DFARS Part 239 Acquisition Of Information Technology

The DFARS – 2025
The Defense Federal Acquisition Regulation
Supplement
A Complimentary Webinar Series
JSchaus & Associates – Washington DC – hello@Jenniferschaus.com

The DFARS – 2025 - The Defense Federal Acquisition Regulation Supplement
ABOUT THE SERIES:
We’ll cover each PART of THE DFARS
Typically held Wednesdays + Fridays @ 12pm ET
Complimentary + Recorded
VIDEOS Posted on YouTube
https://www.youtube.com/@jenniferschaus/videos
PPTs Posted on SlideShare
https://www.slideshare.net
Sponsor/Advertising Options Available

ABOUT THE SERIES:
WHERE TO REGISTER

ABOUT THE SERIES:

ABOUT US:
Services for FED GOV CONTRACTORS:
Washington DC based;
Professional services for established gov cons:
Market Analysis,
Proposal Writing
GSA Schedules; VA Schedules, FEDLink, etc.
Contract Administration, etc.

LINK:
https://www.whitehouse.gov/fact-sheets/2025/03/fact-sheet-president-donald-j-trump-eliminates-waste-and-
saves-taxpayer-dollars-by-consolidating-procurement/

ABOUT US:
Services for THOSE SELLING TO FED GOV CONTRACTORS:
Newsletter Advertising
Webinar Sponsorship
Event Sponsorship
Sponsored Content Newsletters + Webinars
Social Media Postings
Video Hosting - YouTube
Ask us for a MEDIA KIT!

Marketing TO Federal Contractors?
Digital Advertising Offer
38.5K+ Newsletter Subscribers
85% Federal Contractors
28% Open Rates (12 Mo Ave)
4% - 12% Click Rates (12 Mo Ave)
--------------------------------
hello@JenniferSchaus.com for details

THANK YOU TO OUR WEBINAR IN KIND SPONSORS

DFARS Part 239 Acquisition Of Information Technology

THANK YOU TO OUR WEBINAR PAID SPONSORS

VISIT: https://wrkplan.com
POC: AnitaB@wrkplan.com
SOFTWARE FEATURES:

• Ataira Government
• Cloud Licenses and
Services
• Managed IT Administration
and Security Services
• Business Intelligence, Data
Engineering and Analytics
• Security Assessments,
Hardening, Compliance
• Microsoft Cloud Software for
Government and
Contractors
• Contact Us
• sales@ataira.com
• https://www.ataira.com/Government/Services
UEI: XUNLJXK5RSS5

Reach the government and military community
with your public sector content, thought
leadership, products, services, and more.
Make the Most of Your Expertise
Build trust and
credibility
Boost awareness
of your brand
Elevate your
expertise
Promote your
products or services
Improve SEO
Support content
marketing efforts
with syndication
options
Your complimentary membership allows you to post
your white papers, research reports, datasheets, and
more, for free!
Have the expertise, but not the content? Our team
can help! Please contact
Stephanie.Gravel@govevents.com

THE DFARS – PART 239

DFARS PART 239
Acquisition Of Information
Technology
SPEAKER: Megan VanHorn
FIRM: Bridge4Acquisitions Inc.
EMAIL: megan@bridge4acq.com
TODAYS SPEAKER + TOPIC

Agenda
I. General Policy and Applicability
II. Exchange or Sale of Information Technology
III. Security and Privacy for Computer Systems
IV. Standards
V. Telecommunications Services
VI. Cloud Computing

DFARS 239.001 Applicability
• DFARS 239 applies to all DoD IT acquisitions — including National Security Systems
(NSS)
“Notwithstanding FAR 39.001, this part applies to acquisitions of information technology,
including national security systems.”
• FAR 39.001 excludes NSS from coverage, referring instead to 40 U.S.C. §11302 and
OMB A-130 oversight
• DFARS overrides this exclusion — explicitly pulling NSS under DFARS rules for DoD
• Covers a broad range of Information and Communication Technology (ICT)
(See FAR 2.101) — Includes hardware, software, websites, videos, telecom equipment,
electronic documents, and more
• FAR exceptions (39.204) and exemptions (39.205) do not limit DFARS applicability
for NSS —
DFARS governs unless otherwise specified in DFARS itself

