A DoD program should address Information Assurance (IA) in its Acquisition Strategy if it acquires Information Technology (IT) services from a contractor. The focus should be to ensure IA is implemented in the design, development, test, and production of the system being developed. In the case of an acquisition of IT services, the IA considerations are dependent on the specific nature of the services being acquired.
Answering the following questions will give the Program Manager (PM) good insight into what content should be included in the IA section of the Acquisition Strategy:
- What broad IA policies and guidance are applicable?
- What IA protections are relevant to the services being acquired?
- Are there any IT components or systems being delivered coincidental to the IT services?
- Is there an IA professional supporting the acquisition team? Has an IA professional contributed to the development of the solicitation?
- Does the solicitation clearly and unambiguously communicate IA requirements to prospective offerors?
- Do the performance work statement, specifications, or statement of objectives meet information assurance requirements as specified in DFARS Subpart 239.71, “Security and Privacy for Computer Systems,” paragraph 239.7102-1(a)?
- Is the satisfaction of IA requirements a factor for award? Will an IA professional provide subject matter expert support to the source selection process?
- If an IDIQ contract is considered, what IA requirements are allocated to the basic contract as global requirements, and what IA requirements are allocated to the order level (and the responsibility of the ordering activity to invoke)? Does the ordering guide clearly communicate to requiring activities and the ordering offices their responsibilities with regard to IA?
- Has the solicitation been reviewed by the appropriate level of IA oversight (Designated Accrediting Authority/Program Executive Officer/Systems Command/Major Command/Component Senior Information Assurance Officer)?
- Will the services contractor have access to or control of Government data?
- Will the contractor need to connect to DoD systems or networks?
- Will the contractor need to certify and accredit its information system?
- Will the contractor’s personnel be performing roles that require IA training, IA professional certifications, or background investigations in order to comply with DoD IA?