[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4356 Introduced in House (IH)]

113th CONGRESS
  2d Session
                                H. R. 4356

To amend title 38, United States Code, to make certain improvements in 
the information security of the Department of Veterans Affairs, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 1, 2014

Mrs. Kirkpatrick (for herself and Mr. Michaud) introduced the following 
     bill; which was referred to the Committee on Veterans' Affairs

_______________________________________________________________________

                                 A BILL


To amend title 38, United States Code, to make certain improvements in 
the information security of the Department of Veterans Affairs, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Department of Veterans Affairs 
Information Security Protection Act''.

SEC. 2. DEPARTMENT OF VETERANS AFFAIRS INFORMATION SECURITY 
              IMPROVEMENTS.

    (a) Submittal of Quarterly Information Security Report to 
Congress.--Paragraph (14) of subsection (b) of section 5723 of title 
38, United States Code, is amended by inserting ``and to the Committees 
on Veterans' Affairs of the Senate and House of Representatives'' after 
``to the Secretary''.
    (b) Plan for Addressing Known Information Security 
Vulnerabilities.--Such subsection is further amended by adding at the 
end the following new paragraph:
            ``(17) Submitting to the Chairs and Ranking Members of the 
        Committees on Veterans' Affairs of the Senate and House of 
        Representatives, by not later than 30 days after the date of 
        the enactment of this paragraph, and quarterly thereafter, a 
        plan of action to address critical known information security 
        vulnerabilities that includes--
                    ``(A) specific milestones regarding timelines to 
                address such vulnerabilities;
                    ``(B) a summary of any reports provided to the 
                Assistant Secretary for Information and Technology 
                pursuant to subsection (e)(3) during the period covered 
                by the report;
                    ``(C) a discussion of any risk assessment analysis 
                undertaken by the Department that led to the inclusion 
                of any such vulnerability; and
                    ``(D) a summary of such plan of action that could 
                be made publicly available.''.
    (c) Plan for Replacing Outdated Operating Systems.--Such subsection 
is further amended by adding at the end the following new paragraph:
            ``(18) Submitting to the Committees on Veterans' Affairs of 
        the Senate and House of Representatives, by not later than 
        January 1 of each year, a plan for identifying and replacing 
        operating systems of the Department that are out-of-date or 
        unsupported and that includes--
                    ``(A) requirements that such an operating system be 
                removed from the network of the Department no later 
                than 15 days after the date on which the operating 
                system was identified as being out-of-date or 
                unsupported; and
                    ``(B) information concerning the number of systems 
                so identified during the year preceding the year in 
                which the report is submitted, when each such system 
                was so identified, and when each system so identified 
                was removed from the network of the Department.''.
    (d) Software Security.--Such subsection is further amended by 
adding at the end the following new paragraph:
            ``(19) Ensuring that any software or Internet applications 
        used on systems by the Department are secure from 
        vulnerabilities that could affect the confidentiality of 
        sensitive personal information of veterans.''.

SEC. 3. INFORMATION TECHNOLOGY REPORTING REQUIREMENTS.

    (a) In General.--Chapter 57 of title 38, United States Code, is 
amended--
            (1) by redesignating sections 5727 and 5728 as sections 
        5729 and 5730, respectively; and
            (2) by inserting after section 5726 the following new 
        sections:
``Sec. 5727. Reporting requirements
    ``Not later than 30 days after the last day of each fiscal quarter, 
the Secretary shall submit to the Committees on Veterans' Affairs of 
the Senate and House of Representatives a report that includes the 
following information for that fiscal quarter:
            ``(1) A detailed description of any incidents of failure to 
        comply with established information security policies that 
        occurred during that quarter.
            ``(2) Any actions taken in response to such an incident.
            ``(3) Any reports made under paragraphs (8) through (10) of 
        subsection (b) of section 5723 of this title during that 
        quarter.
            ``(4) Written certification that the requirements of 
        section 5722(c) of this title were followed during that 
        quarter.
            ``(5) A detailed discussion of whether each recommendation 
        made by the National Institute of Standards and Technology, the 
        Office of Management and Budget, or the Department of Homeland 
        Security relating to information security has been implemented 
        by the Department, and if not, an explanation of why such 
        recommendation was not implemented.
            ``(6) Steps taken during that quarter to ensure the security 
        of the Veterans Health Information Systems and Technology 
        Architecture of the Department, which allows for an integrated 
        inpatient and outpatient electronic health record for patients 
        and provides administrative tools to employees of the 
        Department.
``Sec. 5728. Information security strategic plan
    ``(a) Plan Required.--Not later than one year after the date of the 
enactment of this section, the Secretary, in consultation with the 
Secretary of Homeland Security, the Director of the Office of 
Management and Budget, the Secretary of Defense, the Director of the 
National Institute of Standards and Technology, the heads of other 
appropriate Federal agencies, veterans groups, and appropriate industry 
specialists, shall submit to the Committees on Veterans' Affairs of the 
Senate and House of Representatives a strategic plan for improving the 
information security of the Department. Such plan shall address--
            ``(1) methods of protecting the sensitive personal 
        information of veterans while not unduly interfering with the 
        ability of the Department to provide benefits and services to 
        veterans and their dependents;
            ``(2) how the Department can improve its compliance with 
        information security requirements;
            ``(3) training and recruitment of employees with the 
        necessary expertise and abilities in information security; and
            ``(4) the institutional capability of the Department to 
        address information security threats and to implement best 
        practices related to information security.
    ``(b) Biannual Updates.--The Secretary shall submit to the 
Committees on Veterans' Affairs of the Senate and House of 
Representatives biannual updates to the plan required by subsection 
(a).''.
    (b) Clerical Amendments.--The table of sections at the beginning of 
such chapter is amended by striking the items relating to sections 5727 
and 5728 and inserting the following new items:

``5727. Reporting requirements.
``5728. Information security strategic plan.
``5729. Definitions.
``5730. Authorization of appropriations.''.

SEC. 4. REQUIREMENTS FOR DEPARTMENT OF VETERANS AFFAIRS CONTRACTS FOR 
              DATA PROCESSING OR MAINTENANCE.

    (a) In General.--Section 5725(a) of title 38, United States Code, 
is amended--
            (1) in paragraph (2), by striking the period and inserting 
        ``; and''; and
            (2) by adding at the end the following new paragraph:
            ``(3) the contractor shall provide protective measures to 
        safeguard from possible information security threats any 
        information provided by the Department that will be resident on 
        or transiting through information systems controlled by the 
        contractor.''.
    (b) Applicability.--Paragraph (3) of section 5725(a) of title 38, 
United States Code, shall apply with respect to a contract entered into 
after the date of the enactment of this Act.