NOAA Acquisition Manual

Subchapter F - Special Categories of Contracting


Part 1330-39 Acquisition of Information Technology

Subpart 1330-39.1 General

1330-39.101-70 Chief Information Officer Approval for IT Products and Services

1330-39.101-71 Supply Chain Risk Management for Acquiring High and Moderate Impact Information Systems

1330-39.170 Purchases for Incident Management Software

Subpart 1330-39.2 Electronic and Information Technology

1330-39.203 Applicability

1330-39.204 Exceptions


Part 1330-39 Acquisition of Information Technology

Subpart 1330-39.1 General

1330-39.101-70 Chief Information Officer Approval for IT Products and Services

(a) All NOAA requisitions for procurement actions containing a preponderance of IT for either mission or infrastructure, above the micro-purchase threshold, shall be accompanied by a completed NOAALink Worksheet and routed via C-Suite to the NOAALink Program Office (NPO) for CIO approval. A NOAALink Worksheet and the procedures for completing the worksheet may be accessed through the NOAALink Forms and Documents page.

(b) Requisitions for IT-related procurement actions that are not accompanied by an approved NOAALink Worksheet will be returned to the requisitioner, and

(c) Requisitions requiring an acquisition plan shall receive CIO approval prior to submission to the contracting officer.  


1330-39.101-71 Supply Chain Risk Management for Acquiring High and Moderate Impact Information Systems

(a) Section 515 of the Consolidated and Further Continuing Appropriations Act, 2015, P.L. 113-235, Div. B, Title V states that none of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce (DOC) and Justice, the National Aeronautics and Space Administration (NASA), or the National Science Foundation (NSF) to acquire a high-impact or moderate-impact information system, as defined for security categorization in the National Institute of Standards and Technology’s (NIST) Federal Information Processing Standard Publication 199, “Standards for Security Categorization of Federal Information and Information Systems” (FIPS-199) unless the agency has—

  1. Reviewed the supply chain risk for the information systems against criteria developed by NIST to inform acquisition decisions for high-impact and moderate-impact information systems within the Federal Government;
  2. Reviewed the supply chain risk from the presumptive awardee against available and relevant threat information provided by the Federal Bureau of Investigation and other appropriate agencies; and
  3. In consultation with the Federal Bureau of Investigation or other appropriate Federal entity, conducted an assessment of any risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured, or assembled by one or more entities identified by the United States Government as posing a cyber threat, including but not limited to, those that may be owned, directed, or subsidized by the People’s Republic of China.  


Section 515 specifically references FIPS-199 for its definition of the terms “high-impact,” “moderate-impact,” and “information system.”  FIPS-199 defines information system as, “A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”

(b) Contracting officers procuring Information Technology (IT) shall:

  1. Follow the policy and requirements of PM 2015-08 for moderate and high impact information systems, or any subsequent policy issued.
  2. The NOAA Chief Information Officer (CIO) shall determine if the acquisition is subject to a Supply Chain Risk Assessment (SCRA).  This determination may be delegated. The CIO has determined that purchases meeting any of the three categories below shall be treated as “Covered IT”: 
    1. The acquisition of a new Information System, i.e. purchase of an Information System that does not have an existing Authorization to Operate (ATO). 
    2. The acquisition of components to replace or upgrade 51 percent or more of an existing FIPS-199 Moderate Information System. 
    3. The acquisition of component(s) that, if installed, would cause a significant change to an existing FISMA system as determined by the Authorizing Official(s) or the NOAA CIO.

  3. Contracting officers shall ensure that the requisitioner includes with the purchase requisition an approved IT Compliance in Acquisition Checklist.
  4. Contracting officers shall continue to use the contract language identified in PM 2015-08 Section 5.
  5. Prior to making an award, the contracting officers shall comply with the approved SCR Assessment Determination and include the determination in the contract file.

1330-39.170 Purchases for Incident Management Software

(a) All acquisitions related to incident emergency management shall require that any purchase of incident management software or services include the requirement that it comply with the most current version of the Organization for the Advancement of Structured Information Standards (OASIS) Common Alerting Protocol (CAP) standard.

(b) The contracting officer shall insert the solicitation and contract language located at 1330-52.239-170 Incident Emergency Management, in solicitations and resulting contracts or orders to ensure compliance with and use of the most current version of the OASIS CAP standard.


Subpart 1330-39.2 Electronic and Information Technology

1330-39.203 Applicability

(b)(2) Exception determination requirements in this section also apply to BPAs.

(c)(2)(A) Use the Non-Availability Certification form.

(c)(2)(B) The approving official who signed the PR shall review and approve the Non-Availability Certification.

1330-39.204 Exceptions

(e)(2)(A) Use the Undue Burden form.

(e)(2)(B) The requiring official’s DAA or equivalent, and the agency’s Chief Information Officer (CIO) shall review and approve Undue Burden documentation.
