17 June 1999
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-------------------------------------------------------------------------

[Federal Register: June 17, 1999 (Volume 64, Number 116)]
[Rules and Regulations]               
[Page 32747-32748]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr17jn99-32]                         

-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

GENERAL SERVICES ADMINISTRATION

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

48 CFR Part 39

[FAC 97-12; FAR Case 98-306; Item VI]
RIN 9000-AI37

 
Federal Acquisition Regulation; Restrictions on the Acquisition 
of Information Technology

AGENCIES: Department of Defense (DoD), General Services Administration 
(GSA), and National Aeronautics and Space Administration (NASA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Civilian Agency Acquisition Council and the Defense 
Acquisition Regulations Council (the Councils) have agreed on a final 
rule amending the Federal Acquisition Regulation (FAR) to implement 
Division A, Section 101(h), Title VI, section 622 of the Omnibus 
Appropriations and Authorization Act for Fiscal Year 1999.

EFFECTIVE DATE: June 17, 1999.

FOR FURTHER INFORMATION CONTACT: The FAR Secretariat, Room 4035, GS 
Building, Washington, DC, 20405, (202) 501-4755, for information 
pertaining to status or publication schedules. For clarification of 
content, contact Ms. Linda Nelson, Procurement Analyst, at (202) 501-
1900. Please cite FAC 97-12, FAR case 98-306.

SUPPLEMENTARY INFORMATION:

A. Background

    Division A, Section 101(h), Title VI, Section 622 of the Omnibus 
Appropriations and Authorization Act for Fiscal Year 1999 (Pub. L. 105-
277) was effective upon its enactment on October 21, 1998. Section 622 
provides that agencies may not use appropriated funds to acquire 
information technology that does not comply with FAR 39.106, unless the 
agency's Chief Information Officer (CIO) determines that noncompliance 
with 39.106 is necessary to the function and operation of the agency or 
the acquisition is required by a contract in effect before October 21, 
1998. The CIO must send to the Office of Management and Budget any 
waivers granted.
    This regulatory action was not subject to Office of Management and 
Budget review under Executive Order 12866, dated September 30, 1993, 
and is not a major rule under 5 U.S.C. 804.

B. Regulatory Flexibility Act

    The final rule does not constitute a significant FAR revision 
within the meaning of FAR 1.501 and Pub. L. 98-577, and publication for 
public comments is not required. However, the Councils will consider 
comments from small entities concerning the affected FAR subpart in 
accordance with 5 U.S.C. 610. Interested parties must submit such 
comments separately and should cite 5 U.S.C. 601, et seq. (FAC 97-12, 
FAR case 98-306), in correspondence.

C. Paperwork Reduction Act

    The Paperwork Reduction Act does not apply because the changes to 
the FAR do not impose information collection requirements that require 
the approval of the Office of Management and Budget under 44 U.S.C. 
3501, et seq.

List of Subjects in 48 CFR Part 39

    Government procurement.

    Dated: June 9, 1999.
Edward C. Loeb,
Director, Federal Acquisition Policy Division.

    Therefore, DoD, GSA, and NASA amend 48 CFR part 39 as set forth 
below:

[[Page 32748]]

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY

    1. The authority citation for 48 CFR part 39 continues to read as 
follows:

    Authority: 40 U.S.C. 486(c); 10 U.S.C. chapter 137; and 42 
U.S.C. 2473(c).

    2. Amend section 39.101 by designating the existing paragraph as 
``(b)'', and adding paragraph (a) to read as follows:


39.101  Policy.

    (a) Division A, Section 101(h), Title VI, Section 622 of the 
Omnibus Appropriations and Authorization Act for Fiscal Year 1999 (Pub. 
L. 105-277) requires that agencies may not use appropriated funds to 
acquire information technology that does not comply with 39.106, unless 
the agency's Chief Information Officer determines that noncompliance 
with 39.106 is necessary to the function and operation of the agency or 
the acquisition is required by a contract in effect before October 21, 
1998. The Chief Information Officer must send to the Office of 
Management and Budget a copy of all waivers for forwarding to Congress.
* * * * *
[FR Doc. 99-15151 Filed 6-16-99; 8:45 am]
BILLING CODE 6820-EP-P

----------

Source: http://www.access.gpo.gov/nara/cfr/index.html

[Code of Federal Regulations]
[Title 48, Volume 1, Chapter 1 Parts 1-51]
[Revised as of October 1, 1998]
From the U.S. Government Printing Office via GPO Access
[CITE: 48CFR39]

[Page 744-747]

            TITLE 48--FEDERAL ACQUISITION REGULATIONS SYSTEM

                CHAPTER 1--FEDERAL ACQUISITION REGULATION

PART 39--ACQUISITION OF INFORMATION TECHNOLOGY

Sec.
39.000  Scope of part.
39.001  Applicability.
39.002  Definitions.

