SVAC Act of 2022

Dec 27, 2022

Summary

Orders the Department of Veterans Affairs to have its computer systems checked by an outside expert to find and fix security weaknesses.

What problem does this solve?

Veterans' personal and medical information stored by the government is at risk from many types of cyberattacks. This law requires an independent security review to find weaknesses and create a plan to fix them, making veterans' data safer.

What does this law do?

Mandates independent cybersecurity assessment
Requires the Secretary of Veterans Affairs to hire a federally funded research center to perform a security check on the VA's computer systems.
Focuses on high-impact systems and threats
The assessment must look at five important VA systems and check their ability to defend against threats like ransomware, phishing, and attacks from foreign countries.
Requires a plan to fix problems
After the assessment is done, the VA Secretary must create and send a plan to Congress outlining how the department will fix the security issues found.
Includes review of unapproved technology
The security check must also look for 'shadow IT,' which is when employees use technology or services without official approval, creating potential security risks.
Adds oversight from the Comptroller General
The Comptroller General will review the VA's security assessment and its plan to fix problems, and then report the findings to Congress.

Who does this affect?

  • Department of Veterans Affairs
  • U.S. Veterans
  • Federally funded research and development centers

What is the real world impact?

Protects veteran data
Ensures the sensitive personal and medical information of veterans held by the Department of Veterans Affairs is safe from hackers and other online threats by finding and fixing security holes.
Increases government accountability
Forces the VA to be transparent about its cybersecurity problems and creates a public plan to fix them, holding the agency accountable for protecting veteran information.

When does this start?

This law sets multiple deadlines for the Department of Veterans Affairs and other agencies to complete security reviews and reports.
Deadline for security assessment agreement
Within 60 days of the law passing, the Secretary of Veterans Affairs must try to make a deal with a research center to conduct the security check.
Deadline for VA action plan
Within 120 days after getting the security report, the Secretary must send a plan to Congress explaining how the VA will fix the identified problems.
Deadline for Comptroller General review
Within 180 days after the VA's plan is submitted, the Comptroller General must start a review of the assessment and the VA's response.