Friday, May 17, 2024
Piliero Mazza: Veterans Affairs Imposes Increased Cybersecurity Rules on Government Contractors


The U.S. Department of Veterans Affairs (VA) released a final rule, effective February 24, 2023, amending the VA’s Acquisition Regulation (VAAR) to impose new cybersecurity procedures and processes to protect sensitive VA data and health information. Although much of the recent cybersecurity buzz has centered around the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) framework, the VA did not want to be left out. These VAAR additions will force affected contractors at all tiers to implement internal controls to properly handle sensitive information for VA systems and impose unreasonably short reporting requirements for breaches. Both prime contractors and subcontractors handling sensitive information on VA contracts need to observe the following new duties and obligations to avoid costly penalties…

Key Takeaways

The new VA cybersecurity rule should be familiar to contractors in many ways, as it dovetails with obligations imposed on DOD contractors and mirrors the proposed rule released in November 2021. Nonetheless, VA contractors should pay close attention to the details of the rules to avoid unnecessary penalties through liquidated damages, contract termination, or withheld payments. In particular, we recommend that VA contractors:

  • audit cybersecurity controls under NIST 800-171 (and the soon-to-be-released update) to ensure compliance;
  • review agreements with any subcontractors on VA projects to ensure that necessary flowdown clauses are added to the subcontracts and update any templates to ensure these flowdowns are captured on future subcontracts;
  • update (or develop) breach response plans, which include the very short reporting windows required under the new VA rule; and
  • revise other protocols as needed to ensure that systems are in place to obtain the necessary information and make the required reports within the short timeframes… Read the full article here.
