Part 204 - ADMINISTRATIVE AND INFORMATION MATTERS
Subpart 204.1 - CONTRACT EXECUTION
204.101 Contracting officer's signature.
Subpart 204.2 - CONTRACT DISTRIBUTION
204.203 Taxpayer identification information.
204.270 Electronic Data Access.
Subpart 204.4 - SAFEGUARDING CLASSIFIED INFORMATION WITHIN INDUSTRY
204.403 Responsibilities of contracting officers.
204.404-70 Additional contract clauses.
204.470 U.S.-International Atomic Energy Agency Additional Protocol.
204.470-2 National security exclusion.
Subpart 204.6 - CONTRACT REPORTING
Subpart 204.8 - CONTRACT FILES
204.804 Closeout of contract files.
204.805 Disposal of contract files.
Subpart 204.9 - TAXPAYER IDENTIFICATION NUMBER INFORMATION
Subpart 204.11 - SYSTEM FOR AWARD MANAGEMENT
Subpart 204.12 - ANNUAL REPRESENTATIONS AND CERTIFICATIONS
204.1202 Solicitation provision and contract clause.
Subpart 204.16 - UNIFORM PROCUREMENTINSTRUMENT IDENTIFIERS
204.1670 Cross reference to Federal Procurement Data System.
204.1671 Order of application for modifications.
Subpart 204.17 - SERVICE CONTRACTS INVENTORY
204.1703 Reporting requirements.
Subpart 204.18 - COMMERCIAL AND GOVERNMENT ENTITY CODE
204.2105 Solicitation provisions and contract clause.
Subpart 204.71 - UNIFORM CONTRACT LINE ITEM NUMBERING SYSTEM
204.7103-1 Criteria for establishing.
204.7103-2 Numbering procedures.
204.7104 Contract subline items.
204.7104-1 Criteria for establishing.
204.7104-2 Numbering procedures.
204.7105 Contract exhibits and attachments.
204.7106 Contract modifications.
204.7108 Payment instructions.
Subpart 204.72 - ANTITERRORISM AWARENESS TRAINING
Subpart 204.73 - SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING
204.7304 Solicitation provision and contract clauses.
Subpart 204.74 - DISCLOSURE OF INFORMATION TO LITIGATION SUPPORT CONTRACTORS
Subpart 204.75 - CYBERSECURITY MATURITY MODEL CERTIFICATION
Subpart 204.1 - CONTRACT EXECUTION
204.101 Contracting officer's signature.
Follow the procedures at PGI 204.101 for signature of contract documents.
Subpart 204.2 - CONTRACT DISTRIBUTION
204.201 Procedures.
Follow the procedures at PGI 204.201 for the distribution of contracts and modifications.
(a) In lieu of the requirement at FAR 4.201(a), contracting officers shall distribute one signed copy or reproduction of the signed contract to the contractor.
204.203 Taxpayer identification information.
(b) The procedure at FAR 4.203(b) does not apply to contracts that include the provision at FAR 52.204-7, System for Award Management. The payment office obtains the taxpayer identification number and the type of organization from the System for Award Management database.
204.270 Electronic Data Access.
204.270-1 Policy.
(a) The Electronic Data Access (EDA) system, an online repository for contractual instruments and supporting documents, is DoD’s primary tool for electronic distribution of contract documents and contract data. Contract attachments shall be uploaded to EDA, except for contract attachments that are classified, are too sensitive for widespread distribution (e.g., personally identifiable information and Privacy Act and Health Insurance Portability and Accountability Act, or cannot be practicably converted to electronic format (e.g., samples, drawings, and models). Section J (or similar location when the Uniform Contract Format is not used) shall include the annotation “provided under separate cover” for any attachment not uploaded to EDA.
(b) Agencies are responsible for ensuring the following when posting documents, including contractual instruments, to EDA—
(1) The timely distribution of documents; and
(2) That internal controls are in place to ensure that—
(i) The electronic version of a contract document in EDA is an accurate representation of the contract; and
(ii) The contract data in EDA is an accurate representation of the underlying contract.
204.270-2 Procedures.
(b) The procedures at PGI 204.270-2 (b) provide details on how to record the results of data verification in EDA. When these procedures are followed, contract documents and data in EDA are an accurate representation of the contract and therefore may be used for audit purposes.
(c) The procedures at PGI 204.270-2 (c) provide details on the creation and processing of contract deficiency reports, which are used to correct problems with contracts distributed in EDA.
Subpart 204.4 - SAFEGUARDING CLASSIFIED INFORMATION WITHIN INDUSTRY
204.402 General.
DoD employees or members of the Armed Forces who are assigned to or visiting a contractor facility and are engaged in oversight of an acquisition program will retain control of their work products, both classified and unclassified (see PGI 204.402 ).
204.403 Responsibilities of contracting officers.
(1) Contracting officers shall ensure that solicitations comply with PGI 204.403 (1).
(2) For additional guidance on determining a project to be fundamental research in accordance with 252.204-7000 (a)(3), see PGI 204.403 (2).
204.404 Contract clause.
204.404-70 Additional contract clauses.
(a) Use the clause at 252.204-7000 , Disclosure of Information, in solicitations and contracts when the contractor will have access to or generate unclassified information that may be sensitive and inappropriate for release to the public.
(b) Use the clause at 252.204-7003 , Control of Government Personnel Work Product, in all solicitations and contracts.
204.470 U.S.-International Atomic Energy Agency Additional Protocol.
204.470-1 General.
Under the U.S.-International Atomic Energy Agency Additional Protocol (U.S.-IAEA AP), the United States is required to declare a wide range of public and private nuclear-related activities to the IAEA and potentially provide access to IAEA inspectors for verification purposes.
204.470-2 National security exclusion.
(a) The U.S.-IAEA AP permits the United States unilaterally to declare exclusions from inspection requirements for activities, or locations or information associated with such activities, with direct national security significance.
(b) In order to ensure that all relevant activities are reviewed for direct national security significance, both current and former activities, and associated locations or information, are to be considered for applicability for a national security exclusion.
(c) If a DoD program manager receives notification from a contractor that the contractor is required to report any of its activities in accordance with the U.S.-IAEA AP, the program manager will—
(1) Conduct a security assessment to determine if, and by what means, access may be granted to the IAEA; or
(2) Provide written justification to the component or agency treaty office for application of the national security exclusion at that location to exclude access by the IAEA, in accordance with DoD Instruction 2060.03, Application of the National Security Exclusion to the Agreements Between the United States of America and the International Atomic Energy Agency for the Application of Safeguards in the United States of America.
204.470-3 Contract clause.
Use the clause at 252.204-7010 , Requirement for Contractor to Notify DoD if the Contractor’s Activities are Subject to Reporting Under the U.S.-International Atomic Energy Agency Additional Protocol, in solicitations and contracts for research and development or major defense acquisition programs involving—
(a) Any fissionable materials (e.g., uranium, plutonium, neptunium, thorium, americium);
(b) Other radiological source materials; or
(c) Technologies directly related to nuclear power production, including nuclear or radiological waste materials.
Subpart 204.6 - CONTRACT REPORTING
204.602 General.
See PGI 204.602 for additional information on the Federal Procurement Data System (FPDS) and procedures for resolving technical or policy issues relating to FPDS.
204.604 Responsibilities.
(1) The process for reporting contract actions to FPDS should, where possible, be automated by incorporating it into contract writing systems.
