USAID Acquisition Regulation (AIDAR): Security and Information Technology Requirements

Published date: 20 March 2024
Record Number: 2024-05748
Citation: 89 FR 19754
Court: Agency For International Development
Section: Rules and Regulations
Federal Register, Volume 89 Issue 55 (Wednesday, March 20, 2024)
[Federal Register Volume 89, Number 55 (Wednesday, March 20, 2024)]
                [Rules and Regulations]
                [Pages 19754-19760]
                From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
                [FR Doc No: 2024-05748]
                =======================================================================
                -----------------------------------------------------------------------
                AGENCY FOR INTERNATIONAL DEVELOPMENT
                48 CFR Chapter 7
                RIN 0412-AA87
                USAID Acquisition Regulation (AIDAR): Security and Information
                Technology Requirements
                AGENCY: U.S. Agency for International Development.
                ACTION: Final rule.
                -----------------------------------------------------------------------
                SUMMARY: This final rule amends the U.S. Agency for International
                Development (USAID) Acquisition Regulation (AIDAR) to incorporate a
                revised definition of ``information technology'' (IT) and new contract
                clauses relating to information security, cybersecurity, and IT
                resources. The purpose of these revisions is to provide increased
                oversight of contractor acquisition and use of IT resources.
                DATES: This final rule is effective May 20, 2024.
                FOR FURTHER INFORMATION CONTACT: Jasen Andersen, Procurement Analyst,
                USAID M/OAA/P, at 202-286-3116 or [email protected] for
                clarification of content or information pertaining to status or
                publication schedules. All communications regarding this rule must cite
                RIN No. 0412-AA87.
                SUPPLEMENTARY INFORMATION:
                A. Background
                 USAID published a proposed rule on March 21, 2019 (84 FR 10469) to
                amend the AIDAR to implement various requirements related to
                information security and IT resources that support the operations and
                assets of the agency, including those managed by contractors. These new
                requirements will strengthen protections of agency information systems
                and facilities. The public comment period closed on May 20, 2019.
                B. Discussion and Analysis
                 USAID updated the final rule to incorporate feedback from public
                comments, streamline requirements by removing duplicative or
                unnecessary elements from the rule, and maintain consistency with the
                Federal Acquisition Regulation (FAR). USAID received four public
                comments in response to the proposed rule. USAID assessed the public
                comments in the development of the final rule. The full text of the
                comments is available at the Federal Rulemaking Portal,
                www.regulations.gov. A summary of the comments, USAID's responses, and
                changes made to the rule as a result are as follows:
                (1) Summary of Significant Changes
                 The following significant changes from the proposed rule are made
                in the final rule, organized below using the section titles from the
                proposed rule:
                 (i) AIDAR Part 739, Acquisition of Information Technology. No
                changes were made to the definition of ``information technology'' as a
                result of the public comments received. Minor administrative changes
                were made to revise AIDAR Part 739 to add a section regarding the scope
                of the part, as well as the prescriptions for the applicable contract
                clauses included in this final rule.
                 (ii) AIDAR 752.204-72 Homeland Security Presidential Directive-12
                (HSPD-12) and Personal Identity Verification (PIV). Several changes
                were made to this clause as a result of the public comments received.
                In response to a commenter's concerns that the proposed rule limited
                access to only U.S. citizens and resident aliens, USAID revised the
                clause to clarify that various types of credentials are available to
                different types of users--including non-U.S. citizens--who require
                physical access to USAID facilities and/or logical access to USAID
                information systems. Similarly, revisions also update the forms of
                identity source documents that must be presented to the Enrollment
                Office personnel, based on the credential type, as well as
                applicability of any security background investigation. To avoid
                confusion generated by the reference to the PIV credential, which may
                only be issued to U.S. citizens and resident aliens, USAID reverted the
                title of the clause back to its prior name, ``Access to USAID
                Facilities and USAID's Information Systems.'' The revisions also
                provide clarity regarding the contents of the monthly staffing report
                required by the clause. Finally, a new Subpart 704.13 was created to
                house the prescription for this clause, with this prescription moved
                from AIDAR 704.404 to AIDAR 704.1303.
                 (iii) AIDAR 752.204-XX USAID-Financed Third-Party Websites. The
                public comments led to several revisions in this clause. One commenter
                highlighted that the clause did not differentiate appropriately between
                a contractor's website used to implement a project versus a Federal
                agency's website maintained by a contractor on behalf of the agency. In
                its subsequent analysis, USAID further determined that ``third-party
                website,'' as defined in OMB Memorandum No. M-10-23 (``Guidance for
                Agency Use of Third-Party Websites and Applications''), was not the
                correct terminology for this clause. While the contract funds the
                website, the contractor does not operate the website on the agency's
                behalf. Instead, the final rule now defines a new term and establishes
                applicability of the clause to ``project websites.'' As further
                explained in this new definition, there are multiple differentiators
                that distinguish a ``project website'' from a ``Federal agency
                website'' under OMB Memorandum No. M-23-10 (``The Registration and Use
                of .gov Domains in the Federal Government'')--where it is hosted, who
                is responsible for all operations and management, whether the website
                is operated on behalf of USAID, and whether the website provides
                official communications, information, or services from USAID. USAID
                renamed the clause to ``USAID-Financed Project Websites'' to reflect
                this change in terminology. In addition, based on public comments,
                USAID removed certain requirements from the clause, such as the
                notification to and approval from the Contracting Officer's
                Representative and the USAID Legislative and Public Affairs (LPA)
                division, or the authorization of USAID to conduct periodic
                vulnerability scans. Instead, the contractor is solely responsible for
                all project website content, operations, management, information
                security, and disposition. Other requirements were removed from the
                clause because they are covered by other standard contract
                requirements--for example, USAID branding/marking requirements were
                removed from this
                [[Page 19755]]
                clause, as they are typically addressed in a branding/marking plan
                required elsewhere in the contract.
