
Overview

FAR 39.101 establishes the fundamental policy framework for the acquisition of information technology (IT), emphasizing security, interoperability, and supply chain integrity. It mandates compliance with specific OMB circulars and NIST standards while listing explicit prohibitions against high-risk software, hardware, and telecommunications providers.

Key Rules

  • Requirement Identification: Agencies must align IT requirements with OMB Circular A-130, focusing on security, privacy, national security, accessibility (Section 508), and energy efficiency.
  • Supply Chain & Security Prohibitions:
    • Kaspersky Lab: Absolute ban on any hardware, software, or services.
    • Covered Telecommunications: Prohibits the procurement or use of equipment/services from specific entities (e.g., Huawei, ZTE) as defined in FAR subpart 4.21.
    • Covered Applications: Prohibits the presence or use of TikTok on government-managed devices.
    • FASCSA Orders: Compliance with supply chain risk orders issued under the Federal Acquisition Supply Chain Security Act.
    • Unmanned Aircraft: Restrictions on procuring certain drones per FAR 40.202.
  • Technical Standards: Mandatory inclusion of NIST common security configurations and Internet Protocol version 6 (IPv6) compliance.
  • Financial Systems: Only "core" financial management software certified by the Joint Financial Management Improvement Program (JFMIP) may be acquired.
  • Sustainability: Requirements must incorporate sustainable products, energy-efficient power management, and best practices for data center management.

Practical Implications

  • Due Diligence: Contracting Officers and requiring activities must conduct rigorous supply chain vetting to ensure contractors are not using prohibited Chinese telecommunications equipment or banned software in their internal operations.
  • Interdisciplinary Coordination: Successful IT acquisitions require early collaboration between the CO, the Chief Information Officer (CIO), and the requiring official to ensure NIST security standards and IPv6 requirements are written into the Statement of Work.