                          Subpart 39.1--General

39.101  Policy.
39.102  Management of risk.
39.103  Modular contracting.
39.104  [Reserved]
39.105  Privacy.
39.106  Year 2000 complaints.
39.107  Contract clause.

    Authority: 40 U.S.C. 486(c); 10 U.S.C. chapter 137; and 42 U.S.C.
2473(c).

    Source: 61 FR 41470, Aug. 8, 1996, unless otherwise noted.

Sec. 39.000  Scope of part.

    This part prescribes acquisition policies and procedures for use in
acquiring information technology consistent with other parts of this
chapter and OMB Circular No. A-130, Management of Federal Information
Resources.

Sec. 39.001  Applicability.

    This part applies to the acquisition of information technology by or
for the use of agencies except for acquisitions of information
technology for national security systems. However, acquisitions of
information technology for national security systems shall be conducted
in accordance with 40 U.S.C. 1412 with regard to requirements for
performance and results-based management; the role of the agency Chief
Information Officer in acquisitions; and accountability. These
requirements are addressed in OMB Circular No. A-130.

Sec. 39.002  Definitions.

    Modular contracting, as used in this part, means use of one or more
contracts to acquire information technology systems in successive,
interoperable increments.
    National security system, as used in this part, means any
telecommunications or information system operated by the United States
Government, the function, operation, or use of which--
    (a) Involves intelligence activities;

[[Page 745]]

    (b) Involves cryptologic activities related to national security;
    (c) Involves command and control of military forces;
    (d) Involves equipment that is an integral part of a weapon or
weapons system; or
    (e) Is critical to the direct fulfillment of military or
intelligence missions. This does not include a system that is to be used
for routine administrative and business applications, such as payroll,
finance, logistics, and personnel management applications.
    Year 2000 compliant, as used in this part, means, with respect to
information technology, that the information technology accurately
processes date/time data (including, but not limited to, calculating,
comparing, and sequencing) from, into, and between the twentieth and
twenty-first centuries, and the years 1999 and 2000 and leap year
calculations, to the extent that other information technology, used in
combination with the information technology being acquired, properly
exchanges date/time data with it.

[61 FR 41470, Aug. 8, 1996, as amended at 62 FR 274, Jan. 2, 1997; 62 FR
44830, Aug. 22, 1997; 63 FR 9068, Feb. 23, 1998]

                          Subpart 39.1--General

Sec. 39.101  Policy.

    In acquiring information technology, agencies shall identify their
requirements pursuant to OMB Circular A-130, including consideration of
security of resources, protection of privacy, national security and
emergency preparedness, accommodations for individuals with
disabilities, and energy efficiency. When developing an acquisition
strategy, contracting officers should consider the rapidly changing
nature of information technology through market research (see part 10)
and the application of technology refreshment techniques.

Sec. 39.102  Management of risk.

    (a) Prior to entering into a contract for information technology, an
agency should analyze risks, benefits, and costs. (See part 7 for
additional information regarding requirements definition.) Reasonable
risk taking is appropriate as long as risks are controlled and
mitigated. Contracting and program office officials are jointly
responsible for assessing, monitoring and controlling risk when
selecting projects for investment and during program implementation.
    (b) Types of risk may include schedule risk, risk of technical
obsolescence, cost risk, risk implicit in a particular contract type,
technical feasibility, dependencies between a new project and other
projects or systems, the number of simultaneous high risk projects to be
monitored, funding availability, and program management risk.
    (c) Appropriate techniques should be applied to manage and mitigate
risk during the acquisition of information technology. Techniques
include, but are not limited to: prudent project management; use of
modular contracting; thorough acquisition planning tied to budget
planning by the program, finance and contracting offices; continuous
collection and evaluation of risk-based assessment data; prototyping
prior to implementation; post implementation reviews to determine actual
project cost, benefits and returns; and focusing on risks and returns
using quantifiable measures.

Sec. 39.103  Modular contracting.

