By Neena Shukla, CPA, CFE, CGMA, FCPA, CTP
In the ever-changing landscape of cybersecurity regulations, government contractors must be prepared to adapt and comply with the latest requirements to safeguard sensitive information. While the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) framework often steals the spotlight, it’s equally important to acknowledge the recent progress made by the U.S. Department of Veterans Affairs (VA). With a new rule that took effect on February 24, 2023, the VA has introduced a series of cybersecurity procedures and processes designed to protect sensitive VA information. As government contractors, it is not only crucial to comprehend and implement these new measures for compliance, but also to uphold the trust and security of sensitive data, to avoid potential penalties.
The Scope of Change
The VA’s revised Acquisition Regulation (VAAR) introduces an array of changes that impact contractors across all tiers. With an emphasis on protecting VA sensitive information, the revised regulations have broadened the scope of information that requires safeguarding. From proprietary data to records protected by the Privacy Act and HIPAA Privacy Rule, this comprehensive definition encompasses a range of data types that demand heightened security measures. It’s imperative that contractors assess whether they have access to “VA sensitive information” and proceed with the appropriate measures accordingly. This is defined as all VA data “which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information…”
Key Contractor Obligations
Contractors that handle VA-sensitive information must adhere to a set of new obligations to ensure compliance and avoid penalties. These obligations include:
A notable feature of the updated VAAR is the introduction of liquidated damages. In case of non-compliance with security and privacy requirements, contractors may be subjected to paying liquidated damages. This financial penalty underscores the seriousness of maintaining data security and can have a substantial impact on contractors’ bottom lines. The funds collected through liquidated damages will be utilized to provide credit protection services to individuals affected by breaches.
Nuanced Rules for Different Contracts
The new VA rules recognize that not all contracts are the same. Additional obligations are imposed on contractors with access to PHI or those performing IT contracts. These obligations include entering into Business Associate Agreements (BAAs) for PHI contracts and employing adequate security controls as guided by the National Institute of Standards and Technology (NIST). The complexity of these obligations reinforces the need for a tailored approach to compliance.
Reporting Obligations Enhanced
Perhaps the most challenging aspect of the new rule is the enhanced reporting obligations. Contractors are now required to report various incidents within remarkably short timeframes. This includes:
- Immediate reporting (no later than four hours) when employees working on VA information systems are reassigned or leave their roles,
- Within an hour, reporting of security incidents, and even theft or criminal activity.
- Within an hour reporting of business associates experiencing security or privacy incidents involving unsecured PHI.
Meeting these reporting deadlines demands efficient processes and robust incident response plans.
As government contractors navigate the seas of evolving cybersecurity regulations, the VA’s latest rules add a new layer of complexity and responsibility. While compliance might seem daunting, embracing these changes is essential not only to avoid penalties but also to uphold the integrity and security of sensitive VA data. Contractors must invest in comprehensive training, incident response planning, and effective communication throughout their supply chains. By doing so, they will not only meet the VA’s expectations but also establish themselves as partners committed to safeguarding sensitive information in an ever-connected world.