                 (iv) AIDAR 752.239-XX Limitation on Acquisition of Information
                Technology and AIDAR 752.239-XX Use of Information Technology Approval.
                As a result of the public comments received, these two overlapping
                clauses from the proposed rule were combined into a single AIDAR
                752.239-70 (``Information Technology Authorization'') clause in the
                final rule. USAID believes this provides better clarity and promotes
                consistency in the IT approval process. No change was made to the
                definition of ``information technology'' used in this clause. Instead,
                the revisions focus on clarifying procedures that a contractor must
                follow in seeking approval of any IT not specified in the schedule of
                the contract. The revised clause provides more details regarding the
                contents of any approval request. In addition, the revised clause
                allows written approval, removing the burden of requiring a contract
                modification to indicate approval of additional IT by the Contracting
                Officer.
                 (v) AIDAR 752.239-XX Software License. Based on the public comments
                received, USAID re-evaluated the need for this clause. As noted in some
                of the public comments, this clause presents challenges due to the
                commercial nature of the transaction between the contractor and the
                software vendor, as well as concerns regarding privity of contract, if
                the U.S. Government imposes additional ``addendum'' requirements. After
                consideration of the public comments and further analysis--including
                assessing which elements of this clause may be addressed elsewhere in
                the FAR, such as in the contract cost principles in FAR Part 31--USAID
                determined that this clause is no longer needed and removed it from the
                final rule. While this ``Software License'' clause is no longer part of
                this rule, USAID reminds contractors that software acquisitions must
                adhere to other applicable contractual requirements, including the IT
                approval requirements outlined in the revised AIDAR 752.239-70
                (``Information Technology Authorization'') clause.
                 (vi) AIDAR 752.239-XX Information and Communication Technology
                Accessibility. Revisions were made to this clause to clarify the
                requirements and applicability of Section 508 of the Rehabilitation Act
                of 1973, as amended, to information and communication technology (ICT)
                supplies and services. One significant change is the removal of the
                full list of Section 508 accessibility standards. Instead, the clause
                notes that the specific applicable standards must be identified
                elsewhere in the contract (e.g., in Section C), in alignment with FAR
                Subpart 39.1. USAID also revised the clause to incorporate procedures
                to enable the Government to determine whether delivered supplies or
                services conform to Section 508 accessibility standards. In order to
                ensure full compliance of all ICT supplies and services delivered under
                a contract with Section 508 requirements, USAID added a flow-down
                requirement to apply the clause to subcontractors.
                 (vii) AIDAR 752.239-XX Skills and Certification Requirements for
                Privacy and Security Staff. Based on the public comments received,
                USAID re-evaluated the need for this clause. After further assessment,
                USAID removed this clause from the final rule. In alignment with the
                ``National Cyber Workforce and Education Strategy'' issued by the
                Office of the National Cyber Director in July 2023, USAID will use a
                skills-based approach rather than relying solely on educational
                qualifications and industry-recognized certifications.
                 (viii) Clause prescriptions. Throughout the final rule, the
                prescriptions for each clause have been revised to ensure clarity in
                the instructions, as well as alignment with the AIDAR text where the
                topic is addressed.
                (2) Summary of and Response to Public Comments
                 USAID reviewed the public comments in the development of the final
                rule. A discussion of the comments is provided as follows:
                (i) Definition of ``Information Technology'' and Applicability of the
                Rule
                 Comment: Three commenters submitted comments regarding the
                definition of ``information technology'' (IT) and the applicability of
                the IT authorization requirements in two clauses in the proposed rule
                (``Limitation on Acquisition of Information Technology'' and ``Use of
                Information Technology Approval''). These commenters indicated the
                definition of IT was confusing and that Contracting Officers may
                interpret the definition differently, resulting in inconsistent
                application of the rule and delays in contract performance. These
                commenters questioned whether all technology acquisitions--such as
                computers, laptops, printers, other commercial products and services,
                and commercially available off-the-shelf (COTS) items procured by a
                contractor--are within the scope of these IT authorization
                requirements. These commenters suggested that this rule should apply
                to USAID infrastructure only, such as computer systems that
                interface directly with USAID internal IT systems.
