What are the practical implications of Subpart 39.1 - General?

* **Agility over "Big Bang" Acquisitions:** The push for modular contracting (with a goal of awarding within 180 days and delivering within 18 months) means contractors should be prepared for faster procurement cycles and more frequent, smaller-scale deliverables rather than decade-long monolithic projects. * **Supply Chain Diligence:** Contractors must perform rigorous due diligence on their own supply chains. Even if a contractor doesn't use prohibited Chinese telecommunications equipment on a specific federal project, the "August 13, 2020" rule (FAR 39.101(f)(2)) may prohibit the government from contracting with them if they use that equipment *anywhere* in their commercial operations. * **Outcome-Based Proposals:** Since the FAR discourages agencies from setting rigid degree or "years of experience" requirements for IT services, contractors should focus their proposals on **demonstrated performance and technical solutions** rather than just "staffing by resume." * **Security as a Baseline:** Security is no longer an "extra" but a fundamental requirement. Contractors must be prepared to meet NIST-specific configurations and allow for government inspection of safeguards if they are managing a system of records.

Who is responsible for Subpart 39.1 - General?

* **Contracting Officers (COs):** * Conduct market research to ensure technology refreshment. * Ensure NIST standards and Internet Protocol (IPv6) requirements are incorporated. * Enforce prohibitions against restricted entities (Kaspersky, TikTok, etc.). * Structure modular contracts to ensure the government is not "locked in" to future increments. * **Program Managers / Requiring Officials:** * Jointly responsible with COs for assessing, monitoring, and controlling risk. * Defining requirements in accordance with energy efficiency, accessibility, and national security standards. * Ensuring technical interface requirements between modular increments are consistent. * **Agencies:** * Identify requirements based on OMB Circulars. * Ensure all IT acquisitions address the protection of privacy under the Privacy Act.

← All Free ToolsGo back to previous tools page

Explore More Tools →

subpart39.1

Subpart 39.1 - General

FAR Subpart 39.1 outlines the core policies and procedures for the acquisition of Information Technology (IT) by the Federal Government. It emphasizes the impor

Sections

6 items

39.101 · Policy

39.102 · Management of risk

39.103 · Modular contracting

39.104 · Information technology services

39.105 · Privacy

39.106 · Contract clause

Overview

FAR Subpart 39.1 outlines the core policies and procedures for the acquisition of Information Technology (IT) by the Federal Government. It emphasizes the importance of risk management, modular contracting to avoid obsolescence, and strict adherence to national security prohibitions regarding specific software, hardware, and telecommunications equipment.

Key Rules

Compliance Standards: Acquisitions must align with OMB Circular A-130 (management of info resources), OMB Circular A-127 (financial systems), and NIST security configurations.
Supply Chain Prohibitions: Agencies are strictly prohibited from procuring:
- Kaspersky Lab products or services.
- Covered Telecommunications Equipment (e.g., Huawei, ZTE) as a substantial component or critical technology.
- TikTok (covered applications) on government-used devices.
- Unmanned Aircraft Systems (Drones) from prohibited sources.
- Articles or sources prohibited by FASCSA (Federal Acquisition Supply Chain Security Act) orders.
Modular Contracting: For major IT systems, agencies should use modular contracting to the maximum extent practicable. This involves breaking acquisitions into smaller, manageable increments to reduce risk and provide quicker delivery of workable solutions.
IT Services Constraints: Solicitations generally cannot specify minimum experience or educational requirements for contractor personnel unless the agency cannot meet its needs otherwise or is not using performance-based acquisition.
Privacy & Security: Any contract involving a "system of records" must include specific rules of conduct, a list of threats/hazards, safeguards, and government inspection rights.

Responsibilities

Contracting Officers (COs):
- Conduct market research to ensure technology refreshment.
- Ensure NIST standards and Internet Protocol (IPv6) requirements are incorporated.
- Enforce prohibitions against restricted entities (Kaspersky, TikTok, etc.).
- Structure modular contracts to ensure the government is not "locked in" to future increments.
Program Managers / Requiring Officials:
- Jointly responsible with COs for assessing, monitoring, and controlling risk.
- Defining requirements in accordance with energy efficiency, accessibility, and national security standards.
- Ensuring technical interface requirements between modular increments are consistent.
Agencies:
- Identify requirements based on OMB Circulars.
- Ensure all IT acquisitions address the protection of privacy under the Privacy Act.

Practical Implications

Agility over "Big Bang" Acquisitions: The push for modular contracting (with a goal of awarding within 180 days and delivering within 18 months) means contractors should be prepared for faster procurement cycles and more frequent, smaller-scale deliverables rather than decade-long monolithic projects.
Supply Chain Diligence: Contractors must perform rigorous due diligence on their own supply chains. Even if a contractor doesn't use prohibited Chinese telecommunications equipment on a specific federal project, the "August 13, 2020" rule (FAR 39.101(f)(2)) may prohibit the government from contracting with them if they use that equipment anywhere in their commercial operations.
Outcome-Based Proposals: Since the FAR discourages agencies from setting rigid degree or "years of experience" requirements for IT services, contractors should focus their proposals on demonstrated performance and technical solutions rather than just "staffing by resume."
Security as a Baseline: Security is no longer an "extra" but a fundamental requirement. Contractors must be prepared to meet NIST-specific configurations and allow for government inspection of safeguards if they are managing a system of records.

Need help?

Get FAR guidance, audit prep support, and proposal insights from the AudCor team.

Talk to an expert