A Guide to Reforming Information Technology Procurement in the Government of Canada

October 2022

Dr. Amanda Clarke, Associate Professor, Carleton University
Sean Boots, Public Servant-in-Residence, Carleton University

Context

Governments globally are abandoning traditional approaches to information technology (IT) procurement in favour of modern procurement practices that the evidence shows are far more likely to lead to success. The Government of Canada has yet to modernize its IT procurement practices in line with this emerging global best practice.

This policy brief outlines how the Government of Canada can implement these modern procurement practices in order to improve the success rate of individual IT projects and better manage the risks and costs associated with IT projects.

Improving how the Government of Canada buys IT equipment, software and services matters not just to the success of a given technology initiative. Getting IT procurement right matters hugely to the success of the government more broadly.

All federal policies and programs depend on the IT systems that underpin them. In most cases, some or all of these systems will need to be bought from outside vendors. Modernizing IT procurement is, in turn, essential to the health and resilience of our public services, and the well-being of Canadians dependent on them.

This policy brief draws on a policy review of global best practice in modern IT procurement and analysis of Canadian IT contracting patterns. The work was conducted as part of a research project facilitated by the federal government’s Public Servant-in-Residence program and Carleton University’s School of Public Policy and Administration. For more information on the research project and the data underpinning the analysis, please see govcanadacontracts.ca.

Table of contents

Modern IT Procurement: A New Playbook

Traditionally, governments (and many other organisations as well) have structured IT contracts in ways that all but ensure technology projects will be over-budget and delayed, will fail to meet their intended objectives, or will simply fail to get off the ground.

What characterizes this highly-risky traditional IT procurement model? First, traditional IT procurement favours high dollar value and long term projects. It tends to support only a small number of large providers operating in a non-competitive market. It relies on a model of wholly or largely outsourced IT expertise. Last, it defaults to giving vendors ownership of the data and Intellectual Property (IP) emerging from a given IT initiative or system, and also defaults to proprietary software.

All the evidence shows that when it comes to buying IT products and services, this playbook is a recipe for disaster. Thankfully, we now have a strong base of evidence to support a new playbook for Modern IT Procurement in the public sector.

Three key principles inform this new playbook:

First, contracts should be small – both in terms of their total value and their duration.

Smaller contracts raise the chances that an IT project will succeed in a few ways.

Smaller contracts are essential for agile software development, which is now accepted industry best practice in managing technology projects. Agile software development accepts as a premise that IT projects are riddled with uncertainty. Will the tech make sense when users actually interact with it? Will it be easy for people to navigate and use? Will existing policies and programs, and the technology and databases underpinning them, clash with the new IT solution you’re implementing? Will you discover that the problem you’re trying to solve is more, or less, complicated and costly than you originally thought, and you need to pivot your approach?

Acknowledging these uncertainties, agile methods build in flexibility to test what you’re building early on, directly with your intended users, to see if it works (or not) and adjust course if needed. To enable this flexibility and continuous learning, agile uses smaller contracts that avoid locking you into high-dollar value, long-term planning that rests on a series of untested assumptions.

In addition, smaller contracts hold vendors more accountable. If a vendor doesn’t deliver satisfactory work, it is much easier to shift to a different vendor at any given moment in a project’s development if you haven’t signed on to a long-term contract with them.

Similarly, smaller contracts distribute risk, rather than pooling it. If one large contract fails, the costs are high; an entire policy initiative can fall apart. Differently, if one of many smaller contracts doesn’t work out, the entire project isn’t jeopardized.

As another benefit, smaller contracts can encourage the adoption of open standards. If multiple vendors need to work together on a project, they’ll need to make sure that their work fits nicely together. Open standards and open source software licenses facilitate this.

Finally, smaller contracts can broaden the scope of potential contract bidders, and in turn encourage more competition in the market of outside providers. Large, complex contracts with many deliverables and administrative burdens will favour a smaller market of large, well-resourced vendors, and create barriers for small and medium sized enterprises to bid.

