The U.S. Department of Veterans Affairs (VA) is reviewing and reworking regulations aimed at contractor cybersecurity and privacy practices. All companies within the VA supply chain must be aware of and comply with these regulations, which significantly increase contractor obligations in certain situations. These include the requirement for prompt notification of violations and the payment of damages for violations. They also enable unscheduled on-site inspections of contractor information technology (IT) systems. Below is a summary of some of the key policies and contract terms that affect contractors.
Basic Protection of Covered Contractor Information Systems: First, the VA will create a new subpart (804.19) that establishes policies and procedures for protecting certain VA Information: “VA Information, Information Systems, and VA Confidential Information.” This part is intended for the acquisition of commercial products and services, excluding commercial off-the-shelf products. While “VA Information” is not defined, the definitions of “Information Systems” and “VA Sensitive Information” represent a broad and comprehensive approach. For example, “VA Confidential Information” includes:
Information whose improper use or disclosure could adversely affect VA’s ability to accomplish its mission; proprietary information; information about individuals requiring protection under various confidentiality provisions, such as privacy laws and the HIPAA Privacy Rule; and records and information that can be withheld under the Freedom of Information Act. Examples of VA confidential information include: personally identifiable medical, benefits and human resources information; financial, budgetary, research, quality assurance, confidential commercial, critical infrastructure, research and law enforcement information; information that is confidential and privileged in litigation, such as information protected by the deliberative process privilege, attorney work product privilege, and attorney-client privilege; and any other information that, if disclosed, could violate law, cause harm or unfairness to individuals or groups, or adversely affect national interests or the conduct of federal programs.
While not identical to the definition of controlled unclassified information (CUI), the definition of “VA confidential” information is similarly very broad and will cover most information that contractors encounter while performing contracts or subcontracts.
Contractors with covered contracts must, among other things: 1) comply with all VA information security and privacy policies; 2) complete VA Security Awareness Training annually; and 3) disclose all security or privacy incidents to the contracting officer and the contracting officer’s representative within one hour of discovery. This disclosure is required even if an incident is only suspected.
Compensation for damages: VA will add a new subpart (811.5) dedicated to liquidated damages in contracts involving VA Confidential Personal Information. This category is narrower than the VA Sensitive Information definition above and essentially adds personally identifiable information as a limiting factor. In the event of a data breach involving this type of information, the liquidated damages will be used to pay for credit monitoring services and the other costs detailed below. There is no indication that the contractor (or subcontractor) must have acted contrary to the VA’s cybersecurity requirements to be held liable for damages; it appears to be a strict liability standard.
Protection of personal privacy: A new section has been added within subpart 824.1. It calls for the inclusion of new clauses to ensure the privacy of individuals with protected health information, a requirement to flow down business associate agreements, and the inclusion of an indemnity clause.
Acquisition of information technology: VA adds a new Part 839 (previously reserved), which specifically governs policies for IT acquisitions. Under this part, VA requires contractors that provide IT products and services, among other things, to comply with VA Directive 6500 and to use appropriate common security configurations available from the National Institute of Standards and Technology (NIST). Exact NIST standards are not defined within the policy, except by reference to the NIST checklist.
The above policies are implemented through the following clauses that VA inserts into the relevant agreements.
Information and information system security: This clause incorporates FAR 52.204-21, “Basic Protection of Covered Contractor Information Systems,” and applies to the provision of, and access to, “VA information, information systems, or information technology (IT) or IT-related goods or services.” VA Directive 6500 is comprehensive and contains over 150 individual controls, including the requirement for an incident response plan. In addition to VA Directive 6500, the contractor is also expected to comply with the VA Handbook and other listed requirements.
Depending on the type of information involved, the prime contractor and subcontractor may be required to enter into a business associate agreement. In addition, contractors must develop software and perform services in the United States “to the greatest extent practicable.” Any services proposed to be performed outside the United States, where not prohibited by law, must be disclosed in the proposal together with a detailed information technology security plan. Other notable requirements are:
- Four hours’ notice is required if an employee with access to VA information (including due to work on VA information systems) is terminated or reassigned.
- Use VA data, or data developed by the contractor under the contract, only for the purposes described in the contract
- Separation of VA information from other information owned by contractors
- Data sanitization according to VA Directive 6500
- Providing “all necessary access” to VA and U.S. Government Accountability Office staff for routine and unscheduled onsite inspections of contractor information system assets by VA
- Destroy data in accordance with VA policies, including VA Directive 6371, within 30 days of termination and comply with other policies regarding copying, retention, use, return and destruction of related information.
- Encryption of data according to Federal Information Processing Standard 140-3
- Meeting VA guidelines for firewall and web service security controls
- Compliance with relevant privacy laws
- Report the cybersecurity incident or imminent cybersecurity incident in writing to the contracting officer and a representative of the contracting officer within one hour of discovery
- Provide training to specific employees who have access to VA information or VA information systems
- Communicate this clause to subcontractors subject to the above requirements
Compensation for damages: Contractors with access to sensitive personal information are required to pay damages in the event of a breach leading to disclosure of that information. The contractor may instead pay actual damages if it can prove them. In any event, damage calculations should take into account the costs of notification, credit monitoring, data breach analysis and impact assessment, fraud alerts, and identity theft insurance. In addition, under other contractual terms, VA may recover damages for repurchasing goods and services.
Gray Market and Counterfeit Goods: The VA is proposing a significant update to the existing provision (852.212-71), which previously concerned only gray market goods. The new provision also prohibits the sale of counterfeit goods to VA. While this may seem obvious, the definition of “counterfeit” is broad and encompasses “used goods displayed as new, or misidentification of grade, serial number, lot number, date code, or performance characteristics,” and also covers substitute goods. There is also a new provision (852.212-72) that specifically permits “used, refurbished, or remanufactured parts” under certain circumstances. Gray market and counterfeit goods remain prohibited.
Other notes: In addition to the above, here are some of the terms the VA is proposing to revise or add:
- Information Technology Resource Security Requirements (852.239-70): Contractors with access to VA information are responsible for the security of that information and must submit an information system security plan within 90 days of signing the contract, obtain system security certification, grant the federal government access to their systems (including subcontractor systems) when requested, and flow these requirements down to subcontractors. These requirements apply throughout the supply chain, where applicable.
- Security Management Compliance Testing (852.239-74): VA, including the VA Inspector General, must be given access, on 10 business days’ notice, to each location where VA information is “processed or stored or information systems are developed, operated, maintained or used on behalf of VA.” VA may also conduct evaluations without notice.
Taken together, contractors doing business with the VA face significant new cybersecurity and privacy responsibilities. These responsibilities apply not only to contractors holding personally identifiable information, but to information the contractor encounters or creates under most contracts for IT products and services. Contractors subject to these rules should review the regulations to ensure compliance or risk adverse action from the VA.