Department of Veterans Affairs pilot program to modernize digital identity proofing and authentication systems

(a)

Establishment of pilot program

The Secretary of Veterans Affairs shall, in accordance with chapter 57 of title 38, United States Code, carry out a pilot program to modernize digital identity proofing and authentication systems of the Department of Veterans Affairs. Under such pilot program, the Secretary shall be responsible for— (1)replacing legacy knowledge-based or single-factor identity verification mechanisms with multi-layered, high-assurance digital identity solutions; (2)reducing fraud and improper payments; (3)improving secure access to digital service platforms of the Department for veterans and other individuals eligible for benefits under laws administered by the Secretary; and (4)assessing cost savings and operational efficiencies before carrying out a full-scale deployment of any digital identity solution developed pursuant to the pilot program. (b)

Selection

The Secretary shall select, for participation in the pilot program, not more than three high-volume digital service platforms of the Department, each of which may consist of one or more underlying systems, applications, or services, including— (1)disability compensation claims system; (2)veterans health care enrollment portal; (3)the system to administer educational benefits; or (4)the system to administer home loan benefits. (c)

Risk-tiered implementation

As part of the pilot, the Secretary shall— (1)map categories of digital transactions within participating platforms to graduated levels of identity assurance based on— (A)transaction sensitivity; (B)fraud risk; and (C)potential harm; (2)implement adaptive authentication mechanisms capable of adjusting authentication requirements based on contextual and behavioral risk signals; and (3)ensure, to the extent practicable under applicable Federal standards, more rigorous authentication requirements are applied only where warranted by risk. (d)

Standards for digital identity solutions

Any digital identity solution implemented pursuant to the pilot program shall— (1)be commercially available and may not be developed exclusively for use by the Department; (2)be independently certified to meet or exceed Identity Assurance Level 2 (IAL2), as defined in National Institute of Standards and Technology Special Publication 800–63 (or any successor document); (3)incorporate multi-factor authentication consistent with Authentication Assurance Level 2 (AAL2), as defined in NIST SP 800–63 (or any successor document), or higher; and (4)comply with applicable Federal cybersecurity and privacy requirements, including— (A)chapter 57 of title 38, United States Code; (B)the Privacy Act of 1974 (5 U.S.C. 522a); and (C)the Federal Information Security Modernization Act of 2014 (Public Law 113–283). (e)

Funding

(1)

In general

Of amounts authorized to be appropriated for Information Technology Systems under chapter 57 of title 38, United States Code, the Secretary may obligate or expend not more than $25,000,000, in the aggregate, may be obligated to carry out the pilot program. (2)

No additional authorization

No additional funds are authorized to be appropriated to carry out this section. (f)

Reporting requirements

(1)

Implementation plan

Not later than 120 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Veterans’ Affairs of the House of Representatives and the Senate a plan for implementing the pilot program under this section. (2)

Interim report

Not later than one year after the date on which the Secretary commences the pilot program, the Secretary shall submit to such committees an interim performance report that includes— (A)a summary of— (i)identity proofing completion rates; (ii)successful authentication rates; (iii)successful account recovery rates; and (iv)abandonment rates during proofing, authentication, and recovery workflows, for each participating digital service platform, compared to the baseline rates in effect before commencement of the pilot program; (B)fraud reduction metrics applicable to the digital service platforms of the Department selected for participation in the pilot program; (C)an assessment of the extent to which the pilot program has resulted in decreased overall costs to the Department; and (D)cybersecurity performance indicators. (3)

Final report

Not later than 90 days before the date specified in subsection (i)(1), the Secretary shall submit to such committees a final report that includes— (A)a comprehensive evaluation of the pilot program; and (B)legislative recommendations with respect to modernizing digital identity and authentication systems of the Department. (g)

GAO evaluation and report

Not later than 18 months after the date of the enactment of this Act, the Comptroller General of the United States shall carry out an independent evaluation of the pilot program under this section and submit to the Committees on Veterans’ Affairs of the House of Representatives and the Senate a report that includes the findings of such evaluation. Such report shall include the following: (1)An assessment of— (A)the extent to which the pilot program successfully implemented identity proofing and authentication mechanisms that meet or exceed Identity Assurance Level 2 (IAL2) and Authentication Assurance Level 2 (AAL2) standards under National Institute of Standards and Technology Special Publication 800–63 (or any successor document); (B)the degree to which the pilot program reduced identity-related fraud, improper payments, or unauthorized account access across participating digital service platforms; (C)the effect of the pilot program on veteran access to such digital service platforms, including effects on— (i)authentication success rates; (ii)account recovery and support requests; and (iii)barriers to access for veterans— (I)residing in rural areas; (II)with disabilities; or (III)with limited digital literacy; (D)costs associated with implementation of the pilot program compared with the financial benefits to the Department derived from fraud reduction, administrative efficiencies, and avoided improper payments; (E)the extent to which the digital identity solutions used in the pilot program complied with applicable Federal cybersecurity and privacy requirements; (F)the extent to which the Department successfully implemented risk-tiered authentication approaches that adjust identity verification requirements based on transaction sensitivity and fraud risk; and (G)the feasibility of scaling the pilot program across additional digital service platforms of the Department, including compatibility with existing Department identity infrastructure and potential integration with Government-wide identity verification services. (2)Recommendations of the Comptroller General with respect to whether the pilot program should be— (A)expanded to additional digital service platforms of the Department; (B)modified to address operational or cybersecurity risks; or (C)discontinued. (h)

Authorization period

(1)

Termination date

The authority of the Secretary to carry out the pilot program under this section shall terminate on the date that is two years after the date of the enactment of this Act. (2)

No presumption of continuation

The Secretary may not be expand the scope or funding cap beyond the levels described in this section unless expressly authorized by a subsequent Act of Congress.