emergency evacuation plan. Some of the barriers were tied to requirements of the Treasury Board Policy on Government Security and other policies that apply to the NSIRA Secretariat, but for which it is not the author.
Status: Ongoing
The NSIRA Secretariat made some inroads incorporating accessibility requirements into the built environment, but progress was slow. Delays can be attributed to two main reasons. First, NSIRA’s built environment is subject to standards established by Public Services and Procurement Canada (PSPC) and the CSE. Second, there was a lot of staff movement, which was compounded by delays in staffing. The following provides additional detail about progress in respect of the built environment:
The NSIRA Secretariat identified the need for updated standards to PSPC and CSE and will continue to emphasize the importance of accessibility assessments in the built environment in its ongoing discussions with PSPC and CSE.
Efforts to develop an action plan to remove and/or mitigate barriers, such as text to voice platforms, audible and visual alerts, signage, etc., have advanced slowly because of delays staffing.
In partnership with CSE and PCO, work is underway to develop and document a process to procure and enable the use of medical/assistive devices and adaptive technology in the workplace. This work is being done in consultation with the Senior Advisor, Wellness Initiatives.
Alternate arrangements were established on a case-by-case basis to address accessibility issues prior to individuals attending a site or office. This involved working in partnership with managers and corporate services. Delays in staffing may affect the extent to which alternative arrangements are delivered on a consistent and timely basis.
The NSIRA Secretariat created a process to identify employees who need assistance in a building emergency and evacuation, which was deployed for a drill in the fall 2023. The NSIRA Secretariat is continuing to work with the building senior managers of the Courts Administration Service and the Department of Natural Resources Canada, who are responsible for establishing the Building Emergency Procedures at NSIRA’s two worksites.
The security component of new employee on-boarding has been reviewed to identify barriers or gaps for persons with disabilities. Revisions are underway and the updated content will be launched early in 2024.
Information and Communication Technologies
The accessibility plan identified barriers with respect to information and communication technologies (ICT), notably that neither the intranet website, nor the internet website were fully accessible. Documents on both websites were not designed with accessibility in mind. Individuals bringing a complaint did not have the option to bring a complaint through any means other than by completing a templated form and persons with a hearing impairment had limited options for engaging with the Registrar.
Status: Ongoing
The NSIRA Secretariat’s Information Management (IM) and Information Technology (IT) team had several important priorities to tackle in 2023, one of which was a well-functioning internet website that adheres to accessibility standards and is compliant to Web Content Accessibility Guidelines (WCAG). This was accomplished in November 2023. The IM and IT team is understaffed and therefore has not been able to undertake all the activities identified in the accessibility plan. The team has still made some small progress in the following areas:
Work planning to review and modify accessibility of previously published documents, including fillable forms to ensure they are WCAG 2.0 compliant has been initiated and will continue.
Preliminary and informal discussions have been initiated drawing on the experiences of NSIRA’s existing workforce to better understand the types of barriers encountered as persons with disabilities and the challenges associated with accommodating their needs.
The NSIRA IT providers are the PCO and the CSE and both deliver their IT services with their own service model. There is a Memorandum of Understanding (MOU) between the CSE and the NSIRA as well as a MOU between the PCO and the NSIRA for the respective IT services. The NSIRA relies on these two different IT providers, which own their respective IT network and which the NSIRA Secretariat uses to communicate and collaborate; these IT providers control, monitor, manage and maintain the IT equipment on their respective networks. The NSIRA has no control over the hardware or the software that can be used on any of the networks to which it has access. Both service models are perceived not to be designed to be flexible and adaptable to meet the specific accessibility requirements of the NSIRA. In this context, the NSIRA Secretariat has already informally engaged these two partners to address accessibility in the interim. The NSIRA Secretariat will formally engage both partners to discuss tangible and sustainable solutions or means regarding accessibility in IT service delivery going forward.
Training for all staff about creating accessible documents and using other accessibility features available through ICT has been delayed due to a lack of resources. The Corporate Services team will inform NSIRA Secretariat employees early in the new year about training, information sessions, and online tools offered by other Government of Canada departments.
The NSIRA Secretariat’s Webmaster completed some training in which some concepts of WCAG 2.1 were taught. Training for other employees who draft reports, publications, and other publicly available material will begin in the second year of the Accessibility Plan 2022–2025. In the interim, the Webmaster will continue to ensure that material posted online is WCAG 2.0 compliant.
The work to incorporate digital tools to enhance accessibility with respect to the complaints process is delayed. As opposed to simply adapting existing forms, the NSIRA Secretariat has determined that a new complaints portal must be developed. Accessibility will be incorporated into the design and development of the new portal.
Communication other than ICT
The accessibility plan aimed to address several barriers with respect to communication for staff and members of the public including the absence of a process to provide alternate formats and communication support upon request. Other barriers included technical or sector-specific language in public facing documents and reports, as well as lack of guidance or established procedures for use of closed captioning, sign language interpretation, or TTY for persons with a hearing disability.
Status: Ongoing
In 2023 the NSIRA Secretariat engaged the services of a communications expert, a partner of the Five Eyes Intelligence Oversight and Review Council (FIORC), to develop a new communication strategy, which reviewed internal and external communications, as well as stakeholder engagement practices. The strategy identified key priorities for improving NSIRA’s output, engagement, and reputation, including recommendations for a new public-facing website. The NSIRA Secretariat is in the process of recruiting a Communications Manager, whose responsibilities will include implementing the communication strategy and leading on the communications activities identified in the Accessibility Plan 2022 – 2025. Progress was achieved on the following in 2023:
The NSIRA Secretariat’s Review Report Style Guide ensures that all review reports are written in accordance with accessibility guidelines published by Employment and Social Development Canada.
The Review Report Style Guide is an evergreen document. Additional changes are underway, which will be more explicit about what to include/consider from an accessibility perspective.
