UNCLASSIFIED (U)

5 FAM 900
INFORMATION TECHNOLOGY (IT) ACQUISITION

5 FAM 910

INFORMATION TECHNOLOGY (IT)

ACQUISITION POLICIES

(CT:IM-324;   06-28-2024)
(Office of Origin: DT/BMP/ITA/CS)

5 FAM 911  GENERAL

(CT:IM-317;   05-07-2024)

This subchapter outlines Department policies for acquiring IT and communication products and services, including IT acquisition roles and responsibilities.

5 FAM 912  SCOPE

(CT:IM-317;   05-07-2024)

The acquisition of IT hardware, software, services and support is accomplished through a process that includes planning, budgeting, and program management of IT and communication resources.  This policy is applicable domestically and overseas.

5 FAM 912.1  IT Requirements in Other FAM Volumes and FAH Volumes

(CT:IM-322;   06-14-2024)

Generally, the IT lifecycle begins with planning and budgeting, and considers how the new technology will operate, its lifespan, and total operating costs, as part of overall planning prior to an acquisition.  Below are additional policy references:

(1)  14 FAM 200, Acquisitions, describes general acquisitions policy.

(2)  5 FAM, Information Management, describes IT-related policies that span the Department's IT lifecycle.

(a)  The Department's planning processes, including IT, are discussed in 5 FAM 1000, IT Planning.

(b)  5 FAM 1060, Information Assurance Management, provides more detail on the Authority to Operate processes.

(c)  The operation and management of installed IT assets (i.e., system installation and maintenance, system security, training, and the Internet) are discussed in 5 FAM 800, Information Systems Management.

(d)  The development and management of Departmental IT systems are contained in 5 FAM 600, IT Systems.

(e)  The Department’s IT Systems Handbook is in 5 FAH-5.

5 FAM 913  Leading Practices and Other Resources

(CT:IM-317;   05-07-2024)

a. Requirement writers must follow leading practices when writing requirements. Examples include:

(1)  The Federal Cloud Computing Strategy - Cloud Smart is strategic guidance provided by the Office of Management and Budget (OMB) to Federal agencies on driving cloud adoption, located at Cloud.CIO.gov.

(2)  TechFAR recommends using contractors to support an iterative development process that emphasizes Agile software development, a technique for modular contracting and a proven commercial methodology characterized by incremental and iterative processes in which releases are produced in close collaboration with the customer.  It concentrates primarily on software development procurements (excluding non-developmental and commercially available off-the-shelf items).

(3)  The Digital Services Playbook is a compilation of strategies and best practices developed by the U.S. Digital Service on building federal digital services and specifies Agile iterative development as a critical component for success.  The playbook consists of key “plays” that can help the Government build effective digital services, including encouraging agencies to specify in contracts that software and data generated by third parties remains under the Department’s control and can be reused and released to the public as appropriate and in accordance with the law.

(4)  The Application Rationalization Handbook is a practical guide for how to strategically identify business applications across an organization to determine which to keep, replace, retire, or consolidate.  Successful efforts improve IT portfolio management capabilities, empower leaders to make better decisions, and enhance the delivery of key mission and business services.

(5)  OMB Memo M-16-21, the Federal Source Code Policy, establishes requirements for releasing custom-developed source code, including securing the rights necessary to make some custom-developed code releasable to the public as open-source software; Code.gov serves as the Federal Government's platform for sharing that open-source software.

(6)  The Technology Modernization Fund is an innovative funding vehicle that gives agencies additional and quicker ways to deliver services to the American public, better secure sensitive systems and data, and use taxpayer dollars more efficiently.

(7)  US Web Design System is a design system, maintained by GSA, that reflects the guidance codified in the 21st Century IDEA Act.

(8)  Periodic Table of Acquisition Innovations is a knowledge management portal for innovative acquisition practices and technologies, which is maintained by a public-private partnership and published on FAI.gov.

(9)  FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services, in accordance with FISMA, OMB Circular A-130, and FedRAMP policy.

5 FAM 914  RESPONSIBILITIES

(CT:IM-317;   05-07-2024)

5 FAM 914.1  Requiring Offices

(CT:IM-317;   05-07-2024)

a. The requiring office must:

(1)  Acquire IT in accordance with the Department’s IT Strategic Plan.

(2)  Conduct all IT acquisition activities in accordance with Department-wide acquisition policy (see 14 FAM 220, General Acquisitions) and Department-wide IT acquisition policy herein.

