About GPO   |   Newsroom/Media   |   Congressional Relations   |   Inspector General   |   Careers   |   Contact   |   askGPO   |   Help  
 
Home   |   Customers   |   Vendors   |   Libraries  

The Electronic Code of Federal Regulations (e-CFR) is a regularly updated, unofficial editorial compilation of CFR material and Federal Register amendments produced by the National Archives and Records Administration's Office of the Federal Register (OFR) and the Government Printing Office.

Parallel Table of Authorities and Rules for the Code of Federal Regulations and the United States Code
Text | PDF

Find, review, and submit comments on Federal rules that are open for comment and published in the Federal Register using Regulations.gov.

Purchase individual CFR titles from the U.S. Government Online Bookstore.

Find issues of the CFR (including issues prior to 1996) at a local Federal depository library.

[1]
 
 

Electronic Code of Federal Regulations

e-CFR Data is current as of October 23, 2014

Title 48Chapter 2Subchapter F → Part 239


Title 48: Federal Acquisition Regulations System


PART 239—ACQUISITION OF INFORMATION TECHNOLOGY


Contents

Subpart 239.1—General

239.101   Policy.

Subpart 239.70—Exchange or Sale of Information Technology

239.7001   Policy.

Subpart 239.71—Security and Privacy for Computer Systems

239.7100   Scope of subpart.
239.7101   Definition.
239.7102   Policy and responsibilities.
239.7102-1   General.
239.7102-2   Compromising emanations—TEMPEST or other standard.
239.7102-3   Information assurance contractor training and certification.
239.7103   Contract clauses.

Subpart 239.72—Standards

239.7201   Solicitation requirements.

Subpart 239.73—Requirements for Information Relating to Supply Chain Risk

239.7300   Scope of subpart.
239.7301   Applicability.
239.7302   Definitions.
239.7303   Authorized individuals.
239.7304   Determination and notification.
239.7305   Exclusion and limitation on disclosure.
239.7306   Solicitation provision and contract clause.

Subpart 239.74—Telecommunications Services

239.7400   Scope.
239.7401   Definitions.
239.7402   Policy.
239.7403-239.7404   [Reserved]
239.7405   Delegated authority for telecommunications resources.
239.7406   Certified cost or pricing data and data other than certified cost or pricing data.
239.7407   Type of contract.
239.7408   Special construction.
239.7408-1   General.
239.7408-2   Applicability of construction labor standards for special construction.
239.7409   Special assembly.
239.7410   Cancellation and termination.
239.7411   Contract clauses.

Authority: 41 U.S.C. 421 and 48 CFR chapter 1.

Source: 56 FR 36429, July 31, 1991, unless otherwise noted.

Subpart 239.1—General

239.101   Policy.

See Subpart 208.74 when acquiring commercial software or software maintenance. See 227.7202 for policy on the acquisition of commercial computer software and commercial computer software documentation.

[67 FR 65512, Oct. 25, 2002, as amended at 74 FR 34270, July 15, 2009]

Subpart 239.70—Exchange or Sale of Information Technology

239.7001   Policy.

Agencies shall follow the procedures in DoD 4140.1-R, DoD Supply Chain Materiel Management Regulation, Chapter 9, Section C9.5, when considering the exchange or sale of Government-owned information technology.

[71 FR 39010, July 11, 2006]

Subpart 239.71—Security and Privacy for Computer Systems

Source: 69 FR 35534, June 25, 2004, unless otherwise noted.

239.7100   Scope of subpart.

This subpart includes information assurance and Privacy Act considerations. Information assurance requirements are in addition to provisions concerning protection of privacy of individuals (see FAR Subpart 24.1).

239.7101   Definition.

Information assurance, as used in this subpart, means measures that protect and defend information, that is entered, processed, transmitted, stored, retrieved, displayed, or destroyed, and information systems, by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.

239.7102   Policy and responsibilities.

239.7102-1   General.

