The U.S. Department of Veterans Affairs (VA) is overhauling its regulations governing contractor cybersecurity and privacy practices. Companies in the VA supply chain should take note and ensure compliance with these regulations, which significantly increase obligations in certain circumstances (including a one-hour incident notification requirement and liquidated damages for breaches) and allow unscheduled on-site inspection of contractor information technology (IT) systems. The following is a summary of the more significant policies and contract clauses affecting contractors.
Basic Safeguarding of Covered Contractor Information Systems: First, the VA creates a new Subpart (804.19) setting out policies and procedures for protecting certain VA information, namely “VA information, information systems, and VA sensitive information.” The Subpart covers acquisitions of commercial products and services, excluding commercial off-the-shelf items. While “VA information” itself is not defined, the definitions of “information system” and “VA sensitive information” indicate a broad and inclusive approach. For instance, “VA sensitive information” includes:
information where improper use or disclosure could adversely affect the ability of VA to accomplish its mission, proprietary information, records about individuals requiring protection under various confidentiality provisions such as the Privacy Act and the HIPAA Privacy Rule, and information that can be withheld under the Freedom of Information Act. Examples of VA sensitive information include the following: individually-identifiable medical, benefits, and personnel information; financial, budgetary, research, quality assurance, confidential commercial, critical infrastructure, investigatory, and law enforcement information; information that is confidential and privileged in litigation such as information protected by the deliberative process privilege, attorney work-product privilege, and the attorney-client privilege; and other information which, if released, could result in violation of law or harm or unfairness to any individual or group, or could adversely affect the national interest or the conduct of Federal programs.
While not identical to the definition of controlled unclassified information (CUI), the definition of “VA sensitive information” is arguably so broad that it reaches most information a contractor creates, stores or transmits in performing a VA contract or subcontract.
Contractors holding a covered contract must, among other things: 1) comply with all VA information security and privacy policies; 2) complete VA security awareness training annually; and 3) report all security or privacy incidents to the contracting officer and the contracting officer’s representative within one hour of discovery. The one-hour clock also applies to suspected incidents, so a contractor cannot wait to confirm that an incident actually occurred before reporting it. In practice, a window that short requires an escalation path and the officers’ contact details to be in place before any incident, not assembled during one.
Liquidated Damages: The VA adds a new Subpart (811.5) on liquidated damages in contracts that involve VA sensitive personal information. This category is narrower than VA sensitive information as defined above, essentially adding personally identifiable information as a limiting element. In the event of a data breach involving this type of information, the liquidated damages would fund credit monitoring services and the other costs detailed below. Nothing indicates that the contractor (or subcontractor) must have acted contrary to VA cybersecurity requirements to be liable; the standard appears to be strict liability, so a breach triggers damages even if the contractor was otherwise fully compliant.
Protection of Individual Privacy: New sections are added within Subpart 824.1, including ones requiring new clauses to protect the privacy of individuals whose protected health information is involved, requiring the flow-down of Business Associate Agreements, and requiring inclusion of the liquidated damages clause.
Acquisition of Information Technology: The VA adds a new Part 839, previously reserved, setting out policies specific to IT acquisitions. Under this Part, the VA would require contractors providing IT products and services to, among other things, comply with VA Directive 6500 and “use appropriate common security configurations available” from the National Institute of Standards and Technology (NIST). The policy does not identify specific NIST standards beyond pointing to NIST’s security configuration checklists, so contractors will need to determine which checklists apply to the platforms they deliver.
The above policies are implemented through the following clauses that the VA inserts into relevant contracts.
Information and Information Systems Security: This clause must be inserted whenever FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, is required, and it covers a broad base of contractors, including those with access to “VA information, information systems, or information technology (IT) or providing and accessing IT-related goods and services.” At its core, it requires covered VA contractors to adhere to VA Directive 6500. VA Directive 6500 is comprehensive and contains more than 150 separate controls, including a requirement for an incident response plan. Beyond VA Directive 6500, contractors are also expected to comply with the associated VA Handbooks and the other requirements listed in the clause.
Depending on the type of information involved, the prime contractor and subcontractors may be required to enter into Business Associate Agreements. Further, contractors must develop software and perform services within the U.S. “to the maximum extent practicable.” Any services proposed to be performed outside the U.S., where the law does not prohibit such performance, must be disclosed in the proposal along with a detailed Information Technology Security Plan. Other notable requirements include:
- a four-hour notification requirement when employees with access to VA information (including by virtue of working on a VA information system) leave or are reassigned
- using VA data, and data the contractor develops under the contract, only for the purposes set out in the contract
- separation of VA information from other information in the contractor’s possession
- sanitization of data in accordance with VA Directive 6500
- provision of “all necessary access” to VA and U.S. Government Accountability Office staff for scheduled and unscheduled on-site inspections by the VA of contractor information system assets
- destruction of data in accordance with VA policies, including VA Directive 6371, within 30 days after termination of the contract, and compliance with other policies on copying, retaining, using, returning and destroying the relevant information
- encryption of data consistent with Federal Information Processing Standard (FIPS) 140-3; because FIPS 140-3 is a validation standard for cryptographic modules, contractors should expect to show that the modules they use are validated under NIST’s Cryptographic Module Validation Program, not merely that they use approved algorithms
- meeting the VA’s guidelines for firewalls and web services security controls
- compliance with relevant privacy laws
- reporting cybersecurity incidents or imminent cybersecurity incidents in writing to the contracting officer and contracting officer representative within one hour of discovery
- providing training to certain employees who have access to VA information or VA information systems
- flowing down this clause to subcontractors covered by the above requirements
Liquidated Damages: Contractors with access to sensitive personal information must pay liquidated damages in the event of a breach that results in the spillage of that information. The contractor may instead pay actual damages where these can be proven. Either way, the damages calculation is to account for the costs of notifications, credit monitoring, data breach analysis and impact assessment, fraud alerts, and identity theft insurance. Under alternate clause language, the VA may also recover damages for the repurchase of goods and services.
Gray Market and Counterfeit Items: The VA proposes to significantly update an existing clause (852.212-71) that previously addressed only gray market goods. The revised clause also prohibits the sale of counterfeit goods to the VA. While that may seem obvious, the definition of “counterfeit” is broad and includes substitutions, defined to include “used items represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics.” A new companion clause (852.212-72) would specifically permit “used, refurbished, or remanufactured parts” under certain circumstances; gray market and counterfeit items would remain prohibited.
Other Clauses of Interest: In addition to the above, the following is a selection of clauses that the VA is proposing to revise or add:
- Security Requirements for Information Technology Resources (852.239-70): Contractors with access to VA information are responsible for the security of that information, must submit an Information System Security Plan within 90 days of contract award, must have their systems’ security accredited, must give the federal government access to their systems when requested (including subcontractor systems), and must flow these requirements down the supply chain where applicable.
- Security Controls Compliance Testing (852.239-74): This clause gives the VA, including the VA Inspector General, access on 10 working days’ notice to each location where VA information is “processed or stored, or information systems are developed, operated, maintained, or used on behalf of VA …” The VA may also conduct assessments without notice.
Taken together, contractors that do business with the VA will face significant new cybersecurity and privacy responsibilities. These responsibilities are not limited to contractors handling personally identifiable information; they extend to the information contractors will encounter or create on most contracts for IT products and services. Contractors covered by these regulations should review them and ensure compliance, or risk adverse consequences from the VA.