(2) Data in FPDS is stored indefinitely and is electronically retrievable. Therefore, the contracting officer may reference the contract action report (CAR) approval date in the associated Government contract file instead of including a paper copy of the electronically submitted CAR in the file. Such reference satisfies contract file documentation requirements of FAR 4.803(a).
(3) By December 15th of each year, the chief acquisition officer of each DoD component required to report its contract actions shall submit to the Principal Director, Defense Pricing, Contracting, and Acquisition Policy, its annual certification and data validation results for the preceding fiscal year in accordance with the DoD Data Improvement Plan requirements at https://www.acq.osd.mil/asda/dpc/ce/cap/index.html . The Principal Director, Defense Pricing, Contracting, and Acquisition Policy, will submit a consolidated DoD annual certification to the Office of Management and Budget by January 5th of each year.
204.606 Reporting data.
In addition to FAR 4.606, follow the procedures at PGI 204.606 for reporting data to FPDS.
Subpart 204.8 - CONTRACT FILES
204.802 Contract files.
(a) Any document posted to the Electronic Data Access (EDA) system is part of the contract file and is accessible by multiple parties, including the contractor. Do not include in EDA contract documents that are classified, too sensitive for widespread distribution (e.g., personally identifiable information and Privacy Act and Health Insurance Portability and Accountability Act), or attachments that cannot be practicably converted to electronic format (e.g., samples, drawings, and models). Inclusion of any document in EDA other than contracts, modifications, and orders is optional.
(f) A photocopy, facsimile, electronic, mechanically-applied and printed signature, seal, and date are considered to be an original signature, seal, and date.
204.804 Closeout of contract files.
(1) Except as provided in paragraph (3) of this section, contracting officers shall close out contracts in accordance with the procedures at PGI 204.804 . The closeout date for file purposes shall be determined and documented by the procuring contracting officer.
(2) The head of the contracting activity shall assign the highest priority to close out of contracts awarded for performance in a contingency area. Heads of contracting activities shall monitor and assess on a regular basis the progress of contingency contract closeout activities and take appropriate steps if a backlog occurs. For guidance on the planning and execution of closing out such contracts, see PGI 207.105 (b)(20)(C)(8) and PGI 225.373 (e).
(3)(i) In accordance with section 836 of the National Defense Authorization Act for Fiscal Year 2017 (Pub. L. 114-328), section 824 of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91), and section 820 of the National Defense Authorization Act for Fiscal Year 2021 (Pub. L. 116-283), contracting officers may close out contracts or groups of contracts through issuance of one or more modifications to such contracts without completing a reconciliation audit or other corrective action in accordance with FAR 4.804-5(a)(3) through (15), as appropriate, if each contract—
(A)( 1 ) For military construction (as defined at 10 U.S.C. 2801) or shipbuilding, was awarded at least 10 fiscal years before the current fiscal year; or
( 2 ) For a ll other contracts, was awarded at least 7 fiscal years before the current fiscal year;
(B) The performance or delivery was completed at least 4 years prior to the current fiscal year; and
(C) Has been determined by a contracting official, at least one level above the contracting officer, to be not otherwise reconcilable, because—
(1) The contract or related payment records have been destroyed or lost; or
(2) Although contract or related payment records are available, the time or effort required to establish the exact amount owed to the U.S. Government or amount owed to the contractor is disproportionate to the amount at issue.
(ii) Any contract or group of contracts meeting the requirements of paragraph (3)(i) of this section may be closed out through a negotiated settlement with the contractor. Except as provided in paragraph (3)(ii)(B) of this section, the contract closeout process shall include a bilateral modification of the affected contract, including those contracts that are closed out in accordance with a negotiated settlement.
(A) For a contract or groups of contracts, the contracting officer shall prepare a negotiation settlement memorandum that describes how the requirements of paragraph (3)(i) of this section have been met.
(B) For a group of contracts, a bilateral modification of at least one contract shall be made to reflect the negotiated settlement for a group of contracts, and unilateral modifications may be made, as appropriate, to other contracts in the group to reflect the negotiated settlement.
(iii) For contract closeout actions under paragraph (3) of this section, remaining contract balances—
(A) May be offset with balances in other contract line items within the same contract, regardless of the year or type of appropriation obligated to fund each contract line item and regardless of whether the appropriation obligated to fund such contract line item has closed; and
(B) May be offset with balances on other contracts, regardless of the year or type of appropriations obligated to fund each contract and regardless of whether such appropriations have closed.
(iv) USD(A&S) is authorized to waive any provision of acquisition law or regulation in order to carry out the closeout procedures authorized in paragraph (3)(i) of this section (see procedures at PGI 204.804 (3)(iv)).
(4) When using the clause at 252.204-7022, Expediting Contract Closeout, to expedite contract closeout, determine the residual dollar amount upon completion of all applicable closeout requirements of FAR 4.804.
204.804-70 Contract clause.
Use the clause at 252.204-7022, Expediting Contract Closeout, in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, when the contracting officer intends to expedite contract closeout through the mutual waiver of entitlement to a residual dollar amount of $1,000 or less determined at the time of contract closeout.
204.805 Disposal of contract files.
(1) The sources of the period for which contract files must be retained are General Records Schedule 3 (Procurement, Supply, and Grant Records) and General Records Schedule 6 (Accountable Officers' Accounts Records). Copies of the General Records Schedule may be obtained from the National Archives and Records Administration, Washington, DC 20408.
(2) Deviations from the periods cannot be granted by the Defense Acquisition Regulations Council. Forward requests for deviations to both the Government Accountability Office and the National Archives and Records Administration.
(3) Hold completed contract files in the office responsible for maintaining them for a period of 12 months after completion. After the initial 12 month period, send the records to the local records holding or staging area until they are eligible for destruction. If no space is available locally, transfer the files to the General Services Administration Federal Records Center that services the area.
(4) Duplicate or working contract files should contain no originals of materials that properly belong in the official files. Destroy working files as soon as practicable once they are no longer needed.
(5) Retain pricing review files, containing documents related to reviews of the contractor's price proposals, subject to certified cost or pricing data (see FAR 15.403-4), for six years. If it is impossible to determine the final payment date in order to measure the six-year period, retain the files for nine years.
Subpart 204.9 - TAXPAYER IDENTIFICATION NUMBER INFORMATION
204.902 General.
(b) DoD uses the Federal Procurement Data System (FPDS) to meet these reporting requirements.
Subpart 204.11 - SYSTEM FOR AWARD MANAGEMENT
204.1103 Procedures.
See PGI 204.1103 for helpful information on navigation and data entry in the System for Award Management (SAM) database.
(1) On contract award documents, use the contractor’s legal or “doing business as” name and physical address information as recorded in the SAM database at the time of award.
(2) When making a determination to exercise an option, or at any other time before issuing a modification other than a unilateral modification making an administrative change, ensure that—
(i) The contractor’s record is active in the SAM database; and
(ii) The contractor’s unique entity identifier (UEI), Commercial and Government Entity (CAGE) code, name, and physical address are accurately reflected in the contract document.
(3) At any time, if the UEI, CAGE code, contractor name, or physical address on a contract no longer matches the information on the contractor’s record in the SAM database, the contracting officer shall process a novation or change-of-name agreement, or an address change, as appropriate.