(3)  Follow policy issued by ITA, Contract Services Division (DT/BMP/ITA/CS) for developing IT requirements to meet agency needs.

(4)  Maintain documentation with all required approvals for all IT acquisitions.

(5)  Incorporate leading IT project and product management principles (5 FAM 913) and regulatory security considerations in the design and development of plans, strategies, and requirements for IT acquisitions.

(6)  Require vendors to apply leading IT project and product management practices (5 FAM 913), regulatory security considerations, and IT delivery practices in their approaches to satisfying the Department’s IT requirements.

(7)  Maintain and update documentation throughout the life of an IT acquisition that demonstrates traceability for all IT assets, components, and subassemblies, for all hardware and software subject to 14 FAM 400.

(8)  Reflect all anticipated IT assets, services, and associated security needs in each Bureau Resource Request (BRR).

(9)  Require all individuals assigned a program manager role for major IT investments to acquire and maintain a FAC-P/PM certification.

b. Bureau Executive Directors will adhere to processes, procedures, and requirements for tracking and reporting on all IT acquisition and IT investment planning, budgeting, and spending actions (5 FAM 915.2).

5 FAM 914.2  Bureau of Diplomatic Technology

(CT:IM-317;   05-07-2024)

a. The Department’s Chief Information Officer (CIO) will:

(1)  Provide advice and other assistance to the Secretary of State and senior management on policies and procedures to ensure offices acquire and manage IT and information resources in accordance with law, policy, and guidance.

(2)  Maintain the CIO Assignment Plan in accordance with FITARA implementation guidance from OMB.

(3)  Review IT investment requests across the enterprise and provide guidance to IT program managers through the Capital Planning and Investment Control (CPIC) and Managing State Projects programs.

(4)  Establish and communicate IT priorities through a Department IT Strategic Plan and direct programmatic changes through investment planning and control process reviews in collaboration with the Director of Budget and Planning (BP).

(5)  Participate in the planning of IT initiatives via the pre-select phase for major investments during the budget review and initial baseline processes to provide feedback and guidance.

(6)  Meet OMB Circular A-11 requirements to review and certify the major IT investment portion of the Department’s budget request in coordination with the Director of BP.

(7)  Meet OMB Circular A-130 requirements to establish and apply Federal and Department-wide security and privacy policies and standards.

(8)  Develop guidelines that executive stakeholders (e.g., the Department CFO and CAO) must apply to the planning of all IT resources during budget formulation, including programs with IT components that are not primarily IT oriented.

(9)  Approve the IT investment plans produced by the Department’s annual and multi-year planning, programming, budgeting, and execution activities.

(10)  Certify that IT investments are adequately implementing incremental development, as defined in capital planning guidance issued by OMB.

(11)  Define and maintain overall policies for all capital planning, enterprise architecture, project management, and reporting for IT resources (see 1 FAM 270).

b. The Office of the Enterprise Chief Information Security Officer (DT/E-CISO) will provide guidance to develop, document, and implement the Department’s information security program in compliance with all prevailing Federal and agency authorities, including but not limited to laws, statutes, regulations, policies, and guidance.

c.  The Information Technology Acquisitions Office, Contract Services Division (DT/BMP/ITA/CS) will:

(1)  Establish and maintain Department-wide IT Acquisition policies for developing IT requirements; and

(2)  Provide guidance to develop IT requirements in accordance with this policy through Procure IT and other methods.

d. The Office of the Chief Architect (DT/PDCIO/OCA) will:

(1)  Provide oversight and coordination of the introduction of new hardware and software products and operating systems; upgrades and changes to existing baselines; publication of updates; and the divestment, removal, or prohibition of IT subscriptions, services, and products.

(2)  Implement E-Gov governance to support the goals and objectives during the operational execution of IT.

5 FAM 914.3  Bureau of Administration

(CT:IM-317;   05-07-2024)

a. The Department’s Chief Acquisition Officer (CAO) will:

(1)  Ensure contracting officers, specialists, and other representatives whom they assign to procurements for IT resources adhere to continuous learning requirements and maintain appropriate and relevant certifications (e.g., FAC-C and FAC-C-DS) from Federally recognized issuing organizations, including specialized IT certifications as applicable.  Certification requirements are documented in policy issued by the Senior Procurement Executive’s office and the FAM.

