USAID Acquisition Regulation (AIDAR): Security and Information Technology Requirements, 19754-19760 [2024-05748]

Agencies

• Agency for International Development

[Federal Register Volume 89, Number 55 (Wednesday, March 20, 2024)]
[Rules and Regulations]
[Pages 19754-19760]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-05748]


=======================================================================
-----------------------------------------------------------------------

AGENCY FOR INTERNATIONAL DEVELOPMENT

48 CFR Chapter 7

RIN 0412-AA87


USAID Acquisition Regulation (AIDAR): Security and Information 
Technology Requirements

AGENCY: U.S. Agency for International Development.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule amends the U.S. Agency for International 
Development (USAID) Acquisition Regulation (AIDAR) to incorporate a 
revised definition of ``information technology'' (IT) and new contract 
clauses relating to information security, cybersecurity, and IT 
resources. The purpose of these revisions is to provide increased 
oversight of contractor acquisition and use of IT resources.

DATES: This final rule is effective May 20, 2024.

FOR FURTHER INFORMATION CONTACT: Jasen Andersen, Procurement Analyst, 
USAID M/OAA/P, at 202-286-3116 or [email protected] for 
clarification of content or information pertaining to status or 
publication schedules. All communications regarding this rule must cite 
RIN No. 0412-AA87.

SUPPLEMENTARY INFORMATION:

A. Background

    USAID published a proposed rule on March 21, 2019 (84 FR 10469) to 
amend the AIDAR to implement various requirements related to 
information security and IT resources that support the operations and 
assets of the agency, including those managed by contractors. These new 
requirements will strengthen protections of agency information systems 
and facilities. The public comment period closed on May 20, 2019.

B. Discussion and Analysis

    USAID updated the final rule to incorporate feedback from public 
comments, streamline requirements by removing duplicative or 
unnecessary elements from the rule, and maintain consistency with the 
Federal Acquisition Regulation (FAR). USAID received four public 
comments in response to the proposed rule. USAID assessed the public 
comments in the development of the final rule. The full text of the 
comments is available at the Federal Rulemaking Portal, 
www.regulations.gov. A summary of the comments, USAID's responses, and 
changes made to the rule as a result are as follows:

(1) Summary of Significant Changes

    The following significant changes from the proposed rule are made 
in the final rule, organized below using the section titles from the 
proposed rule:
    (i) AIDAR Part 739, Acquisition of Information Technology. No 
changes were made to the definition of ``information technology'' as a 
result of the public comments received. Minor administrative changes 
were made to revise AIDAR Part 739 to add a section regarding the scope 
of the part, as well as the prescriptions for the applicable contract 
clauses included in this final rule.
    (ii) AIDAR 752.204-72 Homeland Security Presidential Directive-12 
(HSPD-12) and Personal Identity Verification (PIV). Several changes 
were made to this clause as a result of the public comments received. 
In response to a commenter's concerns that the proposed rule limited 
access to only U.S. citizens and resident aliens, USAID revised the 
clause to clarify that various types of credentials are available to 
different types of users--including non-U.S. citizens--who require 
physical access to USAID facilities and/or logical access to USAID 
information systems. Similarly, revisions also update the forms of 
identity source documents that must be presented to the Enrollment 
Office personnel, based on the credential type, as well as 
applicability of any security background investigation. To avoid 
confusion generated by the reference to the PIV credential, which may 
only be issued to U.S. citizens and resident aliens, USAID reverted the 
title of the clause back to its prior name, ``Access to USAID 
Facilities and USAID's Information Systems.'' The revisions also 
provide clarity regarding the contents of the monthly staffing report 
required by the clause. Finally, a new Subpart 704.13 was created to 
house the prescription for this clause, with this prescription moved 
from AIDAR 704.404 to AIDAR 704.1303.
    (iii) AIDAR 752.204-XX USAID-Financed Third-Party Websites. The 
public comments led to several revisions in this clause. One commenter 
highlighted that the clause did not differentiate appropriately between 
a contractor's website used to implement a project versus a Federal 
agency's website maintained by a contractor on behalf of the agency. In 
its subsequent analysis, USAID further determined that ``third-party 
website,'' as defined in OMB Memorandum No. M-10-23 (``Guidance for 
Agency Use of Third-Party Websites and Applications''), was not the 
correct terminology for this clause. While the contract funds the 
website, the contractor does not operate the website on the agency's 
behalf. Instead, the final rule now defines a new term and establishes 
applicability of the clause to ``project websites.'' As further 
explained in this new definition, there are multiple differentiators 
that distinguish a ``project website'' from a ``Federal agency 
website'' under OMB Memorandum No. M-23-10 (``The Registration and Use 
of .gov Domains in the Federal Government'')--where it is hosted, who 
is responsible for all operations and management, whether the website 
is operated on behalf of USAID, and whether the website provides 
official communications, information, or services from USAID. USAID 
renamed the clause to ``USAID-Financed Project Websites'' to reflect 
this change in terminology. In addition, based on public comments, 
USAID removed certain requirements from the clause, such as the 
notification to and approval from the Contracting Officer's 
Representative and the USAID Legislative and Public Affairs (LPA) 
division, or the authorization of USAID to conduct periodic 
vulnerability scans. Instead, the contractor is solely responsible for 
all project website content, operations, management, information 
security, and disposition. Other requirements were removed from the 
clause because they are covered by other standard contract 
requirements--for example, USAID branding/marking requirements were 
removed from this

