Department of Veterans Affairs Acquisition Regulation (VAAR) Contract Clause—Information and Information Systems Security

Under Public Law 113-283, Federal Information Security Modernization Act of 2014, each agency of the Federal Government must provide security for the information and information systems that support the operations and assets of the agency. To comply with Public Law 113-283, VA developed VAAR clause, 852.204-71, Information and Information System Security, and section 804.1970, Information security policy—contractor general responsibilities. The clause and the section apply to contractors with access to VA information or information systems. Among other things, the clause and section require a contractor to report a known or suspected security/privacy incident or data breach related to VA information or information systems. The clause also requires a contractor to notify VA when a contractor employee has been reassigned or terminated and no longer needs access to a VA information system.

The latest form for Department of Veterans Affairs Acquisition Regulation (VAAR) Contract Clause—Information and Information Systems Security expires 2029-05-31 and can be found here.