Section, updated April 16, 2026

    FAR 39.106 Contract clause.

    Plain-English Summary

    FAR 39.106 tells contracting officers when they must include the Privacy or Security Safeguards clause, FAR 52.239-1, in IT solicitations and contracts. It applies to procurements for information technology that require security of information technology, and to procurements for the design, development, or operation of a system of records when commercial information technology services or support services are involved. The section exists to ensure that contractors handling federal information systems or sensitive records are contractually bound to meet privacy and security requirements, rather than leaving those protections implied or optional. In practice, this means the contracting officer must identify whether the acquisition involves IT security obligations or a system of records and then insert a clause substantially the same as the prescribed clause. For contractors, the section signals that privacy and security safeguards are not just technical expectations but enforceable contract terms that can affect performance, compliance, and liability. For agencies, it helps standardize protection of government information and reduce the risk of unauthorized access, disclosure, or mishandling of records.

    Key Rules

    Insert required safeguard clause

    The contracting officer must include a clause substantially the same as FAR 52.239-1, Privacy or Security Safeguards, in the covered solicitations and contracts. The clause is not optional when the rule applies.

    Applies to secured IT acquisitions

    The clause is required for information technology procurements that require security of information technology. This covers acquisitions where the government needs the contractor to protect IT assets, systems, or data as part of performance.

    Applies to systems of records work

    The clause is also required for contracts involving the design, development, or operation of a system of records when commercial information technology services or support services are used. The focus is on work that affects records maintained by the government and the IT services supporting them.

    Use substantially the same language

    The regulation requires a clause substantially the same as the prescribed clause, meaning the contracting officer should not materially alter the required protections. Any deviation should be carefully reviewed to ensure the clause still carries the intended privacy and security obligations.

    Coverage depends on acquisition scope

    The trigger is the nature of the procurement, not the contractor’s label or business type. The contracting officer must assess the statement of work, system functions, and security needs to determine whether the clause belongs in the solicitation and resulting contract.

    Responsibilities

    Contracting Officer

    Determine whether the acquisition is for information technology requiring security or for the design, development, or operation of a system of records using commercial IT or support services. If so, insert a clause substantially the same as FAR 52.239-1 in the solicitation and contract.

    Agency

    Ensure acquisition planning and IT/security review processes identify covered procurements early enough for the required clause to be included. Support contracting personnel with policy, privacy, and security input as needed.

    Contractor

    Comply with the privacy and security safeguards required by the contract clause when performing covered IT or records-related work. Protect government information and systems according to the contractual requirements and any incorporated security procedures.

    Practical Implications

    1. This section is a clause-coverage check: if the procurement fits the trigger, the clause must be in the solicitation and contract before award.

    2. A common pitfall is overlooking the clause in IT buys that seem routine but still require security controls, especially cloud, hosting, support, or maintenance services.

    3. Another risk is missing system-of-records implications when commercial IT services handle, store, or process records that require privacy protections.

    4. Contracting officers should coordinate early with IT, cybersecurity, privacy, and program staff so the solicitation reflects the actual security and records environment.

    5. Contractors should treat the clause as a binding performance requirement and make sure their internal controls, subcontract flowdowns, and incident response practices can support compliance.

    Official Regulatory Text

    The contracting officer shall insert a clause substantially the same as the clause at 52.239-1, Privacy or Security Safeguards, in solicitations and contracts for information technology which require security of information technology, and/or are for the design, development, or operation of a system of records using commercial information technology services or support services.