Policy
FAR 39.101 mandates strict compliance with security, sustainability, and prohibited source requirements for all federal IT acquisitions, requiring contractors to ensure their products and supply chains meet these standards.
Overview
FAR 39.101 establishes the core policy requirements for acquiring information technology (IT) in federal contracts. It mandates that agencies identify IT needs in accordance with OMB Circular A-130, emphasizing security, privacy, accessibility, and energy efficiency. Agencies must also comply with sustainability requirements, implement energy-efficient practices, and use best management practices for data centers. The section requires market research to address the fast-changing IT landscape and mandates the use of certified financial management software. IT acquisitions must incorporate appropriate security policies, including NIST security configurations, and comply with Internet Protocol requirements. The regulation strictly prohibits the purchase or use of products and services from Kaspersky Lab, covered telecommunications equipment or services (with specific deadlines and exceptions), TikTok, and certain covered articles or sources as determined by FASCSA orders. There are also prohibitions on unmanned aircraft systems as specified in FAR 40.202.
Key Rules
- Requirements Identification
  - Agencies must define IT requirements per OMB Circular A-130, considering security, privacy, accessibility, and energy efficiency.
- Sustainability and Energy Efficiency
  - IT acquisitions must meet sustainable product/service requirements and implement energy-efficient practices for electronics and data centers.
- Market Research and Technology Refresh
  - Contracting officers should use market research and technology refresh strategies due to rapid IT changes.
- Certified Financial Management Systems
  - Only certified core financial management software may be acquired.
- Security Policies
  - IT contracts must include appropriate security requirements, including NIST configurations.
- Internet Protocol Compliance
  - Contracts must include IP compliance requirements as per FAR 11.002(g).
- Prohibited Sources and Technologies
  - Strict bans on Kaspersky Lab, covered telecommunications equipment/services, TikTok, certain covered articles/sources, and some unmanned aircraft systems.
Responsibilities
- Contracting Officers: Ensure all IT acquisitions comply with security, sustainability, and prohibited source requirements; conduct market research; consult with requiring officials; and verify compliance with all referenced FAR subparts and external orders.
- Contractors: Must not provide prohibited products/services, comply with sustainability and security requirements, and ensure their own supply chains are free from banned technologies or sources.
- Agencies: Oversee compliance, issue guidance, and enforce prohibitions and sustainability mandates.
Practical Implications
- This section ensures IT acquisitions are secure, sustainable, and free from high-risk or banned technologies. Contractors must be vigilant about supply chain risks, evolving prohibitions, and compliance with referenced standards and orders. Failure to comply can result in contract ineligibility or termination, making due diligence and documentation critical.