StacksVerified U.S. regulatory reference

48 CFR §511.171

Verified against eCFR.gov as of June 20, 2026View official text on eCFR.gov
  1. (a)CIO coordination. The contracting officer shall ensure the requirements office has coordinated and identified possible CIO policy inclusions with the GSA IT prior to publication of a Statement of Work, or equivalent as well as the Security Considerations section of the acquisition plan to determine if the CIO policies apply. The CIO policies and GSA IT points of contact are available on the Acquisition Portal at https://insite.gsa.gov/itprocurement.
  2. (b)GSA requirements. For GSA procurements (contracts, actions, or orders) that may involve GSA Information Systems, excluding GSA's government-wide contracts (e.g., Federal Supply Schedules and Governmentwide Acquisition Contracts), the contracting officer shall incorporate the applicable sections of the following policies in the Statement of Work, or equivalent:
    1. (1)CIO 09-48, IT Security Procedural Guide: Security and Privacy IT Acquisition Requirements; and
    2. (2)CIO 12-2018, IT Policy Requirements Guide.
  3. (c)Waivers.
    1. (1)In cases where it is not effective in terms of cost or time or where it is unreasonably burdensome to include CIO 09-48, IT Security Procedural Guide: Security and Privacy IT Acquisition Requirements or CIO 12-2018, IT Policy Requirements Guide in a contract or order, a waiver may be granted by the Acquisition Approving Official as identified in the thresholds listed at 507.103(b), the Information System Authorizing Official, and the GSA IT Approving Official.
    2. (2)The waiver request must provide the following information—
      1. (i)The description of the procurement and GSA Information Systems involved;
      2. (ii)Identification of requirement requested for waiver;
      3. (iii)Sufficient justification for why the requirement should be waived; and
      4. (iv)Any residual risks posed by waiving the requirement.
    3. (3)Waivers must be documented in the contract file.
  4. (d)Classified information. For any procurements that may involve access to classified information or a classified information system, see subpart 504.4 for additional requirements.