Changeflow GovPing Government & Legislation VA Acquisition Regulation Contract Clause - Inf...
Priority review Notice Amended Consultation

VA Acquisition Regulation Contract Clause - Information Security

Favicon for www.regulations.gov Regs.gov: Department of Veterans Affairs
Published January 5th, 2026
Detected March 21st, 2026
Email

Summary

The Department of Veterans Affairs (VA) is seeking public comment on a revision to its information collection regarding the VA Acquisition Regulation (VAAR) contract clause for Information and Information Systems Security. This revision, driven by the Federal Information Security Modernization Act of 2014, requires contractors with access to VA data to report security incidents and manage system access.

View original document View source feed page

What changed

The Department of Veterans Affairs (VA) has issued a notice announcing its submission to the Office of Management and Budget (OMB) for review of a revised information collection concerning the VA Acquisition Regulation (VAAR) contract clause 852.204-71, "Information and Information System Security." This revision is in response to the Federal Information Security Modernization Act of 2014 and mandates that contractors with access to VA information or systems report security or privacy incidents and data breaches. It also requires notification to the VA upon termination or reassignment of contractor employees who no longer require system access.

This notice is part of a public comment period, with comments due by April 20, 2026. Contractors and other interested parties should review the proposed collection, which details the estimated annual burden of 4,069 hours for approximately 8,223 respondents, with an average burden of 30 minutes per respondent. Failure to comply with the reporting requirements outlined in the VAAR clause could lead to contractual penalties or other enforcement actions by the VA.

What to do next

  1. Submit comments and recommendations on the proposed information collection by April 20, 2026.
  2. Review the VAAR clause 852.204-71 and section 804.1970 for compliance requirements related to information security and data breach reporting.

Source document (simplified)

Content

ACTION:

Notice.

SUMMARY:

In compliance with the Paperwork Reduction Act (PRA) of 1995, this notice announces that the Office of Acquisition and Logistics
(OAL), Department of Veterans Affairs (VA), will submit the collection of information abstracted below to the Office of Management
and Budget (OMB) for review and comment. The PRA submission describes the nature of the information and its expected cost
and burden, and it includes the actual data collection instrument.

DATES:

Comments and recommendations on the proposed information collection should be sent by April 20, 2026.

ADDRESSES:

To submit comments and recommendations for the proposed information collection, please type the following link into your browser: www.reginfo.gov/public/do/PRAMain, select “Currently under Review—Open 

     for Public Comments”, then search the list for the information collection by Title or “OMB Control No. 2900-0900.”

FOR FURTHER INFORMATION CONTACT:

VA PRA information: Dorothy Glasgow, 202-461-1084, VAPRA@va.gov.

SUPPLEMENTARY INFORMATION:

Title: Department of Veterans Affairs Acquisition Regulation (VAAR) Contract Clause—Information and Information Systems Security.

OMB Control Number: 2900-0900 https://www.reginfo.gov/public/do/PRASearch.

Type of Review: Revision of a currently approved collection.

Abstract: Under Public Law 113-283, Federal Information Security Modernization Act of 2014, each agency of the Federal Government must
provide security for the information and information systems that support the operations and assets of the agency. To comply
with Public Law 113-283, VA developed VAAR clause, 852.204-71, Information and Information System Security, and section 804.1970,
Information security policy—contractor general responsibilities. The clause and the section apply to contractors with access
to VA information or information systems. Among other things, the clause and section require a contractor to report a known
or suspected security/privacy incident or data breach related to VA information or information systems. The clause also requires
a contractor to notify VA when a contractor employee has been reassigned or terminated and no longer needs access to a VA
information system.

An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays
a currently valid OMB control number. The
Federal Register
Notice with a 60-day comment period soliciting comments on this collection of information was published at 91 FR 330, January
5, 2026.

Affected Public: Business or other for-profit.

Estimated Annual Burden: 4,069 hours.

Estimated Average Burden per Respondent: 30 minutes.

Frequency of Response: Less than quarterly.

Estimated Number of Respondents: 8,223.

Authority: 44 U.S.C. 3501 et seq.

Lanea Haynes, Alternate, VA PRA Clearance Officer, Office of Information Technology, Data Governance Analytics, Department of Veterans Affairs. [FR Doc. 2026-05400 Filed 3-18-26; 8:45 am] BILLING CODE 8320-01-P

Download File

Download

Named provisions

Information and Information Systems Security Information security policy—contractor general responsibilities

Related changes

Favicon for www.regulations.gov VA Notice to Renew Joint Brain, Mental Health Board
Routine Mar 21, 2026 Regs.gov: Department of Veterans Affairs Government & Legislation
Favicon for www.regulations.gov VA Health Systems Research Scientific Merit Review Board Renewal Notice
Routine Mar 21, 2026 Regs.gov: Department of Veterans Affairs Government & Legislation
Favicon for www.regulations.gov VA Notice: Renewal of Scientific Merit Review Board Charter
Routine Mar 21, 2026 Regs.gov: Department of Veterans Affairs Government & Legislation
Favicon for www.nist.gov NIST 5G Cybersecurity and Privacy Capabilities White Paper Series Introduction
Routine Mar 21, 2026 NIST Publications Data Privacy & Cybersecurity
Favicon for www.nist.gov NIST White Paper on 5G SUCI Encryption for Subscriber Identifier Protection
Routine Mar 21, 2026 NIST Publications Data Privacy & Cybersecurity
Favicon for www.nist.gov NIST SP 800-81r3 Secure DNS Deployment Guide
Routine Mar 21, 2026 NIST Publications Data Privacy & Cybersecurity

Source

Favicon for www.regulations.gov
Regs.gov: Department of Veterans Affairs regulations.gov/search?agencyIds=VA&sortBy=postedDate&sortDirection=desc
Government & Legislation
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
VA
Published
January 5th, 2026
Comment period closes
April 20th, 2026 (30 days)
Instrument
Notice
Legal weight
Non-binding
Stage
Consultation
Change scope
Substantive
Document ID
91 FR 330
Docket
VA-2026-VACO-0001-0093

Who this affects

Applies to
Employers
Industry sector
9211 Government & Public Administration 9261 Government Contracting
Activity scope
Information Security Data Breach Reporting
Geographic scope
United States US

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Topics
Contracting Data Privacy

Browse Categories

Agriculture & Food Safety 61 Banking & Finance 221 Consumer Protection 39 Courts & Legal 285 Data Privacy & Cybersecurity 61 Defense & National Security 48 Education 20 Energy 102 Environment 85 Government & Legislation 257 Healthcare 116 Housing 15 Immigration 9 Insurance 58 Labor & Employment 111 Pharma & Drug Safety 78 Securities & Markets 75 Tax 62 Telecom & Technology 34 Trade & Sanctions 124 Transportation 56

Get Government & Legislation alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when Regs.gov: Department of Veterans Affairs publishes new changes.

Free. Unsubscribe anytime.