Acquisition Policy Flash! 16-13 - Office of Acquisition and Logistics (OAL)

Acquisition Policy Flash! 16-13


Use of VA Handbook 6500-6, Appendix A, Checklist for Information Security in VA Service Acquisitions

Purpose:  This acquisition flash clarifies the requirements for use of VA Handbook 6500-6, Appendix A, Checklist for Information Security, in Department of Veterans Affairs (VA) acquisitions.

Dated:  May 19, 2016

Effective Date:  Immediately

Expiration Date:  None

Background:  VA Handbook 6500-6, Contract Security, establishes VA procedures, responsibilities, and processes for implementing security policy as appropriate in VA acquisitions for services.  To ensure security is included in appropriate VA acquisitions, the handbook requires Appendix A, Checklist for Information Security, to be completed and included in the official Electronic Contract Management System (eCMS) contract file.

VA Handbook 6500-6, Section 1, Purpose and Scope, states:

“b.  This handbook applies to all VA contracts in which VA sensitive information is stored, generated, transmitted or exchanged by a VA contractor, subcontractor or third-party, or on behalf of any of these entities regardless of format and whether it resides on a VA or a non-VA system, for the contractor, subcontractor, or third party to perform their contractual obligations to VA for the acquisition of goods or services where they stand in lieu of VA and act on VA’s behalf.”

VA Handbook 6500-6, Section 3.e.(2) states Appendix A, Checklist for Information Security, is to be completed for all service acquisitions. Appendix A to the handbook, Section 2, Instructions, states the checklist is to be completed for all Information Technology (IT) service acquisitions.  Question number 2 of Appendix A makes reference to commodities where the acquisition involves VA sensitive information.  Notwithstanding these prescriptions, use of the checklist is mandated by VA Handbook 6500-6 and is only required for those acquisitions within the scope of the handbook.

While an acquisition may not specifically be for IT services or may be for commodities, the acquisition may require access to, or the generation, storage, transmission, or exchange of, VA sensitive information.  For this reason, all service acquisitions and IT commodity acquisitions will be assessed to determine the applicability of the requirements of VA Handbook 6500-6.  If the assessment determines IT services will not be procured or VA sensitive information will not be accessed, no further action is required.  If the assessment determines the service requested is an IT service or that access to VA sensitive information will be required, the checklist must be completed.

Applicability:  In accordance with VA Handbook 6500-6, this acquisition flash applies to all VA contracts identified in Section 1, “Purpose and Scope.”

Action Required:  As required by VA Handbook 6500-6, Appendix A, contracting officers shall, in conjunction with the Program Manager, Contracting Officer’s Representative (COR), Information Security Officer, and Privacy Officer, complete VA Handbook 6500-6, Appendix A, Checklist for Information Security, for all applicable contracts.

Additionally, when the checklist is required, contracting officers shall include the completed and signed checklist as part of the official contract file in eCMS.

Additional Information:  Direct questions or concerns to the Procurement Policy and Warrant Management Service via email at or (202) 632-5288.