114th CONGRESS
1st Session
H. R. 1128
IN THE HOUSE OF REPRESENTATIVES
February 26, 2015
Mrs. Kirkpatrick introduced the following bill; which was referred to the Committee on Veterans’ Affairs
A BILL
To amend title 38, United States Code, to make certain improvements in the information security of the Department of Veterans Affairs, and for other purposes.
Short title
This Act may be cited as the "Department of Veterans Affairs Cyber Security Protection Act".
Department of Veterans Affairs information security improvements
Submittal of quarterly information security report to Congress
Paragraph (14) of subsection (b) of section 5723 of title 38, United States Code, is amended by inserting "and to the Committees on Veterans' Affairs of the Senate and House of Representatives" after "to the Secretary".
Plan for addressing known information security vulnerabilities
Such subsection is further amended by adding at the end the following new paragraph:
Submitting to the Chairs and Ranking Members of the Committees on Veterans' Affairs of the Senate and House of Representatives, by not later than 30 days after the last day of each fiscal quarter, a summary of any plans of action and milestones for any known information security vulnerability, as identified pursuant to a widely accepted industry or Government standard, that includes—
(A) specific information about the industry or Government standard used to identify the known information security vulnerability;
(B) a detailed timeline with specific deadlines for addressing the known information security vulnerability; and
(C) an update of any previously specified timeline and the rationale for any deviations from such timeline.
Plan for replacing outdated operating systems
Such subsection is further amended by adding at the end the following new paragraph:
Submitting to the Committees on Veterans' Affairs of the Senate and House of Representatives, by not later than January 1 of each year, a plan for identifying and replacing operating systems of the Department that are unsupported and that includes—
(A) in the case of an operating system other than an operating system covered under subparagraph (C), requirements that the operating system be removed from the network of the Department no later than 15 days after the date on which the operating system is identified as being out-of-date or unsupported;
(B) information concerning the number of systems so identified during the year preceding the year in which the report is submitted, when each such system was so identified, and when each system so identified was removed from the network of the Department; and
(C) in the case of an operating system the Secretary determines is essential for the proper operation of any medical device or equipment, a description of the operating system and a detailed discussion of steps taken to ensure the security of the operating system.
Software security
Such subsection is further amended by adding at the end the following new paragraph:
Ensuring that any software or Internet applications used on systems by the Department are as secure as practicable from any known vulnerabilities that could affect the confidentiality of sensitive personal information of veterans.
Third party validation
Not later than 60 days after the date of the enactment of this Act, the Secretary of Veterans Affairs shall submit to the Committees on Veterans’ Affairs of the Senate and House of Representatives a report on third party validation of Department of Veterans Affairs security. Such report shall include—
(1) a description of any steps the Secretary has taken to provide for a systemic and ongoing evaluation of the information security of the Department by a non-Department entity; and
(2) a description of any steps the Secretary plans to take to provide for such evaluation.
Information technology reporting requirements
In general
Chapter 57 of title 38, United States Code, is amended—
(1) by redesignating sections 5727 and 5728 as sections 5729 and 5730, respectively; and
(2) by inserting after section 5726 the following new sections:
Reporting requirements
Not later than 30 days after the last day of each fiscal quarter, the Secretary shall submit to the Committees on Veterans’ Affairs of the Senate and House of Representatives a report that includes the following information for that fiscal quarter:
(1) A detailed description of any incidents of failure to comply with established information security policies that occurred during that quarter.
(2) Any actions taken in response to such an incident.
(3) Any reports made under paragraphs (8) through (10) of subsection (b) of section 5723 of this title during that quarter.
(4) Written certification that the requirements of section 5722(c) of this title were followed during that quarter.
(5) A detailed discussion of whether each recommendation made by the National Institute of Standards and Technology, the Office of Management and Budget, or the Department of Homeland Security relating to information security has been implemented by the Department, and if not, an explanation of why such recommendation was not implemented.
(6) Steps taken during that quarter to ensure the security of the Veterans Health Information Systems and Technology Architecture of the Department, which allows for an integrated inpatient and outpatient electronic health record for patients and provides administrative tools to employees of the Department.
Information security strategic plan
Plan required
Not later than one year after the date of the enactment of this section, the Secretary shall submit to the Committees on Veterans’ Affairs of the Senate and House of Representatives a strategic plan for improving the information security and information technology infrastructure of the Department. Such plan shall address—
(1) an information security plan for protecting the sensitive personal information of veterans while not unduly interfering with the ability of the Department to provide benefits and services to veterans and their dependents;
(2) how the Department can improve its compliance with information security requirements;
(3) training and recruitment of employees with the necessary expertise and abilities in information security; and
(4) the institutional capability of the Department to address information security threats and to implement best practices related to information security.
Biannual updates
The Secretary shall submit to the Committees on Veterans' Affairs of the Senate and House of Representatives biannual updates to the plan required by subsection (a).
Clerical amendments
The table of sections at the beginning of such chapter is amended by striking the items relating to sections 5727 and 5728 and inserting the following new items:
5727. Reporting requirements.
5728. Information security strategic plan.
5729. Definitions.
5730. Authorization of appropriations.
Requirements for Department of Veterans Affairs contracts for data processing or maintenance
In general
Section 5725(a) of title 38, United States Code, is amended—
(1) in paragraph (2), by striking the period and inserting "; and"; and
(2) by adding at the end the following new paragraph:
the contractor shall provide protective measures to safeguard from possible information security threats any information provided by the Department that will be resident on or transiting through information systems controlled by the contractor.
Applicability
Paragraph (3) of section 5725(a) of title 38, United States Code, shall apply with respect to a contract entered into after the date of the enactment of this Act.
Report on departmental organization and response to information security incidents
Not later than five years after the date of the enactment of this Act, the Secretary of Veterans Affairs shall submit to the Committees on Veterans' Affairs of the Senate and House of Representatives a report on information security protection and the accountability of the Department of Veterans Affairs for information security breaches and incidents. Such report shall include—
(1) a discussion of any organizational changes that could be made within the Department to provide for an increased level of information security protection for veterans;
(2) a discussion of any organizational changes that could be made within the Department to provide for greater accountability and responsibility for information security; and
(3) a plan to develop a system of better assigning costs associated with data breaches and information security incidents, including the costs associated with notifications and credit monitoring services, where applicable, to the offices and subdivisions of the Department responsible for such breaches and incidents.