(2)  Collaborate with the Department CIO and, where appropriate, the CFO to develop and maintain Department-wide processes to review all acquisitions, including IT, for opportunities to leverage acquisition initiatives such as shared services, category management, strategic sourcing, and incremental or modular contracting.

(3)  Implement processes to ensure the Department CIO’s approval is obtained for planned acquisition strategies, acquisition plans, and interagency agreements as required by this FAM Chapter.

(4)  Ensure that CIO approval is obtained for all Department contract modifications that make changes that represent a material change to the original contract. This requirement only applies to contracts that previously required the CIO approvals described in 5 FAM 914.3 a (3).

(5)  Coordinate with the CIO and Chief Human Capital Officer (CHCO) to ensure that the size of the acquisition workforce is commensurate with the Department-wide demand for their support and needs of the IT acquisition workforce are properly reflected in the Department’s Acquisition Human Capital Plan.

b. The Department’s Senior Procurement Executive (SPE):

(1)  Has Department-wide responsibility to issue general acquisition policy, provide advice and guidance to the Department’s domestic and foreign contracting offices and staff, and promote innovation.

(2)  Has Department-wide responsibility for managing the implementation of electronic commerce in the Department (see 1 FAM 212.2, Office of the Procurement Executive, for additional acquisition responsibilities held by A/OPE).

(3)  Leads efforts to ensure modular contracts for IT, including orders for increments or useful segments of work, are awarded within 180 days after the solicitation is issued (see OMB Circular A-130).

(4)  Leads efforts to ensure IT acquired using modular contracts, including orders for increments or useful segments of work, is delivered within 18 months after the solicitation resulting in the contract award is issued (see OMB Circular A-130).

(5)  Ensures that all contracting professionals assigned to acquisitions consisting primarily of digital services over the FAR Subpart 13.5 certain commercial item threshold, currently $7.5 million (or $15 million for acquisitions as described in 13.500(c)), obtain a FAC-C core-plus specialization in digital services (FAC-C-DS) certification by successfully completing Digital IT Acquisition Professional Training (DITAP). The SPE may grant waivers to this requirement.

5 FAM 914.4  Bureau of the Comptroller and Global Financial Services

(CT:IM-317;   05-07-2024)

The Department’s Comptroller works with executive stakeholders, including the CIO and the E-Gov Program Board, to develop a full and accurate accounting of IT expenditures, related expenses, and results, as outlined in the Paperwork Reduction Act (PRA) of 1995.

5 FAM 914.5  Bureau of Budget and Planning

(CT:IM-317;   05-07-2024)

The Bureau Director will:

(1)  Coordinate with the CIO to review IT budget resources throughout the funding lifecycle, including but not limited to activities such as reviewing budget justifications, OMB budgetary passback, appeals, operating plans, and Congressional notifications.

(2)  Coordinate with the CIO to validate and monitor major investment performance and mission alignment annually, including reviewing and approving baseline change requests (in accordance with the baseline change request process) for each major IT investment.

5 FAM 914.6  Bureau of Global Talent Management

(CT:IM-317;   05-07-2024)

a. The Department’s Chief Human Capital Officer (CHCO) will:

(1)  Collaborate with the CIO, and CAO where appropriate, to develop and maintain a set of competency requirements for personnel who have any role in the lifecycle of an IT acquisition, including but not limited to contracting officers, contracting specialists, contracting officer’s representatives, government technical monitors, acquisition strategists, evaluation panel participants, program managers, project managers, product managers, product owners, and requirements analysts.

(2)  Collaborate with the CIO and CAO to develop and maintain a current workforce planning process to ensure that the Department can a) anticipate and respond to changing mission requirements and the demands of those requirements on the personnel who play a role in the lifecycle of an IT acquisition; b) maintain workforce skills in a rapidly developing IT environment; and c) recruit and retain the IT talent needed to accomplish its mission.

(3)  Collaborate with the CIO and the Acquisition Career Manager (ACM) to develop policies for strengthening the skills and capabilities of the personnel who have a role in any acquisition with IT, including topics such as the IT acquisition lifecycle at the Department and awareness and application of leading practices for planning, managing, and overseeing procurements that include IT resources.

(4)  Collaborate with the CIO, CAO, and ACM to analyze current IT acquisition staffing challenges and determine if developing or expanding the use of IT acquisition cadres would improve IT program results and/or mission performance.