DFARS 239.101 Policy
• Preference for Commercial IT Solutions
Contracts over the SAT must not be awarded for non-commercial IT unless market research
determines no suitable commercial products/services exist (DFARS 239.101(1); FAR 10.001(a)(3))
• Software Licensing Policy – Commercial
Acquire under standard public licenses unless inconsistent with procurement law or agency
needs (DFARS 227.7202-1)
• Rights in Commercial Software
No requirement for technical data not customarily provided
No forced relinquishment of rights unless mutually agreed (DFARS 227.7202-1(c))
• Software Licensing Policy – Non-Commercial
Acquire only the rights needed to meet agency needs
Separate CLINs, delivery schedules, and pricing required
No forced relinquishment of rights for software developed at private expense (DFARS 227.7203-1)

DFARS 239.70 EXCHANGE OR SALE OF INFORMATION TECHNOLOGY
Policy (239.7001)
“Agencies shall follow the procedures in DoD Manual 4140.01, Volume 9, DoD Supply Chain Materiel
Management Procedures: Materiel Programs, when considering the exchange or sale of Government-
owned information technology.”
Key Requirements from DoD Manual 4140.01-V9, Section 8.2:
•Applies to non-excess IT assets only
•Items must be:
• Similar to those being acquired
• Required for an approved program
• Safe, demilitarized, or made innocuous, if applicable

DFARS 239.70 EXCHANGE OR SALE OF INFORMATION TECHNOLOGY
(cont.)
Key Requirements from DoD Manual 4140.01-V9, Section 8.2 (cont.):
•Must include:
• Written administrative determination showing economic advantage
• Records substantiating that proceeds or allowances were applied correctly
• Documentation of similarity between exchanged and acquired assets
• Limitations:
• Cannot be used for items in certain FSC groups (e.g., 10, 11, 42, 68) without GSA approval
• No exchanges allowed for excess/surplus property or certain restricted categories (e.g.,
controlled substances, strategic materials)

DFARS 239.71 SECURITY AND PRIVACY FOR COMPUTER SYSTEMS
Scope (239.7100):
• Applies to both Information Assurance (IA) and Privacy Act protections
• IA focuses on protecting systems and data; Privacy Act focuses on safeguarding personal
information
• Supplements, not replaces, FAR 24.1
Definition (239.7101):
• Information Assurance = Safeguards to protect and defend IT systems and the data they handle
• Ensures availability, integrity, authentication, confidentiality, non-repudiation, and ability to
restore systems if compromised

DFARS 239.71 SECURITY AND PRIVACY FOR COMPUTER SYSTEMS (cont.)
Policy Requirements (239.7102-1(a)):
• DoD IT acquisitions must comply with IA policies and laws, including:
• National Security Act, Clinger-Cohen Act, NSTISSP No. 11, FIPS
• DoDD 8500.1 & 8140.01, DoDI 8500.2, DoDM 8570.01-M
Requiring Activity Responsibilities (239.7102-1(b)):
• Must provide the KO with:
• A statement of work or objectives that addresses applicable IA requirements
• Inspection and acceptance criteria for IA compliance
• A determination of whether the IT must be protected against compromising emanations
(TEMPEST)—a security standard for shielding data from being intercepted via electromagnetic
signals

Compromising Emanations – TEMPEST Requirements (239.7102-2)
• Applies when IT systems require protection against compromising emanations
(i.e., signals unintentionally emitted by electronic equipment that could be intercepted)
• The requiring activity must provide the contracting officer with:
• The applicable protection standard, such as NSTISSAM TEMPEST 1-92 or another authorized
standard
• The necessary identification markings, including markings for TEMPEST-certified or equivalent
equipment
• Inspection and acceptance criteria to validate compliance with the selected standard
• The date through which the accreditation is valid for purposes of the acquisition

