Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada 1 1 RETURN BIDS TO: RETOURNER LES SOUMISSIONS À: Bid Receiving - PWGSC / Réception des soumissions - TPSGC Place du Portage, Phase III Core 0A1/Noyau 0A1 11 Laurier St.,/11, rue Laurier Gatineau Québec K1A 0S5 Bid Fax: (819) 997-9776 LETTER OF INTEREST LETTRE D'INTÉRÊT Title - Sujet GOVERNMENT WIDE ATIP SOLUTION Solicitation No. - N de l'invitation EN578-141614/A Client Reference No. - N de référence du client 20141614 File No. - N de dossier 124xl.EN578-141614 CCC No./N CCC - FMS No./N VME Solicitation Closes - L'invitation prend fin Time Zone Fuseau horaire at - à 02:00 PM Eastern Standard Time on - le 2014-01-31 EST F.O.B. - F.A.B. Plant-Usine: Destination: Other-Autre: Address Enquiries to: - Adresser toutes questions à: Buyer Id - Id de l'acheteur Laassouli, Hicham 124xl Telephone No. - N de téléphone FAX No. - N de FAX (819) 956-1209 ( ) (819) 953-3703 Destination - of Goods, Services, and Construction: Destination - des biens, services et construction: Date 2013-11-20 GETS Ref. No. - N de réf. de SEAG PW-$$XL-124-26596 Specified Herein Précisé dans les présentes Comments - Commentaires Instructions: See Herein Vendor/Firm Name and Address Raison sociale et adresse du fournisseur/de l'entrepreneur Instructions: Voir aux présentes Delivery Required - Livraison exigée See Herein Delivery Offered - Livraison proposée Vendor/Firm Name and Address Raison sociale et adresse du fournisseur/de l'entrepreneur Issuing Office - Bureau de distribution Shared Systems Division (XL)/Division des systèmes partagés (XL) 4C1, Place du Portage Phase III 11 Laurier St./11, rue Laurier Gatineau Québec K1A 0S5 Telephone No. - N de téléphone Facsimile No. - N de télécopieur Name and title of person authorized to sign on behalf of Vendor/Firm (type or print) Nom et titre de la personne autorisée à signer au nom du fournisseur/ de l'entrepreneur (taper ou écrire en caractères d'imprimerie) Signature Date Canada Page 1 of - de 9
Solicitation No. - N de l'invitation Amd. No. - N de la modif. Buyer ID - Id de l'acheteur EN578-141614/A 124xl Client Ref. No. - N de réf. du client File No. - N du dossier CCC No./N CCC - FMS No/ N VME 20141614 124xlEN578-141614 REQUEST FOR INFORMATION REGARDING ACCESS TO INFORMATION AND PRIVACY (ATIP) SOLUTION FOR CANADA 5 Response Costs 7 Contents of this RFI 8 Question to Industry TABLE OF CONTENTS 1 Background and Purpose of this Request for Information (RFI) 2 Request for information objectives... 2... 3 3 Nature of Request for Information... 4 Nature and Format of Responses Requested... 4... 4 6 Treatment of Responses...... 5... 5 9 Format of Responses... 7 10 Enquiries... 8 11 Electronic Submission... 8 4 4 Annex A: Whole of Government ATIP Solution Appendix A.1: Draft Statement of Requirements Appendix A.2: Suggested presentation outline for respondents Appendix A.3: Glossary of terms and acronyms Appendix A.4: Statistical Reporting Templates for the fiscal year ended March 31, 2013 Appendix A.5: TBS Cyber Authentication Tactical Solution (CATS) Interface Architecture and Specification Page 2 of - de 9
Solicitation No. - N de l'invitation Amd. No. - N de la modif. Buyer ID - Id de l'acheteur Client Ref. No. - N de réf. du client File No. - N du dossier CCC No./N CCC - FMS No./N VME REQUEST FOR INFORMATION REGARDING ACCESS TO INFORMATION AND PRIVACY (ATIP) SOLUTION FOR CANADA 1 BACKGROUND AND PURPOSE OF THIS REQUEST FOR INFORMATION (RFI) The purpose of the RFI is to assist the Government of Canada (GC) in defining the requirements for a modernized Access to Information and Privacy (ATIP) software solution and delivery model for institutions subject to the Access to Information Act (ATIA) and Privacy Act (PA) as defined in within the GC. This represents approximately 250 institutions as set forth in Schedule 1 of the respective Acts. This is a key initiative that is aligned with announced GC Information Technology (IT) modernization initiatives and the GC Action Plan on Open Government. As announced in Budget 2012, the GC aims to achieve: Modernizing and Reducing the Back Office The Government is committed to streamlining, consolidating and standardizing administrative functions and operations within and across organizations. The Government has identified opportunities to consolidate administrative functions including human resources and financial services, real property maintenance, information technology, communications and contracting within portfolios and across similar organizations. It has also identified ways to reduce travel expenses by using virtual tools such as teleconferencing, videoconferencing and virtual presence. http://www.budget.gc.ca/2012/plan/chap5-eng.html#a9 Under the Action Plan on Open Government the GC has committed to: Page 3 of - de 9
