[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1128 Introduced in House (IH)]

114th CONGRESS
  1st Session
                                H. R. 1128

To amend title 38, United States Code, to make certain improvements in 
the information security of the Department of Veterans Affairs, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           February 26, 2015

 Mrs. Kirkpatrick introduced the following bill; which was referred to 
                   the Committee on Veterans' Affairs

_______________________________________________________________________

                                 A BILL


 
To amend title 38, United States Code, to make certain improvements in 
the information security of the Department of Veterans Affairs, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Department of Veterans Affairs Cyber 
Security Protection Act''.

SEC. 2. DEPARTMENT OF VETERANS AFFAIRS INFORMATION SECURITY 
              IMPROVEMENTS.

    (a) Submittal of Quarterly Information Security Report to 
Congress.--Paragraph (14) of subsection (b) of section 5723 of title 
38, United States Code, is amended by inserting ``and to the Committees 
on Veterans' Affairs of the Senate and House of Representatives'' after 
``to the Secretary''.
    (b) Plan for Addressing Known Information Security 
Vulnerabilities.--Such subsection is further amended by adding at the 
end the following new paragraph:
            ``(17) Submitting to the Chairs and Ranking Members of the 
        Committees on Veterans' Affairs of the Senate and House of 
        Representatives, by not later than 30 days after the last day 
        of each fiscal quarter, a summary of any plans of action and 
        milestones for any known information security vulnerability, as 
        identified pursuant to a widely accepted industry or Government 
        standard, that includes--
                    ``(A) specific information about the industry or 
                Government standard used to identify the known 
                information security vulnerability;
                    ``(B) a detailed timeline with specific deadlines 
                for addressing the known information security 
                vulnerability; and
                    ``(C) an update of any previously specified 
                timeline and the rationale for any deviations from such 
                timeline.''.
    (c) Plan for Replacing Outdated Operating Systems.--Such subsection 
is further amended by adding at the end the following new paragraph:
            ``(18) Submitting to the Committees on Veterans' Affairs of 
        the Senate and House of Representatives, by not later than 
        January 1 of each year, a plan for identifying and replacing 
        operating systems of the Department that are unsupported and 
        that includes--
                    ``(A) in the case of an operating system other than 
                an operating system covered under subparagraph (C), 
                requirements that the operating system be removed from 
                the network of the Department no later than 15 days 
                after the date on which the operating system is 
                identified as being out-of-date or unsupported;
                    ``(B) information concerning the number of systems 
                so identified during the year preceding the year in 
                which the report is submitted, when each such system 
                was so identified, and when each system so identified 
                was removed from the network of the Department; and
                    ``(C) in the case of an operating system the 
                Secretary determines is essential for the proper 
                operation of any medical device or equipment, a 
                description of the operating system and a detailed 
                discussion of steps taken to ensure the security of the 
                operating system.''.
    (d) Software Security.--Such subsection is further amended by 
adding at the end the following new paragraph:
            ``(19) Ensuring that any software or Internet applications 
        used on systems by the Department are as secure as practicable 
        from any known vulnerabilities that could affect the 
        confidentiality of sensitive personal information of 
        veterans.''.
    (e) Third Party Validation.--Not later than 60 days after the date 
of the enactment of this Act, the Secretary of Veterans Affairs shall 
submit to the Committees on Veterans' Affairs of the Senate and House 
of Representatives a report on third party validation of Department of 
Veterans Affairs security. Such report shall include--
            (1) a description of any steps the Secretary has taken to 
        provide for a systemic and ongoing evaluation of the 
        information security of the Department by a non-Department 
        entity; and
            (2) a description of any steps the Secretary plans to take 
        to provide for such evaluation.

SEC. 3. INFORMATION TECHNOLOGY REPORTING REQUIREMENTS.

