By Neena Shukla, CPA, CFE, CGMA, FCPA, CTP

In the ever-changing landscape of cybersecurity regulations, government contractors must be prepared to adapt and comply with the latest requirements to safeguard sensitive information. While the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) framework often steals the spotlight, it’s equally important to acknowledge the recent progress made by the U.S. Department of Veterans Affairs (VA). With a new rule that took effect on February 24, 2023, the VA has introduced a series of cybersecurity procedures and processes designed to protect sensitive VA information. As government contractors, it is not only crucial to comprehend and implement these new measures for compliance, but also to uphold the trust and security of sensitive data, to avoid potential penalties.

The Scope of Change

The VA’s revised Acquisition Regulation (VAAR) introduces an array of changes that impact contractors across all tiers. With an emphasis on protecting VA sensitive information, the revised regulations have broadened the scope of information that requires safeguarding. From proprietary data to records protected by the Privacy Act and HIPAA Privacy Rule, this comprehensive definition encompasses a range of data types that demand heightened security measures. It’s imperative that contractors assess whether they have access to “VA sensitive information” and proceed with the appropriate measures accordingly. This is defined as all VA data “which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information…”

Key Contractor Obligations

Contractors that handle VA-sensitive information must adhere to a set of new obligations to ensure compliance and avoid penalties. These obligations include:

Contractors must comply with VA information security and privacy program policies, as well as regulations such as HIPAA and the Privacy Act. This involves understanding and adhering to complex frameworks to maintain the security of sensitive information.

Annual VA security awareness training and VHA Privacy and HIPAA Training are mandatory for contractors dealing with Protected Health Information (PHI). This continuous training ensures that personnel are well-equipped to handle sensitive data effectively.

The revised regulations set tight timelines for reporting security and privacy incidents. Contractors must report any suspected incidents within one hour of discovery or suspicion. This real-time requirement demands a heightened level of vigilance and readiness.

VA contractors are required to comply with VA background investigation and screening requirements to ensure the integrity of personnel involved. This adds an additional layer of security to prevent unauthorized access.

Contractors must maintain records and compliance reports regarding HIPAA Security and Privacy Rules, showcasing their commitment to regulatory compliance.

Contractors must flow down these requirements to all subcontracts and Business Associate Agreements (BAAs) at any level, extending the commitment to data security throughout the supply chain.

Liquidated Damages

A notable feature of the updated VAAR is the introduction of liquidated damages. In case of non-compliance with security and privacy requirements, contractors may be subjected to paying liquidated damages. This financial penalty underscores the seriousness of maintaining data security and can have a substantial impact on contractors’ bottom lines. The funds collected through liquidated damages will be utilized to provide credit protection services to individuals affected by breaches.

Nuanced Rules for Different Contracts

The new VA rules recognize that not all contracts are the same. Additional obligations are imposed on contractors with access to PHI or those performing IT contracts. These obligations include entering into Business Associate Agreements (BAAs) for PHI contracts and employing adequate security controls as guided by the National Institute of Standards and Technology (NIST). The complexity of these obligations reinforces the need for a tailored approach to compliance.

Reporting Obligations Enhanced

Perhaps the most challenging aspect of the new rule is the enhanced reporting obligations. Contractors are now required to report various incidents within remarkably short timeframes. This includes:

  • Immediate reporting (no later than four hours) when employees working on VA information systems are reassigned or leave their roles,
  • Within an hour, reporting of security incidents, and even theft or criminal activity.
  • Within an hour reporting of business associates experiencing security or privacy incidents involving unsecured PHI.

Meeting these reporting deadlines demands efficient processes and robust incident response plans.

As government contractors navigate the seas of evolving cybersecurity regulations, the VA’s latest rules add a new layer of complexity and responsibility. While compliance might seem daunting, embracing these changes is essential not only to avoid penalties but also to uphold the integrity and security of sensitive VA data. Contractors must invest in comprehensive training, incident response planning, and effective communication throughout their supply chains. By doing so, they will not only meet the VA’s expectations but also establish themselves as partners committed to safeguarding sensitive information in an ever-connected world.