Skip to main content


Change Number: Change 183 GSAR Case 2022-G517
Effective Date: 07/08/2024

Part 539 - Acquisition of Information Technology

Part 539 - Acquisition of Information Technology

539.001 Applicability.

(a)In accordance with FAR 39.001, this part does not apply to acquisitions of information or information systems in support of national security systems. Refer to subpart 504.4 for guidance for any procurements that may involve access to classified information or a classified information system. See subpart 507.70 for guidance for purchases in support of national security systems involving weapons systems.

(b)Refer to 504.1370 and 542.302 for additional requirements for individual access management (i.e., HSPD-12) to GSA Information Systems.

(c)Refer to 511.170 for additional requirements for GSA Information Systems.

Subpart 539.1 - General

539.101 Policy.

(a) Standard Configurations. See section 511.170 for any applicable standard configurations for GSA information technology procurements.

(b) CIO Coordination. See sections 507.104, 511.170, and 543.102 for required coordination and approval by the GSA Chief Information Officer (CIO) for procurements involving GSA information technology. For interagency acquisitions, see section 517.502-70.

(c) GSA IT Standards Approval. See section 511.170 for any necessary GSA IT Standards Profile approvals.

(d) Internet Protocol Version 6 (IPv6).

(1)  See 511.170(d) for guidance on developing requirements to ensure information technology that will have the capability to access the Internet or any network complies with Internet Protocol Version 6 (IPv6).

(2)  The Contracting Officer or Contracting Officer's Representative must validate contractor compliance with IPv6 contract requirements as part of the review and acceptance process when products or systems are delivered. Evidence may include any of the following:

(i) The Supplier's Declaration of Conformity (SDOC). The template for the SDOC can be found on the National Institute of Standards and Technology (NIST) website available at;

(ii) Laboratory Certification. The product being acquired has been tested and shown to be IPv6 compliant by an accredited laboratory. A listing of tested/certified products can be found on the NIST available at; or

(iii)  Practical Demonstration. The product can be shown to the GSA Contracting Officer or Contracting Officer's Representative to be IPv6 compliant via practical demonstration, or by an otherwise credible validation of technical support.

(e)  Software Code. See 511.170(e) and 511.170(f) for guidance on procuring software code.

(f)  Supply Chain Risk Management. See subpart  504.70 for guidance on identifying and mitigating supply chain risks.

(g) Unmanned Aircraft Systems (UAS). See subpart  537.70 for guidance on UAS, commonly referred to as “drones”.

Subpart 539.70 Requirements for GSA Information Systems

539.7000 Scope of subpart.

This subpart prescribes acquisition policies and procedures for use in acquiring GSA Information Systems.

539.7001 Policy.

(a)GSA must provide information security for the information and information system that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

(b)Employees responsible for procuring or managing information technology supplies, services and systems shall possess the appropriate security clearance associated with the level of security classification related to the acquisition. They include, but are not limited to contracting officers, contract specialists, project/program managers, and contracting officer representatives.

(c)The contracting officer or contracting officer’s representative shall validate that all applicable contractor submissions meet contract requirements (e.g., statement of work, contractor’s accepted proposal) and are provided by the contractor in accordance with the contract schedule. The contracting officer or contracting officer’s representative shall coordinate with GSA IT as needed in determining contractor compliance. Guidance for identifying the applicable GSA IT point of contact is located on the Acquisition Portal at