(a)(1) In acquiring information technology, including information technology-related contracts which may involve services (including support services), and related resources (see the definition at FAR 2.101), contracting officers and requiring activities shall include in solicitations and contracts the requirement to comply with the following directives, policies, and procedures in order to protect VA information, information systems, and information technology—
(i) VA Directive 6500, VA Cybersecurity Program, and the directives and handbooks in the VA 6500 series, to include, but not limited to, VA Handbook 6500.6, Contract Security, which establishes VA's procedures, responsibilities, and processes for complying with current Federal law, Executive orders, policies, regulations, standards, and guidance for protecting and controlling VA sensitive information and ensuring that security requirements are included in acquisitions, solicitations, contracts, purchase orders, and task or delivery orders.
(ii) The VA directives, security requirements, procedures, and guidance in paragraph (a)(1)(i) of this section apply to all VA contracts and to contractors, subcontractors, and their employees in the performance of contractual obligations to VA for information technology products purchased from vendors, as well as for services acquired from contractors and subcontractors or business associates, through contracts and service agreements, in which access to VA information, VA sensitive information or sensitive personal information (including protected health information (PHI))—
(A) That is created, received, maintained, or transmitted, or that will be stored, generated, accessed, exchanged, processed, or utilized by VA, a VA contractor, subcontractor, or third-party servicers or associates, or on behalf of any of these entities, in the performance of their contractual obligations to VA; and
(B) By or on behalf of any of the entities identified in this section, regardless of—
(1) Format; or
(2) Whether it resides on a VA or a non-VA system, or with a contractor, subcontractor, or third-party system or electronic information system(s), including cloud services, operating for or on the VA's behalf or as required by contract.
(c) Contractors, subcontractors, and third-party servicers or associates providing support to or on behalf of the entities identified in this section, shall employ adequate security controls and use appropriate common security configurations available from the National Institute of Standards and Technology (see FAR 39.101(c)) as appropriate in accordance with VA regulations in this chapter, directives, handbooks, and guidance, and established service level agreements and individual contracts, orders, and agreements. Contractors, subcontractors, and third-party servicers and associates will ensure that VA information or VA sensitive information that resides on a VA system or resides on a contractor/subcontractor/third-party entities/associates information and communication technology (ICT) system(s), operating for or on VA's behalf, or as required by contract, regardless of form or format, whether electronic or manual, and information systems, are protected from unauthorized access, use, disclosure, modification, or destruction to ensure information security (see FAR 2.101) is provided in order to ensure the integrity, confidentiality, and availability of such information and information systems.
In accordance with 824.103-70, contracting officers and contracting officer representatives (CORs) shall ensure that contractors, their employees, subcontractors, and third-parties under the contract complete Business Associate Agreements for—
(a) Information technology or information technology-related service contracts subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) where HIPAA PHI is created, received, maintained, or transmitted, or that will be stored, generated, accessed, exchanged, processed, or utilized in order to perform certain health care operations activities or functions on behalf of the Veterans Health Administration (VHA) as a covered entity (see 802.101 for the definition of information technology-related contracts); or
(b) Contractors supporting other VA organizations which support VHA in this regard and which would therefore require Business Associate Agreements in accordance with 824.103-70.
Contracting officers shall insert in information technology related contracts the liquidated damages clause as prescribed at 811.503-70.
(a) Contracting officers shall insert the clause at 852.239-70, Security Requirements for Information Technology Resources, and the clause at 852.239-71, Information System Security Plan and Accreditation, in all solicitations, contracts, and orders exceeding the micro-purchase threshold that include information technology services.
(b) Contracting officers shall insert the clause at 852.239-72, Information System Design and Development, in solicitations, contracts, orders, and agreements where services to perform information system design and development are required.
(c) Contracting officers shall insert the clause at 852.239-73, Information System Hosting, Operation, Maintenance or Use, in solicitations, contracts, orders, and agreements where services to perform information system hosting, operation, maintenance, or use are required.
(d) Contracting officers shall insert the clause at 852.239-74, Security Controls Compliance Testing, in solicitations, contracts, orders, and agreements, when the clause at 852.239-72 or 852.239-73 is inserted.