Government contractors who do business with the Department of Veterans Affairs (VA) will soon carry substantially greater cyber security and data privacy responsibilities now that the VA has updated its cyber security compliance regulations. The new regulations are intended to better protect sensitive VA-related data stored in contractors' IT systems.
The VA Acquisition Regulation (VAAR) now places greater emphasis on immediate breach notification, on liquidated damages tied to those breaches, and on unscheduled, intermittent site visits to inspect the IT systems housing VA-related data. Contractors must comply with the new regulations to avoid potentially heavy penalties.
Defining VA data is difficult because the definition is extremely broad: it includes almost all information contractors create, store or transmit while performing on a VA contract or subcontract. Sensitive data is at least pared down to:
“Information where improper use or disclosure could adversely affect the ability of the VA to accomplish its mission, proprietary information, records about individuals requiring protection under various confidentiality provisions and information that can be withheld under the Freedom of Information Act.”
The added Subpart 811.5, which covers liquidated damages, narrows the definition of VA sensitive data further by using personally identifiable information as the limiting factor. While still broad, this gives contractors working on a covered contract somewhat more specific guidance.
Contractors with covered contracts or who have access to VA sensitive data must:
Comply with all current and new VA information security and privacy policies
Complete annual VA security awareness training
Report all suspected breach incidents to the contracting officer and the contracting officer's representatives within one hour of discovery
Comply with VA background checks and screenings
Ensure all levels of subcontractors are compliant with all requirements
The revised VAAR also sets out liquidated damages, estimated from the costs of credit monitoring services, data breach analysis and impact assessments, fraud alerts and identity theft insurance. The VA may also seek damages for the repurchase of goods and services. All costs are estimates generated by the VA unless the contractor can prove actual damages. All VA contracts must contain the clause allowing the VA to assess these damages, which will vary by contract.
Most of the updates will look familiar to contractors who also hold DoD contracts, since many of the VA changes mirror requirements already in place there. In summary, the following steps bring a contractor into compliance with the newly released updates to VA covered contracts:
Update cyber security controls to comply with NIST SP 800-171, with the understanding that a revision of that publication is expected in the near future
Ensure all subcontractors and business partners covered by flowdown clauses are aware of the updated requirements and comply, by modifying existing agreements and adding updated language to future agreements
Comply with the breach response guidelines, including the very short reporting windows under the new VA rule:
A one-hour reporting window for suspected or actual breaches
A four-hour reporting window for the reassignment or termination (voluntary or involuntary) of employees working on or with access to information on a VA contract
Reporting of theft, break-in or other criminal activity to VA authorities at the same time as it is reported to local law enforcement
Contact us here or call 800.899.4623.