Previous PageTable Of ContentsNext Page

DARS PART 39—ACQUISITION OF INFORMATION TECHNOLOGY



PART 39—ACQUISITION OF INFORMATION TECHNOLOGY

TABLE OF CONTENTS

SUBPART 39.1—GENERAL

39.101 Policy.

39.104 Information Technology Services.

SUBPART 39.2—ELECTRONIC AND INFORMATION TECHNOLOGY

39.201 Scope of subpart.

SUBPART 239.73—REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK

239.7300 Scope of subpart.

SUBPART 239.74—TELECOMMUNICATIONS SERVICES

239.7407 Type of contract.

239.7411 Contract clauses.

PART 39—ACQUISITION OF INFORMATION TECHNOLOGY

SUBPART 39.1—GENERAL

39.101 Policy.

(S-90) Contracting Officers shall ensure that the Federal Data Procurement System-Next Generation (FPDS-NG) accurately reports Clinger-Cohen Act (CCA) applicability for contract actions as indicated on the Requirements Package Checklist/Certifications & Section 508 Determination located at https://www.ditco.disa.mil/contracts/instruct_docs/Encl1_Rqmnts_ChecklistSection_508.pdf. (See DISAI 610-225-2 dated 19 Feb 15 and DoDI 5000.02 dated 7 Jan 15)

(S-91) Contracting Officers shall ensure that the Requiring Office obtains appropriate DISA CIO approvals or waivers for contract actions obligating funds for data servers and centers as indicated on the Requirements Package Checklist/Certifications & Section 508 Determination located at https://www.ditco.disa.mil/contracts/instruct_docs/Encl1_Rqmnts_ChecklistSection_508.pdf

(See DISAI 610-225-2 dated 19 Feb 15 and DoDI 5000.02 dated 7 Jan 15)

39.104 Information Technology Services.

(S-90) All solicitations and contracts for IT services acquired on behalf of DISA shall contain a requirement in either the Statement of Work (SOW) or Performance Work Statement (PWS) for contractor compliance with the Department of Defense Enterprise Service Management Framework (DESMF). Information on DESMF can be accessed at: https://community.apan.org/esmf_consortium_working_groups/m/desmf_ed_ii/default.aspx.

The required DESMF PWS/SOW language is included in the SOW and PWS templates on the “DITCO Information Technology & Telecommunications Acquisition Package Submission & Ordering Guide” web page. Contracting officers should submit any questions they receive from contractors regarding DESMF compliance to the DISA requirements office for a response. If the contracting officer and/or the requirements office are unable to provide a response, then the applicable DISA requirements office should contact the DISA Information Technology Service Management Division (CI5) for assistance.

SUBPART 39.2—ELECTRONIC AND INFORMATION TECHNOLOGY

39.201 Scope of subpart.

(S-90) Section 508 Compliance. The DoD Section 508 policies are located at http://dodcio.defense.gov/DoDSection508.aspx.

SUBPART 239.73—REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN RISK

239.7300 Scope of subpart.

(S-90) All information technology programs, projects, services, enterprise services, initiatives, pilots, and other acquisition-related matters that include information and communications technology require a supply chain risk management (SCRM) assessment.

(1) The DISA SCRM program is managed in accordance with DISA Instruction 240-110-44, Supply Chain Risk Management, dated 12 Sep 14. The SCRM assessment is mandatory for all DISA procurements. The DISA Mission Partner shall provide a SCRM Checklist form that has been completed and signed by the SCRM Focal Point Lead as part of their requirements package. The DISA Mission Partner will work with the SCRM focal point to determine the appropriate PWS/SOO/SOW and solicitation Section L language is incorporated into the contract and order(s).

(2) The TSN/SCRM focal point is Ms. Regan Duguid, DISA RME. For fastest response, send all contact to the TSN/SCRM Mailbox - disa.letterkenny.FSO.list.fs12-st3-scrm@mail.mil.

(S-91) There is a seven-stage supply chain risk planning approach that shall be followed for overall risk planning for each requirement.

