[117th Congress Public Law 302]
[From the U.S. Government Publishing Office]



[[Page 4383]]

               STRENGTHENING VA CYBERSECURITY ACT OF 2022

[[Page 136 STAT. 4384]]

Public Law 117-302
117th Congress

                                 An Act


 
 To require the Secretary of Veterans Affairs to obtain an independent 
  cybersecurity assessment of information systems of the Department of 
Veterans Affairs, and for other purposes. <<NOTE: Dec. 27, 2022 -  [H.R. 
                                7299]>> 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled, <<NOTE: Strengthening VA 
Cybersecurity Act of 2022.>> 
SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Strengthening VA Cybersecurity Act of 
2022'' or the ``SVAC Act of 2022''.
SEC. 2. <<NOTE: Deadlines.>>  INDEPENDENT CYBERSECURITY ASSESSMENT 
                    OF INFORMATION SYSTEMS OF DEPARTMENT OF 
                    VETERANS AFFAIRS.

    (a) Independent Assessment Required.--
            (1) In general.-- <<NOTE: Contracts.>> Not later than 60 
        days after the date of the enactment of this Act, the Secretary 
        of Veterans Affairs shall seek to enter into an agreement with a 
        federally funded research and development center to provide to 
        the Secretary an independent cybersecurity assessment of--
                    (A) five high-impact information systems of the 
                Department of Veterans Affairs; and
                    (B) the effectiveness of the information security 
                program and information security management system of 
                the Department.
            (2) Detailed analysis.--The independent cybersecurity 
        assessment provided under paragraph (1) shall include a detailed 
        analysis of the ability of the Department--
                    (A) to ensure the confidentiality, integrity, and 
                availability of the information, information systems, 
                and devices of the Department; and
                    (B) to protect against--
                          (i) advanced persistent cybersecurity threats;
                          (ii) ransomware;
                          (iii) denial of service attacks;
                          (iv) insider threats;
                          (v) threats from foreign actors, including 
                      state sponsored criminals and other foreign based 
                      criminals;
                          (vi) phishing;
                          (vii) credential theft;
                          (viii) cybersecurity attacks that target the 
                      supply chain of the Department;
                          (ix) threats due to remote access and telework 
                      activity; and
                          (x) other cyber threats.
            (3) Types of systems.--The independent cybersecurity 
        assessment provided under paragraph (1) shall cover on-premises, 
        remote, cloud-based, and mobile information systems and devices 
        used by, or in support of, Department activities.
            (4) Shadow information technology.-- 
        <<NOTE: Evaluation.>> The independent cybersecurity assessment 
        provided under paragraph (1) shall include an evaluation of the 
        use of information technology systems, devices, and services by 
        employees and contractors of the Department who do so without 
        the heads of the elements of the Department that are responsible 
        for information technology at the Department knowing or 
        approving of such use.
            (5) Methodology.--In conducting the cybersecurity assessment 
        to be provided under paragraph (1), the federally funded 
        research and development center shall take into account industry 
        best practices and the current state-of-the-art in cybersecurity 
        evaluation and review.

    (b) Plan.--
            (1) In general.--Not later than 120 days after the date on 
        which an independent assessment is provided to the Secretary by 
        a federally funded research and development center pursuant to 
        an agreement entered into under subsection (a), the Secretary 
        shall submit to the Committees on Veterans' Affairs of the House 
        of Representatives and the Senate a plan to address the findings 
        of the federally funded research and development center set 
        forth in such assessment.
            (2) Elements.--The plan submitted under paragraph (1) shall 
        include the following:
                    (A) Improvements to the security controls of the 
                information systems of the Department assessed under 
                subsection (a) to--
                          (i) achieve the goals specified in 
                      subparagraph (A) of paragraph (2) of such 
                      subsection; and
                          (ii) protect against the threats specified in 
                      subparagraph (B) of such paragraph.
                    (B) Improvements to the information security program 
                and information security management system of the 
                Department to achieve such goals and protect against 
                such threats.
                    (C) <<NOTE: Cost estimate.>>  A cost estimate for 
                implementing the plan.
                    (D) <<NOTE: Timeline.>>  A timeline for implementing 
                the plan.
                    (E) Such other elements as the Secretary considers 
                appropriate.

    (c) Comptroller General of the United States Evaluation and 
Review.--Not later than 180 days after the date of the submission of the 
plan under subsection (b)(1), the Comptroller General of the United 
States shall--
            (1) commence an evaluation and review of--
                    (A) the independent cybersecurity assessment 
                provided under subsection (a); and
                    (B) the response of the Department to such 
                assessment; and
            (2) <<NOTE: Briefing. Recommendations.>> provide to the 
        Committees on Veterans' Affairs of the House of Representatives 
        and the Senate a briefing on the
        results of the evaluation and review, including any 
        recommendations made to the Secretary regarding the matters 
        covered by the briefing.

    Approved December 27, 2022.

LEGISLATIVE HISTORY--H.R. 7299:
---------------------------------------------------------------------------

CONGRESSIONAL RECORD, Vol. 168 (2022):
            Nov. 14, considered in House.
            Nov. 17, prior proceedings vacated; considered and passed 
                House.
            Dec. 19, considered and passed Senate.