(4) See PGI 204.1103 for additional requirements relating to use of information in the SAM database.
(5) On contractual documents transmitted to the payment office, provide the CAGE code, instead of the UEI, in accordance with agency procedures.
Subpart 204.12 - ANNUAL REPRESENTATIONS AND CERTIFICATIONS
204.1202 Solicitation provision and contract clause.
When using the provision at FAR 52.204-8, Annual Representations and Certifications—
(1) Use the provision with 252.204-7007 , Alternate A, Annual Representations and Certifications; and
(2) When the provision at FAR 52.204-7, System for Award Management, is included in the solicitation, do not include separately in the solicitation the following provisions, which are included in DFARS 252.204-7007 :
(i) 252.204-7016 , Covered Defense Telecommunications Equipment or Services—Representation.
(ii) 252.209-7002 , Disclosure of Ownership or Control by a Foreign Government.
(iii) 252.216-7008 , Economic Price Adjustment–Wage Rates or Material Prices Controlled by a Foreign Government—Representation.
(iv) 252.225-7000 , Buy American—Balance of Payments Program Certificate.
(v) 252.225-7020 , Trade Agreements Certificate.
(vi) 252.225-7031 , Secondary Arab Boycott of Israel.
(vii) 252.225-7035 , Buy American—Free Trade Agreements—Balance of Payments Program Certificate.
(viii) 252.225-7042 , Authorization to Perform.
(ix) 252.225-7049 , Prohibition on Acquisition of Certain Foreign Commercial Satellite Services—Representations.
(x) 252.225-7050 , Disclosure of Ownership or Control by the Government of a Country that is a State Sponsor of Terrorism.
(xi) 252.226-7002 , Representation for Demonstration Project for Contractors Employing Persons with Disabilities.
(xii) 252.229-7012 , Tax Exemptions (Italy)—Representation.
(xiii) 252.229-7013 , Tax Exemptions (Spain)—Representation.
(xiv) 252.232-7015 , Performance-Based Payments—Representation.
Subpart 204.16 - UNIFORM PROCUREMENTINSTRUMENT IDENTIFIERS
204.1601 Policy.
(a) Establishment of a Procurement Instrument Identifier (PIID). Do not reuse a PIID once it has been assigned. Do not assign the same PIID to more than one task or delivery order, even if they are issued under different base contracts or agreements.
(b) Transition of PIID numbering. Effective October 1, 2016, all DoD components shall comply with the PIID numbering requirements of FAR subpart 4.16 and this subpart for all new solicitations, contracts, orders, and agreements issued, and any amendments and modifications to those new actions. See also PGI 204.1601 (b).
(c) Change in the PIID after its assignment. When a PIID is changed after contract award, the new PIID is known as a continued contract.
(i) A continued contract—
(A) Does not constitute a new procurement;
(B) Incorporates all prices, terms, and conditions of the predecessor contract effective at the time of issuance of the continued contract;
(C) Operates as a separate contract independent of the predecessor contract once issued; and
(D) Shall not be used to evade competition requirements, expand the scope of work, or extend the period of performance beyond that of the predecessor contract.
(ii) When issuing a continued contract, the contracting officer shall—
(A) Issue an administrative modification to the predecessor contract to clearly state that—
(1) Any future awards provided for under the terms of the predecessor contract (e.g., issuance of orders or exercise of options) will be accomplished under the continued contract; and
(2) Supplies and services already acquired under the predecessor contract shall remain solely under that contract for purposes of Government inspection, acceptance, payment, and closeout; and
(B) Follow the procedures at PGI 204.1601 (c).
204.1603 Procedures.
(a) Elements of a PIID. DoD-issued PIIDs are thirteen characters in length. Use only alpha-numeric characters, as prescribed in FAR 4.1603 and this subpart. Do not use the letter I or O in any part of the PIID.
(3) Position 9.
(A) DoD will use three of the letters reserved for departmental or agency use in FAR 4.1603(a)(3) in this position as follows:
(1) Use M to identify purchase orders and task or delivery orders issued by the enterprise FedMall system.
(2) Use S to identify broad agency announcements and commercial solutions openings.
(3) Use T to identify automated requests for quotations by authorized legacy contract writing systems. See PGI 204.1603 (a)(3)(A)(3) for the list of authorized systems.
(B) Do not use other letters identified in FAR 4.1603(a)(3) as “Reserved for future Federal Governmentwide use” or “Reserved for departmental or agency use” in position 9 of the PIID.
(C) Do not use the letter C or H for contracts or agreements with provisions for orders or calls.
(4) Positions 10 through 17. In accordance with FAR 4.1603(a)(4), DoD-issued PIIDs shall only use positions 10 through 13 to complete the PIID. Enter the serial number of the instrument in these positions. A separate series of serial numbers may be used for any type of instrument listed in FAR 4.1603(a)(3). DoD components assign such series of PIID numbers sequentially. A DoD component may reserve blocks of numbers or alpha-numeric numbers for use by its various activities. Use C in position 10 to identify the solicitation as a commercial solutions opening.
(b) Elements of a supplementary PIID. In addition to the supplementary PIID numbering procedures in FAR 4.1603(b), follow the procedures contained in paragraphs (b)(2)(ii)(1) and (2) of this section. See PGI 204.1603 (b) for examples of proper supplementary PIID numbering.
(2)(ii) Positions 2 through 6. In accordance with FAR 4.1603(b)(2)(ii), DoD-issued supplementary PIIDs shall, for positions 2 through 6 of modifications to contracts and agreements, comply with the following:
(1) Positions 2 and 3. These two digits may be either alpha or numeric characters, except—
(i) Use K, L, M, N, P, and Q only in position 2, and only if the modification is issued by the Air Force and is a provisioned item order;
(ii) Use S only in position 2, and only to identify modifications issued to provide initial or amended shipping instructions when—
(a) The contract has either FOB origin or destination delivery terms; and
(b) The price changes;
(iii) Use T, U, V, W, X, or Y only in position 2, and only to identify modifications issued to provide initial or amended shipping instructions when—
(a) The contract has FOB origin delivery terms; and
(b) The price does not change; and
(iv) Use Z only in position 2, and only to identify a modification which definitizes a letter contract or a previously issued undefinitized modification.
(2) Positions 4 through 6. These positions are always numeric. Use a separate series of serial numbers for each type of modification listed in paragraph (b)(2)(ii) of this section.
204.1670 Cross reference to Federal Procurement Data System.
Detailed guidance on mapping PIID and supplementary PIID numbers stored in the Electronic Data Access system to data elements reported in the Federal Procurement Data System can be found in PGI 204.1670.
204.1671 Order of application for modifications.
(a) Circumstances may exist in which the numeric order of the modifications to a contract is not the order in which the changes to the contract actually take effect.
(b) In order to determine the sequence of modifications to a contract or order, the modifications will be applied in the following order—
(1) Modifications will be applied in order of the effective date on the modification;
(2) In the event of two or more modifications with the same effective date, modifications will be applied in signature date order; and
(3) In the event of two or more modifications with the same effective date and the same signature date, procuring contracting office modifications will be applied in numeric order, followed by contract administration office modifications in numeric order.
Subpart 204.17 - SERVICE CONTRACTS INVENTORY
204.1700 Scope of subpart.
This subpart prescribes the requirement to report certain contracted services in accordance with 10 U.S.C. 4505 .
