Overview
FAR Part 39 establishes the policies and procedures for the acquisition of Information Technology (IT) and Information and Communication Technology (ICT). It focuses on balancing the need for rapid technological advancement with rigorous risk management, data security, personal privacy, and accessibility for individuals with disabilities (Section 508).
Key Rules
- Modular Contracting: For major IT systems, agencies should use modular contracting to the maximum extent practicable. This involves breaking acquisitions into smaller, interoperable increments to reduce risk and provide quicker delivery of workable solutions.
- Prohibited Technology: There are strict prohibitions against acquiring specific technologies, including hardware/software from Kaspersky Lab, covered telecommunications equipment (e.g., from certain Chinese-linked entities), TikTok, and certain unmanned aircraft systems (drones).
- Section 508 Compliance: Agencies must ensure that ICT is accessible to federal employees and the public with disabilities, matching the access available to those without disabilities, unless a specific exception or exemption (like "undue burden") applies.
- Performance-Based Requirements: When acquiring IT services, agencies generally cannot mandate specific minimum education or experience levels for contractor personnel unless the mission cannot be met otherwise or it is not a performance-based acquisition.
- Speed of Acquisition: To avoid technical obsolescence, modular IT contracts should ideally be awarded within 180 days of the solicitation and provide for deliveries within 18 months.
- Standards and Security: IT acquisitions must comply with NIST common security configurations, Internet Protocol version 6 (IPv6) requirements, and energy-efficient/sustainable product mandates.
Responsibilities
- Contracting Officers (COs):
  - Conduct market research to account for rapidly changing technology.
  - Ensure appropriate privacy and security clauses (e.g., FAR 52.239-1) are included in contracts.
  - Structure contracts to allow for modular increments and ensure the government is not forced to buy future increments.
  - Verify and maintain documentation for Section 508 exceptions or exemptions in the contract file.
- Program Managers / Requiring Officials:
  - Identify requirements consistent with OMB Circulars (A-130, A-127).
  - Collaborate with COs to assess, monitor, and control project risks (technical, schedule, and cost).
  - Provide written justification and documentation for Section 508 exemptions (undue burden, fundamental alteration, or non-availability).
  - Identify specific threats, hazards, and safeguards for systems handling private records.
Practical Implications
- Avoidance of "Big Bang" Failures: By emphasizing modular contracting, the FAR attempts to prevent large-scale IT project failures where years of development result in obsolete or non-functional systems. Contractors should expect more frequent, smaller task orders rather than single, decade-long development cycles.
- Accessibility is Not Optional: Section 508 compliance is a baseline requirement. Contractors must be prepared to provide "Voluntary Product Accessibility Templates" (VPATs) or similar documentation to prove their software or hardware meets accessibility standards.
- Supply Chain Rigidity: The "Kaspersky," "TikTok," and "covered telecom" bans mean that contractors must have robust supply chain illumination tools. Even incidental use of prohibited tech can disqualify a vendor or lead to contract termination.
- Shift to Outcomes over Resumes: Because agencies are discouraged from requiring specific degrees or years of experience for IT services, contractors have more flexibility in how they staff projects, provided they can meet the performance outcomes defined in the Statement of Objectives (SOO) or PWS.