[[Page 19755]]

clause, as they are typically addressed in a branding/marking plan 
required elsewhere in the contract.
    (iv) AIDAR 752.239-XX Limitation on Acquisition of Information 
Technology and AIDAR 752.239-XX Use of Information Technology Approval. 
As a result of the public comments received, these two overlapping 
clauses from the proposed rule were combined into a single AIDAR 
752.239-70 (``Information Technology Authorization'') clause in the 
final rule. USAID believes this provides better clarity and promotes 
consistency in the IT approval process. No change was made to the 
definition of ``information technology'' used in this clause. Instead, 
the revisions focus on clarifying procedures that a contractor must 
follow in seeking approval of any IT not specified in the schedule of 
the contract. The revised clause provides more details regarding the 
contents of any approval request. In addition, the revised clause 
allows written approval, removing the burden of requiring a contract 
modification to indicate approval of additional IT by the Contracting 
Officer.
    (v) AIDAR 752.239-XX Software License. Based on the public comments 
received, USAID re-evaluated the need for this clause. As noted in some 
of the public comments, this clause presents challenges due to the 
commercial nature of the transaction between the contractor and the 
software vendor, as well as concerns regarding privity of contract, if 
the U.S. Government imposes additional ``addendum'' requirements. After 
consideration of the public comments and further analysis--including 
assessing which elements of this clause may be addressed elsewhere in 
the FAR, such as in the contract cost principles in FAR Part 31--USAID 
determined that this clause is no longer needed and removed it from the 
final rule. While this ``Software License'' clause is no longer part of 
this rule, USAID reminds contractors that software acquisitions must 
adhere to other applicable contractual requirements, including the IT 
approval requirements outlined in the revised AIDAR 752.239-70 
(``Information Technology Authorization'') clause.
    (vi) AIDAR 752.239-XX Information and Communication Technology 
Accessibility. Revisions were made to this clause to clarify the 
requirements and applicability of Section 508 of the Rehabilitation Act 
of 1973, as amended, to information and communication technology (ICT) 
supplies and services. One significant change is the removal of the 
full list of Section 508 accessibility standards. Instead, the clause 
notes that the specific applicable standards must be identified 
elsewhere in the contract (e.g., in Section C), in alignment with FAR 
Subpart 39.1. USAID also revised the clause to incorporate procedures 
to enable the Government to determine whether delivered supplies or 
services conform to Section 508 accessibility standards. In order to 
ensure full compliance of all ICT supplies and services delivered under 
a contract with Section 508 requirements, USAID added a flow-down 
requirement to apply the clause to subcontractors.
    (vii) AIDAR 752.239-XX Skills and Certification Requirements for 
Privacy and Security Staff. Based on the public comments received, 
USAID re-evaluated the need for this clause. After further assessment, 
USAID removed this clause from the final rule. In alignment with the 
``National Cyber Workforce and Education Strategy'' issued by the 
Office of the National Cyber Director in July 2023, USAID will use a 
skills-based approach rather than relying solely on educational 
qualifications and industry-recognized certifications.
    (viii) Clause prescriptions. Throughout the final rule, the 
prescriptions for each clause have been revised to ensure clarity in 
the instructions, as well as alignment with the AIDAR text where the 
topic is addressed.

