
DFARS 239



Part 239—Acquisition of Information Technology

TABLE OF CONTENTS

(Revised November 30, 2015)

239.001 Applicability.

SUBPART 239.1--GENERAL

239.101 Policy.

SUBPART 239.70--EXCHANGE OR SALE OF INFORMATION TECHNOLOGY

239.7001 Policy.

SUBPART 239.71--SECURITY AND PRIVACY FOR COMPUTER SYSTEMS

239.7100 Scope of subpart.

239.7101 Definition.

239.7102 Policy and responsibilities.

239.7102-1 General.

239.7102-2 Compromising emanations—TEMPEST or other standard.

239.7102-3 Information assurance contractor training and certification.

239.7103 Contract clauses.

SUBPART 239.72--STANDARDS

239.7201 Solicitation requirements.

SUBPART 239.73--REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK

239.7300 Scope of subpart.

239.7301 Definitions.

239.7302 Applicability.

239.7303 Authorized individuals.

239.7304 Determination and notification.

239.7305 Exclusion and limitation on disclosure.

239.7306 Solicitation provision and contract clause.

SUBPART 239.74--TELECOMMUNICATIONS SERVICES

239.7400 Scope.

239.7401 Definitions.

239.7402 Policy.

239.7403 Reserved.

239.7404 Reserved.

239.7405 Delegated authority for telecommunications resources.

239.7406 Certified cost or pricing data and data other than certified cost or pricing data.

239.7407 Type of contract.

239.7408 Special construction.

239.7408-1 General.

239.7408-2 Applicability of construction labor standards for special construction.

239.7409 Special assembly.

239.7410 Cancellation and termination.

239.7411 Contract clauses.

SUBPART 239.76--CLOUD COMPUTING

239.7600 Scope of subpart.

239.7601 Definitions.

239.7602 Policy and responsibilities.

239.7602-1 General.

239.7602-2 Required storage of data within the United States or outlying areas.

239.7603 Procedures.

239.7604 Solicitation provision and contract clause.

(Added October 30, 2015)

239.001 Applicability.

Notwithstanding FAR 39.001, this part applies to acquisitions of information technology, including national security systems.

SUBPART 239.1--GENERAL

(Revised July 15, 2009)

239.101 Policy.

See Subpart 208.74 when acquiring commercial software or software maintenance. See 227.7202 for policy on the acquisition of commercial computer software and commercial computer software documentation.

SUBPART 239.70--EXCHANGE OR SALE OF INFORMATION TECHNOLOGY

(Revised July 11, 2006)

239.7001 Policy.

Agencies shall follow the procedures in DoD 4140.1-R, DoD Supply Chain Materiel Management Regulation, Chapter 9, Section C9.5, when considering the exchange or sale of Government-owned information technology.

SUBPART 239.71--SECURITY AND PRIVACY FOR COMPUTER SYSTEMS

(Revised September 21, 2015)

239.7100 Scope of subpart.

This subpart includes information assurance and Privacy Act considerations. Information assurance requirements are in addition to provisions concerning protection of privacy of individuals (see FAR Subpart 24.1).

239.7101 Definition.

“Information assurance,” as used in this subpart, means measures that protect and defend information, that is entered, processed, transmitted, stored, retrieved, displayed, or destroyed, and information systems, by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.

239.7102 Policy and responsibilities.

239.7102-1 General.

239.7102-2 Compromising emanations—TEMPEST or other standard.

For acquisitions requiring information assurance against compromising emanations, the requiring activity is responsible for providing to the contracting officer—

239.7102-3 Information assurance contractor training and certification.

239.7103 Contract clauses.

SUBPART 239.72--STANDARDS

(Revised July 11, 2006)

239.7201 Solicitation requirements.

Contracting officers shall ensure that all applicable Federal Information Processing Standards are incorporated into solicitations.

SUBPART 239.73--REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK

(Revised October 30, 2015)

239.7300 Scope of subpart.

239.7301 Definitions.

As used in this subpart—

“Covered item of supply” means an item of information technology that is purchased for inclusion in a covered system, and the loss of integrity of which could result in a supply chain risk for a covered system (see section 806(e)(6) of Pub. L. 111-383).

