<?xml version="1.0" encoding="UTF-8" standalone="no"?><?xml-stylesheet type="text/css" href="uslm.css"?><statuteCompilation xmlns="http://schemas.gpo.gov/xml/uslm" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:gpo="http://www.gpo.gov/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" style="-uslm-dtd:statute" xml:lang="en" xsi:schemaLocation="http://schemas.gpo.gov/xml/uslm https://www.govinfo.gov/schemas/xml/uslm/uslm-2.0.10.xsd">
    <meta style="-uslm-dtd:compilation-act-form">
        <dc:title>Strengthening VA Cybersecurity Act of 2022</dc:title>
        <citableAs>Public Law 117–302</citableAs>
        <citableAsShortTitle>Strengthening VA Cybersecurity Act of 2022</citableAsShortTitle>
        <docNumber>302</docNumber>
        <currentThroughPublicLaw>117–302</currentThroughPublicLaw>
        <dc:type>Statute Compilation</dc:type>
        <dc:creator>United States House of Representatives</dc:creator>
        <dc:creator>Office of the Legislative Counsel</dc:creator>
        <dc:format>text/xml</dc:format>
        <dc:language>EN</dc:language>
        <dc:rights>Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.</dc:rights>
        <processedBy>GPO Statute Compilations USLM converter, version 20210527.1</processedBy>
        <processedDate>2023-03-10</processedDate>
        <containsShortTitle>Strengthening VA Cybersecurity Act of 2022</containsShortTitle>
        <containsShortTitle>SVAC Act of 2022</containsShortTitle>
        <property role="fileId">17293</property>
        <congress>117</congress>
        <approvedDate>2022-12-27</approvedDate>
    </meta>
    <preface style="-uslm-dtd:compilation-act-form">
        <property role="compShortTitle" style="-uslm-dtd:comp-short-title">Strengthening VA Cybersecurity Act of 2022</property>
        <citationNote style="-uslm-dtd:public-law">[(<citableAs>Public Law 117–302</citableAs>)]</citationNote>
        <editionNote style="-uslm-dtd:updated-through-note">[This law has not been amended]</editionNote>
        <explanationNote style="-uslm-dtd:explanatory-note"><b>[</b>Currency: This publication is a compilation of the text of Public Law 117–302. It was last amended by the public law listed in the As Amended Through note above and below at the bottom of each page of the pdf version and reflects current law through the date of the enactment of the public law listed at https://www.govinfo.gov/app/collection/comps/<b>]</b></explanationNote>
        <explanationNote style="-uslm-dtd:explanatory-note"><b>[</b>Note: While this publication does not represent an official version of any Federal statute, substantial efforts have been made to ensure the accuracy of its contents. The official version of Federal law is found in the United States Statutes at Large and in the United States Code. The legal effect to be given to the Statutes at Large and the United States Code is established by statute (1 U.S.C. 112, 204).<b>]</b></explanationNote>
    </preface>
    <main style="-uslm-dtd:legis-body"><longTitle><docTitle style="-uslm-dtd:legis-type">AN ACT</docTitle><officialTitle style="-uslm-dtd:official-title">To require the Secretary of Veterans Affairs to obtain an independent cybersecurity assessment of information systems of the Department of Veterans Affairs, and for other purposes.</officialTitle></longTitle><enactingFormula style="-uslm-dtd:enacting-clause">Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,</enactingFormula>
        <section identifier="/us/sComp/117/302/s1" style="-uslm-dtd:section" styleType="OLC">
            <num style="-uslm-dtd:enum" value="1">SECTION 1. </num><heading style="-uslm-dtd:header">SHORT TITLE. </heading>
            <content class="block" style="-uslm-dtd:text">This Act may be cited as the “<shortTitle style="-uslm-dtd:quote">Strengthening VA Cybersecurity Act of 2022</shortTitle>” or the “<shortTitle style="-uslm-dtd:quote">SVAC Act of 2022</shortTitle>”.</content>
        </section>
        <section identifier="/us/sComp/117/302/s2" style="-uslm-dtd:section" styleType="OLC">
            <num style="-uslm-dtd:enum" value="2">SEC. 2. </num><heading style="-uslm-dtd:header">INDEPENDENT CYBERSECURITY ASSESSMENT OF INFORMATION SYSTEMS OF DEPARTMENT OF VETERANS AFFAIRS. </heading>
            <subsection identifier="/us/sComp/117/302/s2/a" style="-uslm-dtd:subsection" styleType="OLC">
                <num style="-uslm-dtd:enum" value="a">(a) </num><heading style="-uslm-dtd:header">Independent Assessment Required.—</heading>
                <paragraph identifier="/us/sComp/117/302/s2/a/1" style="-uslm-dtd:paragraph" styleType="OLC">
                    <num style="-uslm-dtd:enum" value="1">(1) </num><heading style="-uslm-dtd:header">In general.—</heading><chapeau style="-uslm-dtd:text">Not later than 60 days after the date of the enactment of this Act, the Secretary of Veterans Affairs shall seek to enter into an agreement with a federally funded research and development center to provide to the Secretary an independent cybersecurity assessment of—</chapeau>
                    <subparagraph identifier="/us/sComp/117/302/s2/a/1/A" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="A">(A) </num><content style="-uslm-dtd:text">five high-impact information systems of the Department of Veterans Affairs; and</content>
                    </subparagraph>
                    <subparagraph identifier="/us/sComp/117/302/s2/a/1/B" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="B">(B) </num><content style="-uslm-dtd:text">the effectiveness of the information security program and information security management system of the Department.</content>
