Executive Summary: Key Legal and Evidentiary Issues

• Judicial review sought of a decision revoking a federal contractor’s security clearance following a cyber incident.

• Applicant’s Reliability Status was revoked after classified systems were exposed to a credential-stealing tool (Mimikatz).

• Central legal question involved whether the revocation decision was reasonable and procedurally fair under administrative law standards.

• Applicant alleged procedural unfairness due to investigative bias and mischaracterization of facts.

• Court found no breach of procedural fairness and held that the security authority’s decision met reasonableness standards.

• Applicant was ordered to pay $1,000 in lump sum costs; no other remedies granted.

Facts and outcome of the case

Kimberly Muma, a software engineer with over 35 years of experience in federal security contracting, applied for judicial review after his security clearance was revoked by Public Services and Procurement Canada (PSPC). Muma had been working under contract with the Department of National Defence (DND), where he had access to a classified network called the Defence Wide Area Network (DWAN). In November 2022, it was discovered that Muma had inserted a USB device containing a program known as Mimikatz—a tool capable of stealing credentials—into a classified workstation.

Although Muma argued that the insertion was unintentional and that he forgot the tool was on the device, both DND and PSPC conducted investigations. DND flagged a medium operational impact and characterized the conduct as a deliberate use of an exploitation toolset. PSPC followed with a Review for Cause and suspended Muma’s Reliability Status, the minimum requirement for holding a security clearance. During the investigation, Muma admitted to using unauthorized personal devices on classified systems, failing to report incidents, and even continuing informal technical assistance to DND colleagues after his suspension.

Muma raised several legal challenges, claiming the process was procedurally unfair and biased, particularly pointing to comments made by a DND analyst. He also argued that the facts were misinterpreted, and that PSPC conflated two incidents involving different devices. PSPC ultimately concluded there were reasonable grounds to believe Muma’s actions reflected negatively on his ability to safeguard government assets. The agency revoked his Reliability Status, thereby terminating his eligibility for Secret and Top-Secret clearance.

The court upheld PSPC’s decision, finding it procedurally fair and substantively reasonable. It concluded that Muma had multiple opportunities to respond to the allegations, and that PSPC made an independent determination based on a comprehensive review of the evidence. Allegations of bias were rejected, as the decision-making authority was separate from DND and did not rely on the contested analyst comments. The court emphasized that procedural fairness had been met, even if the applicant disagreed with the outcome.

In conclusion, the application for judicial review was dismissed. The court awarded the Attorney General of Canada $1,000 in all-inclusive lump sum costs, noting the applicant’s loss of long-term employment but recognizing the unsuccessful challenge.