(2) Summary of and Response to Public Comments

    USAID reviewed the public comments in the development of the final 
rule. A discussion of the comments is provided as follows:
(i) Definition of ``Information Technology'' and Applicability of the 
Rule
    Comment: Three commenters submitted comments regarding the 
definition of ``information technology'' (IT) and the applicability of 
the IT authorization requirements in two clauses in the proposed rule 
(``Limitation on Acquisition of Information Technology'' and ``Use of 
Information Technology Approval''). These commenters indicated the 
definition of IT was confusing and that Contracting Officers may 
interpret the definition differently, resulting in inconsistent 
application of the rule and delays in contract performance. These 
commenters questioned whether all technology acquisitions--such as 
computers, laptops, printers, other commercial products and services, 
and commercially available off-the-shelf (COTS) items procured by a 
contractor--are within the scope of these IT authorization 
requirements. These commenters suggested that this rule should only 
apply to USAID infrastructure only, such as computer systems that 
interface directly with USAID internal IT systems.
    Response: This rule uses the definition of ``information 
technology'' issued by the Office of Management and Budget (OMB) in OMB 
Memorandum M-15-14 (``Management and Oversight of Federal Information 
Technology''), pursuant to the Federal Information Technology 
Acquisition Reform Act (FITARA). USAID continues to use this definition 
in the final rule in order to maintain consistency with OMB guidance 
and FITARA implementation principles.
    To simplify the rule and promote consistency in its application, 
USAID has combined the prior two clauses (``Limitation on Acquisition 
of Information Technology'' and ``Use of Information Technology 
Approval'') from the proposed rule into a single AIDAR 752.239-70 
(``Information Technology Authorization'') clause in the final rule.
    OMB's FITARA definition of IT adopted by USAID for this rule 
applies to any services or equipment ``used by an agency,'' which--as 
further defined in the clause--includes ``if used by the agency 
directly or if used by a contractor under a contract with the agency . 
. .'' This clause applies to all such IT, including hardware (e.g., 
computers, laptops, desktops, tablets, printers, etc.), infrastructure 
equipment (e.g, networking equipment, routers, switches, firewalls, 
etc.), software including software as a service (SaaS), cloud services, 
artificial intelligence (AI) and emerging information technologies, and 
other commercial items and COTS technology. The applicability of this 
clause and the definition of ``information technology'' do not solely 
depend on whether the items directly interface with USAID internal IT 
systems or connect to the Agency's infrastructure.
    To further assist Contracting Officers in the consistent 
application of this rule, USAID provides direction and guidance to 
Agency staff, such as in Automated Directives System (ADS) Chapter 509 
available at https://www.usaid.gov/about-us/agency-policy/series-500/509, that is consistent with OMB resources and FITARA.
(ii) IT Procurements for Counterparts
    Comment: One commenter indicated support for the proposed rule and 
its importance in fulfilling the Agency's responsibility to govern the 
organization's technology infrastructure, but questioned whether it was 
within the FITARA statutory authority to apply

[[Page 19756]]

the rule's approval requirements to IT that do not become part of the 
Agency's technology infrastructure. As an example, the commenter cited 
procurements of IT for international development work with third 
parties (e.g., procurements of IT for host country counterparts).
    Response: USAID acknowledges the support for the rule and agrees 
this rule is an important measure to promote the Agency's oversight and 
stewardship of IT resources. USAID also agrees there are certain IT 
acquisitions by a contractor that may not be subject to the IT approval 
requirements established in the AIDAR 752.239-70 (``Information 
Technology Authorization'') clause. For example, IT procured by a 
contractor that is provided directly and immediately to a host country 
counterpart does not fall into this FITARA definition of IT because it 
does not meet this IT definition's qualifier of ``used by an agency.'' 
Examples of IT procured for a host country counterpart could include a 
health information management system purchased for a host country 
ministry of health or computers procured for a host country educational 
institution. However, if USAID or the contractor first ``uses'' the 
services or equipment before transferring it to a host country 
counterpart, the items are then considered to be ``used by an agency,'' 
as defined in the FITARA definition, and therefore subject to the IT 
approval requirements established in the AIDAR 752.239-70 
(``Information Technology Authorization'') clause. For example, if a 
contractor uses a health survey tool for any period of time that is 
required as part of its performance of the contract, and then transfers 
the tool to the host country government, that tool is considered to be 
IT as defined in this FITARA definition. Because the scope of FITARA 