IA Contractor Training & Certification (239.7102-3)
• Applies to contracts where:
• Contractors perform IA functions for DoD systems, or
• Cleared contractor personnel access DoD systems to perform contract work
• Requiring activity must provide the KO with:
• A list of IA functional responsibilities by category (technical/management) and level (computing,
network, enclave)
• The required training, certification, and continuing education for each IA role
• Post-award responsibilities:
• Requiring activity must ensure all IA personnel certifications are:
• Compliant with DoDM 8570.01-M
• Identified, documented, and tracked throughout performance
• Applies to all IA functions, regardless of:
• Whether duties are full-time or part-time
• Whether work is under a DoD contract or an interagency agreement
See PGI 239.7102-3 for
guidance on
certification tracking
and documentation

DFARS 239.7103 – Contract Clauses: Use these clauses when applicable:
• DFARS 252.239-7000 – Protection Against Compromising Emanations
• Required when IT must be protected against compromising emanations (e.g., TEMPEST)
• DFARS 252.239-7001 – IA Contractor Training and Certification
• Required when contractors perform information assurance functions
DFARS 239.7103 – Contract Clauses: Clause(s) Overview
• DFARS Clause 252.239-7000 – Compromising Emanations
• Contractor must use IT accredited to NSA TEMPEST or other specified standard
• Must provide documentation of accreditation upon request
• Government may conduct independent testing even if accreditation exists
• Contractor must correct or replace deficient systems for 1 year post-installation, at no cost
• DFARS Clause 252.239-7001 – IA Training & Certification
• Contractor personnel must have current DoD-approved IA certifications
• Includes category/level-based certs and OS certs (as applicable)
• Must provide certification status upon request
• Personnel without valid certs are denied access to DoD systems

DFARS 239.72 STANDARDS
Solicitation Requirements (239.7201):
“Contracting officers shall ensure that all applicable Federal Information Processing Standards [FIPS] are
incorporated into solicitations.”
What are FIPS?
• Publicly announced standards developed by NIST and approved by the Secretary of Commerce
• Establish mandatory government-wide requirements when industry standards are insufficient
• Cover areas such as cryptography (AES, DES), security categorization (FIPS‑199), identity verification
(FIPS‑201), and more
Why they matter:
• Ensure security, interoperability, and compliance across federal IT systems
• Required under FISMA, with no waiver for NSS;
• Failure to include them could lead to non-compliance with federal cybersecurity mandates

DFARS 239.73 REQUIREMENTS FOR INFORMATION RELATING TO SUPPLY CHAIN
RISK
Scope (239.7300) and Applicability (239.7302):
• Purpose: Implements DoD’s supply chain risk authority under 10 U.S.C. §3252 and DoDI 5200.44 to protect
national security systems (NSS) and mission-critical functions from compromise via hardware, software, or
services.
• What It Applies To: Any DoD IT acquisition involving a covered system or covered item of supply where
supply chain risk is addressed through:
• A performance specification or evaluation factor tied to risk (in source selection)
• A task or delivery order under a contract that includes supply chain risk clauses
• Any contract action that includes a requirement related to supply chain risk
• Why This Matters:
Enables the DoD to:
• Exclude vendors or subcontractors due to credible supply chain threats
• Withhold consent for subcontracting when national security is at risk
• Limit disclosure of risk-based decisions and bypass protest rights (e.g., GAO/Federal court)
• Bottom Line: DFARS 239.73 mandates application of supply chain risk mitigation protocols—even when FAR
Part 39 would not otherwise apply—whenever national security or trust in critical IT systems is at stake.

RISK
Definitions (239.7301) – KEY DEFINITIONS ONLY *See full DFARS Subpart for complete list
• Covered System
A national security system (NSS) critical to intelligence, military command, or weapons systems.
Think: systems supporting military missions, not payroll or admin software.
• Covered Item of Supply
An IT product purchased for use in a covered system, where compromise could pose a national security risk.
• Supply Chain Risk
The risk that an adversary could tamper with or sabotage a system during design, manufacture, or delivery
to degrade or disrupt its function.
• Information Technology (IT)
Any equipment or system used to store, move, analyze, or control data—including hardware, software,
services, and/or peripherals.
Authorized Individuals (239.7303)
Only SecDef, Service Secretaries, or their designated representatives (subject to 239.7304), may take the actions
authorized under 239.7305; this authority may not be delegated below the USD(A&S) or Service Acquisition
Executives.