                 Response: This rule uses the definition of ``information
                technology'' issued by the Office of Management and Budget (OMB) in OMB
                Memorandum M-15-14 (``Management and Oversight of Federal Information
                Technology''), pursuant to the Federal Information Technology
                Acquisition Reform Act (FITARA). USAID continues to use this definition
                in the final rule in order to maintain consistency with OMB guidance
                and FITARA implementation principles.
                 To simplify the rule and promote consistency in its application,
                USAID has combined the prior two clauses (``Limitation on Acquisition
                of Information Technology'' and ``Use of Information Technology
                Approval'') from the proposed rule into a single AIDAR 752.239-70
                (``Information Technology Authorization'') clause in the final rule.
                 OMB's FITARA definition of IT adopted by USAID for this rule
                applies to any services or equipment ``used by an agency,'' which--as
                further defined in the clause--includes ``if used by the agency
                directly or if used by a contractor under a contract with the agency .
                . .'' This clause applies to all such IT, including hardware (e.g.,
                computers, laptops, desktops, tablets, printers, etc.), infrastructure
                equipment (e.g., networking equipment, routers, switches, firewalls,
                etc.), software including software as a service (SaaS), cloud services,
                artificial intelligence (AI) and emerging information technologies, and
                other commercial items and COTS technology. The applicability of this
                clause and the definition of ``information technology'' do not solely
                depend on whether the items directly interface with USAID internal IT
                systems or connect to the Agency's infrastructure.
                 To further assist Contracting Officers in the consistent
                application of this rule, USAID provides direction and guidance to
                Agency staff, such as in Automated Directives System (ADS) Chapter 509
                available at https://www.usaid.gov/about-us/agency-policy/series-500/509, that is consistent with OMB resources and FITARA.
                (ii) IT Procurements for Counterparts
                 Comment: One commenter indicated support for the proposed rule and
                its importance in fulfilling the Agency's responsibility to govern the
                organization's technology infrastructure, but questioned whether it was
                within the FITARA statutory authority to apply
                [[Page 19756]]
                the rule's approval requirements to IT that do not become part of the
                Agency's technology infrastructure. As an example, the commenter cited
                procurements of IT for international development work with third
                parties (e.g., procurements of IT for host country counterparts).
                 Response: USAID acknowledges the support for the rule and agrees
                this rule is an important measure to promote the Agency's oversight and
                stewardship of IT resources. USAID also agrees there are certain IT
                acquisitions by a contractor that may not be subject to the IT approval
                requirements established in the AIDAR 752.239-70 (``Information
                Technology Authorization'') clause. For example, IT procured by a
                contractor that is provided directly and immediately to a host country
                counterpart does not fall into this FITARA definition of IT because it
                does not meet this IT definition's qualifier of ``used by an agency.''
                Examples of IT procured for a host country counterpart could include a
                health information management system purchased for a host country
                ministry of health or computers procured for a host country educational
                institution. However, if USAID or the contractor first ``uses'' the
                services or equipment before transferring it to a host country
                counterpart, the items are then considered to be ``used by an agency,''
                as defined in the FITARA definition, and therefore subject to the IT
                approval requirements established in the AIDAR 752.239-70
                (``Information Technology Authorization'') clause. For example, if a
                contractor uses a health survey tool for any period of time that is
                required as part of its performance of the contract, and then transfers
                the tool to the host country government, that tool is considered to be
                IT as defined in this FITARA definition. Because the scope of FITARA
                does apply beyond the Agency's technology infrastructure, no changes
                were made to the language in the rule.
                (iii) IT ``Incidental to a Contract''
                 Comment: Two commenters raised concerns that the definition of
                ``information technology'' is not clear regarding equipment acquired by
                a contractor that is ``incidental to a contract.'' One of these
                commenters suggested that this ``incidental'' exception should be deleted
                to avoid confusion.
                 Response: OMB's FITARA definition of IT specifically notes that the
                term ``information technology'' does not include any equipment that is
                acquired by a contractor incidental to a contract that does not require
                use of the equipment. Examples of ``incidental'' IT could include a
                contractor's corporate human resources systems, financial management
                systems, or email management systems, as the contractor acquired them
                to assist in managing its own resources assigned to a U.S. Government
                contract. USAID believes this ``incidental'' exclusion is a critical
                element of the definition of IT in order to maintain consistency with
                OMB guidance and FITARA implementation principles. As such, no changes
                were made to this language in the rule.
                (iv) USAID Resources and Timing for IT Authorizations
                 Comment: For the ``Limitation on Acquisition of Information
                Technology'' and ``Use of Information Technology Approval'' clauses in
                the proposed rule, two commenters expressed concerns regarding the
                availability of USAID resources to carry out the necessary approval
                processes in an efficient manner. The commenters indicated that this
                authorization process may lead to delays and significant hindrances to
                the implementation of development work by contractors, if approval is
                required to ``purchase of every piece of IT hardware.''
                 Response: USAID's Bureau for Management, Office of the Chief
                Information Officer (M/CIO) has sufficient resources to efficiently
                fulfill the IT approval requirements of this rule, now reflected in a
                single AIDAR 752.239-70 (``Information Technology Authorization'')
                clause in the final rule.
