
Public Law 117-302. Strengthening VA Cybersecurity Act of 2022


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

An Act To require the Secretary of Veterans Affairs to obtain an independent cybersecurity assessment of information systems of the Department of Veterans Affairs, and for other purposes.

Dec. 27, 2022 [[H.R. 7299](/us/bill/117/hr/7299)]

*Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,*

[Margin note: Strengthening VA Cybersecurity Act of 2022.]

## SECTION 1 SHORT TITLE

This Act may be cited as the “Strengthening VA Cybersecurity Act of 2022” or the “SVAC Act of 2022”.

## SEC. 2 INDEPENDENT CYBERSECURITY ASSESSMENT OF INFORMATION SYSTEMS OF DEPARTMENT OF VETERANS AFFAIRS

[Margin note: Deadlines.]

### (a) Independent Assessment Required

#### (1) In general

[Margin note: Contracts.]

Not later than 60 days after the date of the enactment of this Act, the Secretary of Veterans Affairs shall seek to enter into an agreement with a federally funded research and development center to provide to the Secretary an independent cybersecurity assessment of—

(A) five high-impact information systems of the Department of Veterans Affairs; and

(B) the effectiveness of the information security program and information security management system of the Department.

#### (2) Detailed analysis

The independent cybersecurity assessment provided under paragraph (1) shall include a detailed analysis of the ability of the Department—

(A) to ensure the confidentiality, integrity, and availability of the information, information systems, and devices of the Department; and

(B) to protect against—

(i) advanced persistent cybersecurity threats;

(ii) ransomware;

(iii) denial of service attacks;

(iv) insider threats;

(v) threats from foreign actors, including state sponsored criminals and other foreign based criminals;

(vi) phishing;

(vii) credential theft;

(viii) cybersecurity attacks that target the supply chain of the Department;

(ix) threats due to remote access and telework activity; and

(x) other cyber threats.

[136 STAT. 4385]

#### (3) Types of systems

The independent cybersecurity assessment provided under paragraph (1) shall cover on-premises, remote, cloud-based, and mobile information systems and devices used by, or in support of, Department activities.

#### (4) Shadow information technology

[Margin note: Evaluation.]

The independent cybersecurity assessment provided under paragraph (1) shall include an evaluation of the use of information technology systems, devices, and services by employees and contractors of the Department who do so without the heads of the elements of the Department that are responsible for information technology at the Department knowing or approving of such use.

#### (5) Methodology

In conducting the cybersecurity assessment to be provided under paragraph (1), the federally funded research and development center shall take into account industry best practices and the current state-of-the-art in cybersecurity evaluation and review.

### (b) Plan

#### (1) In general

Not later than 120 days after the date on which an independent assessment is provided to the Secretary by a federally funded research and development center pursuant to an agreement entered into under subsection (a), the Secretary shall submit to the Committees on Veterans’ Affairs of the House of Representatives and the Senate a plan to address the findings of the federally funded research and development center set forth in such assessment.

#### (2) Elements

The plan submitted under paragraph (1) shall include the following:

(A) Improvements to the security controls of the information systems of the Department assessed under subsection (a) to—

(i) achieve the goals specified in subparagraph (A) of paragraph (2) of such subsection; and

(ii) protect against the threats specified in subparagraph (B) of such paragraph.

(B) Improvements to the information security program and information security management system of the Department to achieve such goals and protect against such threats.

(C) Cost estimate. A cost estimate for implementing the plan.

(D) Timeline. A timeline for implementing the plan.

(E) Such other elements as the Secretary considers appropriate.

### (c) Comptroller General of the United States Evaluation and Review

Not later than 180 days after the date of the submission of the plan under subsection (b)(1), the Comptroller General of the United States shall—

(1) commence an evaluation and review of—

(A) the independent cybersecurity assessment provided under subsection (a); and

(B) the response of the Department to such assessment; and

[Margin note: Briefing. Recommendations.]

(2) provide to the Committees on Veterans’ Affairs of the House of Representatives and the Senate a briefing on the [136 STAT. 4386] results of the evaluation and review, including any recommendations made to the Secretary regarding the matters covered by the briefing.

Approved December 27, 2022.