    (a) This section implements Section 5202, Incremental Acquisition of
Information Technology, of the Clinger-Cohen Act of 1996 (Public Law
104-106). Modular contracting is intended to reduce program risk and to
incentivize contractor performance while meeting the Governments need
for timely access to rapidly changing technology. Consistent with the
agency's information technology architecture, agencies should, to the
maximum extent practicable, use modular contracting to acquire major
systems (see 2.101) of information technology. Agencies may also use
modular contracting to acquire non-major systems of information
technology.
    (b) When using modular contracting, an acquisition of a system of
information technology may be divided into several smaller acquisition
increments that--
    (1) Are easier to manage individually than would be possible in one
comprehensive acquisition;

[[Page 746]]

    (2) Address complex information technology objectives incrementally
in order to enhance the likelihood of achieving workable systems or
solutions for attainment of those objectives;
    (3) Provide for delivery, implementation, and testing of workable
systems or solutions in discrete increments, each of which comprises a
system or solution that is not dependent on any subsequent increment in
order to perform its principal functions;
    (4) Provide an opportunity for subsequent increments to take
advantage of any evolution in technology or needs that occur during
implementation and use of the earlier increments; and
    (5) Reduce risk of potential adverse consequences on the overall
project by isolating and avoiding custom-designed components of the
system.
    (c) The characteristics of an increment may vary depending upon the
type of information technology being acquired and the nature of the
system being developed. The following factors may be considered:
    (1) To promote compatibility, the information technology acquired
through modular contracting for each increment should comply with common
or commercially acceptable information technology standards when
available and appropriate, and shall conform to the agency's master
information technology architecture.
    (2) The performance requirements of each increment should be
consistent with the performance requirements of the completed, overall
system within which the information technology will function and should
address interface requirements with succeeding increments.
    (d) For each increment, contracting officers shall choose an
appropriate contracting technique that facilitates the acquisition of
subsequent increments. Pursuant to Parts 16 and 17 of the Federal
Acquisition Regulations, contracting officers shall select the contract
type and method appropriate to the circumstances (e.g., indefinite
delivery, indefinite quantity contracts, single contract with options,
successive contracts, multiple awards, task order contracts).
Contract(s) shall be structured to ensure that the Government is not
required to procure additional increments.
    (e) To avoid obsolescence, a modular contract for information
technology should, to the maximum extent practicable, be awarded within
180 days after the date on which the solicitation is issued. If award
cannot be made within 180 days, agencies should consider cancellation of
the solicitation in accordance with 48 CFR 14.209 or 15.206(e). To the
maximum extent practicable, deliveries under the contract should be
scheduled to occur within 18 months after issuance of the solicitation.

[63 FR 9068, Feb. 23, 1998]

Sec. 39.104  [Reserved]

Sec. 39.105  Privacy.

    Agencies shall ensure that contracts for information technology
address protection of privacy in accordance with the Privacy Act (5
U.S.C. 552a) and part 24. In addition, each agency shall ensure that
contracts for the design, development, or operation of a system of
records using commercial information technology services or information
technology support services include the following:
    (a) Agency rules of conduct that the contractor and the contractor's
employees shall be required to follow.
    (b) A list of the anticipated threats and hazards that the
contractor must guard against.
    (c) A description of the safeguards that the contractor must
specifically provide.
    (d) Requirements for a program of Government inspection during
performance of the contract that will ensure the continued efficacy and
efficiency of safeguards and the discovery and countering of new threats
and hazards.

Sec. 39.106  Year 2000 compliance.

    When acquiring information technology that will be required to
perform date/time processing involving dates subsequent to December 31,
1999, agencies shall ensure that solicitations and contracts--
    (a)(1) Require the information technology to be Year 2000 compliant;
or

[[Page 747]]

    (2) Require that non-compliant information technology be upgraded to
be Year 2000 compliant prior to the earlier of
    (i) The earliest date on which the information technology may be
required to perform date/time processing involving dates later than
December 31, 1999, or
    (ii) December 31, 1999; and
    (b) As appropriate, describe existing information technology that
will be used with the information technology to be acquired and identify
whether the existing information technology is Year 2000 compliant.

[62 FR 274, Jan. 2, 1997]

Sec. 39.107  Contract clause.

    The contracting officer shall insert a clause substantially the same
as the clause at 52.239-1, Privacy or Security Safeguards, in
solicitations and contracts for information technology which require
security of information technology, and/or are for the design,
development, or operation of a system of records using commercial
information technology services or support services.

[61 FR 41470, Aug. 8, 1996. Redesignated at 62 FR 274, Jan. 2, 1997]

                           PART 40 [RESERVED]
