§ 5721. Purpose

The purpose of the Information Security Program is to establish a program to provide security for Department information and information systems commensurate to the risk of harm, and to communicate the responsibilities of the Secretary, Under Secretaries, Assistant Secretaries, other key officials, Assistant Secretary for Information and Technology, Associate Deputy Assistant Secretary for Cyber and Information Security, and Inspector General of the Department of Veterans Affairs as outlined in the provisions of subchapter III of chapter 35 of title 44 (also known as the “Federal Information Security Management Act of 2002”, which was enacted as part of the E-Government Act of 2002 (Public Law 107–347)).

(Added Pub. L. 109–461, title IX, § 902(a), Dec. 22, 2006, 120 Stat. 3450.)

§ 5722. Policy

(a) In General.—The security of Department information and information systems is vital to the success of the mission of the Department. To that end, the Secretary shall establish and maintain a comprehensive Department-wide information security program to provide for the development and maintenance of cost-effective security controls needed to protect Department information, in any media or format, and Department information systems.
(b) Elements.—The Secretary shall ensure that the Department information security program includes the following elements:
(1) Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the Department.
(2) Policies and procedures that—
(A) are based on risk assessments;
(B) cost-effectively reduce security risks to an acceptable level; and
(C) ensure that information security is addressed throughout the life cycle of each Department information system.
(3) Selection and effective implementation of minimum, mandatory technical, operational, and management security controls, or other compensating countermeasures, to protect the confidentiality, integrity, and availability of each Department system and its information.
(4) Subordinate plans for providing adequate security for networks, facilities, systems, or groups of information systems, as appropriate.
(5) Annual security awareness training for all Department employees, contractors, and all other users of VA sensitive data and Department information systems that identifies the information security risks associated with the activities of such employees, contractors, and users and the responsibilities of such employees, contractors, and users to comply with Department policies and procedures designed to reduce such risks.
(6) Periodic testing and evaluation of the effectiveness of security controls based on risk, including triennial certification testing of all management, operational, and technical controls, and annual testing of a subset of those controls for each Department system.
(7) A process for planning, developing, implementing, evaluating, and documenting remedial actions to address deficiencies in information security policies, procedures, and practices.
(8) Procedures for detecting, immediately reporting, and responding to security incidents, including mitigating risks before substantial damage is done as well as notifying and consulting with the US-Computer Emergency Readiness Team of the Department of Homeland Security, law enforcement agencies, the Inspector General of the Department, and other offices as appropriate.
(9) Plans and procedures to ensure continuity of operations for Department systems.
(c) Compliance With Certain Requirements.—The Secretary shall comply with the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements promulgated by the National Institute of Standards and Technology and the Office of Management and Budget that define Department information system mandates.
(Added Pub. L. 109–461, title IX, § 902(a), Dec. 22, 2006, 120 Stat. 3450.)

