President Biden signed into law on Dec. 27 the Strengthening VA Cybersecurity Act of 2022, which requires the Department of Veterans Affairs (VA) to obtain an independent cybersecurity assessment of its most critical information systems, as well as its cyber posture as a whole.
The law also requires the VA to develop a timeline and budget to fix any weaknesses and deficiencies identified by the independent assessment.
Sens. Jacky Rosen, D-Nev., and Marsha Blackburn, R-Tenn., introduced the legislation in the Senate last year, and Reps. Frank Mrvan, D-Ind., Nancy Mace, R-S.C., Susie Lee, D-Nev., and Andrew Garbarino, R-N.Y., introduced the House version.
“According to VA officials, in 2020, regrettably 46,000 veterans had their personal information compromised after hackers breached VA’s computer systems,” Rep. Mrvan said when the bill was introduced.
“This is unacceptable, and action must be taken to improve VA’s cybersecurity,” he said. “This legislation will move us in the right direction to give VA the tools it needs to effectively protect against new and emerging cybersecurity threats and safeguard our veterans’ personal information.”
The VA operates the largest integrated healthcare network in the United States. However, despite the agency’s large IT budget, it has spent less on cybersecurity than other Federal agencies, the bill’s sponsors said.
The legislation is aimed at helping to better protect the agency against advanced cybersecurity threats, ransomware, denial of service attacks, insider threats, foreign actor threats, phishing, and credential theft, among other cyber threats.
The measure also requires the VA secretary to submit a detailed report and plan of implementation to Congress within 120 days of the independent assessment, and the Government Accountability Office (GAO) to review the VA’s plan and evaluate whether the cost estimates and timelines are realistic.
Additionally, the independent assessment will examine the effectiveness of the VA’s information security systems, including the use of “shadow information technology.”
While shadow IT may sound ominous, its origins are innocent, according to James Walkinshaw, the former chief of staff to Rep. Gerald E. Connolly, D-Va., and current advisor to MeriTalk.
Walkinshaw explained that examples of shadow IT could include a VA employee using a non-approved VoIP (Voice over Internet Protocol) tool to meet with a colleague, downloading a non-approved file-sharing service to send a large file, transferring data with a personal flash drive, or running an out-of-compliance hardware-based server.