How small should a contract value be, and what should its duration be, in order to maximize the chances of project success? Drawing on a survey of 25,000 software projects, the Standish Group (2014, 2015) (a US based consulting firm) found that software projects that cost over $10 million succeed in only 8% of cases, whereas projects under $1 million have a 70% success rate. They conclude: “We have found that most software projects only require a small team for a short duration in order to deliver value to the organization; only in very rare cases do projects need to be larger and longer. Most, if not all, large, complex, multi-year projects are unnecessary” (The Standish Group 2015, p. 3).

Similarly, a 2019 US government publication, “De-risking custom technology projects” recommends “that no more than $2 million be spent on any single contract annually, and that no contract last for more than three years, including option periods” (Carnahan, Hart & Jaquith 2019, p. 38).

The second principle of modern IT procurement focuses on the source of IT expertise, and calls for investment in in-house IT expertise.

Historically, many governments have treated IT expertise as something that should largely be bought from outside providers. This has left governments in a hugely vulnerable position when it comes to making decisions about technology, and crucially, when it comes to contracting out IT projects and expertise.

Now, policymakers are awakening to the reality that a well-functioning government needs strong in-house IT capacity in order to effectively build and maintain technology itself, and also to be smart shoppers, and to provide effective oversight, when they decide to contract IT work to outside vendors.

The third principle of modern IT procurement focuses on data and Intellectual Property ownership and licensing.

A key element of modern government IT procurement has been the shift to public ownership of custom software code and an emphasis on open source software. This shift does not preclude the use of external vendors; in many cases around the world, governments hire IT firms to produce open source software that can be reused by other departments and jurisdictions.

Public ownership of software code and open source software support more effective IT procurement in a number of ways.

First, as already discussed, open source software supports the use of multiple vendors, by ensuring that different technology solutions produced by the same or different vendors are compatible. Open source software also prevents “vendor lock-in”, a vulnerable (and, over time, very expensive) situation where departments become dependent on an existing software vendor and are unable to switch to alternative providers due to technical or intellectual property constraints. Adopting or procuring open source software also facilitates reuse among departments (as well as other levels of government), leading to more effective stewardship of taxpayer funds.

Implementing Modern Government IT Procurement in the Government of Canada: Six Recommendations

1. Invest in in-house digital competency

Canadian digital government researchers have warned since the mid-2000s that the federal government needs to invest in its in-house IT capacity (Borins, Kernaghan & Brown 2007; Clarke, 2019; Roy 2006). The Government of Canada has recently made some effort to build its in-house IT capacity through recruitment via the Canadian Digital Service, time-limited fellowships facilitated by the non-profit Code for Canada, and the creation of the Digital Academy in the Canada School of Public Service. However, at present, outsourcing IT expertise remains a preferred default in most departments. Using data from govcanadacontracts.ca, we found that from 2017-2018 to 2021-2022, spending on IT consulting services has grown by 54 percent, after correcting for inflation, from a total of $1.17B to $1.79B per year. The total spent on IT consulting services over the five year period under examination was $7.7B.¹

What’s more, the vast majority of senior leadership in the Government of Canada have risen through a system in which they were never expected to understand how modern technologies work, how to manage and oversee technology projects, or to connect decisions about technology to their mainstream focus on policy design and program delivery. Given how central IT is to the core functionality of all government programs and services, the lack of digital expertise amongst the senior ranks of the federal government is a significant liability.

The federal government should build on existing efforts to build in-house IT capacity. All other recommendations that follow rest on successfully implementing this first recommendation; without in-house IT capacity, it will be impossible to effectively reform other aspects of IT procurement, or to deliver on digital government modernization more broadly.

This capacity building should focus not just on jobs explicitly focused on IT; all public servants interact with technology systems and data in one way or another through the course of their work. Public servants with backgrounds in policy, accounting, program delivery, and other areas move over time into management roles where, in many cases, they may be responsible for delivering or procuring IT projects. How can this capacity be built?