(a) Agencies shall ensure that information assurance is provided for information technology in accordance with current policies, procedures, and statutes, to include—

(1) The National Security Act;

(2) The Clinger-Cohen Act;

(3) National Security Telecommunications and Information Systems Security Policy No. 11;

(4) Federal Information Processing Standards;

(5) DoD Directive 8500.1, Information Assurance;

(6) DoD Instruction 8500.2, Information Assurance Implementation;

(7) DoD Directive 8570.01, Information Assurance Training, Certification, and Workforce Management; and

(8) DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program.

(b) For all acquisitions, the requiring activity is responsible for providing to the contracting officer—

(1) Statements of work, specifications, or statements of objectives that meet information assurance requirements as specified in paragraph (a) of this subsection;

(2) Inspection and acceptance contract requirements; and

(3) A determination as to whether the information technology requires protection against compromising emanations.

[69 FR 35534, June 25, 2004, as amended at 73 FR 1829, Jan. 10, 2008; 75 FR 34946, June 21, 2010]

239.7102-2   Compromising emanations—TEMPEST or other standard.

For acquisitions requiring information assurance against compromising emanations, the requiring activity is responsible for providing to the contracting officer—

(a) The required protections, i.e., an established National TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by other authority;

(b) The required identification markings to include markings for TEMPEST or other standard, certified equipment (especially if to be reused);

(c) Inspection and acceptance requirements addressing the validation of compliance with TEMPEST or other standards; and

(d) A date through which the accreditation is considered current for purposes of the proposed contract.

239.7102-3   Information assurance contractor training and certification.

(a) For acquisitions that include information assurance functional services for DoD information systems, or that require any appropriately cleared contractor personnel to access a DoD information system to perform contract duties, the requiring activity is responsible for providing to the contracting officer—(1) A list of information assurance functional responsibilities for DoD information systems by category (e.g., technical or management) and level (e.g., computing environment, network environment, or enclave); and

(2) The information assurance training, certification, certification maintenance, and continuing education or sustainment training required for the information assurance functional responsibilities.

(b) After contract award, the requiring activity is responsible for ensuring that the certifications and certification status of all contractor personnel performing information assurance functions as described in DoD 8570.01-M, Information Assurance Workforce Improvement Program, are in compliance with the manual and are identified, documented, and tracked.

(c) The responsibilities specified in paragraphs (a) and (b) of this section apply to all DoD information assurance duties supported by a contractor, whether performed full-time or part-time as additional or embedded duties, and when using a DoD contract, or a contract or agreement administered by another agency (e.g., under an interagency agreement).

(d) See PGI 239.7102-3 for guidance on documenting and tracking certification status of contractor personnel, and for additional information regarding the requirements of DoD 8570.01-M.

[73 FR 1829, Jan. 10, 2008]

239.7103   Contract clauses.

(a) Use the clause at 252.239-7000, Protection Against Compromising Emanations, in solicitations and contracts involving information technology that requires protection against compromising emanations.

(b) Use the clause at 252.239-7001, Information Assurance Contractor Training and Certification, in solicitations and contracts involving contractor performance of information assurance functions as described in DoD 8570.01-M.

[73 FR 1829, Jan. 10, 2008]

Subpart 239.72—Standards

239.7201   Solicitation requirements.

Contracting officers shall ensure that all applicable Federal Information Processing Standards are incorporated into solicitations.

[71 FR 39011, July 11, 2006]

Subpart 239.73—Requirements for Information Relating to Supply Chain Risk

Source: 78 FR 69271, Nov. 18, 2013, unless otherwise noted.

239.7300   Scope of subpart.

(a) This subpart implements section 806 of the National Defense Authorization Act for Fiscal Year 2011 (Pub. L. 111-383) and elements of DoD Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), at (http://www.dtic.mil/whs/directives/corres/pdf/520044p.pdf).

(b) The authority provided in this subpart expires on September 30, 2018 (see section 806(a) of Pub. L. 112-239).