Solicitation No. - N de l'invitation Amd. No. - N de la modif. Buyer ID - Id de l'acheteur Client Ref. No. - N de réf. du client File No. - N du dossier CCC No./N CCC - FMS No./N VME Modernizing the Administration of Access to Information To improve service quality and ease of access for citizens, and to reduce processing costs for institutions, we will begin modernizing and centralizing the platforms supporting the administration of Access to Information (ATI). In Year 1, we will pilot online request and payment services for a number of departments allowing Canadians for the first time to submit and pay for ATI requests online with the goal of having this capability available to all departments as soon as feasible. In Years 2 and 3, we will make completed ATI request summaries searchable online, and we will focus on the design and implementation of a standardized, modern, ATI solution to be used by all federal departments and agencies. 2 REQUEST FOR INFORMATION OBJECTIVES The specific objectives of this RFI are as follows: (a) To assist the GC in understanding the next generation of ATIP Software Solution which must achieve the GC commitments to: Streamline, consolidate and standardize administrative functions and operations within and across organizations, Implement workflow and processing efficiencies, and Improve service quality and ease of access for citizens. (b) (c) (d) (e) To determine what Licensed Software is potentially available as an ATIP Software Solution that can meet the needs of the GC, To shape how the GC should best make this technology available to its institutions, To assist the GC in estimating service provisioning costs, or alternatively licensing, implementation, maintenance and support costs and options in order to develop a project budget, To determine the level of effort required of the service provider for professional services when supporting the installation, implementation and maintenance of the supplied Licensed Software Solution. Any software product selected and licensed by the GC or otherwise provisioned to the GC through this initiative may be designated as a GC standard. See Figure 4 in Appendix A.1 - ATIP Solution Requirements for a pictorial representative of the ATIPsystem. Page 4 of - de 9
Solicitation No. - N de l'invitation Amd. No. - N de la modif. Buyer ID - Id de l'acheteur Client Ref. No. - N de réf. du client File No. - N du dossier CCC No./N CCC - FMS No./N VME 3 NATURE OF REQUEST FOR INFORMATION This is not a bid solicitation. This RFI will not result in the award of any contract. As a result, potential suppliers of any goods or services described in this RFI should not reserve stock or facilities, nor allocate resources, as a result of any information contained in this RFI. Nor will this RFI result in the creation of any source list. Therefore, whether or not any potential supplier responds to this RFI will not preclude that supplier from participating in any future procurement. Also, the procurement of any of the goods and services described in this RFI will not necessarily follow this RFI. This RFI is simply intended to solicit feedback from industry with respect to the matters described in this RFI. 4 NATURE AND FORMAT OF RESPONSES REQUESTED Respondents are requested to provide their comments, concerns and, where applicable, alternative recommendations regarding how the requirements or objectives described in this RFI could be satisfied. Respondents are also invited to provide comments regarding the content, format and/or organization of any draft documents included in this RFI. Respondents should explain any assumptions they make in their responses. 5 RESPONSE COSTS Canada will not reimburse any respondent for expenses incurred in responding to this RFI. 6 TREATMENT OF RESPONSES (a) Use of Responses: Responses will not be formally evaluated. However, the responses received may be used by Canada to develop or modify procurement strategies or any draft documents contained in this RFI. Canada will review all responses received by the RFI closing date. Canada may, in its discretion, review responses received after the RFI closing date. (b) Review Team: A review team composed of Canada s representatives will review the responses. Canada reserves the right to hire any independent consultant, or use any Government resources that it considers necessary to review any response. Not all members of the review team will necessarily review all responses. (c) Confidentiality: Respondents should mark any portions of their response that they consider proprietary or confidential. Canada will handle the responses in accordance with the Access to Information Act. (d) Industry Day: Canada plans to host an Industry Day on December 19, 2013 (address will follow). The purpose will be to: Engage interested industry players, Present available information regarding the project, and Accept questions, comments and other feedback from participants. All interested participants are asked to register to receive the invitation for Industry Day. Note that there is no requirement to register for Industry Day to be eligible to participate in subsequent activities in the project and procurement process. Organizations interested in participating in Industry Day should submit an e-mail to the Contracting Authority, as identified in Section 10 of this document, requesting that they be registered. All registration requests received within fourteen (21) calendar days of the publication of this RFI will be added to the invitation list. Requests received after that time may not be considered. Page 5 of - de 9