(5)  Collaborate with the CIO, CAO, and ACM to develop and maintain plans to pilot or expand IT acquisition cadres aligned to IT areas where an opportunity exists to improve IT acquisition outcomes and/or performance significantly.

5 FAM 915  GENERAL IT ACQUISITION POLICIES

(CT:IM-317;   05-07-2024)

5 FAM 915.1  IT Acquisitions Planning

(CT:IM-317;   05-07-2024)

Requiring offices must perform acquisition planning and conduct market research (FAR Part 10) for all acquisitions per FAR 7.102.  Per FAR 7.104, acquisition planning should begin as soon as the agency’s need is identified.

5 FAM 915.2  IT Acquisitions Planning

(CT:IM-317;   05-07-2024)

a. Requiring offices must ensure that all requirements directly for IT, and those that are expected to be delivered using IT, result in the procurement of IT that:

(1)  aligns with mission and program objectives, in coordination with program leadership and in accordance with the applicable legislation and current guidance;

(2)  aligns with the Department’s IT Strategic Plan;

(3)  adheres to Government and Department IT policies and requirements, including but not limited to DT/PDCIO/OCA’s Enterprise Architecture, information security, privacy, accessibility, and the latest versions of the NIST Special Publication 500 and 800 series;

(4)  identifies end-of-life software and systems and plans to retire them, or to migrate and modernize to improved solutions as they become available;

(5)  is not duplicative of already available IT resources or other cost-effective alternatives; and

(6)  complies with Section 508 of the Rehabilitation Act of 1973, FAR Part 39, and 5 FAH-8 H-510.

b.  Requiring offices will consider the following factors when planning IT acquisitions:

(1)  the goals, needs, and behaviors of current and prospective managers and users of the service, to strengthen the understanding of the requirements for the IT acquisition;

(2)  the ability to meet operational or mission requirements, total life cycle cost of ownership, performance, security, interoperability, privacy, accessibility, ability to share or reuse, resources required to switch vendors, and availability of quality support;

(3)  the suitability of existing Federal IT and related services, including software, Federal shared services, and commercially available solutions, before embarking upon new software and IT development;

(4)  the suitability of existing contract vehicles to satisfy requirements, which reduces procurement lead times and affords the Department pre-negotiated discounts for IT hardware, cloud, and services; consider Department-issued vehicles first, followed by current and future Best-in-Class (BIC) government-wide vehicles (current examples include GSA Multiple Award Schedule, NITAAC, Alliant, STARS, and NASA SEWP); and

(5)  the goals of the Department’s Greening Diplomacy Initiative (M/SS/GDI), as well as overarching executive branch guidance and policy.

c. Requiring offices must consider using suitable existing Federal IT resources and commercially available solutions to ensure effective management of Federal resources.

d. Requiring offices will affirm that information system security levels are established for an IT acquisition commensurate with the impact that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of the information involved (see NIST FIPS PUB 199).

e.  Requiring offices will affirm that appropriate provisions in contracts, and other agreements, are included in an IT acquisition to encourage recipients of Federal funding to maximize access to data developed under an award and to prepare data management plans that describe data to be created in funded programs and approaches for long-term preservation and access to created data.

f. Requiring offices must affirm that the terms and conditions for an IT acquisition involving the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of Federal information incorporate security and privacy requirements (5 FAM 1060) and are sufficient to enable the Department to meet Federal and agency-specific requirements pertaining to the protection of Federal information.

g. Requiring offices will affirm that the terms and conditions for an IT acquisition incorporate all relevant FAR and DOSAR clauses regarding data rights per FAR Subpart 27.4 and DOSAR Part 627.

h.  Requiring offices will ensure that the terms and conditions for an IT acquisition adhere to the requirements of OMB Memoranda regarding the purchase of various IT assets, including M-16-02 for the purchase of laptops and desktops.

5 FAM 916  CLOUD ACQUISITIONS

(CT:IM-317;   05-07-2024)

5 FAM 916.1  Security Considerations

(CT:IM-317;   05-07-2024)

a.  Contracts requiring cloud products or services must include all applicable FedRAMP requirements as well as OMB, DHS and NIST directives. At a minimum, a contract for cloud services will:

(1)  Require Cloud Service Providers (CSPs) to comply with FedRAMP security requirements. 

(2)  Require maintenance of FedRAMP security authorizations.

