VAAR – VA Acquisition Regulation Finalizes Cybersecurity Ruling

As of February 17, 2023, the Department of Veterans Affairs has finalized a ruling to revise, interpret definitions and clarify requirements for Cybersecurity Restrictions for VA Acquisition Regulation (VAAR). Officially issued under the Office of Federal Procurement Policy (OFPP) revisions to the VAAR will now include a portion covering Acquisition of Information Technology and revising coverage concerning Other Contracts for Goods and Services involving mandatory information, privacy, and security requirements. Coverage will include policy concerning VA sensitive personal information, information security, and liquidated damages requirements for data breach (86 FR 64132) within the following sections: Administrative and Information Matters; Describing Agency Needs; Protection of Privacy and Freedom of Information; as well as Acquisition of Commercial Products and Commercial Services.

The ruling adopts as final rule revision of a proposed published on November 17, 2021. The VA provided a 60-day comment period for the public to respond to the proposed rule for any comments and suggestions to improve this rule. Much of the feedback included clarifications over clauses and definitions of requirements. From these analysis, revisions and edits were made to clauses related to Information System Security, Design and Hosting.

Requirements for the Final Ruling

The clauses have been revised to provide clarity as a result of the analysis of the public comments. This includes revisions to heading, clarifying definitions and requirements to help a better understanding. Clauses that detail requirements include:

• Information Technology Resources, include Information System Security Plan and Accreditation (852.239-70);
  • This update is directed towards contactors is withing paragraph (d) of, clause 852.239-70. The required number of calendar days for submittal of an Information System Security Plan is increased from “30 days after contract award” to read “90 days after contract award.” This provides more time for contractors to accomplish the required submittal.
• Information System Security Plan and Accreditation (852.239-71);
• Information System Design and Development (852.239-72);
• Information System Hosting, Operation, Maintenance, or Use (852.239-73)
  • In this clause, editorial revisions were made for clarity and to incorporate the appropriate use of the term “information system security plan” in lieu of “security plan.”

Other notable updates include:

• At section 839.106-70, the heading of the section is changed to “Information system security and privacy contract clauses,” in lieu of “Information technology security and privacy clauses.” And in paragraph (a), the heading for the clause at 852.239-71 is revised from “Information Technology Security Plan and Accreditation” to “Information System Security Plan and Accreditation.”
• In the clause at 852.239-74, Security Controls Compliance Testing, VA is making a minor edit to revise the phrase “all of the security controls and privacy practices” to “all of the security and privacy controls” in the first sentence.

Within this revised security plan details, all guidelines will be continued to be followed, including Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource; and National Institute of Standards and Technology (NIST) Guidelines.

How does the ruling effect VA Contractors?

The VA is merely revising the VAAR by adding existing and current regulatory requirements and removes any redundant guidance where it may affect certain areas, and places guidance   applicable only to VA’s internal operating processes or procedures in the VA Acquisition Manual.

While this rulemaking does not change VA’s policy regarding small businesses and does not have a significant economic impact to individual businesses, it’s beneficial to Veteran- or service-disabled owned small businesses, as the VAAR updates provide needed guidance to ensure the contractors sufficiently protect and safeguard VA sensitive information, which includes an individual veteran’s sensitive personal information.

The rulemaking will also add a new VAAR part concerning Acquisition of Information Technology that codifies information collection burdens. This is a result of existing information collection requirements to ensure compliance across the Federal government and specifically when VA contractors, subcontractors, business associates and their employees require access to VA information (including VA sensitive information) or information systems. to the VAAR and placing guidance that is applicable only to VA’s internal operation processes or procedures into a VA Acquisition Manual.

More information regarding the rulemaking can be found here VA Acquisition Regulation. Our contract experts have helped many successful VA Schedule contract holders stay compliant with ongoing and up to date regulation updates. If you have any questions about your VA contract or are interested in obtaining a VA or GSA schedule, contact us today at hello@coleygsa.com, by phone at 210-402-6766 or schedule a call to get started on obtaining your VA Schedule—a critical step on your road to success in the government market.