Part 804 - Administrative and Information Matters
Office of Acquisition and Logistics (OAL)
Sec. | Title |
---|---|
Subpart 804.1—[Reserved] | |
Subpart 804.13—Personal Identity Verification | |
804.1303 | Contract clause. |
Subpart 804.19—Basic Safeguarding of Covered Contractor Information Systems | |
804.1900-70 | Scope of subpart. |
804.1902 | Applicability. |
804.1903 | Contract Clause. |
804.1970 | Information security policy—contractor general responsibilities. |
AUTHORITY: 38 U.S.C. 5723-5724, 5725(a)–(c); 40 U.S.C. 121(c); 41 U.S.C. 1702; and 48 CFR 1.301 through 1.304.
Subpart 804.1 - [Reserved]
Subpart 804.13 - Personal Identity Verification
804.1303 Contract clause.
The contracting officer shall insert the clause at 852.204-70, Personal Identity Verification of Contractor Personnel, in solicitations and contracts that require contractor employees to have routine access to a VA facility or to VA information systems. This clause is used in conjunction with FAR clause 52.204-9, Personal Identity Verification of Contractor Personnel.
Subpart 804.19 - Basic Safeguarding of Covered Contractor Information Systems
804.1900-70 Scope of subpart.
This subpart prescribes policies and procedures for information security and protection of VA information, information systems, and VA sensitive information, including sensitive personal information.
804.1902 Applicability.
This subpart applies to all VA acquisitions, including acquisitions of commercial products or commercial services other than commercially available off-the-shelf items, when a contractor's information system may contain VA information.
804.1903 Contract Clause.
When the clause at FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems is required to be included in accordance with FAR 4.1903, the contracting officer shall insert the clause at 852.204-71, Information and Information Systems Security.
804.1970 Information security policy—contractor general responsibilities.
Contractors, subcontractors, business associates, and their employees who are users of VA information or information systems, or have access to VA information and VA sensitive information shall—
(a) Comply with all VA information security and privacy program policies, procedures, practices, and related contract requirements, specifications, and clauses, this includes complying with VA privacy and confidentiality laws and implementing VA and Veterans Health Administration (VHA) regulations (see 38 U.S.C. 5701, 5705, 5721-5728, and 7332; 38 CFR 1.460 through 1.496, 1.500 through 1.527, and 17.500 through 17.511), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104-191), and the Privacy Act of 1974 (as amended) (5 U.S.C. 522a);
(b) Complete VA security awareness training on an annual basis;
(c) Complete VHA's Privacy and HIPAA Training on an annual basis when access to protected health information (PHI) is required;
(d) Report all actual or suspected security/privacy incidents and report the information to the contracting officer and contracting officer's representative (COR), as identified in the contract or as directed in the contract, within one hour of discovery or suspicion;
(e) Comply with VA policy as it relates to personnel security and suitability program requirements for background screening of both employees and non-employees who have access to VA information systems and data;
(f) Comply with directions that may be issued by the contracting officer or COR, or from the VA Assistant Secretary for Information and Technology or a designated representative through the contracting officer or COR, directing specific activities when a security/privacy incident occurs;
(g) Sign an acknowledgment that they have read, understand, and agree to abide by the VA Information Security Rules of Behavior (VA National Rules of Behavior) as required by 38 U.S.C. 5723, FAR 39.105, and the clause at 852.204-71, Information and Information Systems Security, on an annual basis. The VA Information Security Rules of Behavior describe the responsibilities and expected behavior of contractors, subcontractors, business associates, and their employees who are users of VA information or information systems, information assets and resources, or have access to VA information;
(h) Maintain records and compliance reports regarding HIPAA Security and Privacy Rules (see 45 CFR part 160) compliance in order to provide such information to VA upon request to ascertain whether the business associate is complying with all applicable provisions under both rules' regulatory requirements; and
(i) Flow down requirements in all subcontracts and Business Associate Agreements (BAAs), at any level, as provided in the clause at 852.204-71, Information and Information Systems Security.