The DAG does not reflect the changes in DoDI 5000.02. Work is in progress to update the content and will be completed as soon as possible.

DEFENSE ACQUISITION GUIDEBOOK
Chapter 7 - Acquiring Information Technology

7.5.12. Implementing Information Assurance (IA) in the Acquisition of Information Technology (IT) Services

7.5.12.1. Acquisition of Information Technology (IT) Services – Information Assurance (IA) Considerations for Acquisition Strategies or Acquisition Plans

7.5.12.2. Acquisition of Information Technology (IT) Services – Information Assurance (IA) Considerations for Requests for Proposals (RFPs)

7.5.12.3. Acquisition of Information Technology (IT) Services – Information Assurance (IA) Considerations for Source Selection Procedures

7.5.12.4. Acquisition of Information Technology (IT) Services – Information Assurance (IA) Considerations for Ordering Guides

7.5.12.5. Acquisition of Information Technology (IT) Services – Information Assurance (IA) Review and Notification Process

DoD Instruction 5000.02, Enclosure 9, provides specific policy requirements for "Acquisitions of Services." Enclosure 9 defines IT Services as "The performance of any work related to IT and the operation of IT, including National Security Systems. This includes outsourced IT-based business processes, outsourced IT, and outsourced information functions."

Every year the Department acquires a vast array of IT services from the commercial sector, valued in the billions of dollars. These services support, impact, or utilize DoD information systems and networks both on and off the GIG. Because of this broad scope it is essential that IA be carefully considered as a factor in the planning, procurement, and execution of these services.

All acquisitions of IT services, regardless of acquisition of services category, are subject to Title 40/Clinger-Cohen Act, and to the maximum extent practicable, the Federal Acquisition Regulation and Defense Federal Acquisition Regulation Supplement.

Additionally, in accordance with DoD Directive 8500.01E, IA requirements shall be identified and included in the design, acquisition, installation, operation, upgrade or replacement of all DoD information systems. This section describes the actions to be taken to ensure that IA requirements are met, and IA is appropriately addressed in acquisitions of IT services.

IA considerations are described for the "Acquisitions of IT Services" areas listed above (sections 7.5.12.1 through 7.5.12.5).

Throughout this section, the services of an "IA professional" are recommended for the development and review of IA elements within acquisition strategies, plans, and procurement documentation. In selecting the appropriate IA professional support, ensure that the individual's IA knowledge and experience are appropriate to the task. Table 7.5.12.T1 suggests appropriate IA workforce categories and levels from the DoD Manual 8570.01-M, "Information Assurance Workforce Improvement Program Manual," for commonly required tasks. See the manual for details of knowledge, experience, and professional certifications required for each category and level.

Table 7.5.12.T1. Suggested IA workforce categories and levels

Task                                                                           | Suggested DoD 8570.01-M Category and Level
-------------------------------------------------------------------------------|-----------------------------------------------------------------
Identify IA technical requirements                                             | IA Technical Level II or III, depending on scope and complexity
Identify IA policy and procedural requirements                                 | IA Management Level II
Draft IA section of Acquisition Strategy/Plan                                  | IA Management Level II
Draft IA elements of RFP (including SOW/SOO, Section H clause tailoring, CDRL) | IA Management Level II
Draft IA section of ordering guide                                             | IA Management Level II
Develop IA selection criteria; participate in SSEB (review offerors' proposals) | IA Technical Level III
Review acquisition documents, RFP, ordering guide                              | IA Management Level III

7.5.12.1. Acquisition of Information Technology (IT) Services – Information Assurance (IA) Considerations for Acquisition Strategies or Acquisition Plans

The treatment of IA in an acquisition strategy and/or acquisition plan for an acquisition of IT services differs from the considerations normally addressed in a classic system acquisition strategy. In a system acquisition, the focus is on ensuring that IA is implemented in the design, development, test, and production of the system. In an acquisition of IT services, the IA considerations depend on the specific nature of the services being acquired.