                    </subparagraph>
                </paragraph>
                <paragraph identifier="/us/sComp/117/302/s2/a/2" style="-uslm-dtd:paragraph" styleType="OLC">
                    <num style="-uslm-dtd:enum" value="2">(2) </num><heading style="-uslm-dtd:header">Detailed analysis.—</heading><chapeau style="-uslm-dtd:text">The independent cybersecurity assessment provided under paragraph (1) shall include a detailed analysis of the ability of the Department—</chapeau>
                    <subparagraph identifier="/us/sComp/117/302/s2/a/2/A" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="A">(A) </num><content style="-uslm-dtd:text">to ensure the confidentiality, integrity, and availability of the information, information systems, and devices of the Department; and</content>
                    </subparagraph>
                    <subparagraph identifier="/us/sComp/117/302/s2/a/2/B" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="B">(B) </num><chapeau style="-uslm-dtd:text">to protect against—</chapeau>
                        <clause identifier="/us/sComp/117/302/s2/a/2/B/i" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="i">(i) </num><content style="-uslm-dtd:text">advanced persistent cybersecurity threats;</content>
                        </clause>
                        <clause identifier="/us/sComp/117/302/s2/a/2/B/ii" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="ii">(ii) </num><content style="-uslm-dtd:text">ransomware;</content>
                        </clause>
                        <clause identifier="/us/sComp/117/302/s2/a/2/B/iii" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="iii">(iii) </num><content style="-uslm-dtd:text">denial of service attacks;</content>
                        </clause>
                        <clause identifier="/us/sComp/117/302/s2/a/2/B/iv" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="iv">(iv) </num><content style="-uslm-dtd:text">insider threats;</content>
                        </clause>
                        <clause identifier="/us/sComp/117/302/s2/a/2/B/v" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="v">(v) </num><content style="-uslm-dtd:text">threats from foreign actors, including state sponsored criminals and other foreign based criminals;</content>
                        </clause>
                        <clause identifier="/us/sComp/117/302/s2/a/2/B/vi" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="vi">(vi) </num><content style="-uslm-dtd:text">phishing;</content>
                        </clause>
                        <clause identifier="/us/sComp/117/302/s2/a/2/B/vii" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="vii">(vii) </num><content style="-uslm-dtd:text">credential theft;</content>
                        </clause>
                        <clause identifier="/us/sComp/117/302/s2/a/2/B/viii" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="viii">(viii) </num><content style="-uslm-dtd:text">cybersecurity attacks that target the supply chain of the Department;</content>
                        </clause>
                        <clause identifier="/us/sComp/117/302/s2/a/2/B/ix" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="ix">(ix) </num><content style="-uslm-dtd:text">threats due to remote access and telework activity; and</content>
                        </clause>
                        <clause identifier="/us/sComp/117/302/s2/a/2/B/x" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="x">(x) </num><content style="-uslm-dtd:text">other cyber threats.</content>
                        </clause>
                    </subparagraph>
                </paragraph>
                <paragraph identifier="/us/sComp/117/302/s2/a/3" style="-uslm-dtd:paragraph" styleType="OLC">
                    <num style="-uslm-dtd:enum" value="3">(3) </num><heading style="-uslm-dtd:header">Types of systems.—</heading><content style="-uslm-dtd:text">The independent cybersecurity assessment provided under paragraph (1) shall cover on-premises, remote, cloud-based, and mobile information systems and devices used by, or in support of, Department activities.</content>
                </paragraph>
                <paragraph identifier="/us/sComp/117/302/s2/a/4" style="-uslm-dtd:paragraph" styleType="OLC">
                    <num style="-uslm-dtd:enum" value="4">(4) </num><heading style="-uslm-dtd:header">Shadow information technology.—</heading><content style="-uslm-dtd:text">The independent cybersecurity assessment provided under paragraph (1) shall include an evaluation of the use of information technology systems, devices, and services by employees and contractors of the Department who do so without the heads of the elements of the Department that are responsible for information technology at the Department knowing or approving of such use.</content>
                </paragraph>
                <paragraph identifier="/us/sComp/117/302/s2/a/5" style="-uslm-dtd:paragraph" styleType="OLC">
                    <num style="-uslm-dtd:enum" value="5">(5) </num><heading style="-uslm-dtd:header">Methodology.—</heading><content style="-uslm-dtd:text">In conducting the cybersecurity assessment to be provided under paragraph (1), the federally funded research and development center shall take into account industry best practices and the current state-of-the-art in cybersecurity evaluation and review.</content>