§ 5723. Responsibilities

(a) Secretary of Veterans Affairs.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Secretary is responsible for the following:
(1) Ensuring that the Department adopts a Department-wide information security program and otherwise complies with the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.
(2) Ensuring that information security protections are commensurate with the risk and magnitude of the potential harm to Department information and information systems resulting from unauthorized access, use, disclosure, disruption, modification, or destruction.
(3) Ensuring that information security management processes are integrated with Department strategic and operational planning processes.
(4) Ensuring that the Under Secretaries, Assistant Secretaries, and other key officials of the Department provide adequate security for the information and information systems under their control.
(5) Ensuring enforcement and compliance with the requirements imposed on the Department under the provisions of subchapter III of chapter 35 of title 44.
(6) Ensuring that the Department has trained program and staff office personnel sufficient to assist in complying with all the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.
(7) Ensuring that the Assistant Secretary for Information and Technology, in coordination with the Under Secretaries, Assistant Secretaries, and other key officials of the Department report to Congress, the Office of Management and Budget, and other entities as required by law and Executive Branch direction on the effectiveness of the Department information security program, including remedial actions.
(8) Notifying officials other than officials of the Department of data breaches when required under this subchapter.
(9) Ensuring that the Assistant Secretary for Information and Technology has the authority and control necessary to develop, approve, implement, integrate, and oversee the policies, procedures, processes, activities, and systems of the Department relating to subchapter III of chapter 35 of title 44, including the management of all related mission applications, information resources, personnel, and infrastructure.
(10) Submitting to the Committees on Veterans’ Affairs of the Senate and House of Representatives, the Committee on Government Reform of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate, not later than March 1 each year, a report on the compliance of the Department with subchapter III of chapter 35 of title 44, with the information in such report displayed in the aggregate and separately for each Administration, office, and facility of the Department.
(11) Taking appropriate action to ensure that the budget for any fiscal year, as submitted by the President to Congress under section 1105 of title 31, sets forth separately the amounts required in the budget for such fiscal year for compliance by the Department with Federal law and regulations governing information security, including this subchapter and subchapter III of chapter 35 of title 44.
(12) Providing notice to the Director of the Office of Management and Budget, the Inspector General of the Department, and such other Federal agencies as the Secretary considers appropriate of a presumptive data breach of which notice is provided the Secretary under subsection (b)(16) if, in the opinion of the Assistant Secretary for Information and Technology, the breach involves the information of twenty or more individuals.
(b) Assistant Secretary for Information and Technology.—The Assistant Secretary for Information and Technology, as the Chief Information Officer of the Department, is responsible for the following:
(1) Establishing, maintaining, and monitoring Department-wide information security policies, procedures, control techniques, training, and inspection requirements as elements of the Department information security program.
(2) Issuing policies and handbooks to provide direction for implementing the elements of the information security program to all Department organizations.
(3) Approving all policies and procedures that are related to information security for those areas of responsibility that are currently under the management and the oversight of other Department organizations.
(4) Ordering and enforcing Department-wide compliance with and execution of any information security policy.
(5) Establishing minimum mandatory technical, operational, and management information security control requirements for each Department system, consistent with risk, the processes identified in standards of the National Institute of Standards and Technology, and the responsibilities of the Assistant Secretary to operate and maintain all Department systems currently creating, processing, collecting, or disseminating data on behalf of Department information owners.
(6) Establishing standards for access to Department information systems by organizations and individual employees, and to deny access as appropriate.
(7) Directing that any incidents of failure to comply with established information security policies be immediately reported to the Assistant Secretary.
(8) Reporting any compliance failure or policy violation directly to the appropriate Under Secretary, Assistant Secretary, or other key official of the Department for appropriate administrative or disciplinary action.
(9) Reporting any compliance failure or policy violation directly to the appropriate Under Secretary, Assistant Secretary, or other key official of the Department along with taking action to correct the failure or violation.
(10) Requiring any key official of the Department who is so notified to report to the Assistant Secretary with respect to an action to be taken in response to any compliance failure or policy violation reported by the Assistant Secretary.
(11) Ensuring that the Chief Information Officers and Information Security Officers of the Department comply with all cyber security directives and mandates, and ensuring that these staff members have all necessary authority and means to direct full compliance with such directives and mandates relating to the acquisition, operation, maintenance, or use of information technology resources from all facility staff.