RISK
Determination and Notification Requirements (239.7304)
• Before exercising exclusion authority under DFARS 239.7305, designated officials must:
• Obtain a Joint Recommendation
From the USD(A&S) and DoD CIO, based on a risk assessment by the USD(I&S) identifying a significant
supply chain risk to a covered system.
• Make a Formal Determination (classified or unclassified), with concurrence of USD(A&S), stating:
• Exclusion is necessary to protect national security
• Less intrusive options are not viable
• Disclosure risks outweigh non-disclosure (if limiting info release)
• Notify Congress
Provide a classified/unclassified notice to the appropriate committees with:
• Statutory exception justification (per 10 U.S.C. 3204(e)(2))
• Market research and competition barrier info
• Joint recommendation and intelligence risk assessment summary
• Summary of determination and mitigation options considered

RISK
Exclusion Actions & Limits on Disclosure (239.7305)
• Authorized officials (per DFARS 239.7303), after meeting 239.7304 requirements, may:
• Exclude a Source
• If it fails qualification standards to reduce supply chain risk
• If it receives an unacceptable supply chain risk rating during source selection
• By withholding consent to subcontract or directing exclusion from subcontracting
• Limit Disclosure of Exclusion Rationale
May withhold full or partial disclosure of the basis for exclusion actions. If so:
• Actions are not subject to GAO (protest) or Federal court review
• Only necessary parties are notified, preserving national security
• Must coordinate with other DoD/Federal entities and maintain confidentiality

RISK
DFARS 239.7306 – Contract Clauses, Use these clauses when applicable:
• Contracting officers must include DFARS provision 252.239-7017 and clause 252.239-7018 in all solicitations
and contracts when acquiring information technology (IT), whether as a service or supply, that is a covered
system, part of a covered system, or in support of a covered system.
• Applies to both commercial and non-commercial IT acquisitions supporting national security systems.
DFARS 239.7306 – Contract Clauses, Clause(s) Overview
• DFARS 252.239-7017 – Notice of Supply Chain Risk (Provision):
• Alerts offerors that USG may assess supply chain risk
• Assessment may include public, non-public, and classified intel
• USG decisions limiting disclosure are not protestable under GAO or Federal court
• DFARS Clause 252.239-7001 – IA Training & Certification
• Contractor must mitigate supply chain risk in delivery of products/services
• USG may act on intel to manage risk—public or classified
• Exclusion actions not subject to protest
• Applies to broad IT scope: hardware, software, services, peripherals (not incidental equipment)

DFARS 239.74 TELECOMMUNICATIONS SERVICES
Scope (239.7400)
• Covers acquisition of telecom services and telecom security
• Telecom services are a subset of information technology
Key Definitions* (239.7401) *See DFARS for complete list of definitions
• Telecommunications: Transmission of signals/sounds/data via electronic/electromagnetic means
• Telecom Services: Leased or contracted services to meet USG telecom needs (includes equipment/facilities)
• Common Carrier: Regulated telecom service provider (ex, by FCC)
• Noncommon Carrier: Unregulated telecom provider (ex, private networks)
• Foreign Carrier: Provider outside US jurisdiction, not a US business
• Long-Haul Telecom: Long-distance telecom infrastructure/services beyond local switch
• USG Regulatory Body: FCC or state authority; excludes bodies with no judicial appeal or self-regulating
conflicts

Policy (239.7402)
• Acquisition Policy
• Acquire from common & noncommon carriers on a competitive basis (unless justified)
• Follow FCC and regulatory body rules for rates and cost principles
• Contracts should adopt:
• FCC-approved practices
• Or industry standards if no regulatory guidance exists
• Security Requirements
• Purchase requests must specify:
• Info requiring secure transmission
• Contractor’s security obligations
• Required interoperability with NSA-approved tools
• Approved security equipment (e.g., NSA catalog items)

Policy (239.7402)
• Security Requirements (cont.)
• Contractors must:
• Provide all required telecom security techniques/services
• Normally furnish their own secure equipment, unless agency provides it as GFP
• Meet ownership eligibility for COMSEC items
• Foreign Carriers
• Contracting with foreign telecom providers requires additional scrutiny
• Must consult PGI 239.7402(c) for guidance on risks, approvals, and restrictions
• Long-Haul Telecommunications Services
• Includes commercial satellite, long-distance facilities, and supporting local circuits
• Supports critical, often global, DoD comms—requires DISA coordination and strict security oversight
• Follow PGI 239.7402(d) for procurement procedures and coordination requirements