The NSIRA reports published in 2023 were available in HTML and PDF and included alt text for all graphics and images. Alt text was also included for posts on X (formerly known as Twitter).
Procurement of Goods, Services and Facilities
Although no barriers were identified with respect to the procurement of goods, services and facilities, the accessibility plan nevertheless noted that improvements could be made to ensure “accessibility by design” in procurement practices.
Status: Delayed
Due to a lack of staff, the NSIRA Secretariat was unable to carry out its planned activities for incorporating accessibility by design in its procurement practices. The NSIRA Secretariat recently negotiated a service level agreement with another public service organization and will explore integrating accessibility into the services offered in the new year.
Design and Delivery of Programs and Services
An important part of NSIRA’s mandate is to investigate complaints related to activities carried out by the Canadian Security Intelligence Service and the CSE, as well as complaints related to the denial or revocation of security clearances, and other matters under its purview. Ensuring that Canadians with disabilities can participate in these processes is integral to the investigations, however the Rules of Procedure do not provide accessibility options to accommodate the needs of persons with disabilities, while also complying with the necessary security requirements.
Status: Ongoing
As the work began to address the barriers identified with respect to NSIRA’s investigative function, it became clear that accessibility is contingent primarily on the built environment. The accessibility plan reported barriers such as heavy doors without automatic door openers. This includes the hearing room where investigative proceedings are held. Tripping hazards and restrictions with respect to assistive devices were also noted, among other concerns.
Similarly, progress around programs and services is inextricably linked to the barriers with respect to information and communication technologies. For the complaint investigation process, this included the internet website, which was not fully accessible, and limited options for persons with a hearing impairment to engage with the Registrar.
The new internet website includes a more user-friendly interface that meets WCAG standards. Complainants can more easily navigate to the information and forms they need to bring a complaint. The complaint forms themselves have been redesigned to be more accessible. Additionally, the following activities are underway:
A new section of the Rules of Procedure is being drafted to reflect the Review Agency’s commitment to ensuring accessibility. Progress is significantly dependent on the NSIRA Secretariat’s progress in incorporating accessibility requirements into the built environment.
In addition, the amendments to the Rules of Procedure will reflect an investigation participant’s ability to access alternate arrangements on a case-by-case basis to address their accessibility needs prior to their attendance on the premises for investigative proceedings.
The Rules of Procedure will also provide that the Registrar is to be notified of barriers and/or accessibility requirements for the Review Agency to accommodate those needs.
Finally, the Rules will provide that an individual wishing to bring a complaint must be provided procedural assistance by the Registrar in the event assistance is needed to address any barriers. This will enable access to persons with a variety of disabilities, including an individual with a cognitive disability who may require assistance articulating their complaint or allegations.
Transportation
The NSIRA Secretariat did not identify any barriers or develop an action plan with respect to this element.
Status: On track
Although specific actions were not identified, it is worth noting that NSIRA’s offices are in Ottawa, where employees and members of the public may use various modes of transportation to reach the work sites. Accessible transportation services are provided by OC Transpo in Ottawa and by the Société de Transport de l’Outaouais in Gatineau. Individuals who use their personal vehicles may park in designated spots available at nearby lots. Information is provided to new hires about designated parking spaces.
Consultations
The Accessible Canada Act requires consultations with persons with disabilities in preparing progress reports. The activities outlined in the accessibility plan for completion or launch in the first year aimed to improve accessibility for the workforce and in the workplace. This, combined with NSIRA’s specific mandate, greatly influenced the focus of consultations for this first progress report.
Thanks to the introduction of a self-identification (SelfID) questionnaire, employees who identified as a person with a disability were specifically invited to provide insight into barriers in the workplace and how to resolve, remove or mitigate them. Additionally, all staff were offered an opportunity to participate in the consultation process whether they had self-identified as a person with a disability or not. In this manner the NSIRA Secretariat benefited from a range of perspectives and first-hand experiences about barriers and the actions needed to become a more inclusive and accessible organization.
Feedback
Feedback from the NSIRA Secretariat’s employees included suggestions to improve security scanning of assistive devices and other required technology. Suggestions were also made with respect to knowledge transfer among staff responsible for facilities (i.e., the built environment) to ensure a smooth transition and avoid potential delays for employees who await assistive or adaptive devices or equipment.
Other employees identified barriers with respect to wheelchair accessibility at one location, which had not been previously noted. Concerns also included the height of some equipment, which was out of reach for a person using a wheelchair.
Since the pandemic, meetings often include employees working on-site and from home. The feedback from employees revealed that the sound system does not pick up voices consistently from all areas of the boardrooms. Consequently, parts of presentations or discussions in the boardroom are not being captured and employees participating from home cannot hear what is being said. It was therefore recommended that this be addressed in the context of the built environment.
No feedback was received from members of the public about the accessibility plan during the year under review. The NSIRA Secretariat will continue to welcome feedback in the coming year.
This quarterly report has been prepared by management as required by section 65.1 of the Financial Administration Act and in the form and manner prescribed by the Directive on Accounting Standards, GC 4400 Departmental Quarterly Financial Report. This quarterly financial report should be read in conjunction with the 2023–24 Main Estimates.
This quarterly report has not been subject to an external audit or review.
Mandate
The National Security and Intelligence Review Agency (NSIRA) is an independent external review body that reports to Parliament. Established in July 2019, NSIRA is responsible for conducting reviews of the Government of Canada’s national security and intelligence activities to ensure that they are lawful, reasonable and necessary. NSIRA also hears public complaints regarding key national security agencies and their activities.
This quarterly report has been prepared by management using an expenditure basis of accounting. The accompanying Statement of Authorities includes the agency’s spending authorities granted by Parliament and those used by the agency, consistent with the 2023–24 Main Estimates. This quarterly report has been prepared using a special-purpose financial reporting framework (cash basis) designed to meet financial information needs with respect to the use of spending authorities.