204.1701 Definitions.
As used in this subpart—
“First-tier subcontract” means a subcontract awarded directly by the contractor for the purpose of acquiring services for performance of a prime contract. It does not include the contractor’s supplier agreements with vendors, such as long-term arrangements for materials or supplies or services that benefit multiple contracts and/or the costs of which are normally applied to a contractor’s general and administrative expenses or indirect costs.
204.1703 Reporting requirements.
(a) Thresholds. Service contractor reporting of information is required in the System for Award Management (SAM) when a contract or order—
(i) Has a total estimated value, including options, that exceeds $3 million; and
(ii) Is for services in the following service acquisition portfolio groups (see PGI 204.1703 for a list of applicable product and service codes):
(A) Logistics management services.
(B) Equipment-related services.
(C) Knowledge-based services.
(D) Electronics and communications services.
(b) Agency reporting responsibilities. In the event the agency believes that revisions to the contractor-reported information are warranted, the agency shall notify the contractor.
(S-70) Contractor reporting.
(1) The basic and the alternate of the clause at 252.204-7023 Reporting Requirements for Contracted Services., Reporting Requirements for Contracted Services, require contractors to report annually, by October 31, on the services performed under the contract or order, including any first-tier subcontracts, during the preceding Government fiscal year.
(2) For indefinite-delivery contracts, basic ordering agreements, and blanket purchase agreements—
(i) Contractor reporting is required for each order issued under the contract or agreement that meets the requirements of paragraph (a) of this section; and
(ii) Service contract reporting is not required for the basic contract or agreement.
204.1705 Contract clauses.
(a)(i) Use the basic or the alternate of the clause at 252.204-7023 Reporting Requirements for Contracted Services., Reporting Requirements for Contracted Services, in solicitations, contracts, agreements, and orders, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, that—
(A) Have a total estimated value, including options, that exceeds $3 million; and
(B)Are for services in the following service acquisition portfolio groups:
(1) Logistics management services.
(2) Equipment-related services.
(3) Knowledge-based services.
(4) Electronics and communications services.
(ii) Use the basic clause in solicitations and contracts, except solicitations and resultant awards of indefinite-delivery contracts, and orders placed under non-DoD contracts that meet the criteria in paragraph (a)(i) of this section.
(iii) Use the alternate I clause in solicitations and resultant awards of indefinite-delivery contracts, basic ordering agreements, and blanket purchase agreements, when one or more of the orders under the contract or agreement are expected to meet the criteria in paragraph (a)(i) of this section.
Subpart 204.18 - COMMERCIAL AND GOVERNMENT ENTITY CODE
204.1870 Procedures.
Follow the procedures and guidance at PGI 204.1870 concerning Commercial and Government Entity (CAGE) codes and CAGE file maintenance.
Subpart 204.21 - PROHIBITION ON CONTRACTING FOR CERTAIN TELECOMMUNICATIONS AND VIDEO SURVEILLANCE SERVICES OR EQUIPMENT
204.2100 Scope of subpart.
This subpart implements section 1656 of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91) and section 889(a)(1)(A) of the National Defense Authorization Act for Fiscal Year 2019 (Pub. L. 115-232).
204.2101 Definitions.
As used in this subpart—
“Covered defense telecommunications equipment or services” means—
(1) Telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation, or any subsidiary or affiliate of such entities;
(2) Telecommunications services provided by such entities or using such equipment; or
(3) Telecommunications equipment or services produced or provided by an entity that the Secretary of Defense reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country.
“Covered foreign country” means—
(1) The People’s Republic of China; or
(2) The Russian Federation.
“Covered missions” means—
(1) The nuclear deterrence mission of DoD, including with respect to nuclear command, control, and communications, integrated tactical warning and attack assessment, and continuity of Government; or
(2) The homeland defense mission of DoD, including with respect to ballistic missile defense.
204.2102 Prohibition.
(a) Prohibited equipment, systems, or services. In addition to the prohibition at FAR 4.2102(a), unless the covered defense telecommunications equipment or services are subject to a waiver described in 204.2104, the contracting officer shall not procure or obtain, or extend or renew a contract (e.g., exercise an option) to procure or obtain, any equipment, system, or service to carry out covered missions that uses covered defense telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.
204.2103 Procedures.
(a) Representations.
(1)(i) If the offeror selects “does not” in response to the provision at DFARS 252.204-7016, the contracting officer may rely on the representation, unless the contracting officer has an independent reason to question the representation. If the contracting officer has a reason to question the “does not” representation in FAR 52.204-26, FAR 52.212-3(v), or 252.204-7016, then the contracting officer shall consult with the requiring activity and legal counsel.
(ii) If the offeror selects “does” in paragraph (c) of the provision at DFARS 252.204-7016, the offeror must complete the representation at DFARS 252.204-7017.
(2)(i) If the offeror selects “will not” in paragraph (d) of the provision at DFARS 252.204-7017, the contracting officer may rely on the representation, unless the contracting officer has an independent reason to question the representation. If the contracting officer has a reason to question the “will not” representation in FAR 52.204-24 or DFARS 252.204-7017, then the contracting officer shall consult with the requiring activity and legal counsel.
(ii) If an offeror selects “will” in paragraph (d) of the provision at DFARS 252.204-7017, the offeror must provide the information required by paragraph (e) of the provision. When an offeror completes paragraph (e) of either of the provisions at FAR 52.204-24 or DFARS 252.204-7017, the contracting officer shall -
(A) Forward the offeror's representation and disclosure information to the requiring activity; and
(B) Not award to the offeror unless the requiring activity advises -
(1) For equipment, systems, or services that use covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, that a waiver as described at FAR 4.2104 has been granted; or
(2) For equipment, systems, or services to be used to carry out covered missions that use covered defense telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, that a waiver as described at DFARS 204.2104 has been granted.
(b) Reporting. If a contractor reports information to https://dibnet.dod.mil in accordance with the clause at FAR 52.204-25 or DFARS 252.204-7018, the Defense Cyber Crime Center will notify the contracting officer, who will consult with the requiring activity on how to proceed with the contract.
204.2104 Waivers.
The Secretary of Defense may waive the prohibition in 204.2102 (a) on a case-by-case basis for a single, one-year period, if the Secretary—
(a) Determines such waiver to be in the national security interests of the United States; and
(b) Certifies to the Congressional defense committees that—
(i) There are sufficient mitigations in place to guarantee the ability of the Secretary to carry out the covered missions; and
(ii) The Secretary is removing the use of covered defense telecommunications equipment or services in carrying out such missions.
204.2105 Solicitation provisions and contract clause.
(a) Use the provision at 252.204-7016 , Covered Defense Telecommunications Equipment or Services—Representation, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, and solicitations for task orders and delivery orders, basic ordering agreements (BOAs), orders against BOAs, blanket purchase agreements (BPAs), and calls against BPAs.
(b) Use the provision at 252.204-7017 , Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services—Representation, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, and solicitations for task orders and delivery orders, BOAs, orders against BOAs, BPAs, and calls against BPAs.
(c) Use the clause at 252.204-7018 , Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services, in all solicitations and resultant awards, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, and solicitations and awards for task orders and delivery orders, BOAs, orders against BOAs, BPAs, and calls against BPAs.