“Covered system” means a national security system, as that term is defined at 44 U.S.C. 3542(b) (see section 806(e)(5) of Pub. L. 111-383). It is any information system, including any telecommunications system, used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—

“Supply chain risk” means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

239.7302 Applicability.

Notwithstanding FAR 39.001, this subpart shall be applied to acquisition of information technology for national security systems, as that term is defined at 44 U.S.C. 3542(b), for procurements involving—

either a performance specification (see 10 U.S.C. 2305(a)(1)(C)(ii)), or an evaluation factor (see 10 U.S.C. 2305(a)(2)(A)), relating to supply chain risk;

a covered system or a covered item of supply where the task or delivery order contract concerned includes a requirement relating to supply chain risk (see 10 U.S.C. 2304c(d)(3) and FAR 16.505(b)(1)(iv)(D)); or

item of supply where such contract includes a requirement relating to supply chain risk.

239.7303 Authorized individuals.

239.7304 Determination and notification.

The individuals authorized in 239.7303 may exercise the authority provided in 239.7305 only after—

national security by reducing supply chain risk;

Department of Defense as specified in paragraph (a) of this section;

paragraph (a) of this section; and

239.7305 Exclusion and limitation on disclosure.

Subject to 239.7304, the individuals authorized in 239.7303 may, in the course of procuring information technology, whether as a service or as a supply, that is a covered system, is a part of a covered system, or is in support of a covered system—

239.7306 Solicitation provision and contract clause.

SUBPART 239.74--TELECOMMUNICATIONS SERVICES

(Revised May 10, 2016)

239.7400 Scope.

This subpart prescribes policy and procedures for acquisition of telecommunications services and maintenance of telecommunications security. Telecommunications services meet the definition of information technology.

239.7401 Definitions.

As used in this subpart—

telecommunications services which are regulated by the Federal Communications Commission or other governmental body.

trust, governmental body, or corporation not subject to regulation by a U.S. governmental regulatory body and not doing business as a citizen of the United States, providing telecommunications services outside the territorial limits of the United States.

any statewide regulatory body, or any body with less than statewide jurisdiction when operating under the State authority. The following are not “governmental regulatory bodies”—

telecommunications facilities, services, or equipment for lease.

meaning given in the clause at 252.239-7016, Telecommunications Security Equipment, Devices, Techniques, and Services.

signs, writing, images, sounds, or intelligence of any nature, by wire, cable, satellite, fiber optics, laser, radio, or any other electronic, electric, electromagnetic, or acoustically coupled means.

contract, to meet the Government's telecommunications needs. The term includes the telecommunications facilities and equipment necessary to provide such services.

239.7402 Policy.

239.7403 Reserved.

239.7404 Reserved.

239.7405 Delegated authority for telecommunications resources.

The contracting officer may enter into a telecommunications service contract on a month-to-month basis or for any longer period or series of periods, not to exceed a total of 10 years. See PGI 239.7405 for documents relating to this contracting authority, which the General Services Administration has delegated to DoD.

239.7406 Certified cost or pricing data and data other than certified cost or pricing data.

239.7407 Type of contract.

When acquiring telecommunications services, the contracting officer may use a basic agreement (see FAR 16.702) in conjunction with communication service authorizations. When using this method, follow the procedures at PGI 239.7407.

239.7408 Special construction.

239.7408-1 General.

239.7408-2 Applicability of construction labor standards for special construction.

239.7409 Special assembly.

239.7410 Cancellation and termination.

239.7411 Contract clauses.

SUBPART 239.75

(Removed July 11, 2006)

SUBPART 239.76—CLOUD COMPUTING

(Revised November 30, 2015)

239.7600 Scope of subpart.

This subpart prescribes policies and procedures for the acquisition of cloud computing services.

239.7601 Definitions.

As used in this subpart—

“Authorizing official,” as described in DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), means the senior Federal official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

“Cloud computing” means a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.

“Government data” means any information, document, media, or machine readable material regardless of physical form or characteristics, that is created or obtained by the Government in the course of official Government business.

“Government-related data” means any information, document, media, or machine readable material regardless of physical form or characteristics that is created or obtained by a contractor through the storage, processing, or communication of Government data. This does not include a contractor’s business records (e.g., financial records, legal records, etc.) or data such as operating procedures, software coding, or algorithms that are not uniquely applied to the Government data.

“Spillage” means a security incident that results in the transfer of classified or controlled unclassified information onto an information system not accredited (i.e., authorized) for the appropriate security level.

239.7602 Policy and responsibilities.

239.7602-1 General.

239.7602-2 Required storage of data within the United States or outlying areas.

239.7603 Procedures.

Follow the procedures relating to cloud computing at PGI 239.7603.

239.7604 Solicitation provision and contract clause.
