
	

113 HR 4356 IH: Department of Veterans Affairs Information Security Protection Act
U.S. House of Representatives
2014-04-01
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		I
		113th CONGRESS
		2d Session
		H. R. 4356
		IN THE HOUSE OF REPRESENTATIVES
		
			April 1, 2014
			Mrs. Kirkpatrick (for herself and Mr. Michaud) introduced the following bill; which was referred to the Committee on Veterans’ Affairs
		
		A BILL
		To amend title 38, United States Code, to make certain improvements in the information security of
			 the Department of Veterans Affairs, and for other purposes.
	
	
		1.Short title. This Act may be cited as the “Department of Veterans Affairs Information Security Protection Act”.
		2.Department of Veterans Affairs information security improvements
			(a)Submittal of quarterly information security report to Congress. Paragraph (14) of subsection (b) of section 5723 of title 38, United States Code, is amended by
			 inserting “and to the Committees on Veterans’ Affairs of the Senate and House of Representatives” after “to the Secretary”.
			(b)Plan for addressing known information security vulnerabilities. Such subsection is further amended by adding at the end the following new paragraph:
				
					(17)Submitting to the Chairs and Ranking Members of the Committees on Veterans’ Affairs of the Senate
			 and House of Representatives, by not later than 30 days after the date of
			 the enactment of this paragraph, and quarterly thereafter, a plan of
			 action to address critical known information security vulnerabilities that
			 includes—
						(A)specific milestones regarding timelines to address such vulnerabilities;
						(B)a summary of any reports provided to the Assistant Secretary for Information and Technology
			 pursuant to subsection (e)(3) during the period covered by the report;
						(C)a discussion of any risk assessment analysis undertaken by the Department that led to the inclusion
			 of any such vulnerability; and
						(D)a summary of such plan of action that could be made publicly available..
			(c)Plan for replacing outdated operating systems. Such subsection is further amended by adding at the end the following new paragraph:
				
					(18)Submitting to the Committees on Veterans’ Affairs of the Senate and House of Representatives, by
			 not later than January 1 of each year, a plan for identifying and
			 replacing operating systems of the Department that are out-of-date or
			 unsupported and that includes—
						(A)requirements that such an operating system be removed from the network of the Department no later
			 than 15 days after the date on which the operating system was identified
			 as being out-of-date or unsupported; and
						(B)information concerning the number of systems so identified during the year preceding the year in
			 which the report is submitted, when each such system was so identified,
			 and when each system so identified was removed from the network of the
			 Department..
			(d)Software security. Such subsection is further amended by adding at the end the following new paragraph:
				
					(19)Ensuring that any software or Internet applications used on systems by the Department are secure
			 from vulnerabilities that could affect the confidentiality of sensitive
			 personal information of veterans..
			3.Information technology reporting requirements
			(a)In general. Chapter 57 of title 38, United States Code, is amended—
				(1)by redesignating sections 5727 and 5728 as sections 5729 and 5730, respectively; and
				(2)by inserting after section 5726 the following new sections:
					
						5727.Reporting requirements. Not later than 30 days after the last day of each fiscal quarter, the Secretary shall submit to the
			 Committees on Veterans’ Affairs of the Senate and House of Representatives
			 a report that includes the following information for that fiscal quarter:
							(1)A detailed description of any incidents of failure to comply with established information security
			 policies that occurred during that quarter.
							(2)Any actions taken in response to such an incident.
							(3)Any reports made under paragraphs (8) through (10) of subsection (b) of section 5723 of this title
			 during that quarter.
							(4)Written certification that the requirements of section 5722(c) of this title were followed during
			 that quarter.
							(5)A detailed discussion of whether each recommendation made by the National Institute of Standards
			 and Technology, the Office of Management and Budget, or the Department of
			 Homeland Security relating to information security have been implemented
			 by the Department, and if not, an explanation of why such recommendation
			 was not implemented.
							(6)Steps taken to ensure the security of the Veterans Health Information Systems and Technology
			 Architecture of the Department that allows for an integrated inpatient and
			 outpatient electronic health record for patients and provides
			 administrative tools to employees of the Department taken during that
			 quarter.
							5728.Information security strategic plan
							(a)Plan required. Not later than one year after the date of the enactment of this section, the Secretary, in
			 consultation with the Secretary of Homeland Security, the Director of the
			 Office of Management and Budget, the Secretary of Defense, the Director of
			 the National Institute of Standards and Technology, the heads of other
			 appropriate Federal agencies, veterans groups, and appropriate industry
			 specialists, shall submit to the Committees on Veterans’ Affairs of the
			 Senate and House of Representatives a strategic plan for improving the
			 information security of the Department. Such plan shall address—
								(1)methods of protecting the sensitive personal information of veterans while not unduly interfering
			 with the ability of the Department to provide benefits and services to
			 veterans and their dependents;
								(2)how the Department can improve its compliance with information security requirements;
								(3)training and recruitment of employees with the necessary expertise and abilities in information
			 security; and
								(4)the institutional capability of the Department to address information security threats and to
			 implement best practices related to information security.
								(b)Biannual updates. The Secretary shall submit to the Committees on Veterans’ Affairs of the Senate and House of
			 Representatives biannual updates to the plan required by subsection (a)..
				(b)Clerical amendments. The table of sections at the beginning of such chapter is amended by striking the items relating to
			 sections 5727 and 5728 and inserting the following new items:
				
					
						5727. Reporting requirements.
						5728. Information security strategic plan.
						5729. Definitions.
						5730. Authorization of appropriations..
			4.Requirements for Department of Veterans Affairs contracts for data processing or maintenance
			(a)In general. Section 5725(a) of title 38, United States Code, is amended—
				(1)in paragraph (2), by striking the period and inserting “; and”; and
				(2)by adding at the end the following new paragraph:
					
						(3)the contractor shall provide protective measures to safeguard from possible information security
			 threats any information provided by the Department that will be resident
			 on or transiting through information systems controlled by the contractor..
				(b)Applicability. Paragraph (3) of section 5725(a) of title 38, United States Code, shall apply with respect to a
			 contract entered into after the date of the enactment of this Act.
			