239.7301   Applicability.

Notwithstanding FAR 39.001, this subpart shall be applied to acquisition of information technology for national security systems, as that term is defined at 44 U.S.C. 3542(b), for procurements involving—

(a) A source selection for a covered system or a covered item involving either a performance specification (see 10 U.S.C. 2305(a)(1)(C)(ii)), or an evaluation factor (see 10 U.S.C. 2305(a)(2)(A)), relating to supply chain risk;

(b) The consideration of proposals for and issuance of a task or delivery order for a covered system or a covered item where the task or delivery order contract concerned includes a requirement relating to supply chain risk (see 10 U.S.C. 2304c(d)(3) and FAR 16.505(b)(1)(iv)(D)); or

(c) Any contract action involving a contract for a covered system or a covered item where such contract includes a requirement relating to supply chain risk.

239.7302   Definitions.

As used in this subpart—

Covered item means an item of information technology that is purchased for inclusion in a covered system, and the loss of integrity of which could result in a supply chain risk for a covered system (see section 806(e)(6) of Pub. L. 111-383).

Covered system means a national security system, as that term is defined at 44 U.S.C. 3542(b) (see section 806(e)(5) of Pub. L. 111-38). It is any information system, including any telecommunications system, used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency—

(1) The function, operation, or use of which—

(i) Involves intelligence activities;

(ii) Involves cryptologic activities related to national security;

(iii) Involves command and control of military forces;

(iv) Involves equipment that is an integral part of a weapon or weapons system; or

(v) Is critical to the direct fulfillment of military or intelligence missions but this does not include a system that is to be used for routine administrative and business applications, including payroll, finance, logistics, and personnel management applications; or

(2) Is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

Information technology, in lieu of the definition at FAR 2.1, and supply chain risk, are defined in the clause at 252.239-7018, Supply Chain Risk.

239.7303   Authorized individuals.

(a) Subject to 239.7304, the following individuals are authorized to take the actions authorized by 239.7305:

(1) The Secretary of Defense.

(2) The Secretary of the Army.

(3) The Secretary of the Navy.

(4) The Secretary of the Air Force.

(b) The individuals authorized at paragraph (a) may not delegate the authority to take the actions at 239.7305 or the responsibility for making the determination required by 239.7304 to an official below the level of—

(1) For the Department of Defense, the Under Secretary of Defense for Acquisition, Technology, and Logistics; and,

(2) For the military departments, the senior acquisition executive for the department concerned.

239.7304   Determination and notification.

The individuals authorized in 239.7303 may exercise the authority provided in 239.7305 only after—

(a) Obtaining a joint recommendation by the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Chief Information Officer of the Department of Defense, on the basis of a risk assessment by the Under Secretary of Defense for Intelligence, that there is a significant supply chain risk to a covered system;

(b) Making a determination in writing, in unclassified or classified form, with the concurrence of the Under Secretary of Defense for Acquisition, Technology, and Logistics, that—

(1) Use of the authority in 239.7305(a)(b) or (c) is necessary to protect national security by reducing supply chain risk;

(2) Less intrusive measures are not reasonably available to reduce such supply chain risk; and

(3) In a case where the individual authorized in 239.7303 plans to limit disclosure of information under 239.7305(d), the risk to national security due to the disclosure of such information outweighs the risk due to not disclosing such information; and

(c)(1) Providing a classified or unclassified notice of the determination made under paragraph (b) of this section—

(i) In the case of a covered system included in the National Intelligence Program or the Military Intelligence Program, to the Select Committee on Intelligence of the Senate, the Permanent Select Committee on Intelligence of the House of Representatives, and the congressional defense committees; and

(ii) In the case of a covered system not otherwise included in paragraph (a) of this section, to the congressional defense committees; and

(2) The notice shall include—

(i) The following information (see 10 U.S.C. 2304(f)(3)):

(A) A description of the agency's needs.

(B) An identification of the statutory exception from the requirement to use competitive procedures and a demonstration, based on the proposed contractor's qualifications or the nature of the procurement, of the reasons for using that exception.

(C) A determination that the anticipated cost will be fair and reasonable.

(D) A description of the market survey conducted or a statement of the reasons a market survey was not conducted.

(E) A listing of the sources, if any, that expressed in writing an interest in the procurement.

