48 C.F.R. PART 39—ACQUISITION OF INFORMATION TECHNOLOGY
Title 48 - Federal Acquisition Regulations System
Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).
Source: 61 FR 41470, Aug. 8, 1996, unless otherwise noted.
This part prescribes acquisition policies and procedures for use in acquiring— (a) Information technology, including financial management systems, consistent with other parts of this regulation, OMB Circular No. A–127, Financial Management Systems, and OMB Circular No. A–130, Management of Federal Information Resources; and (b) Electronic and information technology. [66 FR 20897, Apr. 25, 2001] This part applies to the acquisition of information technology by or for the use of agencies except for acquisitions of information technology for national security systems. However, acquisitions of information technology for national security systems shall be conducted in accordance with 40 U.S.C. 11302 with regard to requirements for performance and results-based management; the role of the agency Chief Information Officer in acquisitions; and accountability. These requirements are addressed in OMB Circular No. A–130. [61 FR 41470, Aug. 8, 1996, as amended at 70 FR 57455, Sept. 30, 2005] As used in this part— Modular contracting means use of one or more contracts to acquire information technology systems in successive, interoperable increments. National security system means any telecommunications or information system operated by the United States Government, the function, operation, or use of which— (1) Involves intelligence activities; (2) Involves cryptologic activities related to national security; (3) Involves command and control of military forces; (4) Involves equipment that is an integral part of a weapon or weapons system; or (5) Is critical to the direct fulfillment of military or intelligence missions. This does not include a system that is to be used for routine administrative and business applications, such as payroll, finance, logistics, and personnel management applications. Year 2000 compliant with respect to information technology, means that the information technology accurately processes date/time data (including, but not limited to, calculating, comparing, and sequencing) from, into, and between the twentieth and twenty-first centuries, and the years 1999 and 2000 and leap year calculations, to the extent that other information technology, used in combination with the information technology being acquired, properly exchanges date/time data with it. [61 FR 41470, Aug. 8, 1996, as amended at 62 FR 274, Jan. 2, 1997; 62 FR 44830, Aug. 22, 1997; 63 FR 9068, Feb. 23, 1998; 66 FR 2133, Jan. 10, 2001] (a) Division A, Section 101(h), Title VI, Section 622 of the Omnibus Appropriations and Authorization Act for Fiscal Year 1999 (Pub. L. 105–277) requires that agencies may not use appropriated funds to acquire information technology that does not comply with 39.106, unless the agency's Chief Information Officer determines that noncompliance with 39.106 is necessary to the function and operation of the agency or the acquisition is required by a contract in effect before October 21, 1998. The Chief Information Officer must send to the Office of Management and Budget a copy of all waivers for forwarding to Congress. (b) In acquiring information technology, agencies shall identify their requirements pursuant to OMB Circular A–130, including consideration of security of resources, protection of privacy, national security and emergency preparedness, accommodations for individuals with disabilities, and energy efficiency. When developing an acquisition strategy, contracting officers should consider the rapidly changing nature of information technology through market research (see part 10) and the application of technology refreshment techniques. (c) Agencies must follow OMB Circular A–127, Financial Management Systems, when acquiring financial management systems. Agencies may acquire only core financial management software certified by the Joint Financial Management Improvement Program. (d) In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements. [61 FR 41470, Aug. 8, 1996, as amended at 64 FR 32748, June 17, 1999; 64 FR 72446, Dec. 27, 1999; 70 FR 57452, Sept. 30, 2005] (a) Prior to entering into a contract for information technology, an agency should analyze risks, benefits, and costs. (See part 7 for additional information regarding requirements definition.) Reasonable risk taking is appropriate as long as risks are controlled and mitigated. Contracting and program office officials are jointly responsible for assessing, monitoring and controlling risk when selecting projects for investment and during program implementation. (b) Types of risk may include schedule risk, risk of technical obsolescence, cost risk, risk implicit in a particular contract type, technical feasibility, dependencies between a new project and other projects or systems, the number of simultaneous high risk projects to be monitored, funding availability, and program management risk. (c) Appropriate techniques should be applied to manage and mitigate risk during the acquisition of information technology. Techniques include, but are not limited to: prudent project management; use of modular contracting; thorough acquisition planning tied to budget planning by the program, finance and contracting offices; continuous collection and evaluation of risk-based assessment data; prototyping prior to implementation; post implementation reviews to determine actual project cost, benefits and returns; and focusing on risks and returns using quantifiable measures. (a) This section implements Section 5202, Incremental Acquisition of Information Technology, of the Clinger-Cohen Act of 1996 (Public Law 104–106). Modular contracting is intended to reduce program risk and to incentivize contractor performance