(3)  Require CSPs to route traffic in accordance with the current Trusted Internet Connection (TIC) standard.

(4)  Include contractual provisions that specify the security impact level (see NIST FIPS PUB 199) the CSP environment must meet and the specific security controls that must be implemented to ensure the CSP environment meets Department security standards.

b. CSPs must comply with the following department-specific security requirements:

(1)  The CSP must use only cryptographic modules validated under the current version of FIPS 140 (i.e., modules listed by the NIST Cryptographic Module Validation Program, operated in their validated configuration).

(2)  The CSP will support a secure, multi-factor method of remote authentication and authorization that gives identified system administrators and other designated personnel the ability to perform management duties on the system.

(3)  The CSP must document activities associated with the transport of Department information on digital and non-digital media and employ cryptographic mechanisms to protect the confidentiality and integrity of that information while it is stored on or transported by such media.

(4)  CSP will furnish documentation reflecting favorable adjudication of the appropriate background investigations, according to the level of classification for the system, for all personnel supporting the system.

(5)  The CSP must provide security mechanisms for securing data at rest and in transit in accordance with the applicable encryption standard.

5 FAM 916.2  Software Enterprise Agreements (EA)

(CT:IM-322;   06-14-2024)

a. The Software and Sourcing Management Division of the Office for IT Acquisitions (DT/BMP/ITA/SSM), within the Bureau of Diplomatic Technology’s Directorate of Business, Management, and Planning, is responsible for managing software Enterprise Agreements (EAs) by providing services including, but not limited to, executing Contracting Officer Representative (COR) functions throughout the acquisition life cycle, including contract administration, and leading renewal activities.

b. All EAs are enterprise in nature, meaning the agreement must support the needs of the Department at the agency’s utilization capacity.

c. EAs must be with an Original Equipment Manufacturer (OEM) or a reseller able to provide the required software items.

d. All EAs must have a designated product owner.  The product owner is responsible for all configuration tasks, including maintenance, technical customer support, and ensuring the feasibility/governance of the products/solutions.

(1)  Subsequent task/delivery orders or calls may be organized by the requiring office in concert with the Office of Acquisitions Management (AQM), based on the funding levels and terms of the established agreement with the vendor(s).

e. The requiring office may prepare the procurement request package establishing the EA, or it may request that ITA/SSM prepare it, which requires the requiring office to transfer contract administration functions to ITA/SSM.  Requiring offices are encouraged to use ProcureIT when developing the procurement request package.  The following parameters are required for ITA/SSM to prepare procurement request packages:

(1)  The overarching EA recurring financial obligation history or anticipated value must have a minimum annual threshold value of $6 million per fiscal year.

(2)  Recurring purchases that are less than $6 million annually can be reviewed on a case-by-case basis by ITA leadership for consideration of EA status.

(3)  EAs transferred in must have identified funding for the current year and the next two budget cycles.

(4)  EAs must have a minimum performance period of 3 years or be reviewed by ITA leadership for consideration of EA status.

f. When requesting a new EA, the Office Director of the requesting office must provide the following to ITA/SSM:

(1)  Product Owner (Name, Email, Phone Number);

(2)  Acknowledgement that the requiring office will provide funding until the EA can be added to the Bureau Resource Request (BRR), if it is being paid for by ITA/SSM;

(3)  Period of Performance estimate; and

(4)  At least 12 months lead time for the development of acquisition documents as required by A/OPE.

g. The requiring office will produce, or assist in developing, the pre-acquisition documentation for the PR package, including but not limited to:

(1)  Requirements document: Statement of Work (SOW), Performance Work Statement (PWS), or Statement of Objectives (SOO);

(2)  Market Research Report, Requests for Information, and Sources Sought Notice;

(3)  Independent Government Cost Estimate (IGCE);

(4)  Justifications for Other Than Full and Open Competition (if applicable);

(5)  Analysis of Alternatives;

(6)  CPIC Clearance;

(7)  FedRAMP, ATO, and Enterprise Architect approvals; and

(8)  Service Level Agreement (SLA) (see 5 FAM 916.3).

h. Procedures and templates established by ITA and AQM are used in the drafting and clearance process for all EAs.  All clearances and approvals, as identified by L, DT, or AQM, in conjunction with statutory and regulatory guidance, are required to be obtained prior to solicitation and the award of any contract or agreement that establishes an EA.