Solicitation No. - N de l'invitation Amd. No. - N de la modif. Buyer ID - Id de l'acheteur Client Ref. No. - N de réf. du client File No. - N du dossier CCC No./N CCC - FMS No./N VME (e) (f) Follow-up Activity: Canada may meet with each respondent upon request (one-on-one meeting). Following the closing date, the Contracting Authority will follow up individually with all respondents who indicate in their responses that they wish to meet with Canada. Canada intends to request that the respondent provide an overview of the functionality of proposed solution and deliver a demonstration of commercial Licensed Software components. This will enable Canada to obtain a better understanding of the capabilities of the solution and its components. During the demonstration, Canada intends to interact with the respondent to ask questions in order to gain a better understanding of the capabilities of the proposed solution. Documentation or any other information of the proposed solution, tool suite, or supporting third party applications are welcome. 7 CONTENTS OF THIS RFI (a) Section 8: Questions to industry (b) Annex A: Whole of Government ATIP Solution. (c) Appendix A.1: Draft Statement of Requirements. (d) Appendix A.2: Suggested presentation outline for respondents. (e) Appendix A.3: Glossary of terms and acronyms. (f) Appendix A.4: Statistical Reporting Templates for the fiscal year ended March 31, 2013 (g) Appendix A.5: TBS Cyber Authentication Tactical Solution (CATS) Interface Architecture and Specification These documents remain a work in progress, requirements may be added or modified or deleted. Comments regarding any aspect of the draft documents are welcome. 8 QUESTION TO INDUSTRY Software Solution Requirements Q-1 Q-2 Describe your vision of the future of ATIP applications and how it may change with advances in technology (e.g. user mobility, user devices, virtualization and hosting architectures, integrated workflows, information intelligence, reductions in the use of paper documents, etc.) Which of Canada's requirements, attached as Appendix A.1, can be met by the commercial off-the-shelf products included in your proposed solution, and which would require product customization or enhancement? Respondents that are in a position to propose a specific solution for the ATIP Software Statement of Requirements (see Appendix A.1) are requested to respond to these questions. Input from all respondents will be welcome. Respondents are encouraged to use the response template included in Appendix A.1 to provide their comments. Please include a list of the licensable COTS products that are included in your proposed solution along with the name of the software publisher or producer for each product. Page 6 of - de 9
Solicitation No. - N de l'invitation Amd. No. - N de la modif. Buyer ID - Id de l'acheteur Client Ref. No. - N de réf. du client File No. - N du dossier CCC No./N CCC - FMS No./N VME Software Solution Delivery Model Q-3 Q-4 What factors would you recommend Canada consider in order to achieve the objectives of its Software Solution Delivery Model? If you are a software solution provider, please comment on how your own licensing model and solution architecture can help or hinder Canada in achieving its objectives. Canada is particularly interested in your directions regarding multi-tenant software and off-premise solutions. What factors should Canada consider in terms of establishing an external or internal service provider capability to support all GC institutions and the large number of potential users? Canada will be interested in understanding industry perspectives on how to establish such a service, as well as the scale and scope of skills and capabilities it may require. Software Licensing/Provisioning Q-5 What recommendations would you provide to Canada in regards to licensing/provisioning models to meet its requirements? Respondents that are in a position to propose a licensed software product for this requirement are requested to respond to this question. Canada is interested in understanding: New and innovative developments in licensing options; Licensing approaches to ensure equitable and affordable support for institutions with annual ATIP request volumes that range from 20 or fewer at the low end, up to more than 25,000; Service provider recommendations on how much Canada should budget (as a range) for provisioning of the requested ATIP Software Solution: With a breakdown by initial one-time cost and annual fees, assuming a minimum ten-year operational life; With a breakdown by service (Requester Portal, Collaboration Portal, Core ATIP Case Management); and With a breakdown by line item per service, based on your own service model (if cost estimates are not available at this level, please just list the key line items for one-time and annual fees for the GC to consider in its budgeting); Challenges faced by solution providers in meeting Canada's requirements; Implications of multi-vendor solutions from a licensing perspective; and Any other suggestions respondents wish to make. Page 7 of - de 9