(12) Establishing the VA National Rules of Behavior for appropriate use and protection of the information which is used to support Department missions and functions.
(13) Establishing and providing supervision over an effective incident reporting system.
(14) Submitting to the Secretary, at least once every quarter, a report on any deficiency in the compliance with subchapter III of chapter 35 of title 44 of the Department or any Administration, office, or facility of the Department.
(15) Reporting immediately to the Secretary on any significant deficiency in the compliance described by paragraph (14).
(16) Providing immediate notice to the Secretary of any presumptive data breach.
(c) Associate Deputy Assistant Secretary for Cyber and Information Security.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Associate Deputy Assistant Secretary for Cyber and Information Security, as the Senior Information Security Officer of the Department, is responsible for carrying out the responsibilities of the Assistant Secretary for Information and Technology under the provisions of subchapter III of chapter 35 of title 44, as set forth in subsection (b).
(d) Department Information Owners.—In accordance with the criteria of the Centralized IT Management System, Department information owners are responsible for the following:
(1) Providing assistance to the Assistant Secretary for Information and Technology regarding the security requirements and appropriate level of security controls for the information system or systems where sensitive personal information is currently created, collected, processed, disseminated, or subject to disposal.
(2) Determining who has access to the system or systems containing sensitive personal information, including types of privileges and access rights.
(3) Ensuring the VA National Rules of Behavior is signed on an annual basis and enforced by all system users to ensure appropriate use and protection of the information which is used to support Department missions and functions.
(4) Assisting the Assistant Secretary for Information and Technology in the identification and assessment of the common security controls for systems where their information resides.
(5) Providing assistance to Administration and staff office personnel involved in the development of new systems regarding the appropriate level of security controls for their information.
(e) Other Key Officials.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Under Secretaries, Assistant Secretaries, and other key officials of the Department are responsible for the following:
(1) Implementing the policies, procedures, practices, and other countermeasures identified in the Department information security program that comprise activities that are under their day-to-day operational control or supervision.
(2) Periodically testing and evaluating information security controls that comprise activities that are under their day-to-day operational control or supervision to ensure effective implementation.
(3) Providing a plan of action and milestones to the Assistant Secretary for Information and Technology on at least a quarterly basis detailing the status of actions being taken to correct any security compliance failure or policy violation.
(4) Complying with the provisions of subchapter III of chapter 35 of title 44 and other related information security laws and requirements in accordance with orders of the Assistant Secretary for Information and Technology to execute the appropriate security controls commensurate to responding to a security bulletin of the Security Operations Center of the Department, with such orders to supersede and take priority over all operational tasks and assignments and be complied with immediately.
(5) Ensuring that—
(A) all employees within their organizations take immediate action to comply with orders from the Assistant Secretary for Information and Technology to—
(i) mitigate the impact of any potential security vulnerability;
(ii) respond to a security incident; or
(iii) implement the provisions of a bulletin or alert of the Security Operations Center; and
(B) organizational managers have all necessary authority and means to direct full compliance with such orders from the Assistant Secretary.
(6) Ensuring the VA National Rules of Behavior is signed and enforced by all system users to ensure appropriate use and protection of the information which is used to support Department missions and functions on an annual basis.
(f) Users of Department Information and Information Systems.—Users of Department information and information systems are responsible for the following:
(1) Complying with all Department information security program policies, procedures, and practices.
(2) Attending security awareness training on at least an annual basis.
(3) Reporting all security incidents immediately to the Information Security Officer of the system or facility and to their immediate supervisor.
(4) Complying with orders from the Assistant Secretary for Information and Technology directing specific activities when a security incident occurs.
(5) Signing an acknowledgment that they have read, understand, and agree to abide by the VA National Rules of Behavior on an annual basis.
(g) Inspector General of Department of Veterans Affairs.—In accordance with the provisions of subchapter III of chapter 35 of title 44, the Inspector General of the Department is responsible for the following:
(1) Conducting an annual audit of the Department information security program.
(2) Submitting an independent annual report to the Office of Management and Budget on the status of the Department information security program, based on the results of the annual audit.
(3) Conducting investigations of complaints and referrals of violations as considered appropriate by the Inspector General.
(Added Pub. L. 109–461, title IX, § 902(a), Dec. 22, 2006, 120 Stat. 3451; amended Pub. L. 111–275, title X, § 1001(m)(1), Oct. 13, 2010, 124 Stat. 2897.)

