Department of Veterans Affairs Cyber Security Protection Act

Department of Veterans Affairs Cyber Security Protection Act

Directs the Assistant Secretary of Veterans Affairs for Information and Technology to submit to the congressional veterans committees (under current law only to the Secretary of Veterans Affairs) quarterly reports on Department of Veterans Affairs (VA) compliance with federally-required information security improvements.

Directs the Assistant Secretary to submit to such committees: (1) quarterly, a plan of action to address critical known VA information security vulnerabilities; and (2) annually, a plan for identifying and replacing VA operating systems that are out-of-date or unsupported.

Directs the Assistant Secretary to ensure that any software or Internet applications used on VA operating systems are secure from vulnerabilities that could affect the confidentiality of sensitive personal information on veterans.

Directs the Secretary to:

• report quarterly to such committees on any incidents of failure to comply with established information security policies, any actions taken in response to such incidents, and certain related information;
• submit a strategic plan to such committees for improving VA information security and to update such plan at least every two years; and
• report to such committees within five years on information security protection and accountability of the VA for information security breeches and incidents.

Requires VA contractors with access to sensitive personal information to provide protective measures to safeguard from possible information security threats any information provided by the VA that will be resident on, or transiting through, information systems controlled by that contractor.