                 Comment: One commenter suggested that a contractor's notification to
                the Contracting Officer's Representative (COR)--rather than an approval
                from USAID--would be more appropriate for IT procurements included in
                the offeror's proposal and/or prime contract.
                 Response: Under FITARA, the CIO is required to review and approve
                all IT acquisitions. No changes are made to these requirements.
                (v) USAID's IT Regulatory and Policy Framework
                 Comment: Two commenters questioned if this rule replaces the
                procedures of USAID's ADS Chapter 548, or if any procedures from ADS
                Chapter 548 should be included in this new rule.
                 Response: USAID's policies previously detailed in ADS Chapter 548
                are obsolete and no longer applicable. These policies were archived in
                May 2019.
                 Comment: Two commenters questioned whether the proposed rule would
                apply to IT procurements conducted by recipients under USAID grants and
                cooperative agreements.
                 Response: The content of this rule only applies to acquisition
                awards (e.g., contracts); this rule does not apply to federal
                assistance awards (e.g., grants and cooperative agreements). ADS
                Chapter 509, available at https://www.usaid.gov/about-us/agency-policy/series-500/509, contains further clarification on the distinction
                between acquisition and assistance for IT procurements.
                (vi) Software License Clause
                 Comment: Two commenters provided comments on the AIDAR 752.239-XX
                ``Software License'' clause from the proposed rule, noting potential
                challenges and confusion in complying with this clause, particularly
                for commercial items and commercially available off-the-shelf (COTS)
                items.
                 Response: USAID concurs with the concerns noted in these comments
                and has removed this clause from the final rule.
                (vii) USAID-Financed Project Websites Clause
                 Comment: One commenter provided several comments regarding the
                requirements and process for the proposed rule's ``USAID-Financed
                Third-Party Websites'' clause, highlighting that the clause did not
                distinguish appropriately between a contractor's website used to
                implement a project versus a Federal agency's website. The commenter
                also questioned the need for notification by the contractor to the
                Contracting Officer's Representative (COR) for USAID's Bureau for
                Legislative and Public Affairs (LPA) evaluation and approval, as well
                as the requirement for contractors to authorize USAID to conduct
                periodic vulnerability scans.
                 Response: USAID agrees with several of the commenter's concerns.
                The proposed rule did not adequately define the type of website subject
                to requirements of this clause. The final rule contains several
                revisions to this clause, most notably clarifying that it applies to a
                ``project website'' funded by USAID, which is now defined in the final
                rule. This definition of ``project website'' is distinct from a
                ``third-party website'' and also provides a differentiation from
                websites within the Federal Government domain (i.e., ``.gov''), in
                accordance with guidance established in OMB Memorandum No. M-23-10. The
                clause in this final rule has been renamed to ``USAID-Financed Project
                Websites'' to reflect this change in terminology. The final rule also
                removes the COR/LPA notification and approval requirements. As the
                contractor is solely responsible for all
                [[Page 19757]]
                security safeguards for the website, the final rule removes the
                requirement for contractors to authorize USAID to conduct periodic
                vulnerability scans.
                 Comment: One commenter questioned whether this rule affects
                existing project websites funded by USAID.
                 Response: This AIDAR 752.239-72 (``USAID-Financed Project
                Websites'') clause applies to any project website developed, launched
                or maintained under a prime contract that contains this clause.
                (viii) Skills and Certification Requirements Clause
                 Comment: For the ``Skills and Certification Requirements for
                Privacy and Security Staff'' clause, one commenter suggested that the
                Certified Information Systems Security Professional (CISSP)
                certification process is unclear and requested clarification regarding
                the definition of ``significant information security
                responsibilities.''
                 Response: USAID has removed this clause from the final rule to
                maintain consistency with the FAR and the National Cyber Workforce and
                Education Strategy issued by the Office of the National Cyber Director,
                which support using a skills-based approach rather than relying solely
                on educational qualifications and industry-recognized certifications.
                (ix) Access to USAID Facilities and USAID's Information Systems Clause
                 Comment: One commenter suggested that the proposed personal
                identity verification (PIV) clause unnecessarily restricts physical and
                logical access only to U.S. citizens and resident aliens, prohibiting
                access to cooperating country nationals (CCNs) and third country
                nationals (TCNs).
                 Response: PIV cards may only be issued to U.S. citizens and
                resident aliens; non-U.S. citizens are not authorized to receive PIV
                cards. Instead, USAID issues PIV-Alternative (PIV-A) cards to eligible
                CCNs and TCNs who require physical or logical access, as described
                further in ADS Chapter 542, available at https://www.usaid.gov/about-us/agency-policy/series-500/542. USAID revised the clause to clarify
                that various types of credentials are available to different types of
                users who require physical access to USAID facilities and/or logical
                access to USAID information systems.
                 Comment: One commenter expressed a concern that non-U.S. citizens
                may not possess a U.S. Federal or State Government-issued picture ID
                for purposes of the identity source documentation required for
                obtaining credentials. One commenter noted the rule does not specify
                how to identify the appropriate Enrollment Office to work with and
                physically present the identity source documents.