The authority of Parliament is required before money can be spent by the government. Approvals are given in the form of annually approved limits through appropriation acts or through legislation in the form of statutory spending authorities for specific purposes.
Highlights of the fiscal quarter and fiscal year-to-date results
This section highlights the significant items that contributed to the net increase or decrease in authorities available for the year and actual expenditures for the quarter ended September 30, 2023.
NSIRA Secretariat spent approximately 33% of its authorities by the end of the second quarter, compared with 23% in the same quarter of 2022–23 (see graph 1).
Graph 1: Comparison of total authorities and total net budgetary expenditures, Q2 2023–24 and Q2 2022–23
Text version of Figure 1
Comparison of total authorities and total net budgetary expenditures, Q2 2023–24 and Q2 2022–23
2023-24
2022-23
Total Authorities
$24.3
$29.7
Q2 Expenditures
$3.8
$3.6
Year-to-Date Expenditures
$8.1
$6.9
Significant changes to authorities
As at September 30, 2023, Parliament had approved $24.3 million in total authorities for use by NSIRA Secretariat for 2023–24 compared with $29.7 million as of September 30th, 2022, for a net decrease of $5.4 million or 18.2% (see graph 2).
Graph 2: Variance in authorities as at September 30, 2023
Text version of Figure 2
Variance in authorities as at June 30, 2023 (in millions)
Fiscal year 2022-23 total available for use for the year ended March 31, 2023
Fiscal year 2023-24 total available for use for the year ended March 31, 2024
Vote 1 – Operating
28.0
22.6
Statutory
1.7
1.7
Total budgetary authorities
29.7
24.3
*Details may not sum to totals due to rounding*
The decrease of $5.4 million in authorities is mostly explained by a gradual reduction in NSIRA Secretariat’s ongoing operating funding due to an ongoing construction project nearing completion.
Significant changes to quarter expenditures
The second quarter expenditures totalled $3.8 million for an increase of $0.2 million when compared with $3.6 million spent during the same period in 2022–2023. Table 1 presents budgetary expenditures by standard object.
Table 1
Variances in expenditures by standard object(in thousands of dollars)
Fiscal year 2023–24: expended during the quarter ended September 30, 2023
Fiscal year 2022–23: expended during the quarter ended September 30, 2022
Variance $
Variance %
Personnel
3,014
2,903
111
4%
Transportation and communications
62
70
(8)
(11%)
Information
4
0
4
100%
Professional and special services
504
578
(74)
(13%)
Rentals
25
39
(14)
(36%)
Repair and maintenance
3
33
(30)
(91%)
Utilities, materials and supplies
50
12
38
317%
Acquisition of machinery and equipment
4
4
0
0%
Other subsidies and payment
118
3
115
3833%
Total gross budgetary expenditures
3,784
3,642
142
4%
Repair and maintenance
The decrease of $30,000 is due to the timing of invoicing for an ongoing capital project.
Utilities, materials and supplies
The increase of $38,000 is due to a temporarily unreconciled suspense account.
Other subsidies and payments
The increase of $115,000 is explained by an increase in payroll system overpayments which were subsequently resolved.
Significant changes to year-to-date expenditures
The year-to-date expenditures totalled $8.1 million for an increase of $1.1 million (17%) when compared with $6.9 million spent during the same period in 2022–23. Table 2 presents budgetary expenditures by standard object.
Table 2
Variances in expenditures by standard object(in thousands of dollars)
Fiscal year 2023–24: year-to-date expenditures as of September 30, 2023
Fiscal year 2022–23: year-to-date expenditures as of September 30, 2022
Variance $
Variance %
Personnel
5,900
5,248
652
12%
Transportation and communications
192
114
78
68%
Information
4
5
(1)
(20%)
Professional and special services
1,669
1,424
245
17%
Rentals
73
49
24
49%
Repair and maintenance
27
64
(37)
(58%)
Utilities, materials and supplies
57
28
29
104%
Acquisition of machinery and equipment
52
13
39
300%
Other subsidies and payment
122
1
121
12100%
Total gross budgetary expenditures
8,096
6,946
1,150
17%
Personnel
The increase of $652,000 relates to an increase in average salary and an increase in full time equivalent (FTE) positions.
Transportation and communications
The increase of $78,000 is due to the timing of invoicing for the organization’s internet connections.
Professional and special services
The increase of $245,000 is explained by an increase in IT support costs and guard services associated to a capital construction project.
Repair and maintenance
The decrease of $37,000 is due to the timing of invoicing for an ongoing capital project.
Utilities, materials and supplies
The increase of $29,000 is due to a temporarily unreconciled suspense account.
Acquisition of machinery and equipment
The increase of $39,000 is mainly explained by the one-time purchase of a specialized laptop.
Other subsidies and payments
The increase of $121,000 is explained by an increase in payroll system overpayments which were subsequently resolved.
Risks and uncertainties
The Secretariat assisted NSIRA in its work with the departments and agencies subjected to reviews to ensure a timely and unfettered access to all the information necessary for the conduct of reviews. While work remains to be done on this front, we acknowledge the improvements in cooperation and support to the independent review process demonstrated by some reviewees.
There is a risk that the funding received to offset pay increases anticipated over the coming year will be insufficient to cover the costs of such increases and the year-over-year cost of services provided by other government departments/agencies is increasing significantly.
NSIRA Secretariat is closely monitoring pay transactions to identify and address over and under payments in a timely manner and continues to apply ongoing mitigating controls.
Mitigation measures for the risks outlined above have been identified and are factored into NSIRA Secretariat’s approach and timelines for the execution of its mandated activities.
Significant changes in relation to operations, personnel and programs
There have been two new Governor-in-Council appointments during the Second quarter, Ms. Colleen Swords and Mr. Jim Chu.
There have been no changes to the NSIRA Secretariat Program.