Stage 1 – Determine if you are an Applicable System: Applicable Systems under DoDI 5200.44 are those which are National Security Systems, MAC 1, or designated by a CAE or CIO. An Applicable System under DoDI 5200.44 will also be a Covered System under Section 806. It must be noted that the definition of National Security Systems (NSS) does not include DoD’s Non-Secure Internet Protocol Router Network (NIPRNet) and its enclaves in its entirety. However, any portions of the NIPRNet which are critical to the direct fulfillment of military or intelligence missions (as in, a military or intelligence mission will fail without access to this system) are NSSs and should be treated as Applicable Systems.

Stage 2 - Determine Level of Criticality: Consistent with DoDI 5200.44, a criticality analysis for “Applicable Systems” should be performed to identify critical components. For many information systems and networks, all or nearly all components can undermine or disrupt the critical functions of the system because of the system’s design. In this scenario, all components should be treated as critical components.

Stage 3 – Obtain Threat Information / Plan Mitigation Strategy: For critical components, an early look at existing threat information on potential suppliers – if available - may be possible and helpful in procurement planning, especially for commodity Information and Communications Technology (ICT) common to multiple systems. If this is analysis does not reveal risky suppliers or components, then programs may choose to consider traditional procurement options. If there are potentially risky suppliers or components, then programs should take steps for the possible use of technical solutions and alternative procurement approaches to mitigate risk. Programs may also consider exercising Section 806 authority.

Stage 4 – Determine Procurement Pathway: Based on the level of risk and availability of mitigations, programs should determine an appropriate pathway for each procurement.

Stage 5 – Issue Solicitation: Solicitations for critical components or for systems including critical components must include a number of provisions required by the Defense Federal Acquisition Regulation Supplement (DFARS). Some of these are required in every solicitation for ICT that is or could be for an NSS, and whether or not there are critical components.

Stage 6 – Develop Residual Risk Mitigation Plan: Under circumstances where there is a remaining risk that could not be mitigated during Stage 3, programs should conduct a residual risk analysis and develop mitigation strategy to address the findings. Results of this analysis should be captured in the Supply Chain Risk Management Plan and the Program Protection Plan.

Stage 7 – Continual Updates: The following may require an update to the SCRM mitigation planning:

Major changes to the Vendor, Program, System, and/or technology that would affect risk to the supply chain (e.g. changes in company ownership, changes in senior company leadership, supplier changes, subcontractor changes, and ICT supply chain compromises)

SUBPART 239.74—TELECOMMUNICATIONS SERVICES

239.7407 Type of contract.

(S-90) When acquiring telecommunications services using the Inquiry/Quote/Order (IQO) process or communication service authorizations (CSAs), refer to the IQO Acquisition Deskbook located at https://www.ditco.disa.mil/hq/deskbooks.asp.

(S-91) When acquiring telecommunications services, the contracting officer may also use an Indefinite Delivery/Indefinite Quantity (IDIQ) contract in conjunction with communication service authorizations (CSA). PGI 239.7407 (1) and (2) apply when using an IDIQ contract in conjunction with a CSA. Additionally, a CSA change order or discontinue modification may be issued unilaterally if an equitable adjustment in contract/order price or delivery terms has been agreed upon and documented in advance (i.e. completion notice/report, bilateral modification to IDIQ contract). If an equitable adjustment in contract/order price or delivery terms has been agreed upon and documented in advance, only the unilateral CSA change order or discontinue modification is required. The Contractor shall acknowledge the change order or discontinue modification as required by the contract.

239.7411 Contract clauses.

(S-90) Use the clause at DARS 52.239-9000, Outage Credits, in solicitations, contracts and basic agreements for telecommunications services, unless the acquisition requires a more comprehensive outage credit requirement, which is included as a "special contract requirement" (Section H of the solicitation and contract).

(S-91) Use the clause at DARS 52.239-9002, Billing Dates, in all solicitations, contracts, and basic agreements for telecommunications services acquired based on Telecommunication Service Requests (TSRs) or Telecommunication Service Orders (TSOs).

Previous PageTop Of PageTable Of ContentsNext Page