Overview
FAR 39.105 requires that contracts for information technology address the protection of privacy in accordance with the Privacy Act (5 U.S.C. 552a) and FAR Part 24. It then imposes four additional contract requirements on any contract that requires the design, development, or operation of a system of records using commercial IT services or IT support services: rules of conduct, an enumerated threat list, the contractor's safeguards, and a government inspection program during performance.
Key Rules
- Regulatory Compliance: Agencies must ensure all IT contracts address privacy protection in accordance with 5 U.S.C. 552a and FAR Part 24.
- Rules of Conduct: The contract must state the agency rules of conduct that the contractor and the contractor's employees are required to follow under the contract.
- Threat Identification: The contract must include a list of the anticipated threats and hazards that the contractor must guard against; the regulation makes the list a required contract element rather than leaving it to the contractor's discretion.
- Defined Safeguards: The contract must state the safeguards the contractor will specifically provide, so that coverage can be measured against the threat list rather than against a general "reasonable security" standard.
- Government Oversight: The contract must include requirements for a program of government inspection during contract performance that ensures the continued efficacy and efficiency of the safeguards and the discovery and countering of any new threats or hazards.
Practical Implications
- Contractors that design, develop, or operate a system of records on the government's behalf should expect government inspection throughout performance, covering both the stated safeguards and employee adherence to the agency's rules of conduct, and should keep the threat list and safeguard inventory current as new hazards emerge.
- Solicitations for "system of records" work will carry contract-specific privacy and security requirements that go beyond general commercial practice, because they must satisfy the Privacy Act obligations the agency itself bears.