Solicitation No. - N de l'invitation Amd. No. - N de la modif. Buyer ID - Id de l'acheteur Client Ref. No. - N de réf. du client File No. - N du dossier CCC No./N CCC - FMS No./N VME Services Canada may decide to conduct a procurement resulting in a contract for the provisioning of an ATIP Software Solution. Canada would like to be able to use a separate method of supply for each of the following: Implementation and integration services to integrate the selected software solution into the GC environment; Business analysis and configuration services, to establish and maintain the common baseline configuration of the licensed software for use by all GC institutions; and Onboarding services to assist individual GC institutions in transitioning to the new licensed software solution, including any additional setup, configuration, integration, training and change management work required. Q-6 What factors should Canada consider as part of such a decision? For respondents that are providers of licensed software solutions, Canada is interested in understanding: Your capability and capacity to provide the required services in relation to your licensed software, in the National Capital Region; The capability and capacity of your network of industry partners, including companies and individuals, who are able to provide the required services in relation to your licensed software in the National Capital Region; The capability and capacity of your company and network of industry partners to provide the onboarding services to institutions that may be based in locations across Canada, as well as internationally; and Any aspects of your software solution that may limit the ability of other competitive organizations to provide supplementary services (implementation and integration, business analysis and configuration, onboarding). 9 FORMAT OF RESPONSES (a) Cover Page: If the response includes multiple volumes, respondents are requested to indicate on the front cover page of each volume the title of the response, the solicitation number, the volume number and the full legal name of the respondent. (b) Title Page: The first page of each volume of the response, after the cover page, should be the title page, which should contain: (i) the title of the respondent s response and the volume number; (ii) the name and address of the respondent; (iii) the name, address and telephone number of the respondent s contact; Page 8 of - de 9
Solicitation No. - N de l'invitation Amd. No. - N de la modif. Buyer ID - Id de l'acheteur Client Ref. No. - N de réf. du client File No. - N du dossier CCC No./N CCC - FMS No./N VME (iv) (v) the date; and the RFI number. (c) Numbering System: Respondents are requested to prepare their response using a numbering system corresponding to the one in this RFI. All references to descriptive material, technical manuals and brochures included as part of the response should be referenced accordingly. 10 ENQUIRIES Because this is not a bid solicitation, Canada will not necessarily respond to enquiries in writing or by circulating answers to all potential suppliers. However, respondents with questions regarding this RFI may direct their enquiries to: Contracting Authority: Hicham Laassouli E-mail Address: hicham.laassouli@pwgsc-tpgsc.gc.ca Telephone: (819) 956-1209 11 ELECTRONIC SUBMISSION Canada requests that potential vendors submit their response electronically by e-mail to the Contracting Authority identified above by the time and date indicated on page 1 of the RFI. Each respondent should ensure that the company name, the RFI number and the closing date appear in the subject line of the e-mail message. Page 9 of - de 9
Request for Information EN578-141614 Annex A Access to Information and Privacy (ATIP) Whole of Government ATIP Solution 13 November 2013
Government of Canada Annex A: Whole of Government ATIP Solution CONTENTS 1 Background of the Initiative...1 1.1 Current Situation...1 1.2 Managing Information Security...2 1.3 Target Outcomes...3 1.4 Service Delivery Model...5 1.4.1 Legislated Mandate...5 1.4.2 Current State...5 1.4.3 Future Model...6 2 Draft Solution Requirements...9 2.1 Software Solution Requirements...9 2.2 Software Solution Delivery Model Requirements... 10 2.2.1 Application Management and Maintenance Services... 10 2.2.2 Application Configuration Services... 11 2.2.3 Infrastructure Provision and Support Services... 11 2.3 Solution Implementation Requirements... 12 2.3.1 Phases and Timelines... 12 2.3.2 Services to be Deployed Initial Deployment... 12 2.3.3 Institution Onboarding... 13 2.4 Security Requirements for Service Delivery... 14 2.4.1 Multiple Levels of Security... 14 2.4.2 Layered Security... 15 2.4.3 Cryptographic Support... 15 2.4.4 Canadian Citizenship for Support Personnel... 15 2.4.5 Data Sovereignty... 16 13 November 2013 ii
Government of Canada Annex A: Whole of Government ATIP Solution 2.4.6 Supply Threats to the Government of Canada... 16 2.4.7 Security Clearance... 17 2.4.8 Canadian Industrial Security Directorate Security Process... 18 2.4.9 Privacy... 18 13 November 2013 iii