does apply beyond the Agency's technology infrastructure, no changes 
were made to the language in the rule.
(iii) IT ``Incidental to a Contract''
    Comment: Two commenters raised concerns that the definition of 
``information technology'' is not clear regarding equipment acquired by 
a contractor that is ``incidental to a contract.'' One of these 
commenters suggesting this ``incidental'' exception should be deleted 
to avoid confusion.
    Response: OMB's FITARA definition of IT specifically notes that the 
term ``information technology'' does not include any equipment that is 
acquired by a contractor incidental to a contract that does not require 
use of the equipment. Examples of ``incidental'' IT could include a 
contractor's corporate human resources systems, financial management 
systems, or email management systems, as the contractor acquired them 
to assist in managing its own resources assigned to a U.S. Government 
contract. USAID believes this ``incidental'' exclusion is a critical 
element of the definition of IT in order to maintain consistency with 
OMB guidance and FITARA implementation principles. As such, no changes 
were made to this language in the rule.
(iv) USAID Resources and Timing for IT Authorizations
    Comment: For the ``Limitation on Acquisition of Information 
Technology'' and ``Use of Information Technology Approval'' clauses in 
the proposed rule, two commenters expressed concerns regarding the 
availability of USAID resources to carry out the necessary approval 
processes in an efficient manner. The commenters indicated that this 
authorization process may lead to delays and significant hindrances to 
the implementation of development work by contractors, if approval is 
required to ``purchase of every piece of IT hardware.''
    Response: USAID's Bureau For Management, Office of the Chief 
Information Officer (M/CIO) has sufficient resources to efficiently 
fulfill the IT approval requirements of this rule, now reflected in a 
single AIDAR 752.239-70 (``Information Technology Authorization'') 
clause in the final rule.
    Comment: One commenter suggested that contractor's notification to 
the Contracting Officer's Representative (COR)--rather than an approval 
from USAID--would be more appropriate for IT procurements included in 
the offeror's proposal and/or prime contract.
    Response: Under FITARA, the CIO is required to review and approve 
all IT acquisitions. No changes are made to these requirements.
(v) USAID's IT Regulatory and Policy Framework
    Comment: Two commenters questioned if this rule replaces the 
procedures of USAID's ADS Chapter 548, or if any procedures from ADS 
Chapter 548 should be included in this new rule.
    Response: USAID's policies previously detailed in ADS Chapter 548 
are obsolete and no longer applicable. These policies were archived in 
May 2019.
    Comment: Two commenters questioned whether the proposed rule would 
apply to IT procurements conducted by recipients under USAID grants and 
cooperative agreements.
    Response: The content of this rule only applies to acquisition 
awards (e.g., contracts); this rule does not apply to federal 
assistance awards (e.g., grants and cooperative agreements). ADS 
Chapter 509, available at https://www.usaid.gov/about-us/agency-policy/series-500/509, contains further clarification on the distinction 
between acquisition and assistance for IT procurements.
(vi) Software License Clause
    Comment: Two commenters provided comments on the AIDAR 752.239-XX 
``Software License'' clause from the proposed rule, noting potential 
challenges and confusion in complying with this clause, particularly 
for commercial items and commercially available off-the-shelf (COTS) 
items.
    Response: USAID concurs with the concerns noted in these comments 
and has removed this clause from the final rule.
(vii) USAID-Financed Project Websites Clause
    Comment: One commenter provided several comments regarding the 
requirements and process for the proposed rule's ``USAID-Financed 
Third-Party Websites'' clause, highlighting that the clause did not 
distinguish appropriately between a contractor's website used to 
implement a project versus a Federal agency's website. The commenter 
also questioned the need for notification by the contractor to the 
Contracting Officer's Representative (COR) for USAID's Bureau for 
Legislative and Public Affairs (LPA) evaluation and approval, as well 
as the requirement for contractors to authorize USAID to conduct 
periodic vulnerability scans.
    Response: USAID agrees with several of the commenter's concerns. 
The proposed rule did not adequately define the type of website subject 
to requirements of this clause. The final rule contains several 
revisions to this clause, most notably clarifying that it applies to a 
``project website'' funded by USAID, which is now defined in the final 
rule. This definition of ``project website'' is distinct from a 
``third-party website'' and also provides a differentiation from 
websites within the Federal Government domain (i.e., ``.gov''), in 
accordance with guidance established in OMB Memorandum No. M-23-10. The 
clause in this final rule has been renamed to ``USAID-Financed Project 
websites'' to reflect this change in terminology. The final rule also 
removes the COR/LPA notification and approval requirements. As the 
contractor is solely responsible for all