i. If funding is transferred to DT in partnership with another bureau for a software EA, a memorandum of agreement (MOA) detailing the funding transfer schedule is required.  The MOA must specify that the funding transfer will occur 150 days prior to the renewal or expiration of the term.  Purchase Requests (PRs) must be fully approved and submitted to AQM 120 days ahead of the renewal date.

j. Purchasing software that is managed through an ITA/SSM EA as other direct costs (ODCs) is not allowed.

k. All purchases of software managed through an EA by ITA/SSM must be purchased through the authorized Department of State reseller(s).

l. When transferring an existing contract or agreement to ITA/SSM, the Office Director of the requesting office must provide the following to ITA/SSM:

(1)  Product Owner (Name, Email, and Phone Number);

(2)  Contract/Agreement Details:

(a)   All historical and current contract or agreement documents;

(b)  Contracting Officer;

(c)  Contracting Officer Representative;

(d)  Period of Performance and Dates; and

(e)  Contract Ceiling.

(3)  Annual obligation; and

(4)  List of participating offices.

5 FAM 916.3  Service Level Agreements (SLA) with Cloud Service Providers

(CT:IM-322;   06-14-2024)

Determining the need for an SLA and executing it rests with the requesting office.  Requesting offices will review the SLAs provided by the Original Equipment Manufacturers (OEMs) and determine whether they are sufficient for the program office’s requirements.  Requesting offices have the option to author SLAs.  At a minimum, a sufficient SLA will establish:

(1)  the required availability of the platform or subscription;

(2)  continuous awareness of the confidentiality, integrity, and availability of the Department’s information, in accordance with OMB, DHS, and NIST guidance;

(3)  the roles and responsibilities of the Department and the commercial cloud service provider;

(4)  timelines for the Department to be alerted to lapses in SLA metrics;

(5)  clear, measurable performance metrics for the provider, including how each metric is measured; and

(6)  remediation plans for non-compliance.

5 FAM 917  DIGITAL SERVICE ACQUISITIONS

(CT:IM-317;   05-07-2024)

5 FAM 917.1  Contract Considerations

(CT:IM-317;   05-07-2024)

a. IT service contracts will be written to accommodate Agile, Lean, or similar methodologies.

b. Requiring offices and acquisition personnel should collaborate when developing acquisition plans and packages to consider the following:

(1)  How to apply leading practices for Agile delivery contracts, including but not limited to using a statement of objectives (SOO), avoiding overly prescriptive requirements, and defining what constitutes complete (the "definition of done").

(2)  Clarifying the government’s role and expectations as a product owner relative to defining requirements, setting priorities, and accepting work products.

(3)  Including the number and cadence of increments as contractual deliverables for performance evaluation.

(4)  How to provide flexibility for the buyer and vendor to adjust their activities (e.g., what features to develop incrementally) to maximize their delivery against the project vision and objectives.

5 FAM 917.2  Digital Services Contract Strategies

(CT:IM-317;   05-07-2024)

In creating digital service contracts, acquisition professionals and requiring offices should consider contractual strategies that increase performance. Examples include:

(1)  Modular Contracting; and

(2)  Sprint Based pricing structures.

5 FAM 917.3  Technical Evaluation Considerations

(CT:IM-317;   05-07-2024)

Digital services will be evaluated using best value methodologies. The integrated procurement team must consider using the following technical evaluation factors in their solicitation:

(1)  Cybersecurity (e.g., supply chain risk management (SCRM));

(2)  The Proposed Team (e.g., how long they have worked together and what they have produced in that time); and

(3)  Technical Challenges (e.g., reviews of previous code repositories and/or on-the-spot technical questions during oral presentations).

5 FAM 917.4  Digital Services Contract Outcomes

(CT:IM-317;   05-07-2024)

a. Requiring offices will include measurable outcomes that reflect the results sought from the software development, deployment, operations, and disposal processes.

(1)  Requiring offices should be able to independently reproduce, recreate, or recompile the delivered software from the delivered source code, in order to validate that the contractor has met the contract deliverable requirements.  In practice this means the build scripts, dependency manifests, and toolchain needed to rebuild the software must be delivered along with the source.