                 Response: In the credentialing process, two forms of identity
                source documents must be presented to the Enrollment Office personnel.
                The Federal or State Government-issued picture ID is required to obtain
                a PIV card, which is available to U.S. citizens only. For non-U.S.
                citizens, the contractor may contact the COR to request a list of
                acceptable forms of documentation, as this information varies by
                location. USAID updated the clause to clarify this information.
                 Comment: One commenter requested additional information regarding
                the requirement for documentation of security background
                investigations.
                 Response: Homeland Security Presidential Directive-12 (HSPD-12)
                requires that agencies complete background investigations on all
                employees and contractors when issuing credentials. ADS Chapter 542,
                available at https://www.usaid.gov/about-us/agency-policy/series-500/542, contains additional details regarding USAID's procedures related
                to background investigations in the credentialing process. USAID
                revised the clause to clarify that documentation of a security
                background investigation must be submitted as part of the credentialing
                process, when applicable.
                 Comment: One commenter suggested that USAID harmonize access
                requirements for those contractors with CCN and TCN staff versus the
                requirements for USAID's CCN and TCN personal services contractors.
                 Response: The same physical and logical access requirements apply
                to both contractor employees and individuals issued personal services
                contracts. As personal services contracts with individuals (issued
                under Appendices D and J of the AIDAR) are not within the scope of this
                rule, no changes were made to the rule.
                (x) Outside the Scope of This Rule
                 Comment: One commenter noted that the rule does not specify what
                the COR will do with the list of individuals reported by the contractor
                to the COR each month under paragraph (d) of this AIDAR 752.204-72
                clause.
                 Response: The COR's responsibilities regarding the staffing list
                will be addressed in internal Agency policy. As such, no changes were
                made to the rule.
                 Comment: One commenter questioned if the proposed rule impacted the
                use of USAID systems such as Development Experience Clearinghouse
                (DEC), Development Data Library (DDL), and TrainNet.
                 Response: This rule does not affect the use of DEC, DDL, or
                TrainNet. This comment is outside the scope of this rule.
                 Comment: One commenter noted that the language of the proposed rule
                seemed clear, but suggested the development of a supplemental
                ``decision guide'' to facilitate the interpretation of the rule's IT
                approval requirements.
                 Response: The commenter's suggestion is outside the scope of the
                rule.
                C. Regulatory Considerations and Determinations
                (1) Executive Orders 12866, 13563, and 14094
                 This final rule was drafted in accordance with Executive Order
                (E.O.) 12866, as amended by E.O. 13563 and E.O. 14094. OMB has
                determined that this rule is not a ``significant regulatory action,''
                as defined in section 3(f) of E.O. 12866, as amended, and is therefore
                not subject to review by OMB.
                (2) Expected Cost Impact on the Public
                 There are no costs to the public associated with this rulemaking.
                (3) Regulatory Flexibility Act
                 The rule does not have a significant economic impact on a
                substantial number of small entities within the meaning of the
                Regulatory Flexibility Act, 5 U.S.C. 601, et seq. Therefore, a
                Regulatory Flexibility Analysis has not been performed.
                (4) Paperwork Reduction Act
                 This rule contains information collection requirements that were
                detailed in the proposed rule and have been submitted to the Office of
                Management and Budget (OMB) under the Paperwork Reduction Act (44
                U.S.C. chapter 35). This information collection requirement has been
                assigned OMB Control Number 0412-0603, entitled ``Information
                Collection under AIDAR Clause 752.204-72, Access to USAID Facilities
                and USAID's Information Systems.'' No comments were received on the
                information collection outlined in the proposed rule.
                List of Subjects in 48 CFR Parts 704, 739, and 752
                 Government procurement.
                 For the reasons discussed in the preamble, USAID amends 48 CFR
                parts 704, 739, and 752 as set forth below:
                PART 704--ADMINISTRATIVE MATTERS
                1. The authority citation for 48 CFR part 704 continues to read as
                follows:
                 Authority: Sec. 621, Pub. L. 87-195, 75 Stat. 445, (22 U.S.C.
                2381) as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; 3 CFR,
                1979 Comp., p. 435.
                Sec. 704.404 [Amended]
                2. Amend Sec. 704.404 by removing and reserving paragraph (b).
                3. Add Subpart 704.13 to read as follows:
                Subpart 704.13--Personal Identity Verification
                Sec.
                704.1303 Contract clause.
                Sec. 704.1303 Contract clause.
                 When contract performance requires the contractor--including its
                employees, volunteers, or subcontractor employees at any tier--to have
                routine physical access to USAID-controlled facilities or logical
                access to USAID's information systems, the contracting officer must
                insert the clause found at FAR 52.204-9 and AIDAR 752.204-72 (``Access
                to USAID Facilities and USAID's Information Systems'') in the
                solicitation and contract.
                4. Add part 739 to read as follows:
                PART 739--ACQUISITION OF INFORMATION TECHNOLOGY
                Sec.
