[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 7299 Referred in Senate (RFS)]

<DOC>
117th CONGRESS
  2d Session
                                H. R. 7299


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           November 17, 2022

Received; read twice and referred to the Committee on Veterans' Affairs

_______________________________________________________________________

                                 AN ACT


 
 To require the Secretary of Veterans Affairs to obtain an independent 
 cybersecurity assessment of information systems of the Department of 
               Veterans Affairs, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Strengthening VA Cybersecurity Act 
of 2022'' or the ``SVAC Act of 2022''.

SEC. 2. INDEPENDENT CYBERSECURITY ASSESSMENT OF INFORMATION SYSTEMS OF 
              DEPARTMENT OF VETERANS AFFAIRS.

    (a) Independent Assessment Required.--
            (1) In general.--Not later than 60 days after the date of 
        the enactment of this Act, the Secretary of Veterans Affairs 
        shall seek to enter into an agreement with a federally funded 
        research and development center to provide to the Secretary an 
        independent cybersecurity assessment of--
                    (A) five high-impact information systems of the 
                Department of Veterans Affairs; and
                    (B) the effectiveness of the information security 
                program and information security management system of 
                the Department.
            (2) Detailed analysis.--The independent cybersecurity 
        assessment provided under paragraph (1) shall include a 
        detailed analysis of the ability of the Department--
                    (A) to ensure the confidentiality, integrity, and 
                availability of the information, information systems, 
                and devices of the Department; and
                    (B) to protect against--
                            (i) advanced persistent cybersecurity 
                        threats;
                            (ii) ransomware;
                            (iii) denial of service attacks;
                            (iv) insider threats;
                            (v) threats from foreign actors, including 
                        state sponsored criminals and other foreign 
                        based criminals;
                            (vi) phishing;
                            (vii) credential theft;
                            (viii) cybersecurity attacks that target 
                        the supply chain of the Department;
                            (ix) threats due to remote access and 
                        telework activity; and
                            (x) other cyber threats.
            (3) Types of systems.--The independent cybersecurity 
        assessment provided under paragraph (1) shall cover on-
        premises, remote, cloud-based, and mobile information systems 
        and devices used by, or in support of, Department activities.
            (4) Shadow information technology.--The independent 
        cybersecurity assessment provided under paragraph (1) shall 
        include an evaluation of the use of information technology 
        systems, devices, and services by employees and contractors of 
        the Department who do so without the heads of the elements of 
        the Department that are responsible for information technology 
        at the Department knowing or approving of such use.
            (5) Methodology.--In conducting the cybersecurity 
        assessment to be provided under paragraph (1), the federally 
        funded research and development center shall take into account 
        industry best practices and the current state-of-the-art in 
        cybersecurity evaluation and review.
    (b) Plan.--
            (1) In general.--Not later than 120 days after the date on 
        which an independent assessment is provided to the Secretary by 
        a federally funded research and development center pursuant to 
        an agreement entered into under subsection (a), the Secretary 
        shall submit to the Committees on Veterans' Affairs of the 
        House of Representatives and the Senate a plan to address the 
        findings of the federally funded research and development 
        center set forth in such assessment.
            (2) Elements.--The plan submitted under paragraph (1) shall 
        include the following:
                    (A) Improvements to the security controls of the 
                information systems of the Department assessed under 
                subsection (a) to--
                            (i) achieve the goals specified in 
                        subparagraph (A) of paragraph (2) of such 
                        subsection; and
                            (ii) protect against the threats specified 
                        in subparagraph (B) of such paragraph.
                    (B) Improvements to the information security 
                program and information security management system of 
                the Department to achieve such goals and protect 
                against such threats.
                    (C) A cost estimate for implementing the plan.
                    (D) A timeline for implementing the plan.
                    (E) Such other elements as the Secretary considers 
                appropriate.
    (c) Comptroller General of the United States Evaluation and 
Review.--Not later than 180 days after the date of the submission of 
the plan under subsection (b)(1), the Comptroller General of the United 
States shall--
            (1) commence an evaluation and review of--
                    (A) the independent cybersecurity assessment 
                provided under subsection (a); and
                    (B) the response of the Department to such 
                assessment; and
            (2) provide to the Committees on Veterans' Affairs of the 
        House of Representatives and the Senate a briefing on the 
        results of the evaluation and review, including any 
        recommendations made to the Secretary regarding the matters 
        covered by the briefing.

            Passed the House of Representatives November 17, 2022.

            Attest:

                                             CHERYL L. JOHNSON,

                                                                 Clerk.