Delegated Authority for Telecommunications Resources (239.7405*)
• DoD contracting officers may enter telecom service contracts for up to 10 years total duration
• Can be structured month-to-month or for defined longer terms
• Authority delegated from GSA to DoD—documentation and guidance available at PGI 239.7405
*DFARS 239.7403 and 239.7404 are RESERVED

Certified Cost or Pricing Data and data other than Certified Cost or Pricing Data (239.7406)
• Tariffed Services by Common Carriers
• No certified cost/pricing data required
• Considered prices set by regulation, even if tariff is set post-award
• Non-tariffed or Noncommon Carrier Services
• Not considered prices set by law/regulation; Price Reasonableness Still Required
• CO must obtain adequate data per FAR 15.403-3/-4
• See PGI 239.7406 for examples of when additional data is needed
• PGI 239.7406 – When Additional Data May Be Needed
• Non-tariffed services or special (non-tariffed) rates/charges
• Custom assembly, construction, or equipment charges
• Fixed contingent liabilities and proposed cancel/terminate fees
• Reuse arrangements or Government-unique service tariffs
• Voluntary tariffs from nondominant carriers or new service tariffs filed for Government use

Type of Contract (239.7407)
• Use of Basic Agreement + CSA
• Contracting officers may use a basic agreement (FAR 16.702) paired with Communication Service
Authorizations (CSA) to acquire telecom services (procedures outlined in PGI 239.7407)
• CSA Requirements (per PGI 239.7407):
• Use DD Form 428 (CSA) or approved digital substitute to award, modify, cancel, or terminate telcomm
services
• Each CSA must:
• Reference the basic agreement
• Identify service types, quantities, and prices (tariffed or not)
• Specify service location and billing address
• List disbursing office and funding info
• Include an expiration date
• Before CSA Award:
• Comply with all applicable FAR/DFARS requirements (competition, reviews and approvals, D&Fs, etc.)

Special Construction (239.7408) Part 1: General Policy
• Special construction = customized carrier-provided services/facilities beyond standard telecom (moves,
expedited builds, temp setups)
• Examples Include:
• Moving/relocating equipment
• Providing temporary or expedited facilities
• Custom channel builds for USG use
• Acquisition Guidance:
• Use DFARS 239.7408, not FAR Part 36
• May involve:
• Termination liability for early cancellation
• One-time or recurring construction charges
• Minimum service or relocation fees

Special Construction (239.7408) Part 1: General Policy
• Evaluation Requirements:
• Require a detailed special construction proposal
• Analyze to:
• Confirm adequacy
• Avoid excessive/duplicate work
• Select cost structure best for the USG
• Approval Timing:
• Aim for analysis/approval before service begins
• If not possible:
• Impose a cost ceiling before start
• CO must approve charges before final payment

Special Construction (239.7408) Part 2: Labor Standards
• Construction Labor Standards (FAR 22.4):
• Generally do not apply to special construction
• May apply if work meets FAR 22.401 definitions (construction, alteration, or repair of a public
building/work)
• Determination Criteria:
• Refer to FAR 22.402 to assess applicability
• Contract Requirements (if applicable):
• CSA or other contract must cite when FAR 22.4 labor standards apply

Special Assembly (239.7409)
• Definition:
• Involves custom design, assembly, or wiring of telecom equipment not achievable with general-use gear
• Key Points:
• Required when standard equipment won’t meet telecom needs
• Costs should be estimated and negotiated upfront
• If upfront negotiation isn’t possible:
• Use provisional rates, subject to later adjustment
• Modify CSA to reflect final negotiated rates/charges once settled
• Contracting Guidance:
• COs must ensure rates reflect reasonable estimated costs
• Always finalize terms as early as feasible to manage risk

Cancellation and Termination (239.7410)
• Definitions:
• Cancellation: Requirement is stopped after ordering but before service starts
• Termination: Requirement is stopped after service has begun
• Key Point:
• Charges for either are governed by the applicable tariff or contract terms

