IT Investment Management
- Acquisition of Information Technology and Services
Agencies shall:
1. Consistent with applicable Federal acquisition requirements, make use of adequate competition, analyze risks (including supply chain risks) associated with potential awards, allocate risk between government and contractor, and maximize return on investment (ROI) when acquiring information technology;
2. Conduct definitive technical, cost, and risk analyses of alternative design implementations, including consideration of migration and retraining costs, scaled to the size and complexity of individual requirements (definitive acquisition planning provisions are set forth in Federal Acquisition Regulation [FAR] subpart 7.1, Acquisition Plans, and subpart 10, Market Research);
3. Consider existing Federal contract solutions available to meet agency needs to avoid duplicative investments;
4. Structure acquisitions for major IT investments into useful segments with a narrow scope and brief duration in order to reduce risk, promote flexibility and interoperability, increase accountability, and better match mission need with current technology and market conditions;
5. To the extent practicable, award all contracts which include IT within 180 days after the solicitation is issued and, if this deadline is not reached, consider the cancellation of the work related to the contract, and the IT acquired should be delivered within 18 months after the solicitation resulting in award of the contract was issued (41 U.S.C. § 2308);
6. Ensure all acquisition strategies or acquisition plans (as described in FAR Part 7) or interagency agreements (such as those used to support purchases through another agency) that include IT are reviewed and approved by the agency CIO. The CIO shall consider the following factors when reviewing acquisition strategies and acquisition plans:
   1. Alignment with mission and program objectives in coordination with program leadership;
   2. Appropriateness with respect to the mission and business objectives supported by the IT strategic plan;
   3. Appropriateness of contract type for IT-related resources;
   4. Appropriateness of IT-related portions of statement of needs or statement of work;
   5. Ability to deliver functionality in short increments; and
   6. Opportunities to migrate from end-of-life software and systems, and to retire those systems.
- Investment Planning and Control
Agencies are responsible for establishing a decision-making process that provides for analyzing, tracking, and evaluating the risks, including information security and privacy risks, and results of all major investments made by an agency for information systems. The process shall cover the life of each system and shall include explicit criteria for analyzing the projected and actual costs, benefits, and risks, including information security and privacy risks, associated with the investments. Agencies shall designate IT investments as major or non-major investments, or other categories, according to relevant statute, regulations and guidance in OMB Circular A-11, and execute processes commensurate with the size, scope, duration, and delivery risk of the investment. The investment processes shall encompass planning, budgeting, procurement, management, and assessment. For further guidance on management and reporting related to investment planning, refer to OMB Circular A-11, including the Capital Programming Guide. At a minimum, agencies shall ensure that:
1. All IT resources (see definitions) are included in IT investment planning documents or artifacts;
2. Significant decisions related to major IT investments are supported by business cases with appropriate evidence;
3. All IT investments appropriately implement incremental development and modular approaches as defined in OMB guidance;
4. IT investments support and enable core mission and operational functions and processes related to the agency's missions and business requirements;
5. Decisions to improve, enhance, or modernize existing information technology investments or to develop new information technology investments are made only after conducting an alternatives analysis that includes both government-provided (internal, interagency, and intra-agency where applicable) and commercially provided options and the most advantageous option to the government has been selected;
6. Qualitative and quantitative research methods are used to determine the goals, needs, and behaviors of current and prospective managers and users of the service to strengthen the understanding of requirements;
7. Analyses of alternatives first consider using available and suitable existing Federal information systems, technologies, and shared services or information processing facilities, before acquiring commercially available off-the-shelf and, where allowable, open source software and technologies. Once existing Federal solutions, commercial solutions, or open solutions are considered, analysis turns to developing or acquiring custom or duplicative solutions in a technology neutral manner that is merit-based and considers factors such as performance, cost, security, interoperability, ability to share or re-use, and availability of quality support. Decisions to acquire custom or duplicative solutions must be justified based on overall cost-effectiveness of the solution throughout the life cycle, the ability to meet acceptable levels of security, or the ability to meet specific and high-priority mission or operational requirements;
8. Information technology needs are met through acquiring scalable, provisioned IT services when it is cost-effective to do so rather than the agency developing its own information system or equipment;
9. Information systems security levels are commensurate with the impact that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of such information consistent with guidance from NIST;
10. Information systems are built in a way that maximizes interoperability and access to information through application programming interfaces (APIs) and other means, and maintains internal and external data asset inventories, while enhancing information safeguards;
11. Information technology investments must facilitate interoperability, application portability, and scalability across networks of heterogeneous hardware, software, and telecommunications platforms;
12. Information systems and processes must support interoperability and access to information, maximize the usefulness of information, minimize the burden on the public, and preserve the appropriate integrity, usability, availability, confidentiality, and disposition of information throughout the life cycle of the information, in accordance with the Paperwork Reduction Act, Federal Information Security Modernization Act, and Privacy Act (as amended) and the Federal Records Act (as amended);
13. Information systems and processes must facilitate accessibility under the Rehabilitation Act of 1973, as amended; in particular, see specific electronic and information technology accessibility requirements commonly known as "section 508" requirements (29 U.S.C. § 794d);
14. Records management functions and retention requirements are incorporated into the design, development, and implementation of information systems, particularly Internet resources to include storage solutions and cloud-based services such as software as a service, platform as a service, and infrastructure as a service; and
15. Investments use an EVMS and Integrated Baseline Review (IBR), when appropriate, as required by Federal Acquisition Regulation Subpart 34.2 or, when an EVMS is not required, implement a baseline validation process as part of an overall investment risk management strategy consistent with OMB guidance.
- Enterprise Architecture
Agencies shall develop an actionable enterprise architecture (EA) that describes the baseline architecture, target architecture, and a plan to get to the target architecture. The intent is to align business and technology resources to achieve strategic outcomes. The process of describing the current and future state of the agency, and laying out a plan for transitioning from the current state to the desired future state, helps agencies eliminate waste and duplication, increase shared services, close performance gaps, and promote engagement among government, industry, and citizens.