OTTAWA — A Quebec software company now has the security credentials to compete for sensitive Canadian government contracts alongside U.S. giants like Microsoft and IBM, but the firm says it took more than a year of government audits to qualify.
The experience of Nakisa, a Montreal-based enterprise software firm, has highlighted the challenges for Ottawa as it tries to procure more Canadian technology—part of a wider push for greater sovereignty over the country’s data.
Talking Points
- Nakisa, a Montreal-based enterprise software firm, spent a year and a half clearing government safety standards in a bid to compete for sensitive federal contracts
- The credentials will open up opportunities in Ottawa that are reserved for U.S. giants like IBM and Microsoft, but other Canadian firms may find the time and cost too much, said CEO Babak Varjavandi
- The government may have to streamline its processes if it wants Canadian companies to have access to government procurement
This spring, Nakisa cleared one of Ottawa’s toughest security hurdles in achieving “Protected B” cloud service standards. The designation from the Canadian Centre for Cyber Security lets the government grant the company access to sensitive data that could cause serious harm if compromised.
Founded in 2004, the company develops AI-powered business operations platforms for large enterprises, and is well established in its space. Nakisa’s client list includes household names like Pfizer, Walmart and Delta Air Lines.
Even so, CEO Babak Varjavandi said the process to prove the company met the government’s standards was arduous. “It took us about a year and a half to do,” he told The Logic.
The process involved roughly 300 criteria, such as meeting encryption standards, each with multiple requirements. Nakisa already met most of the demands as part of other independent security certifications, so the time was mainly spent validating. “For every one of them, you need to properly document it in a format that they want, you need to give it to them, they need to certify,” Varjavandi explained.
That process comes at a cost that not all small businesses can afford, he said.
The government launched its Buy Canadian policy last year to open more of its multibillion-dollar procurement budget to domestic firms. The government’s buying power is also a useful tool to protect Canadian data, said Vass Bednar, managing director of the Canadian Shield Institute, a think tank focused on economic sovereignty.
Canadian firms are governed by Canadian rules, are subject to Canadian privacy laws and many store their data in the country, she said. “Everything on your digital sovereignty dream list,” she said.
Still, positioning Canadian companies to compete with large international firms may take concerted effort, Bednar said, especially in making sure administrative burdens don’t box them out of opportunities.
The Canadian Centre for Cyber Security assesses whether companies meet the standards, which firms must demonstrate before they can enter into agreements with the government to provide secure, cloud-based services, including software, to federal institutions.
The government doesn’t track how many companies have achieved Protected B status, Jeremy César, a spokesperson for Shared Services Canada, said in a statement. But so far, Ottawa has agreements with eight firms to provide those sensitive services. ThinkOn, an Etobicoke, Ont.-based cloud infrastructure company, is the only Canadian firm on the list.
“It’s going to be really hard for Canadian counterparts that tend to be smaller in scope to go through those hoops,” Bednar said.
Earlier this week, the government announced changes meant to prevent small Canadian firms from being buried under complicated paperwork when they bid for routine government contracts. But Ottawa also wants to encourage firms to apply for sensitive work, including as part of its defence industrial and AI adoption strategies, which will require more stringent security standards.
Though the process could be shorter, Varjavandi said, the government must not sacrifice data safety. “I do believe that you need to have these kinds of security validation and these kinds of processes, because you don’t want this information to get out,” he said.
Nakisa has done approximately $2.9 million of work for the federal government over the last 20 years, according to a government database of contracts over $10,000. Now that it has cleared the security hurdles, it is pursuing more federal contracts.
The government is already eyeing Nakisa’s software to help manage federal human resources, finance and real property operations, according to a briefing note prepared for the associate deputy minister of Innovation, Science and Economic Development, and obtained by The Logic through access-to-information laws.
“It opens up a lot of doors,” Varjavandi said.