[[Page 19757]]

security safeguards for the website, the final rule removes the 
requirement for contractors to authorize USAID to conduct periodic 
vulnerability scans.
    Comment: One commenter questioned whether this rule affects 
existing project websites funded by USAID.
    Response: This AIDAR 752.239-72 (``USAID-Financed Project 
websites'') clause applies to any project website developed, launched 
or maintained under a prime contract that contains this clause.
(viii) Skills and Certification Requirements Clause
    Comment: For the ``Skills and Certification Requirements for 
Privacy and Security Staff'' clause, one commenter suggested that the 
Certified Information Systems Security Professional (CISSP) 
certification process is unclear and requested clarification regarding 
the definition of ``significant information security 
responsibilities.''
    Response: USAID has removed this clause from the final rule to 
maintain consistency with the FAR and the National Cyber Workforce and 
Education Strategy issued by the Office of the National Cyber Director, 
which support using a skills-based approach rather than relying solely 
on educational qualifications and industry-recognized certifications.
(ix) Access to USAID Facilities and USAID's Information Systems Clause
    Comment: One commenter suggested that the proposed personal 
identity verification (PIV) clause unnecessarily restricts physical and 
logical access only to U.S. citizens and resident aliens, prohibiting 
access to cooperating country nationals (CCNs) and third country 
nationals (TCNs).
    Response: PIV cards may only be issued to U.S. citizens and 
resident aliens; non-U.S. citizens are not authorized to receive PIV 
cards. Instead, USAID issues PIV-Alternative (PIV-A) cards to eligible 
CCNs and TCNs who require physical or logical access, as described 
further in ADS Chapter 542, available at https://www.usaid.gov/about-us/agency-policy/series-500/542. USAID revised the clause to clarify 
that various types of credentials are available to different types of 
users who require physical access to USAID facilities and/or logical 
access to USAID information systems.
    Comment: One commenter expressed a concern that non-U.S. citizens 
may not possess a U.S. Federal or State Government-issued picture ID 
for purposes of the identity source documentation required for 
obtaining credentials. One commenter noted the rule does not specify 
how to identify the appropriate Enrollment Office to work with and 
physically present the identity source documents.
    Response: In the credentialing process, two forms of identity 
source documents must be presented to the Enrollment Office personnel. 
The Federal or State Government-issued picture ID is required to obtain 
a PIV card, which is available to U.S. citizens only. For non-U.S. 
citizens, the contractor may contact the COR to request a list of 
acceptable forms of documentation, as this information varies by 
location. USAID updated the clause to clarify this information.
    Comment: One commenter requested additional information regarding 
the requirement for documentation of security background 
investigations.
    Response: Homeland Security Presidential Directive-12 (HSPD-12) 
requires that agencies complete background investigations on all 
employees and contractors when issuing credentials. ADS Chapter 542, 
available at https://www.usaid.gov/about-us/agency-policy/series-500/542, contains additional details regarding USAID's procedures related 
to background investigations in the credentialing process. USAID 
revised the clause to clarify that documentation of a security 
background investigation must be submitted as part of the credentialing 
process, when applicable.
    Comment: One commenter suggested that USAID harmonize access 
requirements for those contractors with CCN and TCN staff versus the 
requirements for USAID's CCN and TCN personal services contractors.
    Response: The same physical and logical access requirements apply 
to both contractor employees and individuals issued personal services 
contracts. As personal services contracts with individuals (issued 
under Appendices D and J of the AIDAR) are not within the scope of this 
rule, no changes were made to the rule.
(x) Outside the Scope of This Rule
    Comment: One commenter noted that the rule does not specify what 
the COR will do with the list of individuals reported by the contractor 
to the COR each month under paragraph (d) of this AIDAR 752.204-72 
clause.
    Response: The COR's responsibilities regarding the staffing list 
will be addressed in internal Agency policy. As such, no changes were 
made to the rule.
    Comment: One commenter questioned if the proposed rule impacted the 
use of USAID systems such as Development Experience Clearinghouse 
(DEC), Development Data Library (DDL), and TrainNet.
    Response: This rule does not affect the use of DEC, DDL, or 
TrainNet. This comment is outside the scope of this rule.
    Comment: One commenter noted that the language of the proposed rule 
seemed clear, but suggested the development of a supplemental 
``decision guide'' to facilitate the interpretation of the rule's IT 
approval requirements.
    Response: The commenter's suggestion is outside the scope of the 
rule.

C. Regulatory Considerations and Determinations

(1) Executive Orders 12866, 13563, and 14094

    This final rule was drafted in accordance with Executive Order 
(E.O.) 12866, as amended by E.O. 13563 and E.O. 14094. OMB has 
determined that this rule is not a ``significant regulatory action,'' 
as defined in section 3(f) of E.O. 12866, as amended, and is therefore 
not subject to review by OMB.

(2) Expected Cost Impact on the Public

    There are no costs to the public associated with this rulemaking.

(3) Regulatory Flexibility Act

    The rule does not have a significant economic impact on a 
substantial number of small entities within the meaning of the 
Regulatory Flexibility Act, 5 U.S.C. 601, et seq. Therefore, a 
Regulatory Flexibility Analysis has not been performed.

(4) Paperwork Reduction Act

    This rule contains information collection requirements that were 
detailed in the proposed rule and have been submitted to the Office of 
Management and Budget (OMB) under the Paperwork Reduction Act (44 
U.S.C. chapter 35). This information collection requirement has been 
assigned OMB Control Number 0412-0603, entitled ``Information 
Collection under AIDAR Clause 752.204-72, Access to USAID Facilities 
and USAID's Information Systems.'' No comments were received on the 
information collection outlined in the proposed rule.

List of Subjects in 48 CFR Parts 704, 739, and 752

    Government procurement.

    For the reasons discussed in the preamble, USAID amends 48 CFR 
parts 704, 739, and 752 as set forth below:

[[Page 19758]]

PART 704--ADMINISTRATIVE MATTERS

0
1. The authority citation for 48 CFR part 704 continues to read as 
follows:

    Authority: Sec. 621, Pub. L. 87-195, 75 Stat. 445, (22 U.S.C. 
2381) as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; 3 CFR, 
1979 Comp., p. 435.


Sec.  704.404  [Amended]

0
2. Amend Sec.  704.404 by removing and reserving paragraph (b).

0
3. Add Subpart 704.13 to read as follows:

Subpart 704.13--Personal Identity Verification

Sec.
704.1303 Contract clause.


Sec.  704.1303  Contract clause.

    When contract performance requires the contractor--including its 
employees, volunteers, or subcontractor employees at any tier--to have 
routine physical access to USAID-controlled facilities or logical 
access to USAID's information systems, the contracting officer must 
insert the clause found at FAR 52.204-9 and AIDAR 752.204-72 (``Access 
to USAID Facilities and USAID's Information Systems'') in the 
solicitation and contract.

0
4. Add part 739 to read as follows:

PART 739--ACQUISITION OF INFORMATION TECHNOLOGY

Sec.
739.000 Scope of part.
739.001 [Reserved]
739.002 Definitions.
Subpart 739.1--General.
739.106 Contract clauses.