The scope of potential IT services, and the associated IA considerations, is extremely diverse. Examples of IT services include, but are not limited to:

  • On-site hardware maintenance
  • Lease of telecommunications lines (fiber or circuits)
  • Software development
  • Test and evaluation services
  • Certification and accreditation support
  • Help desk support
  • Computing infrastructure operational support
  • Network operations and Computer Security support

Note that in some large indefinite delivery/indefinite quantity (IDIQ) IT services contracts, the actual tasks to be performed are not established until an order is placed, and there may be thousands of individual orders placed by hundreds of different ordering activities. In order to properly inform the acquisition planning process, the acquisition strategy needs to identify the IA requirements that are relevant to the IT services being acquired, and describe how the acquisition is being conducted to ensure those requirements will be met. As noted above, the scope of these considerations will vary with the nature of the IT services, but the following list provides a good baseline:

  • What broad IA policies and guidance are applicable?
  • What IA protections are relevant to the services being acquired?
  • Are there any IT components or systems being delivered coincidental to the IT services?
  • Is there an IA professional supporting the acquisition team? Has an IA professional contributed to the development of the solicitation?
  • Does the solicitation clearly and unambiguously communicate IA requirements to prospective offerors?
  • Does the performance work statement, specification, or statement of objectives meet IA requirements as specified in DFARS Subpart 239.71, "Security and Privacy for Computer Systems," paragraph 239.7102-1(a)?
  • Is the satisfaction of IA requirements a factor for award? Will an IA professional provide subject matter expert support to the source selection process?
  • If an IDIQ contract is considered, what IA requirements are allocated to the basic contract as global requirements, and what IA requirements are allocated to the order level (and the responsibility of the ordering activity to invoke)? Does the ordering guide clearly communicate to requiring activities and the ordering offices their responsibilities with regards to IA?
  • Has the solicitation been reviewed by the appropriate level of IA oversight (Designated Accrediting Authority/Program Executive Officer/Systems Command/Major Command/Component Senior Information Assurance Officer)?
  • Will the services contractor have access to or control of Government data?
  • Will the contractor need to connect to DoD systems or networks?
  • Will the contractor need to certify and accredit its information system?
  • Will the contractor's personnel be performing roles that require IA training, IA professional certifications, or background investigations in order to comply with DoD IA policy requirements?

7.5.12.2. Acquisition of Information Technology (IT) Services – Information Assurance (IA) Considerations for Requests for Proposals (RFPs)

As with the acquisition strategy, the IA language in the RFP is driven by the characteristics of the IT services requirement. However, regardless of the specifics of the acquisition, the goal of the RFP is to clearly and unambiguously communicate to potential offerors what our IA requirements are, and what we expect from them in terms of compliance and performance.

Identification of IA Policy Requirements. In most cases the IT services contractor will have to comply with fundamental DoD IA policy, such as DoD Directive 8500.01E and DoD Instruction 8500.2, and CJCS Instruction 6510.01. It is best to identify in the RFP that compliance with these documents is required. For requirements beyond the fundamentals, the nature of the service becomes the driver. If contractor personnel will have IA roles or privileged system access, the requirements of DoD Directive 8570.01 will apply. If the service involves certification and accreditation support, the DoD Information Assurance Certification and Accreditation Process (DIACAP) of DoD Instruction 8510.01 should be cited. Because it would be impractical to identify all the possible permutations of IT services and IA policy in this guidebook, requiring activities should utilize an IA professional to identify all IA requirements relevant to the IT service.

See the Sample RFP IA Clause for contract language that can be tailored as appropriate and included in Section H (Special Contract Requirements) of the solicitation.

Performance Work Statement (PWS) or Statement of Objectives (SOO). It is in this section that specific IA requirements, functions, and tasks should be communicated to the offerors. This may include identification of IA roles to be performed, specific IA controls to be satisfied, and specific IA performance criteria (e.g., availability requirements). This section must clearly communicate what needs to be done with regard to IA.

Contract Data Requirements List (CDRL). In this section, identify any IA-related data products that the potential contractor must produce. This may include reports, IA artifacts, or other IA documentation.

Section M: Evaluation Factors for Award. This section contains the evaluation factors and significant subfactors by which offers will be evaluated and the relative importance that the Government places on these evaluation factors and sub-factors. See section 7.5.12.3 for additional guidance.

IA Performance. In situations where IA performance is critical, the RFP may specifically address the impact of non-compliance or lack of IA performance on the part of the contractor. These impacts may include actions such as: documentation of poor performance, rejection of work products/deliverables, denial of network or physical access to non-conforming personnel, reduction of award fees, assessment of liquidated damages, termination of the contract for the convenience of the government, and termination of the contract for default. If IA is a critical element of the service, engage with the Procurement Contracting Officer as early as possible to define these impacts, and to include the appropriate language in the solicitation and resulting contract. The IA professional, PM, and program lead for test and evaluation will identify IA test and evaluation requirements, metrics, success criteria, and how and when best to conduct the IA testing.

