Authority
Executive Order (E.O.) 14275, Restoring Common Sense to Federal Procurement (Section 2); E.O. 14265, Modernizing Defense Acquisitions and Spurring Innovation in the Defense Industrial Base (Section 4(a)); Office of Management and Budget Memorandum M-25-26, Overhauling the Federal Acquisition Regulation (May 2, 2025)
Summary
This deviation replaces Federal Acquisition Regulation (FAR) Part 39, Defense FAR Supplement (DFARS) Part 239 and DFARS Procedures, Guidance, and Information (PGI) 239 with revised versions effective 2026-02-01. It implements the Revolutionary FAR Overhaul directed by E.O. 14275 and E.O. 14265. The deviation remains in effect until rescinded or incorporated into the FAR, DFARS and DFARS PGI.
Contracting Officer Actions
1
Effective 2026-02-01, use the revised FAR Part 39 from the Revolutionary FAR Overhaul web page. It replaces the codified text at 48 CFR chapter 1.
2
Effective 2026-02-01, use the attached DFARS Part 239. It replaces the codified text at 48 CFR chapter 2.
3
Effective 2026-02-01, use the attached DFARS PGI 239. It replaces the PGI text published on the Defense Pricing, Contracting, and Acquisition Policy web page.
4
For information technology services solicitations, insert provision 252.239-7009, Representation of Use of Cloud Computing, including solicitations using FAR part 12 commercial procedures.
5
For information technology services solicitations and contracts, insert clause 252.239-7010, Cloud Computing Services. Include solicitations and contracts using FAR part 12 commercial procedures.
6
For telecommunications services solicitations, contracts and basic agreements, insert clauses 252.239-7002, 252.239-7004 and 252.239-7007.
7
When a telecommunications acquisition includes or may include special construction, also insert clauses 252.239-7011 and 252.239-7012.
8
In basic agreements for telecommunications services, insert the basic or Alternate I of clause 252.239-7013, Term of Agreement and Continuation of Services, as prescribed at 239.7411(c).
9
When contract performance requires secure telecommunications, insert clause 252.239-7016, Telecommunications Security Equipment, Devices, Techniques, and Services.
10
For cloud computing contracts, award only to cloud service providers with a provisional authorization from the Defense Information Systems Agency (DISA), unless the DoD Chief Information Officer grants a waiver or the requirement is for a private on-premises service from U.S. Government facilities.
11
Before authorizing storage of Government data outside the United States and outlying areas, obtain written authorization from the authorizing official per PGI 239.7602-2.
12
For acquisitions exceeding the simplified acquisition threshold for information technology products or services that are not commercial, obtain a written determination from the head of the contracting activity that no commercial items are suitable.
13
Direct inquiries about this deviation to osd.pentagon.ousd-a-s.mbx.dfars@mail.mil.
Expiration
The deviation has no fixed expiration date. It remains in effect until rescinded or incorporated into the FAR, DFARS and DFARS PGI.
FAR Part 39 source
The revised FAR Part 39 is published on the Revolutionary FAR Overhaul web page, not in the Code of Federal Regulations. Contracting officers must use that version, not the codified text at 48 CFR chapter 1.
Cloud computing provisional authorization
The Cloud Computing Security Requirements Guide (SRG) is found at https://public.cyber.mil/dccs/. Contracting officers must verify a cloud service provider's provisional authorization before award using the DoD Cloud Service Catalog.
Telecommunications security
The National Security Agency's Information Systems Security Products and Services Catalogue lists approved telecommunications security equipment. Purchase requests must identify the nature of information requiring security and interoperability requirements.
Long-haul telecommunications
DISA acquires all long-haul telecommunications services for DoD. See DoD Directive 5105.19 for further information.
Cyber incident reporting
Contractors must report cloud computing cyber incidents via http://dibnet.dod.mil/. The DoD Cyber Crime Center (DC3) will send the contracting officer an unclassified encrypted email with the cyber incident report.
Affected Provisions and Clauses
252.239-7000 Protection against compromising emanations.
CLAUSE
Modified by RFO class deviation
MODIFIED
252.239-7001 Information Assurance Contractor Training and Certification.
CLAUSE
Modified by RFO class deviation
MODIFIED
252.239-7017 Notice of Supply Chain Risk.
CLAUSE
Modified by RFO class deviation
MODIFIED