Title 38 Veterans' Benefits, Release 119-73

§5727 Definitions

Title 38 › Part IV - GENERAL ADMINISTRATIVE PROVISIONS › Chapter 57 - RECORDS AND INVESTIGATIONS › Subchapter III - INFORMATION SECURITY › § 5727

Last updated Apr 6, 2026

Summary

Defines key information-security words used in the subchapter so everyone knows what they mean for VA rules.
Availability means making sure people can get and use information when they need it.
Confidentiality means keeping access and sharing of information limited to authorized people, protecting privacy and business secrets.
Control techniques are methods to guide how information systems run to meet security rules.
Data breach means losing, having stolen, or otherwise having unauthorized access to sensitive personal information, not including access that is part of someone’s job.
Data breach analysis is the process to see if a breach led to misuse of that sensitive information.
Fraud resolution services help a person recover and fix their credit after identity theft.
Identity theft has the meaning given in section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).
Identity theft insurance pays costs tied to fixing identity theft, such as travel, notary and postage fees, lost wages, and legal costs.
Information owner is the agency official who controls specific information and sets rules for its handling.
Information resources are information in any form plus related people, equipment, money, and technology.
Information security means protecting information and systems from unauthorized actions so they stay accurate, private, and available.
Information security requirements are rules made under law or set by the Secretary of Commerce, NIST, OMB, and, for national security systems, the President.
Information system is a set of resources organized to collect, process, store, use, share, or dispose of information.
Integrity means guarding against improper changes or destruction and ensuring information is authentic.
National security system is an information system protected by special policies because it handles classified defense or foreign policy information.
Plan of action and milestones is the OMB quarterly reporting plan that lists a security weakness, who will fix it, needed resources, dates, milestones, source, and status.
Principal credit reporting agency has the meaning in FCRA section 603(p) (15 U.S.C. 1681a(p)).
Security incident is an event that did or could harm VA assets or sensitive information or that breaks VA security rules.
Sensitive personal information is any agency-held information about a person, including education, financial, medical, criminal or employment history, and identifiers like name, Social Security number, birth data, mother’s maiden name, or biometrics.
Subordinate plan or system security plan is a plan that describes the security controls for a network, facility, system, or group of systems within its accreditation boundary.
Training is teaching someone how to perform a security task or learn the common body of information-security knowledge.
VA National Rules of Behavior are the Department’s rules describing employees’ responsibilities and expected behavior for using information systems.
VA sensitive data is any Department data that needs protection because its disclosure, change, or destruction could cause harm, including data whose improper use could hurt an agency’s ability to accomplish its mission, proprietary data, and records about people that must stay confidential.

Full Legal Text

Title 38, §5727

Veterans' Benefits — Source: USLM XML via OLRC

In this subchapter:
(1) The term “availability” means ensuring timely and reliable access to and use of information.
(2) The term “confidentiality” means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
(3) The term “control techniques” means methods for guiding and controlling the operations of information systems to ensure adherence to the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.
(4) The term “data breach” means the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.
(5) The term “data breach analysis” means the process used to determine if a data breach has resulted in the misuse of sensitive personal information.
(6) The term “fraud resolution services” means services to assist an individual in the process of recovering and rehabilitating the credit of the individual after the individual experiences identity theft.
(7) The term “identity theft” has the meaning given such term under section 603 of the Fair Credit Reporting Act (15 U.S.C. 1681a).
(8) The term “identity theft insurance” means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with efforts to correct and ameliorate the effects and results of identity theft of the insured individual.
(9) The term “information owner” means an agency official with statutory or operational authority for specified information and responsibility for establishing the criteria for its creation, collection, processing, dissemination, or disposal, which responsibilities may extend to interconnected systems or groups of interconnected systems.
(10) The term “information resources” means information in any medium or form and its related resources, such as personnel, equipment, funds, and information technology.
(11) The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.
(12) The term “information security requirements” means information security requirements promulgated in accordance with law, or directed by the Secretary of Commerce, the National Institute of Standards and Technology, and the Office of Management and Budget, and, as to national security systems, the President.
(13) The term “information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, whether automated or manual.
(14) The term “integrity” means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
(15) The term “national security system” means an information system that is protected at all times by policies and procedures established for the processing, maintenance, use, sharing, dissemination or disposition of information that has been specifically authorized under criteria established by statute or Executive Order to be kept classified in the interest of national defense or foreign policy.
(16) The term “plan of action and milestones”, means a plan used as a basis for the quarterly reporting requirements of the Office of Management and Budget that includes the following information:
(A) A description of the security weakness.
(B) The identity of the office or organization responsible for resolving the weakness.
(C) An estimate of resources required to resolve the weakness by fiscal year.
(D) The scheduled completion date.
(E) Key milestones with estimated completion dates.
(F) Any changes to the original key milestone date.
(G) The source that identified the weakness.
(H) The status of efforts to correct the weakness.
(17) The term “principal credit reporting agency” means a consumer reporting agency as described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)).
(18) The term “security incident” means an event that has, or could have, resulted in loss or damage to Department assets, or sensitive information, or an action that breaches Department security procedures.
(19) The term “sensitive personal information”, with respect to an individual, means any information about the individual maintained by an agency, including the following:
(A) Education, financial transactions, medical history, and criminal or employment history.
(B) Information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records.
(20) The term “subordinate plan”, also referred to as a “system security plan”, means a plan that defines the security controls that are either planned or implemented for networks, facilities, systems, or groups of systems, as appropriate, within a specific accreditation boundary.
(21) The term “training” means a learning experience in which an individual is taught to execute a specific information security procedure or understand the information security common body of knowledge.
(22) The term “VA National Rules of Behavior” means a set of Department rules that describes the responsibilities and expected behavior of personnel with regard to information system usage.
(23) The term “VA sensitive data” means all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information and includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions.

Legislative History

Notes & Related Subsidiaries

Editorial Notes

Amendments

2010—Par. (20). Pub. L. 111–275 substituted “plan that defines” for “subordinate plan defines”.

Reference

Citations & Metadata

Citation

38 U.S.C. § 5727