Government of Canada Annex A: Whole of Government ATIP Solution 1 BACKGROUND OF THE INITIATIVE 1.1 CURRENT SITUATION Currently within the GC, 69 institutions employ a range of automated systems to manage and process ATIP request. These 69 institutions account for 98.3% of all ATIP request processed in FY 2011/12. In all but one case the solution selected has been the purchase of Commercial Off-The-Shelf (COTS) Licensed Software with licences for ATIP professionals within the respective institutional ATIP units. One institution has developed their solution internally. In all cases of the COTS solution, institutions deal directly with their respective supplier for Licensed Software support and rely upon their internal Information Technology (IT) unit for hardware and technical support of the Licensed Software. In total approximately 1,450 ATIP professionals are using one of the COTS/in-house ATIP software solutions. All GC employees are subject to the Information and Privacy Acts however currently they are not integrated into the ATIP licensed products workflow processes. The GC received a total of 110,500 ATIP request for FY 2012/13 and processed 18,389,964 pages as part of these request. Requests have grown at more than 6% per year over the last ten years. Generally institutions are delivering ATIP services with their respective Licensed Software products. However this operational model lacks an enterprise focus and has a number of negativities characteristics such as: Each institution s ATIP unit must divert resources to acquiring and supporting its own selected Licensed Software Solution. Typically this manifests itself in the creation of a super-user who is diverted away from the core responsibility of the unit. IT and procurement resources are consumed for hardware and professional services to host and maintain the solution. Many of these costs are duplicated across government adding to the total cost of ownership for the GC. Smaller ATIP units lack the capacity to undertake the expensive process to acquire and maintain an ATIP automated solution. While each institution s business needs are met, this model lacks enterprise focus and vision. Enterprise needs are not visible to individual institutions and therefore common requirements such as integration with common back office systems, GC ATIP standards, GC total cost of ownership, program reporting and enterprise security are not considered. 13 November 2013 1
Government of Canada Annex A: Whole of Government ATIP Solution 1.2 MANAGING INFORMATION SECURITY A survey by the GC examined the relative mix of processed records in terms of security classification. Findings indicate the situation is quite diverse with some organizations having little or no Secret information to process, while others have larger concentrations, up to 30% or more of total records processed. The majority of records processed by all institutions are at a level of Protected B or below, allowing them to be processed on a certified and accredited platform, fully-connected to the internal institutional network and the Internet, through a firewall. The prevailing approach has been to address Secret and above records manually (on paper) where volumes are limited to approximately 5% of the total records processed. Where larger concentrations of Secret and above records must be processed, institutions have implemented physically isolated systems, certified and accredited to hold Secret information. In at least one institution with a full Secret network reaching all employees, the entire ATIP system operates in the Secret domain. In another example, processing is split between a classified (Secret) and an unclassified domain, requiring reconciliation of requests and processing statistics (e.g., number of pages processed) in a semi-automated manner. This requires a continuous manual data transfer, using offline media, which has proven to be quite costly and no fully reliable. In all cases, there have been very few records higher than Secret to process in any department and those are processed manually only. The GC is currently investigating security solutions that will enable limited, controlled online data transfers between security domains, in an asynchronous manner. Respondents should assume that such a solution will not be available in the initial deployment of any ATIP Software Solution, but will become available later in the deployment cycle. In all cases, it is the responsibility of the GC to address the security requirements for certification and accreditation of any solution. The GC will welcome suggestions and recommendations from industry as to how any proposed solution may be best deployed to facilitate operations within the bounds of current information security constraints. 13 November 2013 2