(F) A statement of the actions, if any, the agency may take to remove or overcome any barrier to competition before a subsequent procurement for such needs;

(ii) The joint recommendation by the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Chief Information Officer of the Department of Defense as specified in paragraph (a);

(iii) A summary of the risk assessment by the Under Secretary of Defense for Intelligence that serves as the basis for the joint recommendation specified in paragraph (a); and

(iv) A summary of the basis for the determination, including a discussion of less intrusive measures that were considered and why they were not reasonably available to reduce supply chain risk.

239.7305   Exclusion and limitation on disclosure.

Subject to 239.7304, the individuals authorized in 239.7303 may, in the course of conducting a covered procurement—

(a) Exclude a source that fails to meet qualification standards established in accordance with the requirements of 10 U.S.C. 2319, for the purpose of reducing supply chain risk in the acquisition of covered systems;

(b) Exclude a source that fails to achieve an acceptable rating with regard to an evaluation factor providing for the consideration of supply chain risk in the evaluation of proposals for the award of a contract or the issuance of a task or delivery order;

(c) Withhold consent for a contractor to subcontract with a particular source or direct a contractor for a covered system to exclude a particular source from consideration for a subcontract under the contract; and

(d) Limit, notwithstanding any other provision of law, in whole or in part, the disclosure of information relating to the basis for carrying out any of the actions authorized by paragraphs (a) through (c) of this section, and if such disclosures are so limited—

(1) No action undertaken by the individual authorized under such authority shall be subject to review in a bid protest before the Government Accountability Office or in any Federal court; and

(2) The authorized individual shall—

(i) Notify appropriate parties of a covered procurement action and the basis for such action only to the extent necessary to effectuate the covered procurement action;

(ii) Notify other Department of Defense components or other Federal agencies responsible for procurements that may be subject to the same or similar supply chain risk, in a manner and to the extent consistent with the requirements of national security; and

(iii) Ensure the confidentiality of any such notifications.

239.7306   Solicitation provision and contract clause.

(a) Insert the provision at 252.239-7017, Notice of Supply Chain Risk, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, that involve the development or delivery of any information technology whether acquired as a service or as a supply.

(b) Insert the clause at 252.239-7018, Supply Chain Risk, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, that involve the development or delivery of any information technology whether acquired as a service or as a supply.

Subpart 239.74—Telecommunications Services

239.7400   Scope.

This subpart prescribes policy and procedures for acquisition of telecommunications services and maintenance of telecommunications security. Telecommunications services meet the definition of information technology.

[62 FR 1060, Jan. 8, 1997, as amended at 71 FR 39011, July 11, 2006]

239.7401   Definitions.

As used in this subpart—

(a) Common carrier means any entity engaged in the business of providing telecommunications services which are regulated by the Federal Communications Commission or other governmental body.

(b) Foreign carrier means any person, partnership, association, joint-stock company, trust, governmental body, or corporation not subject to regulation by a U.S. governmental regulatory body and not doing business as a citizen of the United States, providing telecommunications services outside the territorial limits of the United States.

(c) Governmental regulatory body means the Federal Communications Commission, any statewide regulatory body, or any body with less than statewide jurisdiction when operating under the State authority. The following are not “governmental regulatory bodies”—

(1) Regulatory bodies whose decisions are not subject to judicial appeal; and

(2) Regulatory bodies which regulate a company owned by the same entity which creates the regulatory body.

(d) Noncommon carrier means any entity other than a common carrier offering telecommunications facilities, services, or equipment for lease.

(e) Securing, sensitive information, and telecommunications systems have the meaning given in the clause at 252.239-7016, Telecommunications Security Equipment, Devices, Techniques, and Services.

(f) Telecommunications means the transmission, emission, or reception of signals, signs, writing, images, sounds, or intelligence of any nature, by wire, cable, satellite, fiber optics, laser, radio, or any other electronic, electric, electromagnetic, or acoustically coupled means.

(g) Telecommunications services means the services acquired, whether by lease or contract, to meet the Government's telecommunications needs. The term includes the telecommunications facilities and equipment necessary to provide such services.