(2)  Requiring offices must ensure contracts include clauses specifically requiring that the systems and software to be delivered are adequately secure for their purpose, including the appropriate use of software assurance practices to identify and address vulnerabilities.

b. Where product complexity does not allow for standard evaluation of outcome, the procurement team may use a reusable set of tailored questions to assess whether the desired outcome is achieved. It is essential programs periodically reevaluate the questions and measurements to ensure they are assessing the relevant concerns. A list of potential questions is included in Procure IT.

5 FAM 918  APPROVALS FOR IT ACQUISITIONS

(CT:IM-322;   06-14-2024)

The requirements for approvals and documentation for IT acquisitions are based on the total dollar value of the acquisition, inclusive of all options, using the following ranges:

(1)  For IT acquisitions with a total dollar value up to the Simplified Acquisition Threshold (SAT), the requiring office must prepare an IT Acquisition Request (ITAR) containing all documentation required by the requiring office’s policies and procedures.  The requiring office must obtain all necessary reviews and approvals prior to submitting the approved request to the procurement office.

(2)  IT acquisition requests of $10,000 or more require CIO approval, including procurements intended as foreign assistance and those that will never be connected to a Department of State network.  Approval routing, based on the correct product service code, is automated through the acquisition software.

(3)  For IT acquisitions with a total dollar value above the SAT up to $9,999,999:

(a)  The requiring office will prepare an ITAR consisting of the following documents:

(i)     A procurement request package (PRP) that meets the requirements in 14 FAH-2 H-330, PRP.

(ii)     A simplified benefit cost analysis (BCA), if required by 5 FAM 660 (See 5 FAM 660, BCA and 5 FAH-5 H-620, Benefit Cost Analysis Process).

(b)  Once completed, submit the ITAR to the Office Director of the requiring office. Once approved, the ITAR must be submitted to the procurement office.

(4)  For IT acquisitions with a total dollar value between $10,000,000 and $29,999,999:

(a)  The requiring office will prepare an ITAR consisting of the following documents:

(i)     A PRP that meets the requirements in 14 FAH-2 H-330, PRP.

(ii)     A full BCA (see 5 FAM 660, BCA and 5 FAH-5 H-620, BCA Process).

(b)  The relevant Deputy Assistant Secretary in the requiring office’s bureau reviews/approves the PRP and BCA prior to submitting the request to the procurement office.

(c)  The Department CIO must approve, in writing, the PRP and BCA for acquisitions with a value of $10 million or more per fiscal year before the ITAR is submitted to the procurement office.

(5)  For IT acquisitions with a total dollar value of $30,000,000 or above:

(a)  The requiring office will prepare an ITAR consisting of the following documents:

(i)     A PRP that meets the requirements in 14 FAH-2 H-330, PRP.

(ii)     A full BCA (see 5 FAM 660, BCA and 5 FAH-5 H-620, BCA Process).

(b)  The Assistant Secretary in the requiring office’s bureau reviews/approves the ITAR prior to submitting the request to the procurement office.  The contracting activity will coordinate the review of the solicitation with the CIO, CFO, and A/OPE.

(c)  The Department CIO also approves, in writing, the ITAR, if it has a value of $10 million or more per fiscal year, before the request is submitted to the procurement office.

5 FAM 919  REFERENCES

(CT:IM-317;   05-07-2024)

5 FAM 919.1  Acronyms

(CT:IM-317;   05-07-2024)

Acquisition Career Manager (ACM)

Bureau Resource Request (BRR)

Capital Planning and Investment Control (CPIC)

Chief Acquisition Officer (CAO)

Chief Financial Officer (CFO)

Chief Human Capital Officer (CHCO)

Chief Information Officer (CIO)

Cloud Service Provider (CSP)

Federal Information Security Modernization Act (FISMA)

Independent Government Cost Estimate (IGCE)

Information Technology (IT)

Information Technology Acquisitions (ITA)

IT Acquisition Request (ITAR)

Office of Management and Budget (OMB)

Performance Work Statement (PWS)

Senior Procurement Executive (SPE)

Simplified Acquisition Threshold (SAT)

Statement of Objectives (SOO)

Statement of Work (SOW)

Trusted Internet Connection (TIC)

5 FAM 919.2  Definitions

(CT:IM-317;   05-07-2024)

For purposes of this subchapter, the following definitions apply:

Agile: An approach using iterative, incremental, and collaborative processes to deliver small, frequent software releases.

Authority to Operate (ATO): A formal declaration by an Authorizing Official (AO) that authorizes the operation of a business product and explicitly accepts the risk to agency operations.

