PART 839 - ACQUISITION OF INFORMATION TECHNOLOGY
Authority: 38 U.S.C. 5723-5724, 5725(a)-(c); 40 U.S.C. 121(c), 11319(b)(1)(C); 41 U.S.C. 1121(c)(3), 1303 and 1702; and 48 CFR 1.301 through 1.304.
Source: 88 FR 4746, Jan. 25, 2023, unless otherwise noted.
839.000 Scope of part.
This part prescribes acquisition policies and procedures for use in acquiring VA information technology and information technology-related contracts (see 802.101) and applies to both VA-procured information technology systems as well as interagency acquisitions defined in FAR part 17 and part 817.
Subpart 839.1 - General
(1) In acquiring information technology, including information technology-related contracts which may involve services (including support services), and related resources (see the definition at FAR 2.101), contracting officers and requiring activities shall include in solicitations and contracts the requirement to comply with the following directives, policies, and procedures in order to protect VA information, information systems, and information technology -
(i) VA Directive 6500, VA Cybersecurity Program, and the directives and handbooks in the VA 6500 series, to include, but not limited to, VA Handbook 6500.6, Contract Security, which establishes VA's procedures, responsibilities, and processes for complying with current Federal law, Executive orders, policies, regulations, standards, and guidance for protecting and controlling VA sensitive information and ensuring that security requirements are included in acquisitions, solicitations, contracts, purchase orders, and task or delivery orders.
(ii) The VA directives, security requirements, procedures, and guidance in paragraph (a)(1)(i) of this section apply to all VA contracts and to contractors, subcontractors, and their employees in the performance of contractual obligations to VA for information technology products purchased from vendors, as well as for services acquired from contractors and subcontractors or business associates, through contracts and service agreements, in which access to VA information, VA sensitive information or sensitive personal information (including protected health information (PHI)) -
(A) That is created, received, maintained, or transmitted, or that will be stored, generated, accessed, exchanged, processed, or utilized by VA, a VA contractor, subcontractor, or third-party servicers or associates, or on behalf of any of these entities, in the performance of their contractual obligations to VA; and
(B) By or on behalf of any of the entities identified in this section, regardless of -
(1) Format; or
(2) Whether it resides on a VA or a non-VA system, or with a contractor, subcontractor, or third-party system or electronic information system(s), including cloud services, operating for or on the VA's behalf or as required by contract.
(c) Contractors, subcontractors, and third-party servicers or associates providing support to or on behalf of the entities identified in this section, shall employ adequate security controls and use appropriate common security configurations available from the National Institute of Standards and Technology (see FAR 39.101(c)) as appropriate in accordance with VA regulations in this chapter, directives, handbooks, and guidance, and established service level agreements and individual contracts, orders, and agreements. Contractors, subcontractors, and third-party servicers and associates will ensure that VA information or VA sensitive information that resides on a VA system or resides on a contractor/subcontractor/third-party entities/associates information and communication technology (ICT) system(s), operating for or on VA's behalf, or as required by contract, regardless of form or format, whether electronic or manual, and information systems, are protected from unauthorized access, use, disclosure, modification, or destruction to ensure information security (see FAR 2.101) is provided in order to ensure the integrity, confidentiality, and availability of such information and information systems.
839.105-70 Business Associate Agreements, information technology-related contracts and privacy.
In accordance with 824.103-70, contracting officers and contracting officer representatives (CORs) shall ensure that contractors, their employees, subcontractors, and third-parties under the contract complete Business Associate Agreements for -
(a) Information technology or information technology-related service contracts subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) where HIPAA PHI is created, received, maintained, or transmitted, or that will be stored, generated, accessed, exchanged, processed, or utilized in order to perform certain health care operations activities or functions on behalf of the Veterans Health Administration (VHA) as a covered entity (see 802.101 for the definition of information technology-related contracts); or
(b) Contractors supporting other VA organizations which support VHA in this regard and which would therefore require Business Associate Agreements in accordance with 824.103-70.
839.105-71 Liquidated damages - protection of information in information technology related contracts.
Contracting officers shall insert in information technology related contracts the liquidated damages clause as prescribed at 811.503-70.
839.106-70 Information security and privacy contract clauses.
(a) Contracting officers shall insert the clause at 852.239-70, Security Requirements for Information Technology Resources, and the clause at 852.239-71, Information System Security Plan and Accreditation, in all solicitations, contracts, and orders exceeding the micro-purchase threshold that include information technology services.
(b) Contracting officers shall insert the clause at 852.239-72, Information System Design and Development, in solicitations, contracts, orders, and agreements where services to perform information system design and development are required.
(c) Contracting officers shall insert the clause at 852.239-73, Information System Hosting, Operation, Maintenance or Use, in solicitations, contracts, orders, and agreements where services to perform information system hosting, operation, maintenance, or use are required.
(d) Contracting officers shall insert the clause at 852.239-74, Security Controls Compliance Testing, in solicitations, contracts, orders, and agreements, when the clause at 852.239-72 or 852.239-73 is inserted.
Subpart 839.2 - Information and Communication Technology
839.201 Scope of subpart.
This subpart applies to the acquisition of Information and Communication Technology (ICT) supplies and services. It concerns the access to and use of information and data by both Federal employees with disabilities and members of the public with disabilities in accordance with FAR 39.201. This subpart implements VA policy on section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d) and 36 CFR parts 1193 and 1194 as it applies to contracts and acquisitions when developing, procuring, maintaining, or using ICT.
(a) General. Solicitations for information technology (IT) (i.e., ICT) or IT-related supplies and services shall require the contractor to submit a VA Section 508 Checklist (see https://www.section508.va.gov/).
839.203-70 Information and communication technology accessibility standards - contract clause and provision.
(a) The contracting officer shall insert the provision at 852.239-75, Information and Communication Technology Accessibility Notice, in all solicitations.
(b) The contracting officer shall insert the clause at 852.239-76, Information and Communication Technology Accessibility, in all contracts and orders.