    Authority: Sec. 621, Pub. L. 87-195, 75 Stat. 445 (22 U.S.C. 
2381), as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; and 3 
CFR, 1979 Comp., p. 435.


Sec.  739.000  Scope of part.

    This part prescribes acquisition policies and procedures for use in 
acquiring--
    (a) Information technology, as defined in this part, consistent 
with the Federal Information Technology Acquisition Reform Act 
(FITARA).
    (b) Information and communication technology (ICT), as defined in 
FAR 2.101.


Sec.  739.001  [Reserved]


Sec.  739.002  Definitions.

    As used in this part--
    Information Technology (IT) means
    (1) Any services or equipment, or interconnected system(s) or 
subsystem(s) of equipment, that are used in the automatic acquisition, 
storage, analysis, evaluation, manipulation, management, movement, 
control, display, switching, interchange, transmission, or reception of 
data or information by the agency; where
    (2) Such services or equipment are ``used by an agency'' if used by 
the agency directly or if used by a contractor under a contract with 
the agency that requires either use of the services or equipment or 
requires use of the services or equipment to a significant extent in 
the performance of a service or the furnishing of a product.
    (3) The term ``information technology'' includes computers, 
ancillary equipment (including imaging peripherals, input, output, and 
storage devices necessary for security and surveillance), peripheral 
equipment designed to be controlled by the central processing unit of a 
computer, software, firmware and similar procedures, services 
(including provisioned services such as cloud computing and support 
services that support any point of the lifecycle of the equipment or 
service), and related resources.
    (4) The term ``information technology'' does not include any 
equipment that is acquired by a contractor incidental to a contract 
that does not require use of the equipment.

Subpart 739.1--General.


Sec.  739.106  Contract clauses.

    (a) [Reserved]
    (b) Contracting officers must insert the clause at 752.239-70, 
Information Technology Authorization, in all solicitations and 
contracts.
    (c) Contracting officers must insert the clause at 752.239-71, 
Information and Communication Technology Accessibility, in 
solicitations and contracts that include acquisition of information and 
communication technology (ICT) supplies and/or services for use by 
Federal employees or members of the public.
    (d) Contracting officers must insert the clause at 752.239-72, 
USAID-Financed Project websites, in solicitations and contracts fully 
or partially funded with program funds.

PART 752--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
5. The authority citation for part 752 continues to read as follows:

    Authority: Sec. 621, Pub. L. 87-195, 75 Stat. 445, (22 U.S.C. 
2381) as amended; E.O. 12163, Sept. 29, 1979, 44 FR 56673; 3 CFR, 
1979 Comp., p. 435.


0
6. Revise Sec.  752.204-72 to read as follows:


Sec.  752.204-72  Access to USAID Facilities and USAID's Information 
Systems.

    As prescribed in AIDAR 704.1303, insert the following clause in 
Section I of solicitations and contracts:

Access to USAID Facilities and USAID's Information Systems (May 2024)

    (a) The Contractor must ensure that individuals engaged in the 
performance of this award as employees or volunteers of the 
Contractor, or as subcontractors or subcontractor employees at any 
tier, comply with all applicable personal identity verification 
(PIV) and Homeland Security Presidential Directive-12 (HSPD-12) 
procedures, including those summarized below, and any subsequent 
USAID or Government-wide procedures and policies related to PIV or 
HSPD-12.
    (b) An individual engaged in the performance of this award may 
obtain access to USAID facilities or logical access to USAID's 
information systems only when and to the extent necessary to carry 
out this award. USAID issues various types of credentials to users 
who require physical access to Agency facilities and/or logical 
access to Agency information systems, in accordance with USAID's 
Automated Directives System (ADS) 542, available at https://www.usaid.gov/about-us/agency-policy/series-500/542.
    (c) (1) No later than five (5) business days after award, unless 
the Contracting Officer authorizes a longer time period, the 
Contractor must provide to the Contracting Officer's Representative 
a complete list of individuals that require access to USAID 
facilities or information systems under this contract.
    (2) Before an individual may obtain a USAID credential (new or 
replacement) authorizing the individual routine access to USAID 
facilities, or logical access to USAID's information systems, the 
individual must physically present two forms of identity source 
documents in original form to the Enrollment Office personnel when 
undergoing processing. To obtain a PIV card, one identity source 
document must be a valid Federal or State Government-issued picture 
ID from the I-9 list available at https://www.uscis.gov/i-9-central/form-i-9-acceptable-documents. For other types of credentials the 
Contractor can obtain the list of acceptable forms from the 
Contracting Officer's Representative. Submission of these documents, 
as well as documentation of any applicable security background 
investigation, is mandatory in order for the individual to receive a 
credential granting facilities and/or logical access.
    (d) (1) No later than the 5th day of each month, the Contractor 
must provide the Contracting Officer's Representative with the 
following:
    (i) a list of individuals with access who were separated in the 
past sixty (60) calendar days, and

[[Page 19759]]

