Federal Acquisition Regulation

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY

Sec.
39.000 Scope of part.
39.001 Applicability.
39.002 Definitions.

General
39.101 Policy.
39.102 Management of risk.
39.103--39.104 [Reserved]
39.105 Privacy.
39.106 Year 2000 compliance.
39.107 Contract clause.

39.000 Scope of part.

This part prescribes acquisition policies and procedures for use in acquiring information technology consistent with other parts of this regulation and OMB Circular No. A-130, Management of Federal Information Resources.

39.001 Applicability.

This part applies to the acquisition of information technology by or for the use of agencies except for acquisitions of information technology for national security systems. However, acquisitions of information technology for national security systems shall be conducted in accordance with 40 U.S.C. 1412 with regard to requirements for performance and results-based management; the role of the agency Chief Information Officer in acquisitions; and accountability. These requirements are addressed in OMB Circular No. A-130.

39.002 Definitions.

"National security system," as used in this part, means any telecommunications or information system operated by the United States Government, the function, operation, or use of which--

(a) Involves intelligence activities;

(b) Involves cryptologic activities related to national security;

(c) Involves command and control of military forces;

(d) Involves equipment that is an integral part of a weapon or weapons system; or

(e) Is critical to the direct fulfillment of military or intelligence missions. This does not include a system that is to be used for routine administrative and business applications, such as payroll, finance, logistics, and personnel management applications.

"Year 2000 compliant," as used in this part, means, with respect to information technology, that the information technology accurately processes date/time data (including, but not limited to, calculating, comparing, and sequencing) from, into, and between the twentieth and twenty-first centuries, and the years 1999 and 2000 and leap year calculations, to the extent that other information technology, used in combination with the information technology being acquired, properly exchanges date/time data with it.

Subpart 39.1--General

39.101 Policy.

In acquiring information technology, agencies shall identify their requirements pursuant to OMB Circular A-130, including consideration of security of resources, protection of privacy, national security and emergency preparedness, accommodations for individuals with disabilities, and energy efficiency. When developing an acquisition strategy, contracting officers should consider the rapidly changing nature of information technology through market research (see Part 10) and the application of technology refreshment techniques.

39.102 Management of risk.

(a) Prior to entering into a contract for information technology, an agency should analyze risks, benefits, and costs. (See Part 7 for additional information regarding requirements definition.) Reasonable risk taking is appropriate as long as risks are controlled and mitigated. Contracting and program office officials are jointly responsible for assessing, monitoring and controlling risk when selecting projects for investment and during program implementation.

(b) Types of risk may include schedule risk, risk of technical obsolescence, cost risk, risk implicit in a particular contract type, technical feasibility, dependencies between a new project and other projects or systems, the number of simultaneous high risk projects to be monitored, funding availability, and program management risk.

(c) Appropriate techniques should be applied to manage and mitigate risk during the acquisition of information technology. Techniques include, but are not limited to: prudent project management; use of modular contracting; thorough acquisition planning tied to budget planning by the program, finance and contracting offices; continuous collection and evaluation of risk-based assessment data; prototyping prior to implementation; post implementation reviews to determine actual project cost, benefits and returns; and focusing on risks and returns using quantifiable measures.

39.103--39.104 [Reserved]

39.105 Privacy.

Agencies shall ensure that contracts for information technology address protection of privacy in accordance with the Privacy Act (5 U.S.C. 552a) and Part 24. In addition, each agency shall ensure that contracts for the design, development, or operation of a system of records using commercial information technology services or information technology support services include the following:

(a) Agency rules of conduct that the contractor and the contractor's employees shall be required to follow.

(b) A list of the anticipated threats and hazards that the contractor must guard against.

(c) A description of the safeguards that the contractor must specifically provide.

(d) Requirements for a program of Government inspection during performance of the contract that will ensure the continued efficacy and efficiency of safeguards and the discovery and countering of new threats and hazards.

39.106 Year 2000 compliance.

When acquiring information technology that will be required to perform date/time processing involving dates subsequent to December 31, 1999, agencies shall ensure that solicitations and contracts--

(a)(1) Require the information technology to be Year 2000 compliant; or

(2) Require that non-compliant information technology be upgraded to be Year 2000 compliant prior to the earlier of--

(i) The earliest date on which the information technology may be required to perform date/time processing involving dates later than December 31, 1999, or

(ii) December 31, 1999; and

(b) As appropriate, describe existing information technology that will be used with the information technology to be acquired and identify whether the existing information technology is Year 2000 compliant.

39.107 Contract clause.

The contracting officer shall insert a clause substantially the same as the clause at 52.239-1, Privacy or Security Safeguards, in solicitations and contracts for information technology which require security of information technology, and/or are for the design, development, or operation of a system of records using commercial information technology services or support services.