§5723 — Title 38 Veterans' Benefits | U.S. Code

Summary

Makes the Secretary responsible for making sure the Department has and follows a department-wide information security program under the federal information security law. The Secretary must match security protections to the risk of harm, build security into planning, make sure senior leaders protect the information and systems they control, enforce compliance, train enough staff, and require reports to Congress and other agencies on program effectiveness. The Secretary must send a compliance report not later than March 1 each year that shows overall results and separate results for each administration, office, and facility. The Secretary must make sure the Assistant Secretary for Information and Technology (the Department’s Chief Information Officer) has the authority to set and run policies, manage related systems and people, and notify others about breaches when needed, including telling OMB, the Inspector General, and other agencies if a presumptive breach involves the information of twenty or more individuals. The Secretary must also make sure the annual budget shows separate amounts needed for information security. Makes the Assistant Secretary (Chief Information Officer) responsible for creating, keeping, and checking Department-wide security policies, controls, training, and reporting. The CIO must issue implementation guidance, approve security policies across the Department, enforce them, set minimum technical and management controls consistent with NIST risk guidance, set access rules, require immediate reporting of failures, and require correction and follow-up. The CIO must ensure CIOs and security officers across the Department have the authority to enforce cyber directives, run an incident reporting system, send quarterly reports to the Secretary about compliance problems and tell the Secretary right away about significant deficiencies or any presumptive data breach. The Associate Deputy Assistant Secretary for Cyber and Information Security carries out the CIO’s duties as the Senior Information Security Officer. Department information owners, senior officials, and users must help set controls, decide who gets access, sign and enforce the VA National Rules of Behavior each year, test and fix controls, provide quarterly plans of action and milestones for fixes, follow CIO orders immediately (these orders take priority over other tasks), attend annual security training, and report incidents right away. The Inspector General must audit the program each year, send an independent annual report to OMB, and investigate complaints and referrals as needed.

Title 38, §5723

Veterans' Benefits — Source: USLM XML via OLRC

(a)In accordance with the provisions of subchapter III of chapter 35 of title 44, the Secretary is responsible for the following:

(1)Ensuring that the Department adopts a Department-wide information security program and otherwise complies with the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.

(2)Ensuring that information security protections are commensurate with the risk and magnitude of the potential harm to Department information and information systems resulting from unauthorized access, use, disclosure, disruption, modification, or destruction.

(3)Ensuring that information security management processes are integrated with Department strategic and operational planning processes.

(4)Ensuring that the Under Secretaries, Assistant Secretaries, and other key officials of the Department provide adequate security for the information and information systems under their control.

(5)Ensuring enforcement and compliance with the requirements imposed on the Department under the provisions of subchapter III of chapter 35 of title 44.

(6)Ensuring that the Department has trained program and staff office personnel sufficient to assist in complying with all the provisions of subchapter III of chapter 35 of title 44 and other related information security requirements.

(7)Ensuring that the Assistant Secretary for Information and Technology, in coordination with the Under Secretaries, Assistant Secretaries, and other key officials of the Department report to Congress, the Office of Management and Budget, and other entities as required by law and Executive Branch direction on the effectiveness of the Department information security program, including remedial actions.

(8)Notifying officials other than officials of the Department of data breaches when required under this subchapter.

(9)Ensuring that the Assistant Secretary for Information and Technology has the authority and control necessary to develop, approve, implement, integrate, and oversee the policies, procedures, processes, activities, and systems of the Department relating to subchapter III of chapter 35 of title 44, including the management of all related mission applications, information resources, personnel, and infrastructure.

(10)Submitting to the Committees on Veterans’ Affairs of the Senate and House of Representatives, the Committee on Government Reform of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate, not later than March 1 each year, a report on the compliance of the Department with subchapter III of chapter 35 of title 44, with the information in such report displayed in the aggregate and separately for each Administration, office, and facility of the Department.

(11)Taking appropriate action to ensure that the budget for any fiscal year, as submitted by the President to Congress under section 1105 of title 31, sets forth separately the amounts required in the budget for such fiscal year for compliance by the Department with Federal law and regulations governing information security, including this subchapter and subchapter III of chapter 35 of title 44.

(12)Providing notice to the Director of the Office of Management and Budget, the Inspector General of the Department, and such other Federal agencies as the Secretary considers appropriate of a presumptive data breach of which notice is provided the Secretary under subsection (b)(16) if, in the opinion of the Assistant Secretary for Information and Technology, the breach involves the information of twenty or more individuals.

(b)The Assistant Secretary for Information and Technology, as the Chief Information Officer of the Department, is responsible for the following:

(1)Establishing, maintaining, and monitoring Department-wide information security policies, procedures, control techniques, training, and inspection requirements as elements of the Department information security program.

(2)Issuing policies and handbooks to provide direction for implementing the elements of the information security program to all Department organizations.

(3)Approving all policies and procedures that are related to information security for those areas of responsibility that are currently under the management and the oversight of other Department organizations.

(4)Ordering and enforcing Department-wide compliance with and execution of any information security policy.

(5)Establishing minimum mandatory technical, operational, and management information security control requirements for each Department system, consistent with risk, the processes identified in standards of the National Institute of Standards and Technology, and the responsibilities of the Assistant Secretary to operate and maintain all Department systems currently creating, processing, collecting, or disseminating data on behalf of Department information owners.

(6)Establishing standards for access to Department information systems by organizations and individual employees, and to deny access as appropriate.