Contract Clauses (239.7411(a))
• Use the following clauses in all solicitations, contracts, and basic agreements for
telecommunications services. Do not modify unless necessary to mee the requirement of a
regulatory agency.
• 252.239-7002 Access
• Contractor granted access to USG-controlled telecom facilities, subject to security regulations
• If access is denied, USG assumes maintenance responsibility and liability for damage
• 252.239-7004 Orders for Facilities and Services
• Contractor must perform per tariffs or lowest available rates for similar services
• USG does not prepay; charges are paid monthly in arrears
• Expediting charges must be authorized and justified
• Equipment acquisition may be directed or furnished by the USG
• Changes or deferrals to orders require equitable adjustment

Contract Clauses (239.7411(b))
• Use the following clauses in all solicitations, contracts, and basic agreements for
telecommunications services when the acquisition includes special construction.
• 252.239-7011 Special Construction and Equipment Charges
• USG does not reimburse construction/equipment costs unless authorized
• If discontinued, contractor must credit USG based on reuse or salvage value
• Charges capped at actual, allocable costs; must exclude costs already covered elsewhere
• Recurring charges must not include previously reimbursed amounts
• If replacement is needed (beyond contractor's control), USG may cover costs if previously
reimbursed
• USG may terminate service instead of funding replacement
• 252.239-7012 Title to Telecommunication Facilities and Equipment
• Contractor retains title to all furnished facilities and equipment, even if costs were reimbursed
• Exceptions allowed via mutually accepted CSA
• Contractor responsible for operation and maintenance regardless of ownership

Clauses Applicable to Basic Agreements (239.7411(c))
• 252.239-7013, Term of Agreement and Continuation of Services
• Basic clause:
• Use when not superseding an existing basic agreement
• Basic agreement is not a contract; liability begins with issuance of CSA
• Continues year-to-year unless terminated with 30 days’ notice
• Termination of basic agreement does not cancel existing CSAs
• CSAs may be modified to incorporate terms of a new basic agreement
• Alternate I clause: use when superseding an existing basic agreement
• Adds required language identifying the superseded agreement
• Existing CSAs are modified to incorporate new agreement terms
• Allows for modification of CSAs to incorporate future agreements

Clauses Applicable to Contracts Requiring Secure Telecommunications (239.7411(d))
• 252.239-7016, Telecommunications Security Equipment, Devices, Techniques, and Services
• Defines securing, sensitive information, and telecommunications systems
• Requires securing of identified classified or sensitive information
• Contractor must use USG-approved equipment/techniques
• Contractor must furnish necessary security measures unless otherwise stated
• Clause must be flowed down to subcontractors requiring secure telecoms
*DFARS 239.75 is RESERVED

DFARS 239.76 CLOUD COMPUTING
Scope (239.7600) and Key Definitions* (239.7601) 8See DFARS for complete list of definitions
• Scope:
• Prescribes DoD policies and procedures for the acquisition of cloud computing services
• Key Definitions:
• Authorizing official: Senior DoD official authorized to accept risk and approve system
operation (per DoDI 8510.01)
• Cloud computing: On-demand network access to shared computing resources (SaaS, IaaS,
PaaS); includes rapid provisioning, resource pooling, broad network access
• Government data: Any info created or obtained by the USG during official business
• Government-related data: Info created or obtained by a contractor from handling USG data;
excludes contractor’s business records or proprietary data not uniquely applied to USG use
• Information system: Organized resources used to process, store, or disseminate information
• Media: Physical devices used to store or output information (tapes, disks, chips, printouts)

Policy and Responsibilities, General (239.7602-1)
• Commercial Terms
• Use commercial terms consistent with Federal law and agency needs (EULAs, TOS); CO must
review/consult legal
• Terms must be incorporated into contracts appropriately
• Provisional Authorization Requirement
• Cloud services must be from a provider with provisional authorization from DISA at the appropriate SRG
level
• Found at: https://public.cyber.mil/dccs/
• Exceptions to Provisional Authorization
• Waived by DoD CIO
• Private, on-premises cloud from USG facilities (authorization required before operational use)
• Requiring Activity Must Provide:
• Definitions of USG data and USG-related data
• Ownership, licensing, delivery, and disposition instructions
• Requirements for inspection, audit, or investigation access
• Requirements to support system-wide search and access

