FAR 39.1—Subpart 39.1

Policy.

FAR 39.101 is the core policy section for acquiring information technology and related technology-dependent products and services. It tells agencies and contracting officers what requirements must be built into IT acquisitions, including compliance with OMB Circular A-130, sustainable products and services requirements, power management and energy-efficiency features, and best practices for energy-efficient server and data center management. It also addresses financial management systems under OMB Circular A-127 and limits agencies to core financial management software certified by the Joint Financial Management Improvement Program. In addition, it requires agencies to include appropriate IT security policies and standards, Internet Protocol compliance requirements, and market-research-based acquisition strategies that account for rapid technology change and refreshment. The section also incorporates several government-wide procurement prohibitions and restrictions, including the ban on Kaspersky Lab products and services, restrictions on covered telecommunications equipment and services, the TikTok/covered application prohibition, FASCSA order-based prohibitions on covered articles and sources, and unmanned aircraft system prohibitions. In practice, this section is a compliance checkpoint: it forces agencies to screen IT buys for security, privacy, sustainability, interoperability, supply-chain risk, and statutory or executive-branch prohibitions before award or renewal.

Management of risk.

FAR 39.102 explains how agencies should manage risk when acquiring information technology. It requires agencies to analyze risks, benefits, and costs before awarding an IT contract, and it ties that analysis to requirements definition, project selection, and program implementation. The section identifies common IT risk categories such as schedule, technical obsolescence, cost, contract type risk, technical feasibility, system dependencies, workload from multiple high-risk projects, funding availability, and overall program management risk. It also directs agencies to use practical risk-management techniques, including prudent project management, modular contracting, acquisition planning aligned with budget planning, continuous risk-based data collection and evaluation, prototyping, post-implementation reviews, and quantifiable measures of risk and return. In practice, this section is meant to keep agencies from treating IT acquisitions as purely transactional purchases; instead, it pushes them to make disciplined investment decisions and to monitor performance throughout the life of the project.

Modular contracting.

FAR 39.103 explains when and how agencies should use modular contracting for information technology acquisitions, especially major IT systems. It covers the policy goal of reducing program risk, improving contractor performance incentives, and keeping pace with rapidly changing technology, while tying the approach to the agency’s information technology architecture. The section describes what makes an acquisition “modular,” including breaking a system into smaller increments that are easier to manage, deliver, test, and improve over time. It also addresses compatibility and architecture requirements, performance and interface planning, the need to choose a contract structure that supports later increments, and the timing expectations for award and delivery to avoid obsolescence. In practice, this section pushes agencies to buy IT in manageable pieces rather than as one large, rigid effort, and it requires contracting officers to structure contracts so the Government is not locked into buying more increments than it wants or needs.

Information technology services.

FAR 39.104 addresses a narrow but important rule for acquiring information technology services: solicitations generally may not impose minimum experience or educational requirements on proposed contractor personnel. The section also identifies the limited circumstances in which such requirements are allowed—when the contracting officer determines the agency’s needs cannot be met without them, or when the acquisition must be conducted using something other than a performance-based acquisition under FAR subpart 37.6. In practice, this provision is meant to keep IT service procurements focused on outcomes and performance rather than unnecessary staffing credentials, which can restrict competition and drive up costs. It also forces the contracting officer to justify any personnel qualification requirements up front, rather than using them by default. For contractors, the rule matters because it can prevent solicitations from over-specifying labor qualifications and can affect how proposals are staffed and priced. For agencies, it reinforces the policy preference for performance-based acquisition and careful acquisition planning.

Privacy.

FAR 39.105 requires agencies to build privacy protections into information technology contracts and to align those contracts with the Privacy Act (5 U.S.C. 552a) and FAR part 24. In practice, this section is about making sure contractors handling systems of records do not merely deliver technical services, but also operate under clear privacy-related controls. It specifically addresses contracts for the design, development, or operation of a system of records when commercial information technology services or IT support services are involved. The rule requires agencies to include contractor conduct rules, identify anticipated threats and hazards, specify the safeguards the contractor must provide, and establish a Government inspection program during performance. Its purpose is to reduce the risk of unauthorized disclosure, misuse, or loss of personal information and to ensure privacy protections remain effective throughout contract performance.

Contract clause.

FAR 39.106 tells contracting officers when they must include the Privacy or Security Safeguards clause, FAR 52.239-1, in IT solicitations and contracts. It applies to procurements for information technology that require security of information technology, and to procurements for the design, development, or operation of a system of records when commercial information technology services or support services are involved. The section exists to ensure that contractors handling federal information systems or sensitive records are contractually bound to protect privacy and security requirements, rather than leaving those protections implied or optional. In practice, this means the contracting officer must identify whether the acquisition involves IT security obligations or a system of records and then insert a clause substantially the same as the prescribed clause. For contractors, the section signals that privacy and security safeguards are not just technical expectations but enforceable contract terms that can affect performance, compliance, and liability. For agencies, it helps standardize protection of government information and reduce the risk of unauthorized access, disclosure, or mishandling of records.