(7)Directing that any incidents of failure to comply with established information security policies be immediately reported to the Assistant Secretary.

(8)Reporting any compliance failure or policy violation directly to the appropriate Under Secretary, Assistant Secretary, or other key official of the Department for appropriate administrative or disciplinary action.

(9)Reporting any compliance failure or policy violation directly to the appropriate Under Secretary, Assistant Secretary, or other key official of the Department along with taking action to correct the failure or violation.

(10)Requiring any key official of the Department who is so notified to report to the Assistant Secretary with respect to an action to be taken in response to any compliance failure or policy violation reported by the Assistant Secretary.

(11)Ensuring that the Chief Information Officers and Information Security Officers of the Department comply with all cyber security directives and mandates, and ensuring that these staff members have all necessary authority and means to direct full compliance with such directives and mandates relating to the acquisition, operation, maintenance, or use of information technology resources from all facility staff.

(12)Establishing the VA National Rules of Behavior for appropriate use and protection of the information which is used to support Department missions and functions.

(13)Establishing and providing supervision over an effective incident reporting system.

(14)Submitting to the Secretary, at least once every quarter, a report on any deficiency in the compliance with subchapter III of chapter 35 of title 44 of the Department or any Administration, office, or facility of the Department.

(15)Reporting immediately to the Secretary on any significant deficiency in the compliance described by paragraph (14).

(16)Providing immediate notice to the Secretary of any presumptive data breach.

(c)In accordance with the provisions of subchapter III of chapter 35 of title 44, the Associate Deputy Assistant Secretary for Cyber and Information Security, as the Senior Information Security Officer of the Department, is responsible for carrying out the responsibilities of the Assistant Secretary for Information and Technology under the provisions of subchapter III of chapter 35 of title 44, as set forth in subsection (b).

(d)In accordance with the criteria of the Centralized IT Management System, Department information owners are responsible for the following:

(1)Providing assistance to the Assistant Secretary for Information and Technology regarding the security requirements and appropriate level of security controls for the information system or systems where sensitive personal information is currently created, collected, processed, disseminated, or subject to disposal.

(2)Determining who has access to the system or systems containing sensitive personal information, including types of privileges and access rights.

(3)Ensuring the VA National Rules of Behavior is signed on an annual basis and enforced by all system users to ensure appropriate use and protection of the information which is used to support Department missions and functions.

(4)Assisting the Assistant Secretary for Information and Technology in the identification and assessment of the common security controls for systems where their information resides.

(5)Providing assistance to Administration and staff office personnel involved in the development of new systems regarding the appropriate level of security controls for their information.

(e)In accordance with the provisions of subchapter III of chapter 35 of title 44, the Under Secretaries, Assistant Secretaries, and other key officials of the Department are responsible for the following:

(1)Implementing the policies, procedures, practices, and other countermeasures identified in the Department information security program that comprise activities that are under their day-to-day operational control or supervision.

(2)Periodically testing and evaluating information security controls that comprise activities that are under their day-to-day operational control or supervision to ensure effective implementation.

(3)Providing a plan of action and milestones to the Assistant Secretary for Information and Technology on at least a quarterly basis detailing the status of actions being taken to correct any security compliance failure or policy violation.

(4)Complying with the provisions of subchapter III of chapter 35 of title 44 and other related information security laws and requirements in accordance with orders of the Assistant Secretary for Information and Technology to execute the appropriate security controls commensurate to responding to a security bulletin of the Security Operations Center of the Department, with such orders to supersede and take priority over all operational tasks and assignments and be complied with immediately.

(5)Ensuring that—

(A)all employees within their organizations take immediate action to comply with orders from the Assistant Secretary for Information and Technology to—

(i)mitigate the impact of any potential security vulnerability;

(ii)respond to a security incident; or

(iii)implement the provisions of a bulletin or alert of the Security Operations Center; and

(B)organizational managers have all necessary authority and means to direct full compliance with such orders from the Assistant Secretary.

(6)Ensuring the VA National Rules of Behavior is signed and enforced by all system users to ensure appropriate use and protection of the information which is used to support Department missions and functions on an annual basis.

(f)Users of Department information and information systems are responsible for the following:

(1)Complying with all Department information security program policies, procedures, and practices.

(2)Attending security awareness training on at least an annual basis.

(3)Reporting all security incidents immediately to the Information Security Officer of the system or facility and to their immediate supervisor.

(4)Complying with orders from the Assistant Secretary for Information and Technology directing specific activities when a security incident occurs.

(5)Signing an acknowledgment that they have read, understand, and agree to abide by the VA National Rules of Behavior on an annual basis.

(g)In accordance with the provisions of subchapter III of chapter 35 of title 44, the Inspector General of the Department is responsible for the following:

(1)Conducting an annual audit of the Department information security program.

(2)Submitting an independent annual report to the Office of Management and Budget on the status of the Department information security program, based on the results of the annual audit.

(3)Conducting investigations of complaints and referrals of violations as considered appropriate by the Inspector General.

Notes & Related Subsidiaries

Editorial Notes

Amendments

2010—Subsec. (g)(2). Pub. L. 111–275 inserted “the” before “Department”.

Statutory Notes and Related Subsidiaries

Change of Name

Committee on Government Reform of House of Representatives changed to Committee on Oversight and Government Reform of House of Representatives by House Resolution No. 6, One Hundred Tenth Congress, Jan. 5, 2007. Committee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019. Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.

§5723 Responsibilities