First, more can be done to upskill existing public servants. Expanding the reach of digital competency training to include all public servants is an important step to establish a public service that is prepared to handle present-day service delivery and policy challenges. This could be accomplished by expanding the Canada School of Public Service’s Digital Academy so that its training reaches a broader range of public servants. Feeder programs to the public service, including graduate programs in public policy and administration, also need to include more digital era competencies into their core curricula.

For procurement officers specifically, we endorse the Auditor General’s call for mandatory training for procurement officers on complex IT projects and on agile procurement methods, content currently absent in their training (Office of the Auditor General of Canada 2018). This training should include content that will alert procurement officers to, and help them fend off, vendor-led efforts to sideline or slow their work, a problem that has been flagged since the earliest investigations of Canadian e-government published in the mid-2000s (Borins et al. 2007; Roy 2006). Current vendors (many of them Canadian branches of large international firms that have witnessed similar changes elsewhere) are likely highly aware of the challenge these types of procurement reform present to their current industry dominance, and would be motivated to block or water down these measures through lobbying and marketing activities.

In addition to upskilling existing public servants, the Government of Canada will have to aggressively compete to recruit new technology talent if it wants to remain capable of delivering successful technology outcomes. Several policy reforms will support this objective:

• Introducing market-competitive pay scales for software developers and cybersecurity experts, in a separate classification distinct from IT support and system administration roles. Although increases to compensation for public servants can be controversial, doing so is likely to save taxpayer funds in the long-term by reducing the need for costly external IT consultants and by ensuring government technology projects are less prone to high-cost failures;
• allowing departments to classify and hire technology staff that report directly to program and business teams (outside of departmental CIO and IT divisions);
• creating “dual-stream” career progression models for technology staff that enable compensation at the highest pay scales without management responsibilities (ie. “individual contributor” progression models, used in most modern technology companies);
• removing bilingualism requirements from technology staff classifications in order to increase the available talent pool (a measure we acknowledge is controversial and not without costs, and also not likely to materialize); and
• hiring distributed technology staff into the public service with the ability to work anywhere in Canada.

2. Introduce IT spend controls

The most successful government IT procurement efforts, measured by taxpayer dollars saved, are the United Kingdom’s early spend control efforts. These spend controls – introduced in 2011 – are credited with saving £1.3B over five years (about $2.3B CAD) (National Audit Office 2017). Departments’ procurement spending was limited by the government’s Technology Code of Practice, which instituted a maximum cap on the size of IT contracts, limited certain types of contracts to a maximum of two years, and eliminated automatic contract renewals (GDS 2017 2).

The Government of Canada should adopt similar spend control approaches, applied comprehensively across all federal departments and agencies. This should include clear limits on the maximum size of IT contracts (for example, no more than $2M, as per the US General Service Administration [GSA] recommendations) as well as the maximum duration (for example, no more than 3 years, including extensions, again the recommendation used by the US’ GSA). These sorts of controls could help avoid the current situation, in which the majority (54%) of IT spending is allocated to contracts that break the $2 million/year threshold for likely project success.²

These limits are likely to be controversial when first imposed on departments (who may be incentivized to “rush through” large, multi-year contracts before the limits take effect), given the number of current IT contracts that are larger than these thresholds. In these cases, as a transitional step, exceptions should be given on a limited basis to the maximum size of IT contracts but not to the maximum duration. Departments should instead be given guidance to split large procurements into smaller, independently-feasible deliverables that could be delivered by separate vendors through modular contracting (see below). Comprehensive efforts should be made to streamline the process of establishing smaller-scale IT contracts in order to enable this, in order to avoid situations where for example procuring a contract with a maximum duration of two years takes more than a year.

