United States Department of Veterans Affairs

Information Protection and Risk Management Home

Security and Privacy Requirements for Contractors

VA’s CIO has recently released a document that outlines the security/privacy requirements for IT contracts and contractors.
To obtain a copy of the requirements document, click on the following hyperlink:

Security and Privacy Requirements for IT Contracts

In accordance with the Federal Information Security Management Act (FISMA), the Privacy Act of 1974, as amended, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as applicable, and Public Law 109-461, §5725, contractor access to VA information and information systems must be maintained at the highest level of protection in order to thwart unauthorized disclosure of sensitive information (as defined in VA Handbook 6500, Information Security Program).

Federal Acquisition Regulation part 2.101 provides the following definition of contract. "Contract means a mutually binding legal relationship obligating the seller to furnish the supplies or services (including construction) and the buyer to pay for them. It includes all types of commitments that obligate the Government to an expenditure of appropriated funds and that, except as otherwise authorized, are in writing. In addition to bilateral instruments, contracts include (but are not limited to) awards and notices of awards; job orders or task letters issued under basic ordering agreements; letter contracts; orders, such as purchase orders, under which the contract becomes effective by written acceptance or performance; and bilateral contract modifications. Contracts do not include grants and cooperative agreements covered by 31 U.S.C. 8301, et seq."

Per OMB M-07-19, FY 2007 Reporting Instructions for FISMA and Agency Privacy Management, there are five primary categories of contractors as they relate to securing systems and information: 1) service providers, 2) contractor support, 3) Government owned, contractor operated facilities, 4) laboratories and research centers, and 5) management and operating contracts.

The requirements document provides standardized security/privacy requirements for VA contractors that support activity involving access to, and use of, sensitive information across the Department. The requirements apply to:

(1) All VA or contracted services and information resources located and operated at contract facilities, at other government agencies that support VA mission requirements, or any other third party using VA sensitive information in order to perform a VA authorized activity.

(2) All contracts in which VA sensitive information is used, stored, generated, transmitted, or exchanged by VA, a contractor, subcontractor or a third party, or on behalf of any of these entities, regardless of format (e.g., paper, microfiche, electronic or magnetic portable media) or whether it resides on a VA owned system or contractor/subcontractor's system operating for or on behalf of VA.

The requirements document will be incorporated into an Office of Information and Technology handbook that will be issued at a later date.