while meeting the Governments need for timely access to rapidly changing technology. Consistent with the agency's information technology architecture, agencies should, to the maximum extent practicable, use modular contracting to acquire major systems (see 2.101) of information technology. Agencies may also use modular contracting to acquire non-major systems of information technology. (b) When using modular contracting, an acquisition of a system of information technology may be divided into several smaller acquisition increments that— (1) Are easier to manage individually than would be possible in one comprehensive acquisition; (2) Address complex information technology objectives incrementally in order to enhance the likelihood of achieving workable systems or solutions for attainment of those objectives; (3) Provide for delivery, implementation, and testing of workable systems or solutions in discrete increments, each of which comprises a system or solution that is not dependent on any subsequent increment in order to perform its principal functions; (4) Provide an opportunity for subsequent increments to take advantage of any evolution in technology or needs that occur during implementation and use of the earlier increments; and (5) Reduce risk of potential adverse consequences on the overall project by isolating and avoiding custom-designed components of the system. (c) The characteristics of an increment may vary depending upon the type of information technology being acquired and the nature of the system being developed. The following factors may be considered: (1) To promote compatibility, the information technology acquired through modular contracting for each increment should comply with common or commercially acceptable information technology standards when available and appropriate, and shall conform to the agency's master information technology architecture. (2) The performance requirements of each increment should be consistent with the performance requirements of the completed, overall system within which the information technology will function and should address interface requirements with succeeding increments. (d) For each increment, contracting officers shall choose an appropriate contracting technique that facilitates the acquisition of subsequent increments. Pursuant to Parts 16 and 17 of the Federal Acquisition Regulations, contracting officers shall select the contract type and method appropriate to the circumstances (e.g., indefinite delivery, indefinite quantity contracts, single contract with options, successive contracts, multiple awards, task order contracts). Contract(s) shall be structured to ensure that the Government is not required to procure additional increments. (e) To avoid obsolescence, a modular contract for information technology should, to the maximum extent practicable, be awarded within 180 days after the date on which the solicitation is issued. If award cannot be made within 180 days, agencies should consider cancellation of the solicitation in accordance with 48 CFR 14.209 or 15.206(e). To the maximum extent practicable, deliveries under the contract should be scheduled to occur within 18 months after issuance of the solicitation. [63 FR 9068, Feb. 23, 1998] When acquiring information technology services, solicitations must not describe any minimum experience or educational requirement for proposed contractor personnel unless the contracting officer determines that the needs of the agency— (a) Cannot be met without that requirement; or (b) Require the use of other than a performance-based acquisition (see subpart 37.6). [66 FR 22085, May 2, 2001; 71 FR 218, Jan. 3, 2006] Agencies shall ensure that contracts for information technology address protection of privacy in accordance with the Privacy Act (5 U.S.C. 552a) and part 24. In addition, each agency shall ensure that contracts for the design, development, or operation of a system of records using commercial information technology services or information technology support services include the following: (a) Agency rules of conduct that the contractor and the contractor's employees shall be required to follow. (b) A list of the anticipated threats and hazards that the contractor must guard against. (c) A description of the safeguards that the contractor must specifically provide. (d) Requirements for a program of Government inspection during performance of the contract that will ensure the continued efficacy and efficiency of safeguards and the discovery and countering of new threats and hazards. When acquiring information technology that will be required to perform date/time processing involving dates subsequent to December 31, 1999, agencies shall ensure that solicitations and contracts— (a)(1) Require the information technology to be Year 2000 compliant; or (2) Require that non-compliant information technology be upgraded to be Year 2000 compliant prior to the earlier of (i) The earliest date on which the information technology may be required to perform date/time processing involving dates later than December 31, 1999, or (ii) December 31, 1999; and (b) As appropriate, describe existing information technology that will be used with the information technology to be acquired and identify whether the existing information technology is Year 2000 compliant. [62 FR 274, Jan. 2, 1997] The contracting officer shall insert a clause substantially the same as the clause at 52.239–1, Privacy or Security Safeguards, in solicitations and contracts for information technology which require security of information technology, and/or are for the design, development, or operation of a system of records using commercial information technology services or support services. [61 FR 41470, Aug. 8, 1996. Redesignated at 62 FR 274, Jan. 2, 1997] Source: 66 FR 20897, Apr. 25, 2001, unless otherwise noted.