Category Management: A government-wide initiative led by the Office of Management and Budget (OMB) to improve how agencies buy common products and services.

Cybersecurity Supply Chain Risk Management (C-SCRM): A systematic process for managing supply chain risk exposures, threats, and vulnerabilities throughout the supply chain and developing risk response strategies to the risks presented by the supplier, the supplied products and services, or the supply chain.

Data: Recorded information, regardless of form or the media on which the data is recorded.

Data Rights: The legal rights of a contractor and/or the government in data, including technical data, intellectual property, and software. Data can include a proposal, source selection, software, management, concepts, and technical packages. There are three general classes of rights the government may assert for data under a government contract: “unlimited rights,” “limited rights,” and “restricted computer software.” (FAR 27.4)

DevOps: Collaboration of operations and development engineers fulfilling business needs by delivering stable, secure, and reliable services to customers.

DevSecOps: An approach to culture, automation, and platform design that integrates application and infrastructure security seamlessly into Agile and DevOps processes and tools to address security issues as they emerge.

Digital Service: Services delivered over the internet or an electronic network rendering their supply essentially automated and involving minimal human intervention.

Enterprise License Agreements (ELA): A Department-wide contract allowing the purchase of a software product at a discounted, fixed rate for a certain time period.

Federal Acquisition Certification in Contracting – Digital Services (FAC-C-DS): A federal acquisition certification that an IT acquisition professional may obtain only after completing the Digital IT Acquisition Program (DITAP).

Federal Risk and Authorization Management Program (FedRAMP): A government-wide program promoting the adoption of secure cloud services across the federal government. It provides a standardized approach to security and risk assessment for cloud technologies to the Federal agencies.

Information Resources: Information and related resources, such as personnel, equipment, funds, and IT (44 U.S.C. 3502(6)).

IT Lifecycle: The process of managing the stages of technology or equipment from acquisition to disposal or replacement. It involves planning, procurement/deployment, operations, support, refresh, and retirement.

Machine Learning: An area of computer science that uses data to derive algorithms and learning models. It applies learned generalizations to new situations and tasks that do not involve direct human programming. It has also become a major part of big data and analytics practices, helping to identify hidden insights and make smarter recommendations that inform human decision-making.

Major IT Investment: An IT investment requiring special management attention because of its importance to the mission or function of the government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major by the agency’s capital planning and investment control process. This includes all “major acquisitions” defined in the OMB Circular A-11 Capital Programming Guide consisting of information resources. Investments not considered “major” are “non-major.”

Minimal Viable Product: Represents the earliest version of a product with enough completed features to be usable by early customers, who can then provide feedback for future product development.

Modular Contracting: An acquisition strategy where a product is acquired in successive, interoperable increments, intending to reduce program risk and incentivize contractor performance, meeting the government's need for timely access to rapidly changing technology.  (See 41 U.S.C. 2308, FAR 39.103).

Open Source: Software for which the original source code is freely available and may be redistributed and modified.

Product Management: An organizational function that aims to maximize the value of a product by optimizing every step of the product lifecycle.

Procure IT: An automated, guided tool to assist requiring offices in determining their IT acquisition needs.

Service-Level Agreement (SLA): Defines the level of service expected from a vendor, laying out the metrics by which service is measured, as well as remedies or penalties should agreed-on service levels not be achieved. It is a critical component of any technology vendor contract.

5 FAM 919.3  Authorities

(CT:IM-317;   05-07-2024)

N/A

5 FAM 919.4  Exhibits

(CT:IM-317;   05-07-2024)

N/A

5 FAM 919.5  Related FAM/FAH

(CT:IM-324;   06-28-2024)

a. 1 FAM 270, Bureau of Diplomatic Technology (DT);

b. 1 FAM 212.2, Office of the Procurement Executive (A/OPE);

c.  1 FAM 273.4;

d. 5 FAM 600, Information Technology Systems;

e. 5 FAM 660, Benefit Cost Analysis (BCA);

f.  5 FAM 800, Information Systems Management;

g. 5 FAM 1000, Information Technology (IT) Planning;

h. 5 FAM 1060, Information Assurance Management;

i.  14 FAM 200, Acquisitions;

j.  14 FAM 220, General Acquisitions;

k. 5 FAH-5 H-620, Benefit-Cost Analysis (BCA) Process;

l.  14 FAH-2 H-330, Procurement Request Package (PRP).