Approved by senior officials:
John Davies Deputy Head
Marc-André Cloutier Director General, Corporate Services, Chief Financial Officer
Appendix
Statement of authorities (Unaudited)
(in thousands of dollars)
Fiscal year 2023–24
Fiscal year 2022–23
Total available for use for the year ending March 31, 2024 (note 1)
Used during the quarter ended September 30, 2023
Year to date used at quarter-end
Total available for use for the year ending March 31, 2023 (note 1)
Used during the quarter ended September 30, 2022
Year to date used at quarter-end
Vote 1 – Net operating expenditures
22,564
3,345
7,218
27,931
3,210
6,082
Budgetary statutory authorities
Contributions to employee benefit plans
1,755
439
878
1,728
432
864
Total budgetary authorities (note 2)
24,319
3,784
8,096
29,659
3,642
6,946
Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.
Note 2: Details may not sum to totals due to rounding.
Departmental budgetary expenditures by standard object (unaudited)
(in thousands of dollars)
Fiscal year 2023–24
Fiscal year 2022–23
Planned expenditures for the year ending March 31, 2024 (note 1)
Expended during the quarter ended September 30, 2023
Year to date used at quarter-end
Planned expenditures for the year ending March 31, 2023
Expended during the quarter ended September 30, 2022
Year to date used at quarter-end
Expenditures
Personnel
13,303
3,014
5,900
13,245
2,903
5,248
Transportation and communications
650
62
192
597
70
114
Information
371
4
4
372
0
5
Professional and special services
4,906
504
1,669
4,914
578
1,424
Rentals
271
25
73
271
39
49
Repair and maintenance
4,580
24
27
9,722
33
64
Utilities, materials and supplies
73
50
57
173
12
28
Acquisition of machinery and equipment
132
4
52
232
4
13
Other subsidies and payments
33
118
122
133
3
1
Total gross budgetary expenditures
(note 2)
24,319
3,784
8,096
29,659
3,642
6,946
Note 1: Includes only authorities available for use and granted by Parliament as at quarter-end.
Note 2: Details may not sum to totals due to rounding.
I am pleased to present the National Security and Intelligence Review Agency (NSIRA) Secretariat’s Departmental Results Report for 2022-23. Throughout the reporting period, the Secretariat has continued to execute its mission to support NSIRA in its focus on conducting highquality, impactful reviews and fair and efficient complaint investigations. We also worked to expand our capacity and expertise across all business lines, building on the work of previous years.
In 2022-23, NSIRA’s review work continued to expand to new areas within Canada’s national security and intelligence community and NSIRA continued to collaborate and de-conflict with like-minded accountability bodies in Canada with similar mandates. NSIRA’s work on complaint investigations was extensive and included the completion of a significant volume of referrals from the Canadian Human Rights Commission. The NSIRA Secretariat was an integral part of all of these developments which required us to remain agile, diverse and to explore all avenues of our productivity in the support of NSIRA.
Internally, we undertook a number of ambitious initiatives related to training and development, with a focus on attracting and retaining highly professional staff and offering career progression options. We continued to refine our business processes to enhance the quality of our output and strengthened our relationship with our various domestic and international counterparts to exchange on best practices in the field of national security and intelligence accountability.
I would like to thank all NSIRA Secretariat staff for their continued dedication to fulfilling our important mandate, and for ensuring that our work is held to the highest standards.
John Davies Executive Director National Security and Intelligence Review Agency
Results at a glance
In 2022-23, the National Security and Intelligence Review Agency (NSIRA) Secretariat continued to execute its mandate of assisting NSIRA in its Reviews and Investigations with the goal of improving national security and intelligence accountability and transparency in Canada. This related not only to the activities of the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), but also other federal departments and agencies engaged in such activities, including:
the Department of National Defence (DND) and the Canadian Armed Forces (CAF);
the Canada Border Services Agency (CBSA); and,
all departments and agencies engaging in national security and intelligence activities in the context of NSIRA’s yearly reviews of the Security of Canada Information Disclosure Act and the Avoiding Complicity in Mistreatment by Foreign Entities Act.
The NSIRA Secretariat’s total spending in 2022-23 amounted to $18,289,147 and its total actual full-time equivalents were 78.
Review
NSIRA’s review of national security and intelligence activities undertaken by Government of Canada institutions ensures that ministers and Canadians are informed about whether these activities were lawful, reasonable and necessary.
During 2022–23, the Secretariat assisted NSIRA in completing 7 reviews, including reviews of activities that were never previously subject to independent scrutiny. We also refined our methodology, emphasizing a stronger role for NSIRA Members in working with staff to shape reviews throughout their lifecycle.
Complaint investigations
In 2022-23 the Secretariat assisted NSIRA in the continuation of maturation and modernization of the processes underpinning the fulfillment of its investigation mandate. The jurisdiction assessment phase was regularized, incorporating a verification protocol for the three agencies for which NSIRA has complaints jurisdiction. The administration and conduct of the investigative process has increased emphasis on investigative interviews in order to enhance the relevance of the process for complainants.
COVID-19 remained a lingering feature of the investigative landscape in the first half of the year which caused continued constraints with respect to the progress of investigations, requiring inperson meetings in compliance with security protocols. The new processes reduced delays in the conduct of investigations. It is anticipated that this will continue on a forward basis as we emerge from the pandemic.
The level of investigation activities last year remained high and included the completion of a significant referral from the Canadian Human Rights Commission (CHRC). A number of initiatives were commenced relating to data management and service standards which are expected to enhance file management in the coming year.
For more information, see the “Results: what we achieved” section of this report.