Government of Canada Annex A: Whole of Government ATIP Solution 1.3 TARGET OUTCOMES Our end state model implies a common ATIP Software Solution that will be used by multiple institutions, served by a single provider. The single provider may be either: a) A commercial organization with the ability to provision the ATIP Software service to all GC institutions, in accordance with the requirements of the GC; or b) A GC institution, suitably organized to deliver the service. The GC would prefer a solution in which the single provider is a commercial organization. Depending on the capabilities of industry to meet the full range of security requirements, a hybrid solution may also be an option. In a hybrid solution, the GC and a commercial organization would deliver specific components of the solution. The objectives of the end state model are to: Enable a single institution to serve as the provider of the ATIP Software solution to all GC client institutions; Significantly reduce or eliminate the requirement to host, maintain and manage a separate instance of the ATIP Software solution for each client institution; Extend the ATIP Software Solution to fully support key participants in the request management process, enabling streamlining and automation of the many manual and paper-intensive tasks; Enable the GC to standardize on a common business process and baseline configuration for the ATIP Software Solution, with sufficient flexibility to support structural variances in each institution (e.g., organizational structure, division of roles and responsibilities, etc.); Ensure complete segregation or partitioning of data between client institutions; Establish a single, secure solution for all institutions, able to be certified and accredited for handling Unclassified and Undesignated/Designated information up to Protected B, that may be hosted by the GC or by an external service provider; Provide options for handling requests that require processing of Classified records up to Secret and Designated information up to Protected C (Protected C having essentially the same IT security requirements as Secret. Note that at present, solutions for Secret and above must be hosted within the GC network); and 13 November 2013 3
Government of Canada Annex A: Whole of Government ATIP Solution Achieve efficiencies in software usage through either a licensing model, a service subscription or volume-based model; and Enable the GC to provide an affordable service to institutions that receive few ATIP requests and require only occasional access to the ATIP Software solution. The new ATIP Software Solution will address Canada s requirement for substantial enhancements to functionality. The solution will extend to a much broader range of potential users, including 1300-1600 core users (ATIP officers within ATIP offices) and up to 377,000+ peripheral users (Offices of Primary Interest (OPIs) tasked to retrieve records across all GC institutions) and any number of online requesters or customers from the general public. Canada is interested in an entity licensing, subscription or service delivery model. In this case, entity refers to Canada and includes all GC institutions. Our end state model implies a common ATIP Software Solution that will be provisioned to, and used by, multiple institutions. It is envisioned that the GC would enter into a 3-year contract with the software publisher/developer or software service provider, with the option to extend the contract yearly for 9 option years. Institutions will access this ATIP Software Solution in several ways: The delivery of the core ATIP Case Management service for ATIP officers will migrate, over a period of years, from the current institution-specific implementations towards a centralized application delivery method and/or multi-tenant delivery model. Under this model, GC institutions will access their service from a designated provider(s) and the GC will realize savings through the consolidation of institution-installed software and supporting infrastructure. All GC institutions, whether using an automated ATIP Case Management solution or not, will have the ability to receive online requests and deliver final response packages through a new Requester Portal service. All GC institutions, whether using an automated ATIP Case Management solution or not, will have the ability to leverage a shared Collaboration Portal service to aggregate (upload/import) records and consult with information owners (internal, interdepartmental, external) regarding information content for release in response to each request. 13 November 2013 4
Government of Canada Annex A: Whole of Government ATIP Solution In a few cases and due to the high security requirement of the information processed (e.g., Secret), the Licensed Software may be installed on institution specific or multiinstitution security-accredited infrastructure with the GC. 1.4 SERVICE DELIVERY MODEL 1.4.1 LEGISLATED MANDATE The requirements for administration of the Access to Information and Privacy Acts are defined within the Acts themselves. In particular: In the case of both acts, the designated Minister responsible is the President of the Treasury Board of Canada; The head of each GC institution is accountable for responding to requests under each Act; Treasury Board of Canada Secretariat is responsible for providing policies, guidelines, regulations and tools to support institutions in fulfilling their obligations under each of the Acts; and The scope of applicability of both Acts has been extended to include all GC institutions, encompassing departments, agencies, Crown corporations and their wholly-owned subsidiaries. 