511.171 Requirements for GSA Information Systems.
(a) CIO Coordination. The contracting officer shall ensure the requirements office has coordinated and identified possible CIO policy inclusions with the GSA IT prior to publication of a Statement of Work, or equivalent as well as the Security Considerations section of the acquisition plan to determine if the CIO policies apply. The CIO policies and GSA IT points of contact are available on the Acquisition Portal at https://insite.gsa.gov/itprocurement.
(b)GSA Requirements. For GSA procurements (contracts, actions, or orders) that may involve GSA Information Systems, excluding GSA’s government-wide contracts e.g. Federal Supply Schedules and Governmentwide Acquisition Contracts, the contracting officer shall incorporate the coordinated Statement of Work or equivalent including the applicable sections of the following policies into solicitations and contracts:
(1)CIO 09-48, IT Security Procedural Guide: Security and Privacy IT Acquisition Requirements; and
(2)CIO 12-2018, IT Policy Requirements Guide.
(1)In cases where it is not effective in terms of cost or time or where it is unreasonably burdensome to include CIO 09-48, IT Security Procedural Guide: Security and Privacy IT Acquisition Requirements or CIO 12-2018, IT Policy Requirements Guide in a contract or order, a waiver may be granted by the Acquisition Approving Official in accordance with the thresholds listed at 507.103(b), the Information System Authorizing Official, and the GSA IT Approving Official.
(2)The waiver request must provide the following information-
(A)The description of the procurement and GSA Information Systems;
(B)Identification of requirement requested for waiver;
(C)Sufficient justification for why the requirements should be waived; and
(D)Any residual risks that will be encountered by waiving the requirements.
(3)Waivers must be documented in the contract file.
(d)Classified Information. For any procurements that may involve access to classified information or a classified information system, see subpart 504.4 for additional requirements.