                739.000 Scope of part.
                739.001 [Reserved]
                739.002 Definitions.
                Subpart 739.1--General.
                739.106 Contract clauses.
                 Authority: Sec. 621, Pub. L. 87-195, 75 Stat. 445 (22 U.S.C.
                2381), as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; and 3
                CFR, 1979 Comp., p. 435.
                Sec. 739.000 Scope of part.
                 This part prescribes acquisition policies and procedures for use in
                acquiring--
                 (a) Information technology, as defined in this part, consistent
                with the Federal Information Technology Acquisition Reform Act
                (FITARA).
                 (b) Information and communication technology (ICT), as defined in
                FAR 2.101.
                Sec. 739.001 [Reserved]
                Sec. 739.002 Definitions.
                 As used in this part--
                 Information Technology (IT) means
                 (1) Any services or equipment, or interconnected system(s) or
                subsystem(s) of equipment, that are used in the automatic acquisition,
                storage, analysis, evaluation, manipulation, management, movement,
                control, display, switching, interchange, transmission, or reception of
                data or information by the agency; where
                 (2) Such services or equipment are ``used by an agency'' if used by
                the agency directly or if used by a contractor under a contract with
                the agency that requires either use of the services or equipment or
                requires use of the services or equipment to a significant extent in
                the performance of a service or the furnishing of a product.
                 (3) The term ``information technology'' includes computers,
                ancillary equipment (including imaging peripherals, input, output, and
                storage devices necessary for security and surveillance), peripheral
                equipment designed to be controlled by the central processing unit of a
                computer, software, firmware and similar procedures, services
                (including provisioned services such as cloud computing and support
                services that support any point of the lifecycle of the equipment or
                service), and related resources.
                 (4) The term ``information technology'' does not include any
                equipment that is acquired by a contractor incidental to a contract
                that does not require use of the equipment.
                Subpart 739.1--General.
                Sec. 739.106 Contract clauses.
                 (a) [Reserved]
                 (b) Contracting officers must insert the clause at 752.239-70,
                Information Technology Authorization, in all solicitations and
                contracts.
                 (c) Contracting officers must insert the clause at 752.239-71,
                Information and Communication Technology Accessibility, in
                solicitations and contracts that include acquisition of information and
                communication technology (ICT) supplies and/or services for use by
                Federal employees or members of the public.
                 (d) Contracting officers must insert the clause at 752.239-72,
                USAID-Financed Project websites, in solicitations and contracts fully
                or partially funded with program funds.
                PART 752--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
                5. The authority citation for part 752 continues to read as follows:
                 Authority: Sec. 621, Pub. L. 87-195, 75 Stat. 445, (22 U.S.C.
                2381) as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; 3 CFR,
                1979 Comp., p. 435.
                6. Revise Sec. 752.204-72 to read as follows:
                Sec. 752.204-72 Access to USAID Facilities and USAID's Information
                Systems.
                 As prescribed in AIDAR 704.1303, insert the following clause in
                Section I of solicitations and contracts:
                Access to USAID Facilities and USAID's Information Systems (May 2024)
                 (a) The Contractor must ensure that individuals engaged in the
                performance of this award as employees or volunteers of the
                Contractor, or as subcontractors or subcontractor employees at any
                tier, comply with all applicable personal identity verification
                (PIV) and Homeland Security Presidential Directive-12 (HSPD-12)
                procedures, including those summarized below, and any subsequent
                USAID or Government-wide procedures and policies related to PIV or
                HSPD-12.
                 (b) An individual engaged in the performance of this award may
                obtain access to USAID facilities or logical access to USAID's
                information systems only when and to the extent necessary to carry
                out this award. USAID issues various types of credentials to users
                who require physical access to Agency facilities and/or logical
                access to Agency information systems, in accordance with USAID's
                Automated Directives System (ADS) 542, available at https://www.usaid.gov/about-us/agency-policy/series-500/542.
                 (c) (1) No later than five (5) business days after award, unless
                the Contracting Officer authorizes a longer time period, the
                Contractor must provide to the Contracting Officer's Representative
                a complete list of individuals that require access to USAID
                facilities or information systems under this contract.
                 (2) Before an individual may obtain a USAID credential (new or
                replacement) authorizing the individual routine access to USAID
                facilities, or logical access to USAID's information systems, the
                individual must physically present two forms of identity source
                documents in original form to the Enrollment Office personnel when
                undergoing processing. To obtain a PIV card, one identity source
                document must be a valid Federal or State Government-issued picture
                ID from the I-9 list available at https://www.uscis.gov/i-9-central/form-i-9-acceptable-documents. For other types of credentials the
                Contractor can obtain the list of acceptable forms from the
                Contracting Officer's Representative. Submission of these documents,
                as well as documentation of any applicable security background
                investigation, is mandatory in order for the individual to receive a
                credential granting facilities and/or logical access.
                 (d) (1) No later than the 5th day of each month, the Contractor
                must provide the Contracting Officer's Representative with the
                following:
                 (i) a list of individuals with access who were separated in the
                past sixty (60) calendar days, and
                 (ii) a list of individuals hired in the past sixty (60) calendar
                days who require access under this contract.
