An Official Website Of The United States Government

Part 539 - Acquisition of Information Technology

Part 539 - Acquisition of Information Technology

Part 539 - Acquisition of Information Technology

539.001 Applicability.

Subpart 539.1 - General

539.101 Policy.

      (a)   Standard Configurations. See section 511.170 for any applicable standard configurations for GSA information technology procurements.

      (b)   CIO Coordination. See sections 507.104, 511.170, and 543.102 for required coordination and approval by the GSA Chief Information Officer (CIO) for procurements involving GSA information technology. For interagency acquisitions, see section 517.502-70.

      (c)   GSA IT Standards Approval. See section 511.170 for any necessary GSA IT Standards Profile approvals.

      (d)   Internet Protocol Version 6 (IPv6).

           (1)  See 511.170(d) for guidance on developing requirements to ensure information technology that will have the capability to access the Internet or any network complies with Internet Protocol Version 6 (IPv6).

           (2)  The Contracting Officer or Contracting Officer's Representative must validate contractor compliance with IPv6 contract requirements as part of the review and acceptance process when products or systems are delivered. Evidence may include any of the following:

                (i) The Supplier's Declaration of Conformity (SDOC). The template for the SDOC can be found on the National Institute of Standards and Technology (NIST) website available at;

                (ii) Laboratory Certification. The product being acquired has been tested and shown to be IPv6 compliant by an accredited laboratory. A listing of tested/certified products can be found on the NIST available at; or

                (iii)  Practical Demonstration. The product can be shown to the GSA Contracting Officer or Contracting Officer's Representative to be IPv6 compliant via practical demonstration, or by an otherwise credible validation of technical support.

      (e)  Software Code. See 511.170(e) and 511.170(f) for guidance on procuring software code.

      (f)  Supply Chain Risk Management. See subpart  504.70 for guidance on identifying and mitigating supply chain risks.

Subpart 539.70 - Additional Requirements for Purchases Not in Support of National Security Systems

539.7000 Scope of subpart.

This subpart prescribes acquisition policies and procedures for use in acquiring information technology supplies, services and systems not in support of national security systems, as defined by FAR 39.

539.7001 Policy.

      (a)  GSA must provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. Section 3544(a)(1)(A)(ii) of the Federal Information Security Management Act (FISMA) describes Federal agency security responsibilities as including “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”

      (b)  Employees responsible for or procuring information technology supplies, services and systems shall possess the appropriate security clearance associated with the level of security classification related to the acquisition. They include, but are not limited to contracting officers, contract specialists, project/program managers, and contracting officer representatives.

      (c)  Contracting activities shall coordinate with requiring activities and program officials to ensure that the solicitation documents include the appropriate information security requirements. The information security requirements must be sufficiently detailed to enable service providers to fully understand the information security regulations, mandates, and requirements that they will be subject to under the contract or task order.

      (d)  GSA’s Office of the Senior Agency Information Security Officer issued CIO IT Security Procedural Guide 09-48, “Security Language for Information Technology Acquisitions Efforts,” to provide IT security standards, policies and reporting requirements that shall be inserted in all solicitations and contracts or task orders where an information system is contractor owned and operated on behalf of the Federal Government. The guide can be accessed at .

539.7002 Solicitation provisions and contract clauses.

      (a)  The contracting officer shall insert the provision at 552.239-70, Information Technology Security Plan and Security Authorization, in solicitations that include information technology supplies, services or systems in which the contractor will have physical or electronic access to government information that directly supports the mission of GSA.

      (b)  The contracting officer shall insert the clause at 552.239-71, Security Requirements for Unclassified Information Technology Resources, in solicitations and contracts containing the provision at 552.239-70. The provision and clause shall not be inserted in solicitations and contracts for personal services with individuals.