                </paragraph>
            </subsection>
            <subsection identifier="/us/sComp/117/302/s2/b" style="-uslm-dtd:subsection" styleType="OLC">
                <num style="-uslm-dtd:enum" value="b">(b) </num><heading style="-uslm-dtd:header">Plan.—</heading>
                <paragraph identifier="/us/sComp/117/302/s2/b/1" style="-uslm-dtd:paragraph" styleType="OLC">
                    <num style="-uslm-dtd:enum" value="1">(1) </num><heading style="-uslm-dtd:header">In general.—</heading><content style="-uslm-dtd:text">Not later than 120 days after the date on which an independent assessment is provided to the Secretary by a federally funded research and development center pursuant to an agreement entered into under subsection (a), the Secretary shall submit to the Committees on Veterans’ Affairs of the House of Representatives and the Senate a plan to address the findings of the federally funded research and development center set forth in such assessment.</content>
                </paragraph>
                <paragraph identifier="/us/sComp/117/302/s2/b/2" style="-uslm-dtd:paragraph" styleType="OLC">
                    <num style="-uslm-dtd:enum" value="2">(2) </num><heading style="-uslm-dtd:header">Elements.—</heading><chapeau style="-uslm-dtd:text">The plan submitted under paragraph (1) shall include the following:</chapeau>
                    <subparagraph identifier="/us/sComp/117/302/s2/b/2/A" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="A">(A) </num><chapeau style="-uslm-dtd:text">Improvements to the security controls of the information systems of the Department assessed under subsection (a) to—</chapeau>
                        <clause identifier="/us/sComp/117/302/s2/b/2/A/i" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="i">(i) </num><content style="-uslm-dtd:text">achieve the goals specified in subparagraph (A) of paragraph (2) of such subsection; and</content>
                        </clause>
                        <clause identifier="/us/sComp/117/302/s2/b/2/A/ii" style="-uslm-dtd:clause" styleType="OLC">
                            <num style="-uslm-dtd:enum" value="ii">(ii) </num><content style="-uslm-dtd:text">protect against the threats specified in subparagraph (B) of such paragraph.</content>
                        </clause>
                    </subparagraph>
                    <subparagraph identifier="/us/sComp/117/302/s2/b/2/B" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="B">(B) </num><content style="-uslm-dtd:text">Improvements to the information security program and information security management system of the Department to achieve such goals and protect against such threats.</content>
                    </subparagraph>
                    <subparagraph identifier="/us/sComp/117/302/s2/b/2/C" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="C">(C) </num><content style="-uslm-dtd:text">A cost estimate for implementing the plan.</content>
                    </subparagraph>
                    <subparagraph identifier="/us/sComp/117/302/s2/b/2/D" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="D">(D) </num><content style="-uslm-dtd:text">A timeline for implementing the plan.</content>
                    </subparagraph>
                    <subparagraph identifier="/us/sComp/117/302/s2/b/2/E" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="E">(E) </num><content style="-uslm-dtd:text">Such other elements as the Secretary considers appropriate.</content>
                    </subparagraph>
                </paragraph>
            </subsection>
            <subsection identifier="/us/sComp/117/302/s2/c" style="-uslm-dtd:subsection" styleType="OLC">
                <num style="-uslm-dtd:enum" value="c">(c) </num><heading style="-uslm-dtd:header">Comptroller General of the United States Evaluation and Review.—</heading><chapeau style="-uslm-dtd:text">Not later than 180 days after the date of the submission of the plan under subsection (b)(1), the Comptroller General of the United States shall—</chapeau>
                <paragraph identifier="/us/sComp/117/302/s2/c/1" style="-uslm-dtd:paragraph" styleType="OLC">
                    <num style="-uslm-dtd:enum" value="1">(1) </num><chapeau style="-uslm-dtd:text">commence an evaluation and review of—</chapeau>
                    <subparagraph identifier="/us/sComp/117/302/s2/c/1/A" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="A">(A) </num><content style="-uslm-dtd:text">the independent cybersecurity assessment provided under subsection (a); and</content>
                    </subparagraph>
                    <subparagraph identifier="/us/sComp/117/302/s2/c/1/B" style="-uslm-dtd:subparagraph" styleType="OLC">
                        <num style="-uslm-dtd:enum" value="B">(B) </num><content style="-uslm-dtd:text">the response of the Department to such assessment; and</content>
                    </subparagraph>
                </paragraph>
                <paragraph identifier="/us/sComp/117/302/s2/c/2" style="-uslm-dtd:paragraph" styleType="OLC">
                    <num style="-uslm-dtd:enum" value="2">(2) </num><content style="-uslm-dtd:text">provide to the Committees on Veterans’ Affairs of the House of Representatives and the Senate a briefing on the results of the evaluation and review, including any recommendations made to the Secretary regarding the matters covered by the briefing.</content>
                </paragraph>
            </subsection>
        </section>
    </main>
</statuteCompilation>