§ 5724. Provision of credit protection and other services

(a) Independent Risk Analysis.—
(1) In the event of a data breach with respect to sensitive personal information that is processed or maintained by the Secretary, the Secretary shall ensure that, as soon as possible after the data breach, a non-Department entity or the Office of Inspector General of the Department conducts an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach.
(2) If the Secretary determines, based on the findings of a risk analysis conducted under paragraph (1), that a reasonable risk exists for the potential misuse of sensitive personal information involved in a data breach, the Secretary shall provide credit protection services in accordance with the regulations prescribed by the Secretary under this section.
(b) Regulations.—Not later than 180 days after the date of the enactment of the Veterans Benefits, Health Care, and Information Technology Act of 2006, the Secretary shall prescribe interim regulations for the provision of the following in accordance with subsection (a)(2):
(1) Notification.
(2) Data mining.
(3) Fraud alerts.
(4) Data breach analysis.
(5) Credit monitoring.
(6) Identity theft insurance.
(7) Credit protection services.
(c) Report.—
(1) For each data breach with respect to sensitive personal information processed or maintained by the Secretary, the Secretary shall promptly submit to the Committees on Veterans’ Affairs of the Senate and House of Representatives a report containing the findings of any independent risk analysis conducted under subsection (a)(1), any determination of the Secretary under subsection (a)(2), and a description of any services provided pursuant to subsection (b).
(2) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that is the sensitive personal information of a member of the Army, Navy, Air Force, Marine Corps, or Space Force or a civilian officer or employee of the Department of Defense, the Secretary shall submit the report required under paragraph (1) to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives in addition to the Committees on Veterans’ Affairs of the Senate and House of Representatives.
(Added Pub. L. 109–461, title IX, § 902(a), Dec. 22, 2006, 120 Stat. 3455; amended Pub. L. 116–283, div. A, title IX, § 926(h), Jan. 1, 2021, 134 Stat. 3831.)

§ 5725. Contracts for data processing or maintenance

(a) Contract Requirements.—If the Secretary enters into a contract for the performance of any Department function that requires access to sensitive personal information, the Secretary shall require as a condition of the contract that—
(1) the contractor shall not, directly or through an affiliate of the contractor, disclose such information to any other person unless the disclosure is lawful and is expressly permitted under the contract;
(2) the contractor, or any subcontractor for a subcontract of the contract, shall promptly notify the Secretary of any data breach that occurs with respect to such information.
(b) Liquidated Damages.—Each contract subject to the requirements of subsection (a) shall provide for liquidated damages to be paid by the contractor to the Secretary in the event of a data breach with respect to any sensitive personal information processed or maintained by the contractor or any subcontractor under that contract.
(c) Provision of Credit Protection Services.—Any amount collected by the Secretary under subsection (b) shall be deposited in or credited to the Department account from which the contractor was paid and shall remain available for obligation without fiscal year limitation exclusively for the purpose of providing credit protection services pursuant to section 5724(b) of this title.
(Added Pub. L. 109–461, title IX, § 902(a), Dec. 22, 2006, 120 Stat. 3456.)

§ 5726. Reports and notice to Congress on data breaches

(a) Quarterly Reports.—
(1) Not later than 30 days after the last day of a fiscal quarter, the Secretary shall submit to the Committees on Veterans’ Affairs of the Senate and House of Representatives a report on any data breach with respect to sensitive personal information processed or maintained by the Department that occurred during that quarter.
(2) Each report submitted under paragraph (1) shall identify, for each data breach covered by the report—
(A) the Administration and facility of the Department responsible for processing or maintaining the sensitive personal information involved in the data breach; and
(B) the status of any remedial or corrective action with respect to the data breach.
(b) Notification of Significant Data Breaches.—
(1) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that the Secretary determines is significant, the Secretary shall provide notice of such breach to the Committees on Veterans’ Affairs of the Senate and House of Representatives.
(2) In the event of a data breach with respect to sensitive personal information processed or maintained by the Secretary that is the sensitive personal information of a member of the Army, Navy, Air Force, or Marine Corps or a civilian officer or employee of the Department of Defense that the Secretary determines is significant under paragraph (1), the Secretary shall provide the notice required under paragraph (1) to the Committee on Armed Services of the Senate and the Committee on Armed Services of the House of Representatives in addition to the Committees on Veterans’ Affairs of the Senate and House of Representatives.
(3) Notice under paragraphs (1) and (2) shall be provided promptly following the discovery of such a data breach and the implementation of any measures necessary to determine the scope of the breach, prevent any further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.
(Added Pub. L. 109–461, title IX, § 902(a), Dec. 22, 2006, 120 Stat. 3457.)