    (a) In General.--Chapter 57 of title 38, United States Code, is 
amended--
            (1) by redesignating sections 5727 and 5728 as sections 
        5729 and 5730, respectively; and
            (2) by inserting after section 5726 the following new 
        sections:
``Sec. 5727. Reporting requirements
    ``Not later than 30 days after the last day of each fiscal quarter, 
the Secretary shall submit to the Committees on Veterans' Affairs of 
the Senate and House of Representatives a report that includes the 
following information for that fiscal quarter:
            ``(1) A detailed description of any incidents of failure to 
        comply with established information security policies that 
        occurred during that quarter.
            ``(2) Any actions taken in response to such an incident.
            ``(3) Any reports made under paragraphs (8) through (10) of 
        subsection (b) of section 5723 of this title during that 
        quarter.
            ``(4) Written certification that the requirements of 
        section 5722(c) of this title were followed during that 
        quarter.
            ``(5) A detailed discussion of whether each recommendation 
        made by the National Institute of Standards and Technology, the 
        Office of Management and Budget, or the Department of Homeland 
        Security relating to information security has been implemented 
        by the Department, and if not, an explanation of why such 
        recommendation was not implemented.
            ``(6) Steps taken during that quarter to ensure the security 
        of the Veterans Health Information Systems and Technology 
        Architecture of the Department, which allows for an integrated 
        inpatient and outpatient electronic health record for patients 
        and provides administrative tools to employees of the 
        Department.
``Sec. 5728. Information security strategic plan
    ``(a) Plan Required.--Not later than one year after the date of the 
enactment of this section, the Secretary shall submit to the Committees 
on Veterans' Affairs of the Senate and House of Representatives a 
strategic plan for improving the information security and information 
technology infrastructure of the Department. Such plan shall address--
            ``(1) an information security plan for protecting the 
        sensitive personal information of veterans while not unduly 
        interfering with the ability of the Department to provide 
        benefits and services to veterans and their dependents;
            ``(2) how the Department can improve its compliance with 
        information security requirements;
            ``(3) training and recruitment of employees with the 
        necessary expertise and abilities in information security; and
            ``(4) the institutional capability of the Department to 
        address information security threats and to implement best 
        practices related to information security.
    ``(b) Biannual Updates.--The Secretary shall submit to the 
Committees on Veterans' Affairs of the Senate and House of 
Representatives biannual updates to the plan required by subsection 
(a).''.
    (b) Clerical Amendments.--The table of sections at the beginning of 
such chapter is amended by striking the items relating to sections 5727 
and 5728 and inserting the following new items:

``5727. Reporting requirements.
``5728. Information security strategic plan.
``5729. Definitions.
``5730. Authorization of appropriations.''.

SEC. 4. REQUIREMENTS FOR DEPARTMENT OF VETERANS AFFAIRS CONTRACTS FOR 
              DATA PROCESSING OR MAINTENANCE.

    (a) In General.--Section 5725(a) of title 38, United States Code, 
is amended--
            (1) in paragraph (2), by striking the period and inserting 
        ``; and''; and
            (2) by adding at the end the following new paragraph:
            ``(3) the contractor shall provide protective measures to 
        safeguard from possible information security threats any 
        information provided by the Department that will be resident on 
        or transiting through information systems controlled by the 
        contractor.''.
    (b) Applicability.--Paragraph (3) of section 5725(a) of title 38, 
United States Code, shall apply with respect to a contract entered into 
after the date of the enactment of this Act.

SEC. 5. REPORT ON DEPARTMENTAL ORGANIZATION AND RESPONSE TO INFORMATION 
              SECURITY INCIDENTS.

    Not later than five years after the date of the enactment of this 
Act, the Secretary of Veterans Affairs shall submit to the Committees 
on Veterans' Affairs of the Senate and House of Representatives a 
report on information security protection and the accountability of the 
Department of Veterans Affairs for information security breaches and 
incidents. Such report shall include--
            (1) a discussion of any organizational changes that could 
        be made within the Department to provide for an increased level 
        of information security protection for veterans;
            (2) a discussion of any organizational changes that could 
        be made within the Department to provide for greater 
        accountability and responsibility for information security; and
            (3) a plan to develop a system of better assigning costs 
        associated with data breaches and information security 
        incidents, including the costs associated with notifications 
        and credit monitoring services, where applicable, to the 
        offices and subdivisions of the Department responsible for such 
        breaches and incidents.