[117th Congress Public Law 302]
[From the U.S. Government Publishing Office]
STRENGTHENING VA CYBERSECURITY ACT OF 2022
[[Page 136 STAT. 4384]]
Public Law 117-302
117th Congress
An Act
To require the Secretary of Veterans Affairs to obtain an independent cybersecurity assessment of information systems of the Department of Veterans Affairs, and for other purposes. <<NOTE: Dec. 27, 2022 - [H.R. 7299]>>
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled, <<NOTE: Strengthening VA
Cybersecurity Act of 2022.>>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Strengthening VA Cybersecurity Act of
2022'' or the ``SVAC Act of 2022''.
SEC. 2. <<NOTE: Deadlines.>> INDEPENDENT CYBERSECURITY ASSESSMENT OF INFORMATION SYSTEMS OF DEPARTMENT OF VETERANS AFFAIRS.
(a) Independent Assessment Required.--
(1) In general.-- <<NOTE: Contracts.>> Not later than 60
days after the date of the enactment of this Act, the Secretary
of Veterans Affairs shall seek to enter into an agreement with a
federally funded research and development center to provide to
the Secretary an independent cybersecurity assessment of--
(A) five high-impact information systems of the
Department of Veterans Affairs; and
(B) the effectiveness of the information security
program and information security management system of
the Department.
(2) Detailed analysis.--The independent cybersecurity
assessment provided under paragraph (1) shall include a detailed
analysis of the ability of the Department--
(A) to ensure the confidentiality, integrity, and
availability of the information, information systems,
and devices of the Department; and
(B) to protect against--
(i) advanced persistent cybersecurity threats;
(ii) ransomware;
(iii) denial of service attacks;
(iv) insider threats;
(v) threats from foreign actors, including
state sponsored criminals and other foreign based
criminals;
(vi) phishing;
(vii) credential theft;
(viii) cybersecurity attacks that target the
supply chain of the Department;
(ix) threats due to remote access and telework
activity; and
(x) other cyber threats.
(3) Types of systems.--The independent cybersecurity
assessment provided under paragraph (1) shall cover on-premises,
remote, cloud-based, and mobile information systems and devices
used by, or in support of, Department activities.
(4) Shadow information technology.--
<<NOTE: Evaluation.>> The independent cybersecurity assessment
provided under paragraph (1) shall include an evaluation of the
use of information technology systems, devices, and services by
employees and contractors of the Department who do so without
the heads of the elements of the Department that are responsible
for information technology at the Department knowing or
approving of such use.
(5) Methodology.--In conducting the cybersecurity assessment
to be provided under paragraph (1), the federally funded
research and development center shall take into account industry
best practices and the current state-of-the-art in cybersecurity
evaluation and review.
(b) Plan.--
(1) In general.--Not later than 120 days after the date on
which an independent assessment is provided to the Secretary by
a federally funded research and development center pursuant to
an agreement entered into under subsection (a), the Secretary
shall submit to the Committees on Veterans' Affairs of the House
of Representatives and the Senate a plan to address the findings
of the federally funded research and development center set
forth in such assessment.
(2) Elements.--The plan submitted under paragraph (1) shall
include the following:
(A) Improvements to the security controls of the
information systems of the Department assessed under
subsection (a) to--
(i) achieve the goals specified in
subparagraph (A) of paragraph (2) of such
subsection; and
(ii) protect against the threats specified in
subparagraph (B) of such paragraph.
(B) Improvements to the information security program
and information security management system of the
Department to achieve such goals and protect against
such threats.
(C) <<NOTE: Cost estimate.>> A cost estimate for
implementing the plan.
(D) <<NOTE: Timeline.>> A timeline for implementing
the plan.
(E) Such other elements as the Secretary considers
appropriate.
(c) Comptroller General of the United States Evaluation and
Review.--Not later than 180 days after the date of the submission of the
plan under subsection (b)(1), the Comptroller General of the United
States shall--
(1) commence an evaluation and review of--
(A) the independent cybersecurity assessment
provided under subsection (a); and
(B) the response of the Department to such
assessment; and
(2) <<NOTE: Briefing. Recommendations.>> provide to the
Committees on Veterans' Affairs of the House of Representatives
and the Senate a briefing on the results of the evaluation and
review, including any recommendations made to the Secretary
regarding the matters covered by the briefing.
Approved December 27, 2022.
LEGISLATIVE HISTORY--H.R. 7299:
---------------------------------------------------------------------------
CONGRESSIONAL RECORD, Vol. 168 (2022):
Nov. 14, considered in House.
Nov. 17, prior proceedings vacated; considered and passed
House.
Dec. 19, considered and passed Senate.