Subpart 204.70 - [RESERVED]
Subpart 204.71 - UNIFORM CONTRACT LINE ITEM NUMBERING SYSTEM
204.7100 Scope.
This subpart prescribes policies and procedures for assigning contract line item numbers.
204.7101 Definitions.
“Accounting classification reference number (ACRN)” means any combination of a two position alpha/numeric code used as a method of relating the accounting classification citation to detailed line item information contained in the schedule.
“Attachment” means any documentation, appended to a contract or incorporated by reference, which does not establish a requirement for deliverables.
“Definitized item,” as used in this subpart, means an item for which a firm price has been established in the basic contract or by modification.
“Exhibit” means a document, referred to in a contract, which is attached and establishes requirements for deliverables. The term shall not be used to refer to any other kind of attachment to a contract. The DD Form 1423, Contract Data Requirements List, is always an exhibit, rather than an attachment.
“Nonseverable deliverable,” as used in this subpart, means a deliverable item that is a single end product or undertaking, entire in nature, that cannot be feasibly subdivided into discrete elements or phases without losing its identity.
“Undefinitized item,” as used in this subpart, means an item for which a price has not been established in the basic contract or by modification.
204.7102 Policy.
(a) The numbering procedures of this subpart shall apply to all—
(1) Solicitations;
(2) Solicitation line and subline item numbers;
(3) Contracts as defined in FAR Subpart 2.1;
(4) Contract line and subline item numbers;
(5) Exhibits;
(6) Exhibit line items; and
(7) Any other document expected to become part of the contract.
(b) The numbering procedures are mandatory for all contracts where separate contract line item numbers are assigned, unless—
(1) The contract is an indefinite-delivery type for petroleum products against which posts, camps, and stations issue delivery orders for products to be consumed by them; or
(2) The contract is a communications service authorization issued by the Defense Information Systems Agency's Defense Information Technology Contracting Organization.
204.7103 Contract line items.
Follow the procedures at PGI 204.7103 for establishing contract line items.
204.7103-1 Criteria for establishing.
Contracts shall identify the items or services to be acquired as separate contract line items unless it is not feasible to do so.
(a) Contract line items shall have all four of the following characteristics; however, there are exceptions within the characteristics, which may make establishing a separate contract line item appropriate even though one of the characteristics appears to be missing—
(1) Single unit price. The item shall have a single unit price or a single total price, except—
(i) If the item is not separately priced (NSP) but the price is included in the unit price of another contract line item, enter NSP instead of the unit price;
(ii) When there are associated subline items, established for other than informational reasons, and those subline items are priced in accordance with 204.7104 ;
(iii) When the items or services are being acquired on a cost-reimbursement contract;
(iv) When the contract is for maintenance and repair services (e.g., a labor hour contract) and firm prices have been established for elements of the total price of an item but the actual number and quantity of the elements are not known until performance. The contracting officer may structure these contracts to reflect a firm or estimated total amount for each line item;
(v) When the contract line item is established to refer to an exhibit or an attachment (if management needs dictate that a unit price be entered, the price shall be set forth in the item description block and enclosed in parentheses); or
(vi) When the contract is an indefinite delivery type contract and provides that the price of an item shall be determined at the time a delivery order is placed and the price is influenced by such factors as the quantity ordered (e.g., 10-99 @ $1.00, 100-249 @ $.98, 250+ @ $.95), the destination, the FOB point, or the type of packaging required.
(2) Separately identifiable. A contract line item must be identified separately from any other items or services on the contract.
(i) Supplies are separately identifiable if they have no more than one—
(A) National stock number (NSN);
(B) Item description; or
(C) Manufacturer's part number.
(ii) Services are separately identifiable if they have no more than one—
(A) Scope of work; or
(B) Description of services.
(iii) This requirement does not apply if there are associated subline items, established for other than informational reasons, and those subline items include the actual detailed identification in accordance with 204.7104 . Where this exception applies, use a general narrative description instead of the contract item description.
(3) Separate delivery schedule. Each contract line item or service shall have its own delivery schedule, period of performance, or completion date expressly stated (“as required” constitutes an expressly stated delivery term).
(i) The fact that there is more than one delivery date, destination, performance date, or performance point may be a determining factor in the decision as to whether to establish more than one contract line item.
(ii) If a contract line item has more than one destination or delivery date, the contracting officer may create individual contract line items for the different destinations or delivery dates, or may specify the different delivery dates for the units by destination in the delivery schedule.
(4) Single accounting classification citation.
(i) Each contract line item shall reference a single accounting classification citation except as provided in paragraph (a)(4)(ii) of this subsection.
(ii) The use of multiple accounting classification citations for a contract line item is authorized in the following situations:
(A) A single, nonseverable deliverable to be paid for with R&D or other funds properly incrementally obligated over several fiscal years in accordance with DoD policy;
(B) A single, nonseverable deliverable to be paid for with different authorizations or appropriations, such as in the acquisition of a satellite or the modification of production tooling used to produce items being acquired by several activities; or
(C) A modification to an existing contract line item for a nonseverable deliverable that results in the delivery of a modified item(s) where the item(s) and modification are to be paid for with different accounting classification citations.
(iii) When the use of multiple accounting classification citations is authorized for a single contract line item, establish informational subline items for each accounting classification citation in accordance with 204.7105 .
(b) All subline items and exhibit line items under one contract line item shall be the same contract type as the contract line item.
(c) For a contract that contains a combination of fixed-price line items, time-and-materials/labor-hour line items, and/or cost-reimbursement line items, identify the contract type for each contract line item in Section B, Supplies or Services and Prices/Costs, to facilitate appropriate payment.
(d) Exhibits may be used as an alternative to putting a long list of contract line items in the schedule. If exhibits are used, create a contract line item citing the exhibit's identifier. See 204.7105.
(e) If the contract involves a test model or a first article which must be approved, establish a separate contract line item or subline item for each item of supply or service which must be approved. If the test model or first article consists of a lot composed of a mixture of items, a single line item or subline item may be used for the lot.
(f) If a supply or service involves ancillary functions, like packaging and handling, transportation, payment of state or local taxes, or use of reusable containers, and these functions are normally performed by the contractor and the contractor is normally entitled to reimbursement for performing these functions, do not establish a separate contract line item solely to account for these functions. However, do identify the functions in the contract schedule. If the offeror separately prices these functions, contracting officers may establish separate contract line items for the functions; however, the separate line items must conform to the requirements of paragraph (a) of this subsection.
(g) Certain commercial products and initial provisioning spares for weapons systems are requested and subsequently solicited using units of measure such as kit, set, or lot. However, there are times when individual items within that kit, set, or lot are not grouped and delivered in a single shipment. This creates potential contract administration issues with inspection, acceptance, and payment. In such cases, solicitations should be structured to allow offerors to provide information about products that may not have been known to the Government prior to solicitation and propose an alternate line item structure as long as the alternate is consistent with the requirements of 204.71, which provides explicit guidance on the use of contract line items and subline items, and with PGI 204.71 .
204.7103-2 Numbering procedures.
Follow the procedures at PGI 204.7103-2 for numbering contract line items.
204.7104 Contract subline items.
204.7104-1 Criteria for establishing.
Contract subline items provide flexibility to further identify elements within a contract line item for tracking performance or simplifying administration. There are only two kinds of subline items: those which are informational in nature and those which consist of more than one item that requires separate identification.
(a) Informational subline items.