Results: what we achieved
Core responsibility
Assisting NSIRA in National Security and Intelligence Reviews and Complaints Investigations
Description:
The National Security and Intelligence Review Agency reviews Government of Canada national security and intelligence activities to assess whether they are lawful, reasonable and necessary. It investigates complaints from members of the public regarding activities of CSIS, CSE or the national security activities of the RCMP, as well as certain other national security-related complaints. This independent scrutiny contributes to the strengthening of the framework of accountability for national security and intelligence activities undertaken by Government of Canada institutions and supports public confidence in this regard. The NSIRA Secretariat’s function is to assist NSIRA in the conduct of this important work.
Results:
The NSIRA Secretariat assisted NSIRA in the completion of 7 national security and intelligence reviews over the course of 2022–23. Five reviews focused mainly on an individual department or agency, while two reviews were interdepartmental by design. Organizations whose activities were the subject of specific reviews included:
Canadian Security Intelligence Service — one review
Communications Security Establishment — two reviews
Department of National Defence and the Canadian Armed Forces — one review
Canada Border Services Agency – one review
The two interdepartmental reviews by design were:
The annual review of disclosures under the Security of Canada Information Disclosure Act (SCIDA)
The annual review of the implementation of directions issued under the Avoiding Complicity in Mistreatment by Foreign Entities Act (ACA)
During the reporting period, the Secretariat continued to refine its processes and methodology to assist the NSIRA review mandate, with the goal of promoting high-quality, impactful reviews.
NSIRA Members worked closely with Secretariat staff in designing and executing individual reviews. The Secretariat supported NSIRA in the development and implementation of a “Considerations Matrix” which uses objective criteria to identify review topics in accordance with NSIRA’s core mandate and mission. In addition, the Secretariat implemented an updated process at the staff level for its Quality Assurance of review work, incorporating peer review at key stages.
NSIRA continued to place emphasis on the review of the use of technology by reviewed entities. The Secretariat’s Technology Directorate supported NSIRA’s ongoing first technology-focused review of the lifecycle of CSIS information collected by technical capabilities pursuant to a Federal Court warrant.
Investigation of national security and intelligence–related complaints
During the past year, the Secretariat continued to assist NSIRA efforts in reforming the investigative process for complaints and developing procedures and practices to ensure that the conduct of investigations is fair, timely and transparent. This included work on a streamlined jurisdictional assessment phase and increased use of investigative interviews as the principal means of fact finding. These developments enabled the Secretariat to successfully assist NSIRA in dealing with a significant volume of complaints over this reporting period.
During 2022-23, under instructions from NSIRA leadership, the Secretariat began developing service standards related to the investigation of complaints. The service standards will set internal time limits for certain investigative steps for each type of complaint, under normal circumstances. The service standards will specify the circumstances under which those time limits do not apply. The Secretariat will finalize and publish its service standards in 2023.
The Secretariat assisted NSIRA in completing sixty-seven complaint investigations during the 2022-23 reporting period, which included 58 referrals from the CHRC and 9 other complaints. Additionally, the Secretariat began the last phase of a study on race-based data and the collection of demographic information jointly commissioned with the Civilian Review and Complaints Commission for the RCMP (CRCC). The study will assess the viability of the collection of identity-based and demographic data as part of the CRCC’s ongoing anti-racism initiatives. Improved, more precise and more consistent tracking, collection and measurement of data is necessary to support anti-racism efforts in government.
Gender-based analysis plus
In 2022–23, the NSIRA Secretariat’s Diversity, Inclusion and Employment Equity Advisory Committee examined and provided recommendations to senior management on ways it can improve its internal policies, programs and procedures, as well as its external service delivery model to increase inclusion, diversity and equity.
We continue to work closely with partners to develop strategies for the collection, analysis and use of race-based and demographic data in the context of the complaints process. Improving awareness and understanding of NSIRA’s investigation process remains a core objective to ensure justice is accessible to all.
The potential for national security and intelligence activities to result in disparate outcomes for minority groups is taken into account when the Secretariat assists NSIRA to plan and conduct its reviews. Diversity is one of the elements on NSIRA’s Review Considerations Matrix, which uses objective criteria to identify review topics in accordance with NSIRA’s core mandate and mission. While NSIRA’s reviews are focused on the compliance, reasonableness, necessity and efficacy of activities, particular consideration is given to the impacts of these activities on diverse communities.
In 2022-23, the NSIRA Secretariat worked to establish a framework for the collection of employee self-identification data, in order to understand the makeup of its workforce and how it compares with the broader Canadian population. Understanding where there are gaps in representation of equity-deserving groups will help to determine where changes are needed to correct historical disadvantages and achieve equality in the workplace. This initiative will be implemented in 2023-24.
The NSIRA Secretariat also published its first accessibility plan in accordance with the Accessible Canada Act: National Security and Intelligence Review Agency Accessibility Plan 2022 – 2025. The plan was developed further to both internal and external consultations which included individuals whose lived experience as persons with a disability provided invaluable insight into barriers, potential gaps, and important considerations with respect to mitigation strategies. This inaugural plan outlines the steps that will be taken to increase accessibility within the organization and for Canadians more generally over the next three years.
Innovation
Given the Secretariat’s mandate to assist NSIRA’s functions and responsibilities, the Secretariat did not engage in any program-related innovation activities.
Key risks
During the reporting period, the Secretariat assisted NSIRA in its work with the departments and agencies subject to review, to ensure timely and unfettered access to all the information necessary for the conduct of reviews. While work remains to be done on this front, we acknowledge the improvements in cooperation and support to the independent review process demonstrated by some reviewees. Secretariat staff generally increased its level of occupancy within the departments’ offices and its access to information systems.
Physical distancing precautions established by the COVID-19 pandemic were, for the most part, lifted in 2022–23. However, the Secretariat remains ready to implement such measures if they are deemed necessary in the future. We see investments made in virtual meeting technology as beneficial for the organization as they have allowed us to gain flexibility.
Results achieved
The following table shows, for the assistance in completing National Security and Intelligence Reviews and Complaints Investigations, the results achieved, the performance indicators, the targets and the target dates for 2022–23, and the actual results for the three most recent fiscal years for which actual results are available.