(a) This subpart implements section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), and the Architectural and Transportation Barriers Compliance Board Electronic and Information Technology (EIT) Accessibility Standards (36 CFR part 1194). (b) Further information on section 508 is available via the Internet at http://www.section508.gov. (c) When acquiring EIT, agencies must ensure that— (1) Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who are not individuals with disabilities; and (2) Members of the public with disabilities seeking information or services from an agency have access to and use of information and data that is comparable to the access to and use of information and data by members of the public who are not individuals with disabilities. Undue burden, as used in this subpart, means a significant difficulty or expense. (a) Unless an exception at 39.204 applies, acquisitions of EIT supplies and services must meet the applicable accessibility standards at 36 CFR part 1194. (b)(1) Exception determinations are required prior to contract award, except for indefinite-quantity contracts (see paragraph (b)(2) of this section). (2) Exception determinations are not required prior to award of indefinite-quantity contracts, except for requirements that are to be satisfied by initial award. Contracting offices that award indefinite-quantity contracts must indicate to requiring and ordering activities which supplies and services the contractor indicates as compliant, and show where full details of compliance can be found (e.g., vendor's or other exact website location). (3) Requiring and ordering activities must ensure supplies or services meet the applicable accessibility standards at 36 CFR part 1194, unless an exception applies, at the time of issuance of task or delivery orders. Accordingly, indefinite-quantity contracts may include noncompliant items; however, any task or delivery order issued for noncompliant items must meet an applicable exception. (c)(1) When acquiring commercial items, an agency must comply with those accessibility standards that can be met with supplies or services that are available in the commercial marketplace in time to meet the agency's delivery requirements. (2) The requiring official must document in writing the nonavailability, including a description of market research performed and which standards cannot be met, and provide documentation to the contracting officer for inclusion in the contract file. The requirements in 39.203 do not apply to EIT that— (a) Is purchased in accordance with Subpart 13.2 (micro-purchases) prior to April 1, 2005. However, for micro-purchases, contracting officers and other individuals designated in accordance with 1.603–3 are strongly encouraged to comply with the applicable accessibility standards to the maximum extent practicable; (b) Is for a national security system; (c) Is acquired by a contractor incidental to a contract; (d) Is located in spaces frequented only by service personnel for maintenance, repair or occasional monitoring of equipment; or (e) Would impose an undue burden on the agency. (1) Basis. In determining whether compliance with all or part of the applicable accessibility standards in 36 CFR part 1194 would be an undue burden, an agency must consider— (i) The difficulty or expense of compliance; and (ii) Agency resources available to its program or component for which the supply or service is being acquired. (2) Documentation. (i) The requiring official must document in writing the basis for an undue burden decision and provide the documentation to the contracting officer for inclusion in the contract file. (ii) When acquiring commercial items, an undue burden determination is not required to address individual standards that cannot be met with supplies or service available in the commercial marketplace in time to meet the agency delivery requirements (see 39.203(c)(2) regarding documentation of nonavailability). [66 FR 20897, Apr. 25, 2001, as amended at 67 FR 80322, Dec. 31, 2002; 69 FR 59703, Oct. 5, 2004]
Title 48: Federal Acquisition Regulations System
PART 39—ACQUISITION OF INFORMATION TECHNOLOGY
Section Contents
39.000 Scope of part.
39.001 Applicability.
39.002 Definitions.
39.101 Policy.
39.102 Management of risk.
39.103 Modular contracting.
39.104 Information technology services.
39.105 Privacy.
39.106 Year 2000 compliance.
39.107 Contract clause.
39.201 Scope of subpart.
39.202 Definition.
39.203 Applicability.
39.204 Exceptions.
39.000 Scope of part.
top
39.001 Applicability.
top
39.002 Definitions.
top
Subpart 39.1—General
top
39.101 Policy.
top
39.102 Management of risk.
top
39.103 Modular contracting.
top
39.104 Information technology services.
top
39.105 Privacy.
top
39.106 Year 2000 compliance.
top
39.107 Contract clause.
top
Subpart 39.2—Electronic and Information Technology
top
39.201 Scope of subpart.
top
39.202 Definition.
top
39.203 Applicability.
top
39.204 Exceptions.
top
