
Office of Acquisition and Logistics (OAL)

 

Part 839 - Acquisition of Information Technology

 
Sec.  
839.000 Scope of part.
Subpart 839.1—General
839.101 Policy.
839.105 Privacy.
839.105-70 Business Associate Agreements, information technology-related contracts and privacy.
839.105-71 Liquidated damages—protection of information in information technology related contracts.
839.106-70 Information security and privacy contract clauses.
Subpart 839.2—Information and Communication Technology
839.201 Scope of subpart.
839.203 Applicability.
839.203-70 Information and communication technology accessibility standards—contract clause and provision.

AUTHORITY:  38 U.S.C. 5723-5724, 5725(a)–(c); 40 U.S.C. 121(c), 11319(b)(1)(C); 41 U.S.C. 1121(c)(3), 1303 and 1702; and 48 CFR 1.301 through 1.304.


839.000  Scope of part.

This part prescribes acquisition policies and procedures for use in acquiring VA information technology and information technology-related contracts (see 802.101) and applies to both VA-procured information technology systems as well as interagency acquisitions defined in FAR part 17 and part 817.

Subpart 839.1 - General

839.101  Policy.

(a)(1) In acquiring information technology, including information technology-related contracts which may involve services (including support services), and related resources (see the definition at FAR 2.101), contracting officers and requiring activities shall include in solicitations and contracts the requirement to comply with the following directives, policies, and procedures in order to protect VA information, information systems, and information technology—

(i) VA Directive 6500, VA Cybersecurity Program, and the directives and handbooks in the VA 6500 series, to include, but not limited to, VA Handbook 6500.6, Contract Security, which establishes VA’s procedures, responsibilities, and processes for complying with current Federal law, Executive orders, policies, regulations, standards, and guidance for protecting and controlling VA sensitive information and ensuring that security requirements are included in acquisitions, solicitations, contracts, purchase orders, and task or delivery orders.

(ii) The VA directives, security requirements, procedures, and guidance in paragraph (a)(1)(i) of this section apply to all VA contracts and to contractors, subcontractors, and their employees in the performance of contractual obligations to VA for information technology products purchased from vendors, as well as for services acquired from contractors and subcontractors or business associates, through contracts and service agreements, in which access to VA information, VA sensitive information or sensitive personal information (including protected health information (PHI))—

(A) That is created, received, maintained, or transmitted, or that will be stored, generated, accessed, exchanged, processed, or utilized by VA, a VA contractor, subcontractor, or third-party servicers or associates, or on behalf of any of these entities, in the performance of their contractual obligations to VA; and

(B) By or on behalf of any of the entities identified in this section, regardless of—

(1) Format; or

(2) Whether it resides on a VA or a non-VA system, or with a contractor, subcontractor, or third-party system or electronic information system(s), including cloud services, operating for or on the VA’s behalf or as required by contract.

(c) Contractors, subcontractors, and third-party servicers or associates providing support to or on behalf of the entities identified in this section, shall employ adequate security controls and use appropriate common security configurations available from the National Institute of Standards and Technology (see FAR 39.101(c)) as appropriate in accordance with VA regulations in this chapter, directives, handbooks, and guidance, and established service level agreements and individual contracts, orders, and agreements. Contractors, subcontractors, and third-party servicers and associates will ensure that VA information or VA sensitive information that resides on a VA system or resides on a contractor/subcontractor/third-party entities/associates information and communication technology (ICT) system(s), operating for or on VA’s behalf, or as required by contract, regardless of form or format, whether electronic or manual, and information systems, are protected from unauthorized access, use, disclosure, modification, or destruction to ensure information security (see FAR 2.101) is provided in order to ensure the integrity, confidentiality, and availability of such information and information systems.

839.105  Privacy.

839.105-70  Business Associate Agreements, information technology-related contracts and privacy.

In accordance with 824.103-70, contracting officers and contracting officer representatives (CORs) shall ensure that contractors, their employees, subcontractors, and third-parties under the contract complete Business Associate Agreements for—

(a) Information technology or information technology-related service contracts subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) where HIPAA PHI is created, received, maintained, or transmitted, or that will be stored, generated, accessed, exchanged, processed, or utilized in order to perform certain health care operations activities or functions on behalf of the Veterans Health Administration (VHA) as a covered entity (see 802.101 for the definition of information technology-related contracts); or

(b) Contractors supporting other VA organizations which support VHA in this regard and which would therefore require Business Associate Agreements in accordance with 824.103-70.

839.105-71  Liquidated damages—protection of information in information technology related contracts.

Contracting officers shall insert in information technology related contracts the liquidated damages clause as prescribed at 811.503-70.

839.106-70  Information security and privacy contract clauses.

(a) Contracting officers shall insert the clause at 852.239-70, Security Requirements for Information Technology Resources, and the clause at 852.239-71, Information System Security Plan and Accreditation, in all solicitations, contracts, and orders exceeding the micro-purchase threshold that include information technology services.

(b) Contracting officers shall insert the clause at 852.239-72, Information System Design and Development, in solicitations, contracts, orders, and agreements where services to perform information system design and development are required.

(c) Contracting officers shall insert the clause at 852.239-73, Information System Hosting, Operation, Maintenance or Use, in solicitations, contracts, orders, and agreements where services to perform information system hosting, operation, maintenance, or use are required.

(d) Contracting officers shall insert the clause at 852.239-74, Security Controls Compliance Testing, in solicitations, contracts, orders, and agreements, when the clause at 852.239-72 or 852.239-73 is inserted.

Subpart 839.2 - Information and Communication Technology

839.201  Scope of subpart.

This subpart applies to the acquisition of Information and Communication Technology (ICT) supplies and services. It concerns the access to and use of information and data by both Federal employees with disabilities and members of the public with disabilities in accordance with FAR 39.201. This subpart implements VA policy on section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d) and 36 CFR 1194.1 as it applies to contracts and acquisitions when developing, procuring, maintaining, or using ICT.

839.203  Applicability.

(a) General. Solicitations for information technology (IT) (i.e., ICT) or IT-related supplies and services shall require the contractor to submit a VA Section 508 Checklist (see https://www.section508.va.gov/).

839.203-70  Information and communication technology accessibility standards—contract clause and provision.

(a) The contracting officer shall insert the provision at 852.239-75, Information and Communication Technology Accessibility Notice, in all solicitations.

(b) The contracting officer shall insert the clause at 852.239-76, Information and Communication Technology Accessibility, in all contracts and orders.