[56 FR 36429, July 31, 1991, as amended at 70 FR 67918, Nov. 9, 2005]

239.7402   Policy.

(a) Acquisition. DoD policy is to acquire telecommunications services from common and noncommon telecommunications carriers—

(1) On a competitive basis, except when acquisition using other than full and open competition is justified;

(2) Recognizing the regulations, practices, and decisions of the Federal Communications Commission (FCC) and other governmental regulatory bodies on rates, cost principles, and accounting practices; and

(3) Making provision in telecommunications services contracts for adoption of—

(i) FCC approved practices; or

(ii) The generally accepted practices of the industry on those issues concerning common carrier services where—

(A) The governmental regulatory body has not expressed itself;

(B) The governmental regulatory body has declined jurisdiction; or

(C) There is no governmental regulatory body to decide.

(b) Security. (1) The contracting officer shall ensure, in accordance with agency procedures, that purchase requests identify—

(i) The nature and extent of information requiring security during telecommunications;

(ii) The requirement for the contractor to secure telecommunications systems;

(iii) The telecommunications security equipment, devices, techniques, or services with which the contractor's telecommunications security equipment, devices, techniques, or services must be interoperable; and

(iv) The approved telecommunications security equipment, devices, techniques, or services, such as found in the National Security Agency's Information Systems Security Products and Services Catalogue.

(2) Contractors and subcontractors shall provide all telecommunications security techniques or services required for performance of Government contracts.

(3) Except as provided in paragraph (b)(4) of this section, contractors and subcontractors shall normally provide all required property, to include telecommunications security equipment or related devices, in accordance with FAR 45.102. In some cases, such as for communications security (COMSEC) equipment designated as controlled cryptographic item (CCI), contractors or subcontractors must also meet ownership eligibility conditions.

(4) The head of the agency may authorize provision of the necessary property as Government-furnished property or acquisition as contractor-acquired property, as long as conditions of FAR 45.102(b) are met.

[56 FR 36429, July 31, 1991, as amended at 56 FR 67220, Dec. 30, 1991; 62 FR 1060, Jan. 8, 1997; 71 FR 39011, July 11, 2006; 74 FR 37647, July 29, 2009]

239.7403-239.7404   [Reserved]

239.7405   Delegated authority for telecommunications resources.

The contracting officer may enter into a telecommunications service contract on a month-to-month basis or for any longer period or series of periods, not to exceed a total of 10 years. See PGI 239.7405 for documents relating to this contracting authority, which the General Services Administration has delegated to DoD.

[70 FR 67918, Nov. 9, 2005]

239.7406   Certified cost or pricing data and data other than certified cost or pricing data.

(a) Common carriers are not required to submit certified cost or pricing data before award of contracts for tariffed services. Rates or preliminary estimates quoted by a common carrier for tariffed telecommunications services are considered to be prices set by regulation within the provisions of 10 U.S.C. 2306a. This is true even if the tariff is set after execution of the contract.

(b) Rates or preliminary estimates quoted by a common carrier for nontariffed telecommunications services or by a noncommon carrier for any telecommunications service are not considered prices set by law or regulation.

(c) Contracting officers shall obtain sufficient data to determine that the prices are reasonable in accordance with FAR 15.403-3 or 15.403-4. See PGI 239.7406 for examples of instances where additional data may be necessary to determine price reasonableness.

[77 FR 76940, Dec. 31, 2012]

239.7407   Type of contract.

When acquiring telecommunications services, the contracting officer may use a basic agreement (see FAR 16.702) in conjunction with communication service authorizations. When using this method, follow the procedures at PGI 239.7407.

[71 FR 27646, May 12, 2006]

239.7408   Special construction.

239.7408-1   General.

(a) Special construction normally involves a common carrier giving a special service or facility related to the performance of the basic telecommunications service requirements.

This may include—

(1) Moving or relocating equipment;

(2) Providing temporary facilities;

(3) Expediting provision of facilities; or

(4) Providing specially constructed channel facilities to meet Government requirements.

(b) Use this subpart instead of FAR part 36 for acquisition of “special construction.”

(c) Special construction costs may be—

(1) A contingent liability for using telecommunications services for a shorter time than the minimum to reimburse the contractor for unamortized nonrecoverable costs. These costs are usually expressed in terms of a termination liability, as provided in the contract or by tariff;

(2) A onetime special construction charge;

(3) Recurring charges for constructed facilities;

(4) A minimum service charge;

(5) An expediting charge; or

(6) A move or relocation charge.