§ 5727. Definitions

In this subchapter:
(1) Availability.—The term “availability” means ensuring timely and reliable access to and use of information.
(2) Confidentiality.—The term “confidentiality” means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
(3) Control techniques.—The term “control techniques” means methods for guiding and controlling the operations of information systems to ensure adherence to the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.
(4) Data breach.—The term “data breach” means the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.
(5) Data breach analysis.—The term “data breach analysis” means the process used to determine if a data breach has resulted in the misuse of sensitive personal information.
(6) Fraud resolution systems.—The term “fraud resolution services” means services to assist an individual in the process of recovering and rehabilitating the credit of the individual after the individual experiences identity theft.
(7) Identity theft.—The term “identity theft” has the meaning given such term under section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).
(8) Identity theft insurance.—The term “identity theft insurance” means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with efforts to correct and ameliorate the effects and results of identity theft of the insured individual.
(9) Information owner.—The term “information owner” means an agency official with statutory or operational authority for specified information and responsibility for establishing the criteria for its creation, collection, processing, dissemination, or disposal, which responsibilities may extend to interconnected systems or groups of interconnected systems.
(10) Information resources.—The term “information resources” means information in any medium or form and its related resources, such as personnel, equipment, funds, and information technology.
(11) Information security.—The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.
(12) Information security requirements.—The term “information security requirements” means information security requirements promulgated in accordance with law, or directed by the Secretary of Commerce, the National Institute of Standards and Technology, and the Office of Management and Budget, and, as to national security systems, the President.
(13) Information system.—The term “information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether automated or manual.
(14) Integrity.—The term “integrity” means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
(15) National security system.—The term “national security system” means an information system that is protected at all times by policies and procedures established for the processing, maintenance, use, sharing, dissemination or disposition of information that has been specifically authorized under criteria established by statute or Executive Order to be kept classified in the interest of national defense or foreign policy.
(16) Plan of action and milestones.—The term “plan of action and milestones”, means a plan used as a basis for the quarterly reporting requirements of the Office of Management and Budget that includes the following information:
(A) A description of the security weakness.
(B) The identity of the office or organization responsible for resolving the weakness.
(C) An estimate of resources required to resolve the weakness by fiscal year.
(D) The scheduled completion date.
(E) Key milestones with estimated completion dates.
(F) Any changes to the original key milestone date.
(G) The source that identified the weakness.
(H) The status of efforts to correct the weakness.
(17) Principal credit reporting agency.—The term “principal credit reporting agency” means a consumer reporting agency as described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
(18) Security incident.—The term “security incident” means an event that has, or could have, resulted in loss or damage to Department assets, or sensitive information, or an action that breaches Department security procedures.
(19) Sensitive personal information.—The term “sensitive personal information”, with respect to an individual, means any information about the individual maintained by an agency, including the following:
(A) Education, financial transactions, medical history, and criminal or employment history.
(B) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records.
(20) Subordinate plan.—The term “subordinate plan”, also referred to as a “system security plan”, means a plan that defines the security controls that are either planned or implemented for networks, facilities, systems, or groups of systems, as appropriate, within a specific accreditation boundary.
(21) Training.—The term “training” means a learning experience in which an individual is taught to execute a specific information security procedure or understand the information security common body of knowledge.
(22) VA national rules of behavior.—The term “VA National Rules of Behavior” means a set of Department rules that describes the responsibilities and expected behavior of personnel with regard to information system usage.
(23) VA sensitive data.—The term “VA sensitive data” means all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information and includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions.
(Added Pub. L. 109–461, title IX, § 902(a), Dec. 22, 2006, 120 Stat. 3457; amended Pub. L. 111–275, title X, § 1001(m)(2), Oct. 13, 2010, 124 Stat. 2897.)

§ 5728. Authorization of appropriations

There are authorized to be appropriated to carry out this subchapter such sums as may be necessary for each fiscal year.

(Added Pub. L. 109–461, title IX, § 902(a), Dec. 22, 2006, 120 Stat. 3460.)