Departmental results
Performance indicators
Target
Date to achieve target
2020-21 actual results
2021-22 actual results
2022-23 actual results
Ministers and Canadians are informed whether national security and intelligence activities undertaken by Government of Canada institutions are lawful, reasonable and necessary
All mandatory reviews are completed on an annual basis
100% completion of mandatory reviews
2021-22
Not applicable (N/A)
100%
100%
Reviews of national security or intelligence activities of at least five departments or agencies are conducted each year
At least one national security or intelligence activity is reviewed in at least five departments or agencies annually
2021-22
N/A
100%
100%
All Member-approved high priority national security or intelligence activities are reviewed over a three- year period
100% completion over three years; at least 33% completed each year
2021-22
N/A
33%
33%
National security-related complaints are independently investigated in a timely manner
Percentage of investigations completed within NSIRA service standards
90%
2022-23
N/A
N/A
Note: The NSIRA Secretariat was created on July 12, 2019. Actual results for 2020–21 are not available because the new Departmental Results Framework in the changeover from the Security Intelligence Review Committee to the NSIRA Secretariat was being developed. This new framework is for measuring and reporting on results achieved starting in 2021–22. In 2022–23, the Secretariat will finalize the development of service standards for how long it takes to complete its investigations; the results will be included in the next Departmental Results Report.
Financial, human resources and performance information for NSIRA’s Program Inventory is available in GC InfoBase.
Budgetary financial resources (dollars)
The following table shows, for internal services, budgetary spending for 2022–23, as well as actual spending for that year.
2022–23 Main Estimates
2022–23 Planned spending
2022–23 Total authorities available for use
2022–23 Actual spending (authorities used)
2022–23 Difference (Actual spending minus Planned spending)
$10,756,818
$10,756,818
$11,541,004
$7,756,271
$(3,000,547)
Financial, human resources and performance information for NSIRA Secretariat’s Program Inventory is available in GC InfoBase.
Human resources (full-time equivalents)
The following table shows, in full-time equivalents, the human resources the NSIRA Secretariat’s needed to fulfill this core responsibility for 2022–23.
2022–23 Planned full-time equivalents
2022–23 Actual full-time equivalents
2022–23 Difference (Actual full-time equivalents minus Planned full-time equivalents)
69
53
(16)
Financial, human resources and performance information for NSIRA Secretariat’s Program Inventory is available in GC InfoBase.
Internal Services
Description
Internal services are those groups of related activities and resources that the federal government considers to be services in support of programs and/or required to meet corporate obligations of an organization. Internal services refers to the activities and resources of the 10 distinct service categories that support program delivery in the organization, regardless of the internal services delivery model in a department. The 10 service categories are:
Acquisition Management Services
Communication Services
Financial Management Services
Human Resources Management Services
Information Management Services
Information Technology Services
Legal Services
Material Management Services
Management and Oversight Services
Real Property Management Services
Results
During the reporting period, the NSIRA Secretariat continued to take steps to ensure resources were deployed in the most effective and efficient manner possible and its operations and administrative structures, tools and processes continued to focus on supporting the delivery of its priorities.
The Secretariat recognizes the need to be an inclusive, healthy, and flexible employer. Over the past year, we have encouraged flexible working arrangements, such as teleworking, to achieve work–life balance and meet performance expectations.
The Secretariat initiated a project associated with the accreditation of its current space for use of classified material. Various testing, inspections and supported documents were issued to the Lead Security Agency issuing the authority to operate within the required timelines.
Work on increasing the Secretariat’s footprint with modern and flexible workstations within the classified and non-classified realm commenced in the summer of 2022. The project has, due to its complexity, supply chain challenges, and compliancy requirements, seen the delivery date pushed back to summer of 2024.
The Secretariat also completed work on refreshing two of its multifunctional meeting rooms. The Secretariat continues to implement security controls and keeps its Security Plan and the Business Impact Analysis evergreen, in order to ensure resiliency.
The Secretariat has successfully implemented an ergonomic and accessibility program. This program is a joint venture between the human resources and property management teams. In addition to this, based on the Information Management plans and strategies developed last fiscal year, the Secretariat identified the tools and resources required to execute the plans/strategies over the coming years.
Contracts awarded to Indigenous businesses
The Government of Canada is committed to reconciliation with Indigenous peoples and to improving socio-economic outcomes by increasing opportunities for First Nations, Inuit and Métis businesses through the federal procurement process.
Under the Directive on the Management of Procurement, which came into effect on May 13, 2021, departments must ensure that a minimum of 5% of the total value of the contracts they award are held by Indigenous businesses. This requirement is being phased in over three years, and full implementation is expected by 2024.
Indigenous Services Canada has set the implementation schedule:
Phase 1 departments: April 1, 2022, to March 31, 2023
Phase 2 departments: April 1, 2023, to March 31, 2024
Phase 3 departments: April 1, 2024, to March 31, 2025
The NSIRA Secretariat is a Phase 3 organization and is aiming to achieve the minimum 5% target by the end of 2025.
In order to achieve this target, the Secretariat plans to implement a strategy to create more opportunities for Indigenous businesses. Tools will be added to ensure Indigenous considerations for every contract and consideration will be given to amending internal policies.
In addition, all staff will be required to complete the mandatory course Indigenous Considerations in Procurement (COR409) from the Canada School of Public Service as well as Procurement in the Nunavut Settlement Area (COR410) from the Canada School of Public Service.
Budgetary financial resources (dollars)
The following table shows, for internal services, budgetary spending for 2021–22, as well as spending for that year.
2022–23 Main Estimates
2022–23 Planned spending
2022–23 Total authorities available for use
2022–23 Actual spending (authorities used)
2022–23 Difference (Actual spending minus Planned spending)
$17,493,858
$17,493,858
$17,822,513
$10,532,876
($6,960,982)
The difference of $6.9 million between planned and actual spending is mostly due to the lingering impacts of the pandemic on the Secretariat’s ability to progress with its facilities fit-up and expansion plans, as well as on its planned spending on internal services infrastructure and systems.