(d) When a common carrier submits a proposal or quotation which has special construction requirements, the contracting officer shall require a detailed special construction proposal. Analyze all special construction proposals to—

(1) Determine the adequacy of the proposed construction;

(2) Disclose excessive or duplicative construction; and

(3) When different forms of charge are possible, provide for the form of charge most advantageous to the Government.

(e) When possible, analyze and approve special construction charges before receiving the service. Impose a ceiling on the special construction costs before authorizing the contractor to proceed, if prior approval is not possible. The contracting officer must approve special construction charges before final payment.

[56 FR 36429, July 31, 1991, as amended at 71 FR 39011, July 11, 2006]

239.7408-2   Applicability of construction labor standards for special construction.

(a) The construction labor standards in FAR Subpart 22.4 ordinarily do not apply to special construction. However, if the special construction includes construction, alteration, or repair (as defined in FAR 22.401) of a public building or public work, the construction labor standards may apply. Determine applicability under FAR 22.402.

(b) Each CSA or other type contract which is subject to construction labor standards under FAR 22.402 shall cite that fact.

[56 FR 36429, July 31, 1991, as amended at 71 FR 39011, July 11, 2006]

239.7409   Special assembly.

(a) Special assembly is the designing, manufacturing, arranging, assembling, or wiring of equipment to provide telecommunications services that cannot be provided with general use equipment.

(b) Special assembly rates and charges shall be based on estimated costs. The contracting officer should negotiate special assembly rates and charges before starting service. When it is not possible to negotiate in advance, use provisional rates and charges subject to adjustment, until final rates and charges are negotiated. The CSAs authorizing the special assembly shall be modified to reflect negotiated final rates and charges.

[56 FR 36429, July 31, 1991, as amended at 71 FR 39011, July 11, 2006]

239.7410   Cancellation and termination.

(a)(1) Cancellation is stopping a requirement after placing of an order but before service starts.

(2) Termination is stopping a requirement after placing an order and after service starts.

(b) Determine cancellation or termination charges under the provisions of the applicable tariff or agreement/contract.

239.7411   Contract clauses.

(a) In addition to other appropriate FAR and DFARS clauses, use the following clauses in solicitations, contracts, and basic agreements for telecommunications services. Modify the clauses only if necessary to meet the requirements of a governmental regulatory agency—

(1) 252.239-7002, Access;

(2) 252.239-7004, Orders for Facilities and Services;

(3) 252.239-7005, Rates, Charges, and Services;

(4) 252.239-7006, Tariff Information;

(5) 252.239-7007, Cancellation or Termination of Orders;

(6) 252.239-7008, Reuse Arrangements.

(b) Use the following clauses in solicitations, contracts, and basic agreements for telecommunications services when the acquisition includes or may include special construction. Modify the clauses only if necessary to meet the requirements of a governmental regulatory agency—

(1) 252.239-7011, Special Construction and Equipment Charges; and

(2) 252.239-7012, Title to Telecommunication Facilities and Equipment.

(c) Use the following clauses in basic agreements for telecommunications services—

(1) 252.239-7013, Obligation of the Government;

(2) 252.239-7014, Term of Agreement, and insert the effective date of the agreement in paragraph (a) of the clause; and

(3) 252.239-7015, Continuation of Communication Service Authorizations, as appropriate, and insert in paragraph (a) of the clause, the name of the contracting office and the basic agreement or contract number which is being superseded.

(d) Use the clause at 252.239-7016, Telecommunications Security Equipment, Devices, Techniques, and Services, in solicitations and contracts when performance of a contract requires secure telecommunications.

[56 FR 36429, July 31, 1991, as amended at 57 FR 42632, Sept. 15, 1992; 62 FR 40473, July 29, 1997; 70 FR 67919, Nov. 9, 2005; 71 FR 39011, July 11, 2006]



For questions or comments regarding e-CFR editorial content, features, or design, email ecfr@nara.gov.
For questions concerning e-CFR programming and delivery issues, email webteam@gpo.gov.