Every acquisition program should include language in its Request for Proposal (RFP) that addresses Information Assurance (IA) requirements for a contractor. These requirements, and what is expected of offerors in terms of compliance and performance, should be clearly and unambiguously articulated to potential offerors. Below is a sample and explanation of IA RFP content obtained from the Defense Acquisition Guidebook (DAG).
Main Request for Proposal (RFP) Sections
Statement of Objective (SOO)
The SOO is where specific IA requirements, functions and tasks should be communicated to the offerors. This may include identification of IA roles to be performed, specific IA controls to be satisfied, and specific IA performance criteria (e.g., availability requirements). This section must clearly communicate what needs to be done with regard to IA.
Contract Data Requirements List (CDRL)
In this section, identify any IA-related data products that the potential contractor must produce. This may include reports, IA artifacts, or other IA documentation.
Section M: Evaluation Factors for Award
This section contains the evaluation factors and significant sub-factors by which offers will be evaluated and the relative importance that the Government places on these evaluation factors and sub-factors. IA is just one of numerous factors that may be assessed for the purposes of making a contract award decision. It may be a major contributing factor in a best value determination, or it may be a minimum qualification for an award based primarily on cost or price.
The extent to which IA considerations impact the award factors is a direct function of the clear communication and understanding of the potential loss or damage to which an IA failure could subject a system, organization or mission capability. For this reason, an IA professional should be tasked to assess the IA requirement and risks, and to advise the contracting officer accordingly. As appropriate, an IA professional should develop IA-related evaluation factors and participate in the negotiation of relative weightings of these factors. Correspondingly, an IA professional should also be part of the source selection evaluation board to ensure that the IA aspects of offerors' proposals are assessed for technical and functional appropriateness, adequacy, and compliance with requirements.
Section H: Special Contract Requirements (Sample Language) 
It is DoD policy that Information Assurance (IA) requirements shall be identified and included in the design, acquisition, installation, operation, upgrade, or replacement of all DoD information systems. This includes systems and processes developed within the Defense Acquisition System; systems and processes developed at private expense; outsourced business processes supported by private sector information systems; and outsourced information technologies. Information technology services provided under this contract must comply with statutory and regulatory IA policy. (See IA Policy Requirements below)
Each proposal, or proposed task order under this contract, will be screened for compliance with applicable IA statutes, policies, and procedures. Specific requirements will be stated in the performance work statement/statement of objectives.
This special contract provision shall be updated by reference for any changes to source documents. Any new laws or policies applicable to IA subsequent to issuance of this contract will be incorporated into the basic contract unilaterally without equitable adjustment to the basic contract. Any equitable adjustment shall be assessed by individual task orders that may be affected by the change as applicable.
IA Policy Requirements
IT service contractors will, or may, have to comply with the following main DoD IA policies. A complete list can be found in DAG Chapter 188.8.131.52:
- Title 40/Clinger-Cohen Act
- DoD Instruction 8500.01 Cybersecurity – 14 Mar 2014
- DoD Directive 8570.1 “Information Assurance Training, Certification, and Workforce Management” – 23 April 2007
- DoD Instruction 8580.1 “Information Assurance in the Defense Acquisition System”
- DoD Instruction 8510.01 Risk Management Framework (RMF) for DoD Information Technology (IT) – 12 Mar 2014
- CJCS Instruction 6510.01E “Information Assurance (IA) and Computer Network Defense (CND)”
- CJCS Instruction 6212.01 “Interoperability and Supportability of IT and National Security Systems”