                 (2) This information must be submitted even if no separations or
                hiring occurred during the past sixty (60) calendar days.
                 (3) Failure to comply with the requirements in paragraph (d)(1)
                may result in the suspension of all facilities and/or logical access
                associated with this contract.
                 (e) The Contractor must ensure that individuals do not share
                logical access to USAID information systems and sensitive
                information.
                 (f) USAID may suspend or terminate the access to any systems
                and/or facilities in the event of any violation, abuse, or misuse.
                The suspension or termination may last until the situation has been
                corrected or no longer exists.
                 (g) The Contractor must notify the Contracting Officer's
                Representative and the USAID Service Desk ([email protected] or
                202-712-1234) at least five (5) business days prior to the removal
                of any individuals with credentials from the contract. For unplanned
                terminations, the Contractor must immediately notify the Contracting
                Officer's Representative and the USAID Service Desk. Unless
                otherwise instructed by the Contracting Officer, the Contractor must
                return all credentials and remote authentication tokens to the
                Contracting Officer's Representative prior to departure of the
                individual or upon completion or termination of the contract,
                whichever occurs first.
                 (h) The Contractor must insert this clause, including this
                paragraph (h), in any subcontracts that require the subcontractor or
                a subcontractor employee to have routine physical access to USAID
                facilities or logical access to USAID's information systems. The
                Contractor is responsible for providing the Contracting Officer's
                Representative with the information required under paragraphs (c)(1)
                and (d)(1) of this clause for any applicable subcontractor or
                subcontractor employee.
                (End of clause)
                7. Add section 752.239-70 to read as follows:
                752.239-70 Information Technology Authorization.
                 As prescribed in AIDAR 739.106(b), insert the following clause in
                Section I of solicitations and contracts:
                Information Technology Authorization (May 2024)
                 (d) Definitions. As used in this contract:
                 Information Technology means
                 (1) Any services or equipment, or interconnected system(s) or
                subsystem(s) of equipment, that are used in the automatic
                acquisition, storage, analysis, evaluation, manipulation,
                management, movement, control, display, switching, interchange,
                transmission, or reception of data or information by the agency;
                where
                 (2) such services or equipment are ``used by an agency'' if used
                by the agency directly or if used by a contractor under a contract
                with the agency that requires either use of the services or
                equipment or requires use of the services or equipment to a
                significant extent in the performance of a service or the furnishing
                of a product.
                 (3) The term ``information technology'' includes computers,
                ancillary equipment (including imaging peripherals, input, output,
                and storage devices necessary for security and surveillance),
                peripheral equipment designed to be controlled by the central
                processing unit of a computer, software, firmware and similar
                procedures, services (including provisioned services such as cloud
                computing and support services that support any point of the
                lifecycle of the equipment or service), and related resources.
                 (4) The term ``information technology'' does not include any
                equipment that is acquired by a contractor incidental to a contract
                that does not require use of the equipment.
                 (b) Approval Requirements. The Federal Information Technology
                Acquisition Reform Act (FITARA) requires Agency Chief Information
                Officer (CIO) review and approval of acquisitions of information
                technology and information technology services. Any information
                technology specified in the Schedule of this contract has already
                been approved by the CIO. The Contractor must not acquire any
                additional information technology without the prior written approval
                of the Contracting Officer as specified in this clause.
                 (c) Request for Approval Procedure.
                 (1) If the Contractor determines that any information technology
                not specified in the Schedule will be necessary in the performance
                of the contract, the Contractor must request prior written approval
                from the Contracting Officer, including the Contracting Officer's
                Representative and the Office of the CIO ([email protected])
                on the request.
                 (2) In the request, the Contractor must provide an itemized
                description of the information technology to be procured. For
                equipment (including hardware and software), the Contractor must
                include any applicable brand names, model/version numbers,
                quantities, and estimated unit and total cost information. For
                services, the Contractor must provide a detailed description of the
                services, name(s) of the service provider(s), and estimated cost
                information.
                 (3) The Contracting Officer will approve or deny in writing the
                Contractor's request. If granted, the Contracting Officer will
                specify in writing the information technology approved by the CIO
                for purchase.
                 (d) Subcontracts. The Contractor must insert the substance of
                this clause, including this paragraph (d), in all subcontracts. The
                Contractor is responsible for requesting any approval required under
                paragraphs (b) and (c) of this clause for any applicable
                subcontractor information technology acquisition.
                (End of clause)
                8. Add Sec. 752.239-71 to read as follows:
                Sec. 752.239-71 Information and Communication Technology
                Accessibility.
                 As prescribed in AIDAR 739.106(c), insert the following clause in
                Section I of solicitations and contracts:
                Information and Communication Technology Accessibility (May 2024)
                 (a) Section 508 of the Rehabilitation Act of 1973, as amended
                (29 U.S.C. 794d) requires (1) Federal agencies to offer access to
                information and communication technology (ICT) to individuals with
                disabilities who are Federal employees or members of the public
                seeking information or services, and (2) that this access be
                comparable to that which is offered to Federal employees or members
                of the public who are not individuals with disabilities. Standards
                for complying with this law are prescribed by the Architectural and
                Transportation Barriers Compliance Board (``Access Board'') in 36
                CFR part 1194, are viewable at https://www.access-board.gov/ict/.