(1) This type of subline item identifies information that relates directly to the contract line item and is an integral part of it (e.g., parts of an assembly or parts of a kit). These subline items shall not be scheduled separately for delivery, identified separately for shipment or performance, or priced separately for payment purposes.
(2) The informational subline item may include quantities, prices, or amounts, if necessary to satisfy management requirements. However, these elements shall be included within the item description in the supplies/services column and enclosed in parentheses to prevent confusing them with quantities, prices, or amounts that have contractual significance. Do not enter these elements in the quantity and price columns.
(3) Informational subline items shall be used to identify each accounting classification citation assigned to a single contract line item number when use of multiple citations is authorized (see 204.7103-1 (a)(4)(ii)).
(b) Separately identified subline items.
(1) Subline items will be used instead of contract line items to facilitate payment, delivery tracking, contract funds accounting, or other management purposes. Such subline items shall be used when items bought under one contract line item number—
(i) Are to be paid for from more than one accounting classification. A subline item shall be established for the quantity associated with the single accounting classification citation. Establish a line item rather than a subline item if it is likely that a subline item may be assigned additional accounting classification citations at a later date. Identify the funding as described in 204.7104-1 (a)(3);
(ii) Are to be packaged in different sizes, each represented by its own NSN;
(iii) Have collateral costs, such as packaging costs, but those costs are not a part of the unit price of the contract line item;
(iv) Have different delivery dates or destinations or requisitions, or a combination of the three; or
(v) Identify parts of an assembly or kit which—
(A) Have to be separately identified at the time of shipment or performance; and
(B) Are separately priced.
(2) Each separately identified contract subline item shall have its own—
(i) Delivery schedule, period of performance, or completion date;
(ii) Unit price or single total price or amount (not separately priced (NSP) is acceptable as an entry for price or amount if the price is included in another subline item or a different contract line item). This requirement does not apply—
(A) If the subline item was created to refer to an exhibit or an attachment. If management needs dictate that a unit price be entered, the price shall be set forth in the item description block of the schedule and enclosed in parentheses; or
(B) In the case of indefinite delivery contracts described at 204.7103-1 (a)(1)(vi).
(iii) Identification (e.g., NSN, item description, manufacturer's part number, scope of work, description of services).
(3) Unit prices and extended amounts.
(i) The unit price and total amount for all subline items may be entered at the contract line item number level if the unit price for the subline items is identical. If there is any variation, the subline item unit prices shall be entered at the subline item level only.
(ii) The unit price and extended amounts may be entered at the subline items level.
(iii) The two methods in paragraphs (b)(3)(i) and (ii) of this section shall not be combined in a contract line item.
(iv) When the price for items not separately priced is included in the price of another contract line or subline item, it may be necessary to withhold payment on the priced contract line or subline item until the included line or subline items that are not separately priced have been delivered. See the clause at 252.204-7002 , Payment for Contract Line or Subline Items Not Separately Priced.
204.7104-2 Numbering procedures.
Follow the procedures at PGI 204.7104-2 for numbering contract subline items.
204.7105 Contract exhibits and attachments.
Follow the procedures at PGI 204.7105 for use and numbering of contract exhibits and attachments.
204.7106 Contract modifications.
(a) If new items are added, assign new contract line or subline item numbers or exhibit line item numbers, in accordance with the procedures established at 204.7103 , 204.7104 , and 204.7105 .
(b) Modifications to existing contract line items or exhibit line items.
(1) If the modification relates to existing contract line items or exhibit line items, the modification shall refer to those item numbers.
(2) If the contracting officer decides to assign new identifications to existing contract or exhibit line items, the following rules apply—
(i) Definitized and undefinitized items.
(A) The original line item or subline item number may be used if the modification applies to the total quantity of the original line item or subline.
(B) The original line item or subline item number may be used if the modification makes only minor changes in the specifications of some of the items ordered on the original line item or subline item and the resulting changes in unit price can be averaged to provide a new single unit price for the total quantity. If the changes in the specifications make the item significantly distinguishable from the original item or the resulting changes in unit price cannot be averaged, create a new line item.
(C) If the modification affects only a partial quantity of an existing contract line item or subline item or exhibit line item and the change does not involve either the delivery date or the ship-to/mark-for data, the original contract line item or subline item or exhibit line item number shall remain with the unchanged quantity. Assign the changed quantity the next available number.
(ii) Undefinitized items. In addition to the rules in paragraph (b)(2)(i), the following additional rules apply to undefinitized items—
(A) If the modification is undefinitized and increases the quantity of an existing definitized item, assign the undefinitized quantity the next available number.
(B) If the modification increases the quantity of an existing undefinitized item, the original contract line item or subline item or exhibit line item may be used if the unit price for the new quantity is expected to be the same as the price for the original quantity. If the unit prices of the two quantities will be different, assign the new quantity the next available number.
(C) If the modification both affects only a partial quantity of the existing contract line item or subline item or exhibit line item and definitizes the price for the affected portion, the definitized portion shall retain the original item number. If there is any undefinitized portion of the item, assign it the next available number. However, if the modification definitizes the price for the whole quantity of the line item, and price impact of the changed work can be apportioned equally over the whole to arrive at a new unit price, the quantity with the changes can be added into the quantity of the existing item.
(D) If the modification affects only a partial quantity of an existing contract line item or subline item or exhibit line item, but does not change the delivery schedule or definitize price, the unchanged portion shall retain the original contract line item or subline item or exhibit line item number. Assign the changed portion the next available number.
(3) If the modification will decrease the amount obligated—
(i) There shall be coordination between the administrative and procuring contracting offices before issuance of the modification; and
(ii) The contracting officer shall not issue the modification unless sufficient unliquidated obligation exists or the purpose is to recover monies owed to the Government.
204.7107 Contract accounting classification reference number (ACRN) and agency accounting identifier (AAI).
Traceability of funds from accounting systems to contract actions is accomplished using ACRNs and AAIs. Follow the procedures at PGI 204.7107 for use of ACRNs and AAIs.
204.7108 Payment instructions.
Follow the procedures at PGI 204.7108 for inclusion of payment instructions in contracts.
204.7109 Contract clauses.
(a) Use the clause at 252.204-7002 , Payment for Contract Line or Subline Items Not Separately Priced, in solicitations and contracts when the price for items not separately priced is included in the price of another contract line or subline item.
(b) Use the clause at 252.204-7006 , Billing Instructions-Cost Vouchers, in solicitations and contracts when a cost-reimbursement contract, a time-and-materials contract, or a labor-hour contract is contemplated.
Subpart 204.72 - ANTITERRORISM AWARENESS TRAINING
204.7200 Scope of subpart.
This subpart provides policy and guidance related to antiterrorism awareness training for contractor personnel who require routine physical access to a Federally-controlled facility or military installation.
204.7201 Definition.
As used in this subpart—
“Military installation” means a base, camp, post, station, yard, center, or other activity under the jurisdiction of the Secretary of a military department or, in the case of an activity in a foreign country, under the operational control of the Secretary of a military department or the Secretary of Defense (see 10 U.S.C. 2801(c)(4)).