    (ii) a list of individuals hired in the past sixty (60) calendar 
days who require access under this contract.
    (2) This information must be submitted even if no separations or 
hiring occurred during the past sixty (60) calendar days.
    (3) Failure to comply with the requirements in paragraph (d)(1) 
may result in the suspension of all facilities and/or logical access 
associated with this contract.
    (e) The Contractor must ensure that individuals do not share 
logical access to USAID information systems and sensitive 
information.
    (f) USAID may suspend or terminate the access to any systems 
and/or facilities in the event of any violation, abuse, or misuse. 
The suspension or termination may last until the situation has been 
corrected or no longer exists.
    (g) The Contractor must notify the Contracting Officer's 
Representative and the USAID Service Desk ([email protected] or 
202-712-1234) at least five (5) business days prior to the removal 
of any individuals with credentials from the contract. For unplanned 
terminations, the Contractor must immediately notify the Contracting 
Officer's Representative and the USAID Service Desk. Unless 
otherwise instructed by the Contracting Officer, the Contractor must 
return all credentials and remote authentication tokens to the 
Contracting Officer's Representative prior to departure of the 
individual or upon completion or termination of the contract, 
whichever occurs first.
    (h) The Contractor must insert this clause, including this 
paragraph (h), in any subcontracts that require the subcontractor or 
a subcontractor employee to have routine physical access to USAID 
facilities or logical access to USAID's information systems. The 
Contractor is responsible for providing the Contracting Officer's 
Representative with the information required under paragraphs (c)(1) 
and (d)(1) of this clause for any applicable subcontractor or 
subcontractor employee.


(End of clause)

0
7. Add section 752.239-70 to read as follows:


752.239-70  Information Technology Authorization.

    As prescribed in AIDAR 739.106(b), insert the following clause in 
Section I of solicitations and contracts:

Information Technology Authorization (May 2024)

    (d) Definitions. As used in this contract:
    Information Technology means
    (1) Any services or equipment, or interconnected system(s) or 
subsystem(s) of equipment, that are used in the automatic 
acquisition, storage, analysis, evaluation, manipulation, 
management, movement, control, display, switching, interchange, 
transmission, or reception of data or information by the agency; 
where
    (2) such services or equipment are ``used by an agency'' if used 
by the agency directly or if used by a contractor under a contract 
with the agency that requires either use of the services or 
equipment or requires use of the services or equipment to a 
significant extent in the performance of a service or the furnishing 
of a product.
    (3) The term ``information technology'' includes computers, 
ancillary equipment (including imaging peripherals, input, output, 
and storage devices necessary for security and surveillance), 
peripheral equipment designed to be controlled by the central 
processing unit of a computer, software, firmware and similar 
procedures, services (including provisioned services such as cloud 
computing and support services that support any point of the 
lifecycle of the equipment or service), and related resources.
    (4) The term ``information technology'' does not include any 
equipment that is acquired by a contractor incidental to a contract 
that does not require use of the equipment.
    (b) Approval Requirements. The Federal Information Technology 
Acquisition Reform Act (FITARA) requires Agency Chief Information 
Officer (CIO) review and approval of acquisitions of information 
technology and information technology services. Any information 
technology specified in the Schedule of this contract has already 
been approved by the CIO. The Contractor must not acquire any 
additional information technology without the prior written approval 
of the Contracting Officer as specified in this clause.
    (c) Request for Approval Procedure.
    (1) If the Contractor determines that any information technology 
not specified in the Schedule will be necessary in the performance 
of the contract, the Contractor must request prior written approval 
from the Contracting Officer, including the Contracting Officer's 
Representative and the Office of the CIO ([email protected]) 
on the request.
    (2) In the request, the Contractor must provide an itemized 
description of the information technology to be procured. For 
equipment (including hardware and software), the Contractor must 
include any applicable brand names, model/version numbers, 
quantities, and estimated unit and total cost information. For 
services, the Contractor must provide a detailed description of the 
services, name(s) of the service provider(s), and estimated cost 
information.
    (3) The Contracting Officer will approve or deny in writing the 
Contractor's request. If granted, the Contracting Officer will 
specify in writing the information technology approved by the CIO 
for purchase.
    (d) Subcontracts. The Contractor must insert the substance of 
this clause, including this paragraph (d), in all subcontracts. The 
Contractor is responsible for requesting any approval required under 
paragraphs (b) and (c) of this clause for any applicable 
subcontractor information technology acquisition.


(End of clause)

0
8. Add Sec.  752.239-71 to read as follows:


Sec.  752.239-71  Information and Communication Technology 
Accessibility.

