New Department of Veteran Affairs contractor cybersecurity obligations

Blog Post

The Department of Veterans Affairs (VA) has reconstructed and published their final rule concerning small and large contractors and all sub-contractors requiring new cybersecurity obligations. These new requirements and obligations significantly increase the measures and safeguards contractors need to apply to their internal and external electronic storage and communication systems to ensure all sensitive data is protected. Adherence to this new rule is mandatory and essential in protecting both your own business and the federal government. In some cases, the VA may be entitled to conduct unscheduled on-site inspections of all technical systems and storage of government data.

Term definition of “VA Sensitive Information

While government contractors have a general obligation to protect all Controlled Unclassified Information (CUI), Covered Defense Information (CDI), Controlled Technical Information (CTI), and Federal Contract Information (FCI), this new rule creates the term “VA Sensitive Information.” The new rule defines VA Sensitive Information as:

All VA data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information and includes sensitive personal information. The term includes information where improper use or disclosure could adversely affect the ability of VA to accomplish its mission, proprietary information, records about individuals requiring protection under various confidentiality provisions such as the Privacy Act and the HIPAA Privacy Rule, and information that can be withheld under the Freedom of Information Act. Examples of VA sensitive information include the following: individually-identifiable medical, benefits, and personnel information; financial, budgetary, research, quality assurance, confidential commercial, critical infrastructure, investigatory, and law enforcement information; information that is confidential and privileged in litigation such as information protected by the deliberative process privilege, attorney work-product privilege, and the attorney-client privilege; and other information which, if released, could result in violation of law or harm or unfairness to any individual or group, or could adversely affect the national interest or the conduct of Federal programs.

This new rule broadens the requirements contractors must follow because it can create an obligation for just about any data a contractor develops, stores, or transfers on behalf of the VA or prime contractor. Accordingly, it is crucial for contractors to understand where and how this data is stored within their environment.

New one-hour notification window for VA contractor data breaches

Although the general rule for government contractors is that they have 72-hours to notify concerning a suspected privacy and cybersecurity incident, this new rule requires a one-hour notification obligation. Applying to all contractors, this new standard requires them to:

Report all actual or suspected security/privacy incidents and report the information to the contracting officer and contracting officer’s representative (COR), as identified in the contract or as directed in the contract, within one hour of discovery.

It is therefore imperative that any VA or government contractor has an appropriate incident response plan concerning their cybersecurity obligations.

3 key takeaways for VA contractors

Overall, VA contractors should:

  1. Understand the definition of VA sensitive information.
  2. Develop process and procedure for one-hour notification
  3. Conduct a system audit of all internal and external electronic storage and communication systems.

With the new responsibilities and reporting requirements, the McDonald Hopkins’ national Data Privacy and Cybersecurity Practice Group can help you develop the appropriate policies, procedures, and best practices. If you are interested in more information concerning the bidding process, our attorneys in the Government Contracting and Procurement Practice Group are available to help or contact Michelle Kantor ( or 216.642.6482). If you have any questions or would like to discuss these obligations please reach out to our team or contact Stephen Robison ( or 216.348.5707).

Jump to Page

McDonald Hopkins uses cookies on our website to enhance user experience and analyze website traffic. Third parties may also use cookies in connection with our website for social media, advertising and analytics and other purposes. By continuing to browse our website, you agree to our use of cookies as detailed in our updated Privacy Policy and our Terms of Use.