3. Adopt modular contracting

Through updated contracting policies and guidance for departments, the Government of Canada should adopt modular contracting as a best practice for software development and IT implementation work.³ Principles of modular contracting include user-centered design, agile, product ownership, continuous delivery, and building with “loosely coupled parts” (breaking large software projects into smaller ones that can each be independently swapped out or replaced at any time). This, combined with deliberately small contracts, is designed to ensure that departments can very easily replace an under-performing vendor with another vendor with minimal disruption or delay (Carnahan, Hart & Jaquith 2019).

A key distinction between modular procurement contracts and traditional large IT procurements is that departments should procure “services, not software” – namely, procuring the services of a software development team to build a software product, rather than procuring the complete product itself. Vendors are held accountable, in turn, by quality assurance mechanisms that depend on being able to demonstrate working software on a frequent and routine basis, rather than documentation and descriptions of what the software might do in the future. This ultimately depends on sufficient in-house public service IT capacity to successfully evaluate the quality of the software being produced, and to dismiss and replace vendors when necessary.⁴

4. Reduce barriers to entry for small and medium sized enterprises

A range of policies and norms collectively act as a barrier to entry to smaller and less-established vendors that are attempting to enter the Government of Canada procurement marketplace. This includes cumbersome and time-consuming procurement processes (reviewing posted Requests for Proposals, preparing bids, participating in evaluation processes) as well as an emphasis on standardized solutions (and as a result, already-established vendors) that blocks out newcomer IT firms (DeCoste 2019).

More specifically, organizational security screening processes required via Public Service and Procurement Canada’s (PSPC) Industrial Security Program and unclear processes to approve outside software for use with Protected B information prevent small and innovative firms from participating in departments’ digital initiatives. Together, these administrative burdens reinforce the dominance of established industry players in government IT procurements.

The Standing Offer and Supply Arrangement mechanisms for external IT capacity, managed by PSPC and made mandatory for departments to adopt in 2005 also reinforce the dominant role of established IT vendors. PSPC periodically issues invitations to qualify for these lists, with a high enough barrier to entry that the successful vendors tend to be those that have previously participated.

As mandatory procurement mechanisms, these Standing Offer and Supply Arrangement lists can in some cases block departments from procuring similar capabilities separately (from, for example, vendors that specialize in more modern programming languages and technology frameworks). In its 2020 report on IT outsourcing, the Professional Institute of the Public Service of Canada (PIPSC) recommended that these mechanisms be “reconsidered entirely” (PIPSC 2020) in favour of increased in-house capacity.

Alongside eliminating current Standing Offer and Supply Arrangement mechanisms for IT activities, the Government of Canada should implement streamlined, short-term procurement approaches that are designed around modern digital capacities. This includes capabilities in design research, service design, and software development in more modern programming languages than are presently included in these mechanisms. Similar to the UK’s Digital Marketplace (Rooney 2016), the government could introduce a Canadian Digital Marketplace which would engage small-scale, specialized digital vendors that don’t normally engage in government procurements and that are outside of the National Capital Region.

For firms participating in these new procurement approaches, barriers to entry should be dramatically lower than current Government of Canada procurement requirements. For example, in cases where vendors are working on fully open-source software or conducting design research activities without requiring access to any sensitive information or systems, only minimal pre-registration and security screening activities should be required. Insights from the legal design community should be used to minimize the quantity and complexity of contract documentation required of vendors to participate (Smith & Waterman 2016). Any Digital Marketplace or comparable structure should be operated as an in-house government service, with continuous design research to gain feedback from vendors and public servants alike, and a dedicated team established to continually improve the service over time.

Finally, to explicitly support small enterprises, the Government of Canada should follow the lead of the US government’s Advancing Equity in Federal Procurement memorandum (Miller 2021), which sets a goal of 15% of contract dollars being spent on small and disadvantaged businesses (typically, under 250 employees). In 2021-2022, the US government awarded 30.9% of contract dollars ($72B USD) to small-business subcontractors, thanks in part to this goal (Clements 2022). This approach could complement the Government of Canada’s current 5% minimum target for procurement with Indigenous-owned businesses (PSPC 2021).