7.5.12.3. Acquisition of Information Technology (IT) Services – Information Assurance (IA) Considerations for Source Selection Procedures

Section M of the Uniform Contract Format contains the Evaluation Factors for Award. This section contains the evaluation factors and significant sub-factors by which offers will be evaluated and the relative importance that the Government places on these evaluation factors and sub-factors. IA is just one of numerous factors that may be assessed for the purposes of making a contract award decision. It may be a major contributing factor in a best value determination, or it may be a minimum qualification for an award based primarily on cost or price.

The extent to which IA considerations affect the award factors is a direct function of how clearly the potential loss or damage that an IA failure could inflict on a system, organization, or mission capability is communicated and understood. For this reason, an IA professional should be tasked to assess the IA requirements and risks and to advise the contracting officer accordingly. As appropriate, an IA professional should develop IA-related evaluation factors and participate in the negotiation of the relative weightings of these factors. Correspondingly, an IA professional should also be part of the source selection evaluation board to ensure that the IA aspects of offerors' proposals are assessed for technical and functional appropriateness, adequacy, and compliance with requirements.

7.5.12.4. Acquisition of Information Technology (IT) Services – Information Assurance (IA) Considerations for Ordering Guides

In many large IT services contracts, the initial contract award merely establishes the scope of work, pricing, and other global factors, but no specific work is done until separate task orders are established. For these indefinite delivery/indefinite quantity (IDIQ) contracts, the IA considerations can vary widely from order to order. Additionally, orders may originate from activities separate from the activity that awarded the basic IDIQ contract, even from other agencies. To ensure that IA is appropriately considered in these individual and potentially unique orders, the "ordering guide" for the contract should inform the ordering activities of their responsibilities with regard to IA. Specifically, ordering/requiring activities are responsible for ensuring that any order placed for IT services results in a commitment from the service provider to deliver services that comply with DoD IA policies. To do this, the ordering activity must be aware of what general IA requirements are invoked in the basic contract, and then ensure that individual orders provide specific details and any supplemental IA requirements that may be needed to achieve policy requirements. For example, the basic contract may invoke DoD Instruction 8500.2 and require "implementation of appropriate baseline IA controls," but the individual order would have to specify the Mission Assurance Category (MAC) and Confidentiality Level relevant to that order.

Finally, since IT services acquisitions must comply with the Title 40/Clinger-Cohen Act, which requires a level of assurance that IA compliance is being achieved, it may be appropriate to direct that a hierarchy of IA reviews and approvals be established based on factors such as the dollar value of the individual orders. This ensures that qualifying orders are reviewed at an oversight level commensurate with their value.

See the Sample IA Section of an Ordering Guide. The specific form, structure, and content should be driven by the needs of the acquisition; the example is provided merely to offer a point of departure and may not be appropriate for a specific acquisition.

7.5.12.5. Acquisition of Information Technology (IT) Services – Information Assurance (IA) Review and Notification Process

Paragraph 5 of Enclosure 9 of DoD Directive 5000.02 includes specific requirements for higher-level review and approval of proposed acquisitions of services. The following IA reviews are required to be conducted in support of the Decision Authority approval process:

  • For acquisitions of IT Services estimated at greater than $250M (basic plus all options):
    • DoD Component IA Review of Acquisition Strategy/Acquisition Plan/Request for Proposal (RFP)
  • For acquisitions of IT Services estimated at greater than $500M (basic plus all options):
    • DoD Component IA Review of Acquisition Strategy/Acquisition Plan/RFP, and
    • DoD CIO IA Review** of Acquisition Strategy/Acquisition Plan/RFP, and
    • Notification of the cognizant Mission Area Portfolio Manager by the DoD CIO Acquisition prior to RFP release.

For acquisitions of IT services below the $250M threshold, follow Component guidance. For acquisitions of IT services related to telecommunications or transport infrastructure, review for IA technical sufficiency by a Defense IA/Security Accreditation Working Group (DSAWG) representative is recommended.

** Contact the Defense-wide Information Assurance Program (DIAP) Acquisition Team at diap.acquisition@osd.mil to arrange for early coordination reviews and formal reviews.
