Overview
This section establishes the requirement for federal agencies to proactively identify, assess, and mitigate risks associated with information technology (IT) acquisitions through a collaborative approach between contracting and program officials.
Key Rules
- Mandatory Analysis: Prior to awarding an IT contract, agencies must perform a comprehensive analysis of risks, benefits, and costs.
- Joint Accountability: Contracting and program office officials are jointly responsible for monitoring and controlling risk during both the investment selection and implementation phases.
- Risk Tolerance: The FAR explicitly permits "reasonable risk taking" provided those risks are appropriately controlled and mitigated.
- Specific Risk Factors: Agencies must consider various risk types, including technical obsolescence, schedule delays, contract type implications, dependencies on other systems, and funding availability.
- Prescribed Mitigation Techniques: The regulation encourages specific strategies such as modular contracting, prototyping prior to full implementation, and conducting post-implementation reviews.
Practical Implications
- Cross-Functional Collaboration: Effective IT procurement requires constant communication between the technical program office and the contracting office to ensure performance goals align with risk management.
- Incremental Delivery: By emphasizing modular contracting and prototyping, the regulation pushes agencies away from "big bang" implementations in favor of smaller, manageable stages that reduce the impact of technical failure.