5. Procure and publish open source software

While we do not have a comprehensive data source to verify this assumption, we can anticipate that the vast majority of Government of Canada IT contracts would not prioritize public ownership of software code and open source software given the Policy on Title to Intellectual Property Arising Under Crown Procurement Contracts (2015) explicitly prevents procuring open source custom software that is owned by the Government of Canada (outside of exceptional cases). The Policy requires that new intellectual property created through Crown procurement contracts (particularly for software products) is owned by the contractor rather than the government.

The federal government should eliminate provisions preventing procurement of open source software in the Policy on Title to Intellectual Property Arising Under Crown Procurement Contracts. This policy represents a clear recipe for ongoing lock-in to the vendors producing custom software for the government, reducing departments’ ability to share and reuse resulting software. This likely leads to frequent cases where the Government of Canada pays for the same or comparable software multiple times over.

In lieu of the current default, a reverse approach should be instituted – where vendor ownership of intellectual property requires an approved exception case, rather than government ownership as is currently the case.

Alongside removing barriers to the procurement of new open source software and making government ownership of contractor-produced intellectual property the default, the Government of Canada should begin a government-wide effort to exclusively procure and publish open source software. In doing so, it would follow the steps that peer countries have taken to reduce vendor lock-in, increase software reuse, and improve stewardship of taxpayer dollars.

Historical concerns about the security and quality of open source software – still often cited by government IT leaders – are outdated and do not reflect the transformative effect that open source software adoption has had on the broader technology industry. Well-established strategies exist to safely open source existing software code (Shipman 2018). Done well, making government software code open source increases public trust and ultimately leads to more reliable, more secure software. It also reflects an important shift towards public ownership of the infrastructure used to deliver public services (Wylie 2020).

As a first step, government-wide IT and procurement policies should be introduced that require that all custom software code developed by in-house IT staff and by external contractors be publicly released under an open source license, throughout the full software development process or (at the latest) prior to it being adopted in production by a department. This should be accompanied by robust software development and security practices, including peer reviews, automated testing, and vulnerability disclosure processes.

Following this initial step, Government of Canada departments should undertake a comprehensive but incremental effort to migrate away from proprietary software products, including legacy database systems and information management products. The only exception to government-wide open source software requirements should be fully-managed cloud services (such as software-as-a-service products), fraud detection software in cases where public disclosure would reduce its effectiveness, and limited national security contexts.

6. Improve the extent and quality of publicly-disclosed IT procurement data

Beyond public spending disclosures, the Government of Canada should begin comprehensively tracking vendor performance on existing and future IT projects, and require that these performance reports are considered during IT procurement evaluations where the same vendors are candidates. Under current procurement regulations, past vendor performance is not considered valid evaluation criteria, and vendors with a track record of consistent, large-scale IT project failures continue to successfully win bids as a result. Vendor performance reports should be completed for all IT and management consulting contracts, at the close-out of each contract or (for multi-year contracts) updated annually, and should be published publicly within a year of being written.

Public sector patterns of dependency on IT vendors and consultants have expanded, in part, because of a lack of transparency on their cost and scale. The limited data available – and significant data quality issues – hinder the ability of policymakers and the public to monitor spending on IT vendors and management consultants. The Government of Canada should urgently adopt more disclosure efforts focused on IT contract spending, alongside improvements to data stewardship and quality. This should include publicly publishing the per diem rates associated with every contract (in contracts with multiple roles at different rates, the highest, lowest, and average per diem rates should all be independently disclosed), specifying vendors’ Business Number in order to more accurately link contracts and amendments from the same vendor, and associating amendments back to their original contracts by a consistent reference number in the Proactive Disclosure of Contracts dataset.

