VA Tightens Contractor Rules for Info System Security Breaches
Published Date: 3/19/2026
Notice
Summary
The Department of Veterans Affairs is updating rules for contractors who handle VA information and computer systems to keep everything safe and secure. Contractors must report any security problems or data breaches and tell VA when employees lose access. Comments on these changes are open until April 20, 2026, with no new costs expected.
Analyzed Economic Effects
2 provisions identified: 0 benefits, 2 costs, 0 mixed.
Contractors Must Report Security Incidents
If your company is a VA contractor with access to VA information or VA information systems, you must report any known or suspected security or privacy incident or data breach related to VA information or systems. The information collection (OMB Control No. 2900-0900) covers an estimated 8,223 respondents with an estimated annual burden of 4,069 hours and an average burden of 30 minutes per respondent, frequency less than quarterly.
Notify VA When Staff Lose System Access
VA contractors who have access to VA information systems must notify VA when a contractor employee is reassigned or terminated and no longer needs access to a VA information system. The collection is part of OMB Control No. 2900-0900 and the agency estimates 8,223 respondents, an annual burden of 4,069 hours total, and an average burden of 30 minutes per respondent.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Department and Agencies
Take It Personal
Get Your Personalized Policy View
Start a Free Government Policy Watch to see how policy affects your household, then upgrade to PRIA Full Coverage for year-round monitoring.
Already have an account? Sign in