Human resources (full-time equivalents)
The following table shows, in full-time equivalents, the human resources the department needed to carry out its internal services for 2022–23.
2022–23 Planned full-time equivalents
2022–23 Actual full-time equivalents
2022–23 Difference (Actual full-time equivalents minus Planned full-time equivalents)
31
25
(6)
Spending and human resources
Spending
Spending 2020–21 to 2025–26
The following graph presents planned (voted and statutory spending) over time.
Text version of Figure 1
Departmental spending trend graph
2020-21
2021-22
2022-23
2023-24
2024-25
2025-26
Statutory
962,186
1,176,321
1,300,166
1,755,229
1,755,229
1,756,977
Voted
11,289,189
16,113,433
16,988,980
21,253,996
16,753,702
16,786,929
Total
12,251,375
17,289,754
18,289,147
23,009,225
18,508,931
18,543,906
The graph illustrates the Secretariat’s spending trends over a six-year period from 2020-21 to 2025–26. Fiscal years 2020–21 to 2022–23 reflect actual expenditures as reported in the Public Accounts. Fiscal years 2023–24 to 2025–26 represent planned spending.
The increased spending in 2023-24 is due to the expectation that the facilities fit-up and expansion is planned to be completed in this fiscal year.
The levelling of authorities in 2024–25 and 2025-26 is due to the sunsetting of funding earmarked for the completion of facilities fit-up and expansion.
Budgetary performance summary for core responsibilities and internal services (dollars)
The “Budgetary performance summary for core responsibilities and internal services” table presents the budgetary financial resources allocated for the NSIRA Secretariat’s core responsibilities and for internal services.
Core responsibilities and Internal Services
2022-23 Main Estimates
2022-23 Planned spending
2023-24 Planned spending
2024-25 Planned spending
2022-23 Total authorities available for use
2020-21 Actual spending (authorities used)
2021-22 Actual spending (authorities used)
2022-23 Actual spending (authorities used)
National Security and Intelligence Reviews and Complaints Investigations
10,756,818
10,756,818
10,757,687
10,757,687
11,541,004
3,009,066
7,394,642
7,756,271
Subtotal
10,756,818
10,756,818
10,757,687
10,757,687
11,541,004
3,009,066
7,394,642
7,756,271
Internal Services
17,493,858
17,493,858
7,701,336
7,701,042
17,822,513
6,643,579
9,895,112
10,532,876
Total
28,250,676
28,250,676
18,459,023
18,458,729
29,363,517
9,652,645
17,289,754
18,289,147
Human resources
The “Human resources summary for core responsibilities and internal services” table presents the full-time equivalents (FTEs) allocated to each of the Secretariat’s core responsibilities and to internal services.
Human resources summary for core responsibilities and internal services
Core responsibilities and Internal Services
2020-21 Actual full-time equivalents
2021-22 Actual full-time equivalents
2022-23 Planned full-time equivalents
2022-23 Actual full-time equivalents
2023-24 Planned full-time equivalents
2024-25 Planned full-time equivalents
National Security and Intelligence Reviews and Complaints Investigations
38
52
69
53
69
69
Subtotal
38
52
69
53
69
69
Internal Services
22
22
31
25
31
31
Total
29
60
100
78
100
100
Expenditures by vote
For information on the Secretariat’s organizational voted and statutory expenditures, consult the Public Accounts of Canada.
Government of Canada spending and activities
Information on the alignment of the Secretariat’s spending with Government of Canada’s spending and activities is available in GC InfoBase.
Financial statements and financial statements highlights
Financial statements
NSIRA’s financial statements (unaudited) for the year ended March 31, 2023, are available on the departmental website.
Financial statement highlights
Condensed Statement of Operations (unaudited) for the year ended March 31, 2023 (dollars)
Financial information
2022-23 Planned results
2022-23 Actual results
2021-22 Actual results
Difference (2022-23 Actual results minus 2022-23 Planned results)
Difference (2022-23 Actual results minus 2021-22 Actual results)
Total expenses
$28,250,676
$19,585,699
$16,164,825
($8,664,977)
$3,420,874
Total revenues
0
0
0
0
0
Net cost of operations before government funding and transfers
Appropriate minister: The Right Honourable Justin Trudeau, Prime Minister of Canada Institutional head: John Davies, Executive Director Ministerial portfolio: Privy Council Office Enabling instrument:National Security and Intelligence Review Agency Act Year of incorporation / commencement: 2019
Raison d’être, mandate and role: who we are and what we do
“Raison d’être, mandate and role: who we are and what we do” is available on NSIRA‘s website.
Operating context
Information on the operating context is available on NSIRA’s website.
Reporting framework
NSIRA’s Departmental Results Framework, with accompanying results and indicators, were under development in 2020–21. Additional information on key performance measures are included in the 2021–22 Departmental Plan.
Text version of Figure 2
Core Responsibility: National Security and Intelligence Reviews and Complaints Investigations
Departmental Results Framework
Ministers and Canadians are informed whether national security and intelligence activities undertaken by Government of Canada institutions are lawful, reasonable and necessary
Indicator: All mandatory reviews are completed on an annual basis
Internal Services
Indicator: Reviews of national security or intelligence activities of at least five departments or agencies are conducted each year
Indicator: All Member-approved high priority national security or intelligence activities are reviewed over a three-year period
National security-related complaints are independently investigated in a timely manner
Indicator: Percentage of investigations completed within NSIRA service standards
Program Inventory
Program: National security and intelligence activity reviews and complaints investigations
Supporting information on the program inventory
Financial, human resources and performance information for NSIRA’s Program Inventory is available in GC InfoBase.