Policy and Responsibilities, Data Storage Requirements (239.7602-2)
• Default Requirement:
• USG data must be stored within the 50 States, DC, or US outlying areas, unless hosted on DoD
premises
• Any exceptions require written authorization from the Authorizing Official (per DoDI 8510.01
and SRG)
• PGI Guidance (239.7602-2(b)):
• Before data may be stored outside the US., the contracting officer must obtain written
authorization from the Authorizing Official
• Once authorized, the contracting officer must issue written notice to the contractor approving
external storage

Procedures (239.7603)
• DFARS 239.7603 Procedures
• Contracting officers must follow the procedures outlined in PGI 239.7603 when acquiring cloud
computing services.
• PGI 239.7603-1 General Procedures
• If the offeror indicates the use of cloud services per DFARS 252.239-7009:
• Contracting officer must verify provisional authorization in the DoD Cloud Service Catalog prior to
award.
• If cloud services were not anticipated but requested after award per DFARS 252.239-7010(b)(1):
• Obtain requiring activity's approval.
• Verify provisional authorization in the Cloud Service Catalog prior to use.
• PGI 239.7603-2 Third Party Access Requests
• When contractor notifies of a third-party request for USG or USG-related data (DFARS 252.239-7010(j)):
• Contracting officer conveys the request to the requiring activity.
• Requiring activity coordinates the response with the mission/data owner.

• PGI 239.7603-3 Cyber Incident and Compromise Reporting
• Upon cyber incident report:
• DC3 sends encrypted email to contracting officer listed on ICF.
• PCO must notify requiring activities for affected contracts.
• If ACO receives report, they notify PCO, who notifies requiring activity.
• DoD may designate a single contracting officer if multiple contracts are affected.
• If requested:
• CO provides contractor with malware submission instructions (never receives malware
directly).
• CO issues written requests for access to info or equipment if required by requiring activity.
• Reference FAQ:
http://www.acq.osd.mil/dpap/pdi/network_penetration_reporting_and_contracting.html

• PGI 239.7603-4 DoD Damage Assessment Activities
• Before initiating assessment:
• CO verifies if DFARS 252.239-7010 clause is in contract.
• If not present, notify requiring activity that assessment may be a contract change.
• For media requests:
• CO issues written request, provides submission instructions, and copies DC3 & requiring
activity.
• If media not required, notify contractor and share with DC3 and requiring activity.
• Documentation:
• All CO actions and communications must be documented in the contract file.
• Upon receipt:
• DC3 confirms media receipt in writing.
• Requiring activity provides assessment findings.
• CO files the report and shares with contractor.

Provisions and Clauses (239.7604)
• Required in all solicitations and contracts for IT services, including under FAR Part 12 for commercial
products/services.
• 252.239-7009 – Representation of Use of Cloud Computing (Provision)
• Offeror must declare if they plan to use cloud computing.
• Used at solicitation stage.
• Helps COs assess compliance needs before award.
• 252.239-7010 – Cloud Computing Services (Clause)
• Use of cloud must be pre-approved by the CO.
• Cloud provider must have DISA provisional authorization (unless waived).
• Must comply with the Cloud Computing SRG.
• Data must be stored within the US or outlying areas (unless authorized).
• Covers cyber incident reporting, spillage, media retention, and records access.
• Requires flowdown to all subs that may involve cloud services.

THANK YOU For Attending!
QUESTIONS?
Please Contact Our Speaker:
SPEAKER: Megan VanHorn
FIRM: Bridge4Acquisitions Inc.
EMAIL: megan@bridge4acq.com

Please subscribe to our YouTube Channel
for Gov Con Content Uploads
including THESE WEBINARS!
https://www.youtube.com/@jenniferschaus/videos

Thank You For Attending!
The DFARS – 2025
The Defense Federal Acquisition Regulation
Supplement
A Complimentary Webinar Series

DFARS Part 239 Acquisition Of Information Technology

More Related Content

Similar to DFARS Part 239 Acquisition Of Information Technology (20)

More from JSchaus & Associates (17)

Recently uploaded (20)

DFARS Part 239 Acquisition Of Information Technology