The U.S. Department of Veterans Affairs (VA) released a final rule, effective February 24, 2023, amending the VA’s Acquisition Regulation (VAAR) to impose new cybersecurity procedures and processes to protect sensitive VA data and health information. Although much of the recent cybersecurity buzz has centered around the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) framework, the VA did not want to be left out. These VAAR additions will force affected contractors at all tiers to implement internal controls to properly handle sensitive information for VA systems and impose unreasonably short reporting requirements for breaches. Both prime contractors and subcontractors handling sensitive information on VA contracts need to observe the following new duties and obligations to avoid costly penalties.
Adherence to many of the final rule’s obligations largely depends on whether contractors have access to “VA sensitive information.” The VAAR now defines “VA sensitive information” as all VA data “which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information…” This term broadly includes (among other things) proprietary information, records protected under the Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, information that can be withheld under the Freedom of Information Act, and “financial, budgetary, research, quality assurance, confidential commercial, critical infrastructure, investigatory, and law enforcement information.”
If a contractor has access to VA sensitive information, the contractor must:
- comply with all VA information security and privacy program policies, procedures, practices, and related contract requirements, including the Veterans Health Administration (VHA) regulations (38 U.S.C. §§ 5701, 5705, 5721-5728; 38 C.F.R. §§ 1.460-1.527, 500-17.511), HIPAA, and the Privacy Act (5 U.S.C. § 522a);
- annually complete VA security awareness training and VHA Privacy and HIPAA Training (if Protected Health Information (PHI) is required);
- report all actual or suspected security and privacy incidents within one hour of discovery or suspicion;
- comply with VA background investigation and screening requirements;
- maintain records and compliance reports regarding HIPAA Security and Privacy Rules (45 C.F.R. Part 160); and
- flow down these requirements in all subcontracts and Business Associate Agreements (BAA) at any level.
A significant change to the VAAR is the imposition of liquidated damages for failing to comply with these security privacy requirements. Any contract containing VA-sensitive personal information must include a liquidated damages clause, requiring the contractor to pay the VA a certain amount (which will vary based on the contract) in the event of a data breach. These damages will allow the VA to provide credit protection services to individuals affected by the breach.
Nuanced Rules for Different Types of VA Contracts
Beyond the basic safeguarding requirements, VA’s new cybersecurity rules impose additional obligations on contractors who have access to PHI or perform information technology (IT) contracts. Contracts with PHI will require contractors to enter into a BAA, which also must be flowed down to all lower-tier subcontractors with similar access. As it relates to VA IT procurements, contractors, subcontractors, third-party service vendors, and associates (as it relates to BAAs) must employ adequate security controls and use appropriate, common security configurations, pursuant to National Institute of Standards and Technology (NIST) guidance. The obligation to employ adequate security controls as described by NIST 800-171 mirrors the obligations imposed on many defense contractors.
In addition, within 90 days after contract award for IT services, contractors must submit an Information System Security Plan (ISSP). An ISSP will likely be a significant burden for many contractors to comply with. Among other things, an ISSP must contain an overview of the security requirements for systems connected to the VA network. The ISSP will need to describe security procedures used by the contractor regarding information systems developed, processed, or used under the contract. Notably, and similar to the PHI requirements, the relevant clause (VAAR 852.239-70) requiring the creation and implementation of the ISSP must be flowed down to subcontractors.
Enhanced Reporting Obligations
The most troubling aspect of the new rule is the real time reporting requirements imposed on VA contractors. Under the rule, contractors and subcontractors will have several new reporting obligations, including:
- immediately, but no later than four hours, after an employee working on a VA information system or with access to VA information is reassigned, leaves their role on the relevant VA contract, or is the subject of an “unfriendly” termination;
- within one hour after a known or suspected security incident occurs that (i) actually or imminently jeopardizes the integrity, confidentiality, or availability of contractor data or operations or (ii) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies;
- within one hour after business associates encounter security or privacy incidents regarding unsecured PHI; and
- concurrently report instances of theft, break-in, or criminal activity to appropriate law enforcement, the VA Office of Inspector General, and VA Office of Security and Law Enforcement.
The new VA cybersecurity rule should be familiar to contractors in many ways, as it dovetails with obligations imposed on DOD contractors and mirrors the proposed rule released in November 2021. Nonetheless, VA contractors should pay close attention to the details of the rules to avoid unnecessary penalties through liquidated damages, contract termination, or withheld payments. In particular, we recommend that VA contractors:
- audit cybersecurity controls under NIST 800-171 (and the soon-to-be-released update) to ensure compliance;
- review agreements with any subcontractors on VA projects to ensure that necessary flowdown clauses are added to the subcontracts and update any templates to ensure these flowdowns are captured on future subcontracts;
- update (or develop) breach response plans, which includes the very short reporting windows required under the new VA rule; and
- revise other protocols as needed to ensure that systems are in place to obtain the necessary information and make the required reports within the short timeframes.
If you have questions about the new VAAR requirements and how to prepare for compliance with them, or any other cybersecurity questions, please contact Kevin Barnett and Daniel Figuenick, the authors of this client alert, or another member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy practice groups.