204.7202 Policy.
It is DoD policy that—
(a) Contractor personnel who, as a condition of contract performance, require routine physical access to a Federally-controlled facility or military installation are required to complete Level I antiterrorism awareness training within 30 days of requiring access and annually thereafter; and
(b) In accordance with Department of Defense Instruction O-2000.16, Volume 1, DoD Antiterrorism (AT) Program Implementation: DoD AT Standards, Level I antiterrorism awareness training may be completed—
(1) Through a DoD-sponsored and certified computer or web-based distance learning instruction for Level I antiterrorism awareness; or
(2) Under the instruction of a qualified Level I antiterrorism awareness instructor.
204.7203 Contract clause.
Include the clause at 252.204-7004 , DoD Antiterrorism Awareness Training for Contractors, in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, when contractor personnel require routine physical access to a Federally-controlled facility or military installation.
Subpart 204.73 - SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING
204.7300 Scope.
(a) This subpart applies to contracts and subcontracts requiring contractors and subcontractors to safeguard covered defense information that resides in or transits through covered contractor information systems by applying specified network security requirements. It also requires reporting of cyber incidents.
(b) This subpart does not abrogate any other requirements regarding contractor physical, personnel, information, technical, or general administrative security operations governing the protection of unclassified information, nor does it affect requirements of the National Industrial Security Program.
204.7301 Definitions.
As used in this subpart—
“Adequate security” means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
“Contractor attributional/proprietary information” means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
“Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
“Covered contractor information system” means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
“Covered defense information” means unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
“Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
“Media” means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.
“Rapidly report” means within 72 hours of discovery of any cyber incident.
“Technical information” means technical data or computer software, as those terms are defined in the clause at 252.227-7013 , Rights in Technical Data-Other Than Commercial Products and Commercial Services, regardless of whether or not the clause is incorporated in the solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
204.7302 Policy.
(a)(1) Contractors and subcontractors are required to provide adequate security on all covered contractor information systems.
(2) Contractors required to implement NIST SP 800-171, in accordance with the clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber incident Reporting, are required at time of award to have at least a Basic NIST SP 800-171 DoD Assessment that is current (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7019).
(3) The NIST SP 800-171 DoD Assessment Methodology is located at https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171 .
(4) High NIST SP 800-171 DoD Assessments will be conducted by Government personnel using NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.”
(5) The NIST SP 800-171 DoD Assessment will not duplicate efforts from any other DoD assessment or the Cybersecurity Maturity Model Certification (CMMC) (see subpart 204.75), except for rare circumstances when a re-assessment may be necessary, such as, but not limited to, when cybersecurity risks, threats, or awareness have changed, requiring a re-assessment to ensure current compliance.
(b) Contractors and subcontractors are required to rapidly report cyber incidents directly to DoD at http://dibnet.dod.mil. Subcontractors provide the incident report number automatically assigned by DoD to the prime contractor. Lower-tier subcontractors likewise report the incident report number automatically assigned by DoD to their higher-tier subcontractor, until the prime contractor is reached.
(1) If a cyber incident occurs, contractors and subcontractors submit to DoD—
(i) A cyber incident report;
(ii) Malicious software, if detected and isolated; and
(iii) Media (or access to covered contractor information systems and equipment) upon request.
(2) Contracting officers shall refer to PGI 204.7303-4 (c) for instructions on contractor submissions of media and malicious software.
(c) Information shared by the contractor may include contractor attributional/ proprietary information that is not customarily shared outside of the company, and that the unauthorized use or disclosure of such information could cause substantial competitive harm to the contractor that reported the information. The Government shall protect against the unauthorized use or release of information that includes contractor attributional/proprietary information.
(d) A cyber incident that is reported by a contractor or subcontractor shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate security on their covered contractor information systems, or has otherwise failed to meet the requirements of the clause at 252.204-7012 , Safeguarding Covered Defense Information and Cyber Incident Reporting. When a cyber incident is reported, the contracting officer shall consult with the DoD component Chief Information Officer/cyber security office prior to assessing contractor compliance (see PGI 204.7303-3 (a)(3)). The contracting officer shall consider such cyber incidents in the context of an overall assessment of a contractor’s compliance with the requirements of the clause at 252.204-7012 .
(e) Support services contractors directly supporting Government activities related to safeguarding covered defense information and cyber incident reporting (e.g., forensic analysis, damage assessment, or other services that require access to data from another contractor) are subject to restrictions on use and disclosure of reported information.
204.7303 Procedures.
(a) Follow the procedures relating to safeguarding covered defense information at 204.7303
(b) The contracting officer shall verify that the summary level score of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old, unless a lesser time is specified in the solicitation) (see 252.204-7019) for each covered contractor information system that is relevant to an offer, contract, task order, or delivery order are posted in Supplier Performance Risk System (SPRS) (https://www.sprs.csd.disa.mil/), prior to—
(1) Awarding a contract, task order, or delivery order to an offeror or contractor that is required to implement NIST SP 800-171 in accordance with the clause at 252.204-7012; or
(2) Exercising an option period or extending the period of performance on a contract, task order, or delivery order with a contractor that is that is required to implement the NIST SP 800-171 in accordance with the clause at 252.204-7012.
204.7304 Solicitation provision and contract clauses.
(a) Use the provision at 252.204-7008 , Compliance with Safeguarding Covered Defense Information Controls, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items.
(b) Use the clause at 252.204-7009 , Limitations on the Use or Disclosure of Third- Party Contractor Reported Cyber Incident Information, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting.
(c) Use the clause at 252.204-7012 , Safeguarding Covered Defense Information and Cyber Incident Reporting, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts solely for the acquisition of COTS items.
(d) Use the provision at 252.204-7019 , Notice of NIST SP 800-171 DoD Assessment Requirements, in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items.
(e) Use the clause at 252.204-7020 , NIST SP 800-171 DoD Assessment Requirements, in all solicitations and contracts, task orders, or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for those that are solely for the acquisition of COTS items.
Subpart 204.74 - DISCLOSURE OF INFORMATION TO LITIGATION SUPPORT CONTRACTORS
204.7400 Scope of subpart.
This subpart prescribes policies and procedures for the release and safeguarding of information to litigation support contractors. It implements the requirements at 10 U.S.C. 129d.
204.7401 Definitions.
As used in this subpart—
“Computer software” means computer programs, source code, source code listings, object code listings, design details, algorithms, processes, flow charts, formulae, and related material that would enable the software to be reproduced, recreated, or recompiled. Computer software does not include computer data bases or computer software documentation.
“Litigation information” means any information, including sensitive information, that is furnished to the contractor by or on behalf of the Government, or that is generated or obtained by the contractor in the performance of litigation support under a contract. The term does not include information that is lawfully, publicly available without restriction, including information contained in a publicly available solicitation.
“Litigation support” means administrative, technical, or professional services provided in support of the Government during or in anticipation of litigation.
“Litigation support contractor” means a contractor (including its experts, technical consultants, subcontractors, and suppliers) providing litigation support under a contract that contains the clause at 252.204-7014 , Limitations on the Use or Disclosure of Information by Litigation Support Contractors.
“Sensitive information” means controlled unclassified information of a commercial, financial, proprietary, or privileged nature. The term includes technical data and computer software, but does not include information that is lawfully, publicly available without restriction.
“Technical data” means recorded information, regardless of the form or method of the recording, of a scientific or technical nature (including computer software documentation). The term does not include computer software or data incidental to contract administration, such as financial and/or management information.
204.7402 Policy.
(a) Any release or disclosure of litigation information that includes sensitive information to a litigation support contractor, and the litigation support contractor’s use and handling of such information, shall comply with the requirements of 10 U.S.C. 129d.
