[Congressional Record Volume 168, Number 175 (Monday, November 14, 2022)]
[House]
[Pages H8464-H8465]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




               STRENGTHENING VA CYBERSECURITY ACT OF 2022

  Mr. TAKANO. Mr. Speaker, I move to suspend the rules and pass the 
bill (H.R. 7299) to require the Secretary of Veterans Affairs to obtain 
an independent cybersecurity assessment of information systems of the 
Department of Veterans Affairs, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 7299

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Strengthening VA 
     Cybersecurity Act of 2022'' or the ``SVAC Act of 2022''.

     SEC. 2. INDEPENDENT CYBERSECURITY ASSESSMENT OF INFORMATION 
                   SYSTEMS OF DEPARTMENT OF VETERANS AFFAIRS.

       (a) Independent Assessment Required.--
       (1) In general.--Not later than 60 days after the date of 
     the enactment of this Act, the Secretary of Veterans Affairs 
     shall seek to enter into an agreement with a federally funded 
     research and development center to provide to the Secretary 
     an independent cybersecurity assessment of--
       (A) five high-impact information systems of the Department 
     of Veterans Affairs; and
       (B) the effectiveness of the information security program 
     and information security management system of the Department.
       (2) Detailed analysis.--The independent cybersecurity 
     assessment provided under paragraph (1) shall include a 
     detailed analysis of the ability of the Department--
       (A) to ensure the confidentiality, integrity, and 
     availability of the information, information systems, and 
     devices of the Department; and
       (B) to protect against--
       (i) advanced persistent cybersecurity threats;
       (ii) ransomware;
       (iii) denial of service attacks;
       (iv) insider threats;
       (v) threats from foreign actors, including state sponsored 
     criminals and other foreign based criminals;
       (vi) phishing;
       (vii) credential theft;
       (viii) cybersecurity attacks that target the supply chain 
     of the Department;
       (ix) threats due to remote access and telework activity; 
     and
       (x) other cyber threats.
       (3) Types of systems.--The independent cybersecurity 
     assessment provided under paragraph (1) shall cover on-
     premises, remote, cloud-based, and mobile information systems 
     and devices used by, or in support of, Department activities.
       (4) Shadow information technology.--The independent 
     cybersecurity assessment provided under paragraph (1) shall 
     include an evaluation of the use of information technology 
     systems, devices, and services by employees and contractors 
     of the Department who do so without the heads of the elements 
     of the Department that are responsible for information 
     technology at the Department knowing or approving of such 
     use.
       (5) Methodology.--In conducting the cybersecurity 
     assessment to be provided under paragraph (1), the federally 
     funded research and development center shall take into 
     account industry best practices and the current state-of-the-
     art in cybersecurity evaluation and review.
       (b) Plan.--
       (1) In general.--Not later than 120 days after the date on 
     which an independent assessment is provided to the Secretary 
     by a federally funded research and development center 
     pursuant to an agreement entered into under subsection (a), 
     the Secretary shall submit to the Committees on Veterans' 
     Affairs of the House of Representatives and the Senate a plan 
     to address the findings of the federally funded research and 
     development center set forth in such assessment.
       (2) Elements.--The plan submitted under paragraph (1) shall 
     include the following:
       (A) Improvements to the security controls of the 
     information systems of the Department assessed under 
     subsection (a) to--
       (i) achieve the goals specified in subparagraph (A) of 
     paragraph (2) of such subsection; and
       (ii) protect against the threats specified in subparagraph 
     (B) of such paragraph.
       (B) Improvements to the information security program and 
     information security management system of the Department to 
     achieve such goals and protect against such threats.
       (C) A cost estimate for implementing the plan.
       (D) A timeline for implementing the plan.
       (E) Such other elements as the Secretary considers 
     appropriate.
       (c) Comptroller General of the United States Evaluation and 
     Review.--Not later than 180 days after the date of the 
     submission of the plan under subsection (b)(1), the 
     Comptroller General of the United States shall--
       (1) commence an evaluation and review of--
       (A) the independent cybersecurity assessment provided under 
     subsection (a); and
       (B) the response of the Department to such assessment; and
       (2) provide to the Committees on Veterans' Affairs of the 
     House of Representatives and the Senate a briefing on the 
     results of the evaluation and review, including any 
     recommendations made to the Secretary regarding the matters 
     covered by the briefing.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
California (Mr. Takano) and the gentleman from Texas (Mr. Ellzey) each 
will control 20 minutes.
  The Chair recognizes the gentleman from California.


                             General Leave

  Mr. TAKANO. Mr. Speaker, I ask unanimous consent that all Members 
have 5 legislative days in which to revise and extend their remarks and 
include extraneous material on H.R. 7299, as amended.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from California?
  There was no objection.
  Mr. TAKANO. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise today to support H.R. 7299, the Strengthening VA 
Cybersecurity Act of 2022. This bill represents a bipartisan, bicameral 
effort to oversee the Department of Veterans Affairs' cybersecurity 
efforts.
  This legislation requires independent assessment of the VA's 
cybersecurity readiness by a federally funded research and development 
center, or FFRDC.
  This bill is necessary because of the poor performance of VA in 
audits required by the Federal Information Security Modernization Act, 
also known as FISMA, and independent audits from the VA OIG on 
individual VA sites.
  The bill also seeks to address the issue of ``shadow IT'' which 
has been a priority of the committee this Congress. If VA does not know 
what is on its networks and can't identify assets being utilized 
outside of the Office of Information Technology, then VA can't secure 
it.
  VA's repository of veterans' health information needs to be 
protected. We owe it to veterans to address these challenges now so 
that Congress and veterans can be assured that VA will secure their 
personal information.
  Mr. Speaker, I urge all my colleagues to support H.R. 7299, as 
amended, and I reserve the balance of my time.
  Mr. ELLZEY. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise today in support of H.R. 7299, as amended, the 
Strengthening VA Cybersecurity Act of 2022.
  VA is the second largest Federal agency, and it handles 9 million 
veterans' personal information. The Department is a big target for 
cyber criminals, and the Veterans' Affairs Committee is responsible for 
making sure their data is being protected.
  Unfortunately, it can be hard to assess how well VA is truly 
performing on cybersecurity, and how successfully the money invested 
translates into better security for veterans' information.
  This bill would require a third-party cybersecurity audit of VA to 
fill in the gaps left by the existing audits. While necessary, those 
audits tend to be compliance exercises.
  In contrast, this legislation requires a hard look at actual VA 
systems and real-world vulnerabilities. The bill also requires VA to 
submit a detailed plan to remediate whatever weaknesses the third-party 
auditor finds.
  Hostile nations are working around the clock to exploit any 
vulnerability in our networks or systems, especially with health 
records. We must stay one step ahead of them, and I appreciate Mr. 
Mrvan's work on this important issue.
  Mr. Speaker, I encourage my colleagues to support the bill, and I 
yield back the balance of my time.
  Mr. TAKANO. Mr. Speaker, I urge all of my colleagues to support H.R. 
7299, as amended, and I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from California (Mr. Takano) that the House suspend the rules 
and pass the bill, H.R. 7299, as amended.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. ROSENDALE. Mr. Speaker, on that I demand the yeas and nays.
  The yeas and nays were ordered.
  The SPEAKER. Pursuant to clause 8 of rule XX, further proceedings on 
this motion will be postponed.