    As prescribed in AIDAR 739.106(c), insert the following clause in 
Section I of solicitations and contracts:

Information and Communication Technology Accessibility (May 2024)

    (a) Section 508 of the Rehabilitation Act of 1973, as amended 
(29 U.S.C. 794d) requires (1) Federal agencies to offer access to 
information and communication technology (ICT) to individuals with 
disabilities who are Federal employees or members of the public 
seeking information or services, and (2) that this access be 
comparable to that which is offered to Federal employees or members 
of the public who are not individuals with disabilities. Standards 
for complying with this law are prescribed by the Architectural and 
Transportation Barriers Compliance Board (``Access Board'') in 36 
CFR part 1194, are viewable at https://www.access-board.gov/ict/.
    (b) Except as indicated elsewhere in the contract, all ICT 
supplies, services, information, documentation, and deliverables 
developed, acquired, maintained, or delivered under this contract 
must meet the applicable Section 508 accessibility standards at 36 
CFR part 1194, as amended by the Access Board.
    (c) The Section 508 accessibility standards applicable to this 
contract are identified in Section C or other applicable sections of 
this contract.
    (d) The Contractor must, upon written request from the 
Contracting Officer, or if so designated, the Contracting Officer's 
Representative, provide the information necessary to assist the 
Government in determining that the ICT supplies or services conform 
to Section 508 accessibility standards.
    (e) If it is determined by the Government that any ICT supplies 
or services delivered by the Contractor do not conform to the 
required accessibility standards, remediation of the supplies or 
services to the level of conformance specified in the contract will 
be the responsibility of the Contractor at its own expense.
    (f) The Contractor must insert this clause in all subcontracts 
that involve the acquisition of ICT supplies and/or services. The 
Contractor is responsible for the submission of any information as 
required under paragraph (e) of this clause.


(End of clause)

0
9. Add Sec.  752.239-72 to read as follows:


Sec.  752.239-72  USAID-Financed Project Websites.

    As prescribed in AIDAR 739.106(d), insert the following clause in 
Section I of solicitations and contracts:

USAID-Financed Project Websites (May 2024)

    (a) Definitions. As used in this contract: Project Website means 
a website that is:
    (1) funded under this contract;

[[Page 19760]]

    (2) hosted outside of a Federal Government domain (i.e., 
``.gov'');
    (3) operated exclusively by the Contractor, who is responsible 
for all website content, operations and management, information 
security, and disposition of the website;
    (4) not operated by or on behalf of USAID; and
    (5) does not provide official USAID communications, information, 
or services.
    (b) Requirements. The Contractor must adhere to the following 
requirements when developing, launching, or maintaining a Project 
website:
    (1) Domain name. The domain name of the website must not contain 
the term ``USAID''. The domain name must be registered in the 
Contractor's business name with the relevant domain registrar on the 
relevant domain name registry.
    (2) Information to be collected. In the website, the Contractor 
may collect only the amount of information necessary to complete the 
specific business need. The Contractor must not collect or store 
privacy information that is unnecessary for the website to operate, 
or is prohibited by statute, regulation, or Executive Order.
    (3) Disclaimer. The website must be marked on the index page of 
the site and every major entry point to the website with a 
disclaimer that states: ``The information provided on this website 
is not official U.S. Government information and does not represent 
the views or positions of the U.S. Agency for International 
Development or the U.S. Government.''
    (4) Accessibility. To comply with the requirements of the 
Section 508 of the Rehabilitation Act, as amended (29 U.S.C. 794d), 
the Contractor must ensure the website meets all applicable 
accessibility standards (``Web-based intranet and internet 
information and applications'') at 36 CFR part 1194, Appendix D.
    (5) Information security: The Contractor is solely responsible 
for the information security of the website. This includes incident 
response activities as well as all security safeguards, including 
adequate protection from unauthorized access, alteration, 
disclosure, or misuse of information collected, processed, stored, 
transmitted, or published on the website. The Contractor must 
minimize and mitigate security risks, promote the integrity and 
availability of website information, and use state-of-the-art: 
system/software management; engineering and development; event 
logging; and secure-coding practices that are equal to or better 
than USAID standards and information security best practices. 
Rigorous security safeguards, including but not limited to, virus 
protection; network intrusion detection and prevention programs; and 
vulnerability management systems must be implemented and critical 
security issues must be resolved within 30 calendar days.
    (c) Disposition. At least 120 days prior to the contract end 
date, unless otherwise approved by the Contracting Officer, the 
Contractor must submit for the Contracting Officer's approval a 
disposition plan that addresses how any Project website funded under 
this contract will be transitioned to another entity or 
decommissioned and archived. If the website will be transitioned to 
another entity, the disposition plan must provide details on the 
Contractor's proposed approach for the transfer of associated 
electronic records, technical documentation regarding the website's 
development and maintenance, and event logs. Prior to the end of the 
contract, the Contractor must comply with the disposition plan 
approved by the Contracting Officer.
    (d) Subcontracts. The Contractor must insert this clause in all 
subcontracts that involve the development, launch, or maintenance of 
a Project website. The Contractor is responsible for the submission 
of any information as required under paragraphs (b) and (c) of this 
clause.


(End of clause)

Jami J. Rodgers,
Chief Acquisition Officer.
[FR Doc. 2024-05748 Filed 3-19-24; 8:45 am]
BILLING CODE 6116-01-P