(b) To the maximum extent practicable, DoD will provide notice to an offeror or contractor submitting, delivering, or otherwise providing information to DoD in connection with an offer or performance of a contract that such information may be released or disclosed to litigation support contractors.
(c) Information that is publicly available without restriction, including publicly available solicitations for litigation support services, will not be protected from disclosure as litigation information.
(d) When sharing sensitive information with a litigation support contractor, contracting officers shall ensure that all other applicable requirements for handling and safeguarding the relevant types of sensitive information are included in the contract (e.g., FAR subparts 4.4 and 24.1; DFARS subparts 204.4 and 224.1).
204.7403 Contract clauses.
(a) Use the clause at 252.204-7014 , Limitations on the Use or Disclosure of Information by Litigation Support Contractors, in all solicitations and contracts that involve litigation support services, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services.
(b) Use the clause at 252.204-7015 , Notice of Authorized Disclosure of Information for Litigation Support, in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services.
Subpart 204.75 - CYBERSECURITY MATURITY MODEL CERTIFICATION
204.7500 Scope of subpart.
(a) This subpart prescribes policies and procedures for including the Cybersecurity Maturity Model Certification (CMMC) level requirements in DoD contracts. CMMC is a framework that measures a contractor’s cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes (see https://www.acq.osd.mil/cmmc/index.html)..
(b) This subpart does not abrogate any other requirements regarding contractor physical, personnel, information, technical, or general administrative security operations governing the protection of unclassified information, nor does it affect requirements of the National Industrial Security Program.
204.7501 Policy.
(a) The contracting officer shall include in the solicitation the required CMMC level, if provided by the requiring activity. Contracting officers shall not award a contract, task order, or delivery order to an offeror that does not have a current (i.e., not more than 3 years old) CMMC certificate at the level required by the solicitation.
(b) Contractors are required to achieve, at time of award, a CMMC certificate at the level specified in the solicitation. Contractors are required to maintain a current (i.e., not more than 3 years old) CMMC certificate at the specified level, if required by the statement of work or requirement document, throughout the life of the contract, task order, or delivery order. Contracting officers shall not exercise an option period or extend the period of performance on a contract, task order, or delivery order, unless the contract has a current (i.e., not more than 3 years old) CMMC certificate at the level required by the contract, task order, or delivery order.
(c) The CMMC assessments shall not duplicate efforts from any other comparable DoD assessment, except for rare circumstances when a re-assessment may be necessary such as, but not limited to when there are indications of issues with cybersecurity and/or compliance with CMMC requirements.
204.7502 Procedures.
(a) When a requiring activity identifies a requirement for a contract, task order, or delivery order to include a specific CMMC level, the contracting officer shall not—
(1) Award to an offeror that does not have a CMMC certificate at the level required by the solicitation; or
(2) Exercise an option or extend any period of performance on a contract, task order, or delivery order unless the contractor has a CMMC certificate at the level required by the contract.
(b) Contracting officers shall use Supplier Performance Risk System (SPRS) (https://www.sprs.csd.disa.mil/) to verify an offeror or contractor’s CMMC level.
204.7503 Contract clause.
Use the clause at 252.204-7021 , Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement, as follows:
(a) Until September 30, 2025, in solicitations and contracts or task orders or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts or orders solely for the acquisition of commercially available off-the-shelf (COTS) items, if the requirement document or statement of work requires a contractor to have a specific CMMC level. In order to implement a phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period must be approved by OUSD(A&S).
(b) On or after October 1, 2025, in all solicitations and contracts or task orders or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts or orders solely for the acquisition of COTS items.
Subpart 204.76 - SUPPLIER PERFORMANCE RISK SYSTEM
204.7600 Scope of subpart.
This subpart provides policies and procedures for use of the Supplier Performance Risk System (SPRS) risk assessments in the evaluation of a quotation or offer.
204.7601 Definitions.
As used in this subpart—
“Item risk” means the probability that a product, based on intended use, will introduce performance risk resulting in safety issues, mission degradation, or monetary loss.
“Price risk” means the measure of whether a proposed price for a product or service is consistent with historical prices paid for that item or service.
“Supplier risk” means the probability that an award may subject the procurement to the risk of unsuccessful performance or to supply chain risk (see 239.7301).
204.7602 Applicability.
Use of SPRS risk assessments is required for the evaluation of quotations or offers in response to solicitations for supplies and services, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, excluding solicitations for the procurement of supplies or services exempted by the Department of Defense Instruction (DoDI) 5000.79, Defense-wide Sharing and Use of Supplier and Product Performance Information. SPRS retrieves item, price, quality, delivery, and contractor information from contracts in Government reporting systems in order to develop risk assessments of contractors. SPRS is available at https://piee.eb.mil/, and the SPRS user’s guides are available at https://www.sprs.csd.disa.mil/reference.htm.
204.7603 Procedures.
The contracting officer shall consider price risk and supplier risk, if available in SPRS, as a part of the award decision. For procurement of an end product identified by a material identifier that is available as described at 204.7603, the contracting officer shall also consider assessments of item risk, if available, as a part of the award decision. Offerors or quoters without a risk assessment in SPRS shall not be considered favorably or unfavorably. Contracting officers shall use their discretion in considering the information available in SPRS on item risk, price risk, and supplier risk as follows:
(a) Item risk.
(1) Consider item risk to determine whether the procurement of products represents a high performance risk to the Government. If an item has a high risk rating, then the SPRS item risk report will display the reason(s) an item is identified as high risk.
(2) Before issuing a solicitation for the procurement of an end product identified by a material identifier that is available as described at 204.7603, the contracting officer shall ensure a SPRS item risk search has been performed and shall consider any item risk warnings provided. When evaluating quotations or offers for an end product identified by a material identifier, a SPRS item risk search is required for any end product that did not have an item risk search performed prior to solicitation. If there are item risk warnings, the contracting officer shall consider strategies to mitigate risk, such as the following:
(i) Consulting with the program office.
(ii) Including mitigating requirements in the statement of work, as provided by the requiring activity.
(iii) Including FAR and DFARS clauses identified in the SPRS application, as appropriate.
(b) Price risk.
(1) When procuring a service or an end product identified by a material identifier that is available as described at 204.7603, the contracting officer shall consider price risk assessment in determining if a proposed price is consistent with historical prices paid for an item or otherwise creates a risk to the Government. Contracting officers shall not rely solely on the price risk assessment when determining prices to be fair and reasonable.
(2) The contracting officer shall consider strategies to mitigate price risk, such as the following:
(i) Not awarding to offerors or quoters with high risk price ratings unless there is a way to justify the price through additional price or cost analysis.
(ii) Utilizing appropriate price negotiation techniques and procedures.
(iii) Using price reasonableness or price realism techniques at FAR 13.106 or 15.4. See also 215.403-3 when making award decisions.
(c) Supplier risk. The contracting officer shall consider supplier risk, to assess the risk of unsuccessful performance and supply chain risk, in award decisions. Supplier risk assessments in SPRS include quality, delivery, and other contractor performance information.
204.7604 Solicitation provision.
Except for supplies or services exempted by DoDI 5000.79, use the provision at 252.204-7024, Notice on the Use of the Supplier Performance Risk System, in solicitations for supplies and services, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services.