FAR -- Part 39 Acquisition of Information Technology

Previous PageTable Of ContentsNext Page



FAR -- Part 39
Acquisition of Information Technology

(FAC 2005-82)
(7 May 2015)

39.000 -- Scope of Part.

This part prescribes acquisition policies and procedures for use in acquiring—

(a) Information technology, including financial management systems, consistent with other parts of this regulation, OMB Circular No. A-127, Financial Management Systems and OMB Circular No. A-130, Management of Federal Information Resources; and

(b) Information and information technology.

39.001 -- Applicability.

This part applies to the acquisition of information technology by or for the use of agencies except for acquisitions of information technology for national security systems. However, acquisitions of information technology for national security systems shall be conducted in accordance with 40 U.S.C. 11302 with regard to requirements for performance and results-based management; the role of the agency Chief Information Officer in acquisitions; and accountability. These requirements are addressed in OMB Circular No. A-130.

39.002 -- Definitions.

As used in this part--

“Modular contracting” means use of one or more contracts to acquire information technology systems in successive, interoperable increments.

“National security system” means any telecommunications or information system operated by the United States Government, the function, operation, or use of which --

Subpart 39.1 – General

39.101 -- Policy.

(a)

(b) Agencies must follow OMB Circular A-127, Financial Management Systems, when acquiring financial management systems. Agencies may acquire only core financial management software certified by the Joint Financial Management Improvement Program.

(c) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.

(d) When acquiring information technology using Internet Protocol, agencies must include the appropriate Internet Protocol compliance requirements in accordance with 11.002(g).

39.102 -- Management of Risk.

(a) Prior to entering into a contract for information technology, an agency should analyze risks, benefits, and costs. (See Part 7 for additional information regarding requirements definition.) Reasonable risk taking is appropriate as long as risks are controlled and mitigated. Contracting and program office officials are jointly responsible for assessing, monitoring and controlling risk when selecting projects for investment and during program implementation.

(b) Types of risk may include schedule risk, risk of technical obsolescence, cost risk, risk implicit in a particular contract type, technical feasibility, dependencies between a new project and other projects or systems, the number of simultaneous high risk projects to be monitored, funding availability, and program management risk.

(c) Appropriate techniques should be applied to manage and mitigate risk during the acquisition of information technology. Techniques include, but are not limited to: prudent project management; use of modular contracting; thorough acquisition planning tied to budget planning by the program, finance and contracting offices; continuous collection and evaluation of risk-based assessment data; prototyping prior to implementation; post implementation reviews to determine actual project cost, benefits and returns; and focusing on risks and returns using quantifiable measures.

39.103 -- Modular Contracting.

(a) This section implements 41 U.S.C. 2308. Modular contracting is intended to reduce program risk and to incentivize contractor performance while meeting the Governments need for timely access to rapidly changing technology. Consistent with the agency’s information technology architecture, agencies should, to the maximum extent practicable, use modular contracting to acquire major systems (see 2.101) of information technology. Agencies may also use modular contracting to acquire non-major systems of information technology.

(b) When using modular contracting, an acquisition of a system of information technology may be divided into several smaller acquisition increments that --

(c) The characteristics of an increment may vary depending upon the type of information technology being acquired and the nature of the system being developed. The following factors may be considered:

(d) For each increment, contracting officers shall choose an appropriate contracting technique that facilitates the acquisition of subsequent increments. Pursuant to Parts 16 and 17 of the Federal Acquisition Regulations, contracting officers shall select the contract type and method appropriate to the circumstances (e.g., indefinite delivery, indefinite quantity contracts, single contract with options, successive contracts, multiple awards, task order contracts). Contract(s) shall be structured to ensure that the Government is not required to procure additional increments.

(e) To avoid obsolescence, a modular contract for information technology should, to the maximum extent practicable, be awarded within 180 days after the date on which the solicitation is issued. If award cannot be made within 180 days, agencies should consider cancellation of the solicitation in accordance with 14.209 or 15.206(e). To the maximum extent practicable, deliveries under the contract should be scheduled to occur within 18 months after issuance of the solicitation.

39.104 – Information Technology Services.

When acquiring information technology services, solicitations must not describe any minimum experience or educational requirement for proposed contractor personnel unless the contracting officer determines that the needs of the agency—

39.105 -- Privacy.

Agencies shall ensure that contracts for information technology address protection of privacy in accordance with the Privacy Act (5 U.S.C. 552a) and Part 24. In addition, each agency shall ensure that contracts for the design, development, or operation of a system of records using commercial information technology services or information technology support services include the following:

(a) Agency rules of conduct that the contractor and the contractor’s employees shall be required to follow.

(b) A list of the anticipated threats and hazards that the contractor must guard against.

(c) A description of the safeguards that the contractor must specifically provide.

(d) Requirements for a program of Government inspection during performance of the contract that will ensure the continued efficacy and efficiency of safeguards and the discovery and countering of new threats and hazards.

39.106 -- Contract Clause.

The contracting officer shall insert a clause substantially the same as the clause at 52.239-1, Privacy or Security Safeguards, in solicitations and contracts for information technology which require security of information technology, and/or are for the design, development, or operation of a system of records using commercial information technology services or support services.

Subpart 39.2 – Electronic and Information Technology

39.201 Scope of subpart.

(a) This subpart implements section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), and the Architectural and Transportation Barriers Compliance Board Electronic and Information Technology (EIT) Accessibility Standards (36 CFR part 1194).

(b) Further information on section 508 is available via the Internet at http://www.section508.gov.

(c) When acquiring EIT, agencies must ensure that--

39.202 Definition.

Undue burden, as used in this subpart, means a significant difficulty or expense.

39.203 Applicability.

(a) Unless an exception at 39.204 applies, acquisitions of EIT supplies and services must meet the applicable accessibility standards at 36 CFR part 1194.

(b)

(c)

39.204 Exceptions.

The requirements in 39.203 do not apply to EIT that--

(a) Is purchased in accordance with Subpart 13.2 (micro-purchases) prior to April 1, 2005. However, for micro-purchases, contracting officers and other individuals designated in accordance with 1.603-3 are strongly encouraged to comply with the applicable accessibility standards to the maximum extent practicable;

(b) Is for a national security system;

(c) Is acquired by a contractor incidental to a contract;

(d) Is located in spaces frequented only by service personnel for maintenance, repair or occasional monitoring of equipment; or

(e) Would impose an undue burden on the agency.


Previous PageTop Of PageTable Of ContentsNext Page