Supplementary information tables
The following supplementary information table is available on NSIRA’s website:
Gender-based analysis plus
Federal tax expenditures
The tax system can be used to achieve public policy objectives through the application of special measures such as low tax rates, exemptions, deductions, deferrals and credits. The Department of Finance Canada publishes cost estimates and projections for these measures each year in the Report on Federal Tax Expenditures. This report also provides detailed background information on tax expenditures, including descriptions, objectives, historical information and references to related federal spending programs. The tax measures presented in this report are the responsibility of the Minister of Finance.
Organizational contact information
National Security and Intelligence Review Agency P.O. Box 2430, Station “D” Ottawa, Ontario K1P 5W5
Appendix: definitions
appropriation(crédit)
Any authority of Parliament to pay money out of the Consolidated Revenue Fund.
budgetary expenditures(dépenses budgétaires)
Operating and capital expenditures; transfer payments to other levels of government, organizations or individuals; and payments to Crown corporations.
core responsibility(responsabilité essentielle)
An enduring function or role performed by a department. The intentions of the department with respect to a core responsibility are reflected in one or more related departmental results that the department seeks to contribute to or influence.
Departmental Plan(plan ministériel)
A report on the plans and expected performance of an appropriated department over a 3‑year period. Departmental Plans are usually tabled in Parliament each spring.
departmental priority(priorité)
A plan or project that a department has chosen to focus and report on during the planning period. Priorities represent the things that are most important or what must be done first to support the achievement of the desired departmental results.
departmental result(résultat ministériel)
A consequence or outcome that a department seeks to achieve. A departmental result is often outside departments’ immediate control, but it should be influenced by program-level outcomes.
departmental result indicator (indicateur de résultat ministériel)
A quantitative measure of progress on a departmental result.
departmental results framework(cadre ministériel des résultats)
A framework that connects the department’s core responsibilities to its departmental results and departmental result indicators.
Departmental Results Report(rapport sur les résultats ministériels)
A report on a department’s actual accomplishments against the plans, priorities and expected results set out in the corresponding Departmental Plan.
experimentation(expérimentation)
The conducting of activities that seek to first explore, then test and compare the effects and impacts of policies and interventions in order to inform evidence-based decision-making, and improve outcomes for Canadians, by learning what works, for whom and in what circumstances. Experimentation is related to, but distinct from innovation (the trying of new things), because it involves a rigorous comparison of results. For example, using a new website to communicate with Canadians can be an innovation; systematically testing the new website against existing outreach tools or an old website to see which one leads to more engagement, is experimentation.
full‑time equivalent(équivalent temps plein)
A measure of the extent to which an employee represents a full person‑year charge against a departmental budget. For a particular position, the full‑time equivalent figure is the ratio of number of hours the person actually works divided by the standard number of hours set out in the person’s collective agreement.
gender-based analysis plus (GBA Plus)(analyse comparative entre les sexes plus [ACS Plus])
An analytical process used to assess how diverse groups of women, men and gender-diverse people experience policies, programs and services based on multiple factors including race ethnicity, religion, age, and mental or physical disability.
For the purpose of the 2022–23 Departmental Results Report, government-wide priorities are the high-level themes outlining the government’s agenda in the November 23, 2021, Speech from the Throne: building a healthier today and tomorrow; growing a more resilient economy; bolder climate action; fighter harder for safer communities; standing up for diversity and inclusion; moving faster on the path to reconciliation; and fighting for a secure, just and equitable world.
horizontal initiative(initiative horizontale)
An initiative where two or more federal organizations are given funding to pursue a shared outcome, often linked to a government priority.
non‑budgetary expenditures(dépenses non budgétaires)
Net outlays and receipts related to loans, investments and advances, which change the composition of the financial assets of the Government of Canada.
performance (rendement)
What an organization did with its resources to achieve its results, how well those results compare to what the organization intended to achieve, and how well lessons learned have been identified.
performance indicator(indicateur de rendement)
A qualitative or quantitative means of measuring an output or outcome, with the intention of gauging the performance of an organization, program, policy or initiative respecting expected results.
performance reporting(production de rapports sur le rendement)
The process of communicating evidence‑based performance information. Performance reporting supports decision making, accountability and transparency.
plan(plan)
The articulation of strategic choices, which provides information on how an organization intends to achieve its priorities and associated results. Generally, a plan will explain the logic behind the strategies chosen and tend to focus on actions that lead to the expected result.
planned spending(dépenses prévues)
For Departmental Plans and Departmental Results Reports, planned spending refers to those amounts presented in Main Estimates.
A department is expected to be aware of the authorities that it has sought and received. The determination of planned spending is a departmental responsibility, and departments must be able to defend the expenditure and accrual numbers presented in their Departmental Plans and Departmental Results Reports.
program(programme)
Individual or groups of services, activities or combinations thereof that are managed together within the department and focus on a specific set of outputs, outcomes or service levels.
program inventory(répertoire des programmes)
Identifies all the department’s programs and describes how resources are organized to contribute to the department’s core responsibilities and results.
result(résultat)
A consequence attributed, in part, to an organization, policy, program or initiative. Results are not within the control of a single organization, policy, program or initiative; instead they are within the area of the organization’s influence.
statutory expenditures(dépenses législatives)
Expenditures that Parliament has approved through legislation other than appropriation acts. The legislation sets out the purpose of the expenditures and the terms and conditions under which they may be made.
target (cible)
A measurable performance or success level that an organization, program or initiative plans to achieve within a specified time period. Targets can be either quantitative or qualitative.
voted expenditures(dépenses votées)
Expenditures that Parliament approves annually through an appropriation act. The vote wording becomes the governing conditions under which these expenditures may be made.
This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
3rd Party Cookies
This website uses Google Analytics to collect anonymous information such as the number of visitors to the site, and the most popular pages.
Keeping this cookie enabled helps us to improve our website.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