In addition to these improvements, departments should also be required to disclose, on an annual basis, the total amount spent (on a per-vendor basis) on information technology and professional services contracts. In addition, departments undertaking IT projects should disclose IT and professional services contract costs (also per-vendor) associated with each IT project on an annual basis. These disclosures should be made in a machine-readable CSV format similar to the Proactive Disclosure of Contracts dataset, published on Canada’s Open Government website.

Fully adopting a modern contracting data framework (namely the Open Contracting Data Standard) would bring Canada closer to peer countries’ contract disclosure and transparency efforts and could help the government achieve the data disclosure recommendations presented here. This work will hinge in large part on further investments in the government’s data collection and analysis capacity; in part, the poor quality of contract award data provided by departments is a reflection of the lack of capacity for strong data stewardship in the Government of Canada – itself caused in part by the government’s IT outsourcing tendencies.

References

Borins, S. F., Kernaghan, K., & Brown, D. (2007). Digital state at the leading edge. Toronto: University of Toronto Press.

Carnahan, R., Hart, R., & Jaquith, W. (2019). State Software Budgeting Handbook. 18F, Technology Transformation Service, General Services Administration. https://derisking-guide.18f.gov/state-field-guide/

Clarke, A. (2019). Opening the Government of Canada: The federal bureaucracy in the digital age. Vancouver: UBC Press.

Clements, T. (2022). Biden-Harris Administration Awards Record-Breaking $154.2 Billion in Contracting to Small Businesses. US Small Business Administration. https://www.sba.gov/article/2022/jul/26/biden-harris-administration-awards-record-breaking-1542-billion-contracting-small-businesses

DeCoste, Luke. (2019). Outdated procurement rules hindering digital government. Policy Options. https://policyoptions.irpp.org/magazines/february-2019/outdated-procurement-rules-hindering-digital-government/

Miller, J. (2021). Advancing Equity in Federal Procurement. Office of Management and Budget. https://www.whitehouse.gov/wp-content/uploads/2021/12/M-22-03.pdf

National Audit Office. (2017). Digital Transformation in Government. https://www.nao.org.uk/reports/digital-transformation-in-government/

Office of the Auditor General of Canada. (2018). Procuring Complex Information Technology Solutions. https://www.oag-bvg.gc.ca/internet/English/parl_oag_202102_01_e_43747.html

Professional Institute of the Public Service of Canada. (2020). Part one: The real cost of outsourcing. https://pipsc.ca/news-issues/outsourcing/part-one-real-cost-outsourcing

Public Services and Procurement Canada. (2021). Government of Canada announces federal-wide measures to increase opportunities for Indigenous businesses. News release. https://www.canada.ca/en/public-services-procurement/news/2021/08/government-of-canada-announces-federal-wide-measures-to-increase-opportunities-for-indigenous-businesses.html

Rooney, C. (2016). Bringing government procurement into the digital age. Government Digital Service. https://digitalmarketplace.blog.gov.uk/2016/11/30/bringing-government-procurement-into-the-digital-age/

Roy, J. (2006). E-government in Canada: Transformation for the Digital Age. University of Ottawa Press.

Shipman, A. (2018). How to open up closed code. Government Digital Service. https://technology.blog.gov.uk/2018/02/19/how-to-open-up-closed-code/

Smith, W., & Waterman, J. (2016). Working together to design government contracts for the digital age. Government Digital Service. https://digitalmarketplace.blog.gov.uk/2016/07/14/working-together-to-design-government-contracts-for-the-digital-age/

The Standish Group. (2014). CHAOS Report 2015. https://www.standishgroup.com/sample_research_files/CHAOSReport2015-Final.pdf

The Standish Group. (2015). HAZE. https://www.standishgroup.com/sample_research_files/Haze4.pdf

Wylie, B. (2020). Using Government IT to Teach and Build Public Infrastructure. https://biancawylie.medium.com/using-government-it-to-teach-and-build-public-infrastructure-cb300711b697