1.4.2 CURRENT STATE In the current state, each institution defines its own processes and procedures for addressing requests under each Act. Treasury Board of Canada Secretariat (TBS) has orchestrated a high level of harmonization across institutions through the use of policies, guidelines, regulations and supporting tools. A key driver of harmonization has been the Annual Statistical Reporting requirements, supported by standardized reporting templates provided to each institution. Approximately 70 institutions currently use software to support the management of requests under the Acts. These institutions account for well over 95% of all such requests received by GC institutions on an annual basis. Most of the supporting software is from commercial suppliers of ATIP solutions. The GC now has an estimated 1600 active licenses for ATIP software. The software has been operating primarily on dedicated servers within each institution. Recently, the responsibility for managing the servers and infrastructure of 43 departments has moved to Shared Services Canada (SSC), including most of the institutions using ATIP software. TBS provides updates each year for the Statistical Reporting Templates to all institutions. The institutions then provide the requirements to their selected software vendor, if any, to implement. Otherwise they complete the templates manually. 13 November 2013 5
Government of Canada Annex A: Whole of Government ATIP Solution It can take many months or longer to ensure all supporting ATIP software is able to produce the latest versions of Statistical Reports. More recently, with major updates, it has taken more than one year. This impedes TBS and the GC institutions in terms of effectively meeting reporting obligations with respect to the Acts. 1.4.3 FUTURE MODEL The future service delivery model addresses three key areas: Solution Definition and Maintenance (Solution Architecture); Client Service Delivery (how ATIP services are delivered to Canadians); and Application Service Delivery (how supporting application services are delivered to GC institutions). These are illustrated in the following diagrams in an initial definition, subject to revision. Solution Definition and Maintenance: application. This describes the model for creating and maintaining the overall solution definition, including the solution architecture. A new service delivery model is being established by TBS. A central agency, TBD, will become the custodian of the common business solution for all institutions, including business processes and functional requirements. A software vendor and/or service provider will implement functional requirements and maintain the underlying COTS software Infrastructure and security will be addressed by a commercial provider, possibly with assistance from SSC. 13 November 2013 6
Government of Canada Annex A: Whole of Government ATIP Solution Client Service Delivery: This describes the model for providing services to Canadians ( clients ). The Requester Portal will provide a new online channel for clients to initiate requests under either Act to any GC institution. institutions, as per the standard process today. Clients will continue to be able to submit paper requests directly to If it is determined that the Requester Portal is to be accessed through the existing Service Canada portal, that portal will handle authentication of clients through appropriate credentials and other means. Institutions will continue to be responsible for managing the delivery of services to Canadians in accordance with the Acts, supported by the Solution. A future option under consideration is to provide a service to institutions for administering requests under the Acts. This is primarily intended for smaller institutions that receive few requests per year, and that may not have the proficiency to respond quickly and efficiently. Management of the overall service under the Acts will continue to be managed jointly by TBS and the institutions. 13 November 2013 7
Government of Canada Annex A: Whole of Government ATIP Solution Application Service Delivery: This describes the model for delivering supporting software application services to GC institutions. Application Service Management (ASM) is expected to be coordinated through a central agency. The responsible agency will manage contracts with the commercial service provider and monitor service levels. The Application Service Provider (ASP) is anticipated to be a commercial organization that will deliver Application Management and Maintenance Services (AMMS) to all GC institutions, with the assistance of the publisher of the selected ATIP software. The service provider will engage with SSC in regards to the infrastructure and security. The GC is interested in proposals that would deliver solutions for both Protected B and Secret security domains. 13 November 2013 8