Contract clause
Include the 52.239-1 Privacy or Security Safeguards clause in IT contracts that require information security or involve systems of records using commercial IT services.
Overview
FAR 39.106 requires contracting officers to include the clause at 52.239-1, Privacy or Security Safeguards, in solicitations and contracts for information technology (IT) when those contracts involve the security of IT or the design, development, or operation of a system of records using commercial IT services or support. This clause ensures that contractors are contractually obligated to implement adequate privacy and security measures to protect sensitive information handled or processed under the contract. The regulation is designed to address the increasing risks associated with IT systems and the handling of personal or sensitive data in government contracts.
Key Rules
- Clause Inclusion Requirement: The clause at 52.239-1 must be included in applicable IT solicitations and contracts.
- Applicability to IT Security and Systems of Records: Applies to contracts requiring IT security or involving systems of records using commercial IT services/support.
Responsibilities
- Contracting Officers: Must ensure the correct clause is included in relevant IT contracts and solicitations.
- Contractors: Must comply with the privacy and security safeguards outlined in the clause.
- Agencies: Should oversee compliance and ensure that IT contracts address privacy and security risks.
Practical Implications
- This section exists to protect sensitive government and personal data in IT contracts.
- It impacts daily contracting by mandating specific privacy and security requirements in IT procurements.
- Common pitfalls include failing to include the clause in applicable contracts or misunderstanding the scope of "system of records" and IT security requirements.