                 (b) Except as indicated elsewhere in the contract, all ICT
                supplies, services, information, documentation, and deliverables
                developed, acquired, maintained, or delivered under this contract
                must meet the applicable Section 508 accessibility standards at 36
                CFR part 1194, as amended by the Access Board.
                 (c) The Section 508 accessibility standards applicable to this
                contract are identified in Section C or other applicable sections of
                this contract.
                 (d) The Contractor must, upon written request from the
                Contracting Officer, or if so designated, the Contracting Officer's
                Representative, provide the information necessary to assist the
                Government in determining that the ICT supplies or services conform
                to Section 508 accessibility standards.
                 (e) If it is determined by the Government that any ICT supplies
                or services delivered by the Contractor do not conform to the
                required accessibility standards, remediation of the supplies or
                services to the level of conformance specified in the contract will
                be the responsibility of the Contractor at its own expense.
                 (f) The Contractor must insert this clause in all subcontracts
                that involve the acquisition of ICT supplies and/or services. The
                Contractor is responsible for the submission of any information as
                required under paragraph (e) of this clause.
                (End of clause)
                9. Add Sec. 752.239-72 to read as follows:
                Sec. 752.239-72 USAID-Financed Project Websites.
                 As prescribed in AIDAR 739.106(d), insert the following clause in
                Section I of solicitations and contracts:
                USAID-Financed Project Websites (May 2024)
                 (a) Definitions. As used in this contract: Project Website means
                a website that is:
                 (1) funded under this contract;
                 (2) hosted outside of a Federal Government domain (i.e.,
                ``.gov'');
                 (3) operated exclusively by the Contractor, who is responsible
                for all website content, operations and management, information
                security, and disposition of the website;
                 (4) not operated by or on behalf of USAID; and
                 (5) does not provide official USAID communications, information,
                or services.
                 (b) Requirements. The Contractor must adhere to the following
                requirements when developing, launching, or maintaining a Project
                website:
                 (1) Domain name. The domain name of the website must not contain
                the term ``USAID''. The domain name must be registered in the
                Contractor's business name with the relevant domain registrar on the
                relevant domain name registry.
                 (2) Information to be collected. In the website, the Contractor
                may collect only the amount of information necessary to complete the
                specific business need. The Contractor must not collect or store
                privacy information that is unnecessary for the website to operate,
                or is prohibited by statute, regulation, or Executive Order.
                 (3) Disclaimer. The website must be marked on the index page of
                the site and every major entry point to the website with a
                disclaimer that states: ``The information provided on this website
                is not official U.S. Government information and does not represent
                the views or positions of the U.S. Agency for International
                Development or the U.S. Government.''
                 (4) Accessibility. To comply with the requirements of the
                Section 508 of the Rehabilitation Act, as amended (29 U.S.C. 794d),
                the Contractor must ensure the website meets all applicable
                accessibility standards (``Web-based intranet and internet
                information and applications'') at 36 CFR part 1194, Appendix D.
                 (5) Information security: The Contractor is solely responsible
                for the information security of the website. This includes incident
                response activities as well as all security safeguards, including
                adequate protection from unauthorized access, alteration,
                disclosure, or misuse of information collected, processed, stored,
                transmitted, or published on the website. The Contractor must
                minimize and mitigate security risks, promote the integrity and
                availability of website information, and use state-of-the-art:
                system/software management; engineering and development; event
                logging; and secure-coding practices that are equal to or better
                than USAID standards and information security best practices.
                Rigorous security safeguards, including but not limited to, virus
                protection; network intrusion detection and prevention programs; and
                vulnerability management systems must be implemented and critical
                security issues must be resolved within 30 calendar days.
                 (c) Disposition. At least 120 days prior to the contract end
                date, unless otherwise approved by the Contracting Officer, the
                Contractor must submit for the Contracting Officer's approval a
                disposition plan that addresses how any Project website funded under
                this contract will be transitioned to another entity or
                decommissioned and archived. If the website will be transitioned to
                another entity, the disposition plan must provide details on the
                Contractor's proposed approach for the transfer of associated
                electronic records, technical documentation regarding the website's
                development and maintenance, and event logs. Prior to the end of the
                contract, the Contractor must comply with the disposition plan
                approved by the Contracting Officer.
                 (d) Subcontracts. The Contractor must insert this clause in all
                subcontracts that involve the development, launch, or maintenance of
                a Project website. The Contractor is responsible for the submission
                of any information as required under paragraphs (b) and (c) of this
                clause.
                (End of clause)
                Jami J. Rodgers,
                Chief Acquisition Officer.
                [FR Doc. 2024-05748 Filed 3-19-24; 8:45 am]
                BILLING CODE 6116-01-P
                
