Report text available as:

(PDF provides a complete and accurate display of this text.) Tip?


                                                                       
109th Congress                                            Rept. 109-651
                        HOUSE OF REPRESENTATIVES
 2d Session                                                      Part 1

======================================================================



 
           VETERANS IDENTITY AND CREDIT SECURITY ACT OF 2006

                                _______
                                

               September 13, 2006.--Ordered to be printed

                                _______
                                

   Mr. Buyer, from the Committee on Veterans' Affairs, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 5835]

      [Including cost estimate of the Congressional Budget Office]

  The Committee on Veterans' Affairs, to whom was referred the 
bill (H.R. 5835) to amend title 38, United States Code, to 
improve information management within the Department of 
Veterans Affairs, and for other purposes, having considered the 
same, report favorably thereon with an amendment and recommend 
that the bill as amended do pass.

  The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Veterans Identity and Credit Security 
Act of 2006''.

SEC. 2. FEDERAL AGENCY DATA BREACH NOTIFICATION REQUIREMENTS.

   (a) Authority of Director of Office of Management and Budget to 
Establish Data Breach Policies.--Section 3543(a) of title 44, United 
States Code, is amended--
          (1) by striking ``and'' at the end of paragraph (7);
          (2) by striking the period and inserting ``; and'' at the end 
        of paragraph (8); and
          (3) by adding at the end the following new paragraph:
          ``(9) establishing policies, procedures, and standards for 
        agencies to follow in the event of a breach of data security 
        involving the disclosure of sensitive personal information in 
        violation of section 552a of title 5, including a requirement 
        for timely notice to be given to those individuals whose 
        sensitive personal information could be compromised as a result 
        of such breach, except no notice shall be required if the 
        breach does not create a reasonable risk of identity theft, 
        fraud, or other unlawful conduct regarding such individual.''.
  (b) Authority of Chief Information Officer to Enforce Data Breach 
Policies.--Section 3544(a)(3) of title 44, United States Code, is 
amended by inserting after ``authority to ensure compliance with'' the 
following: ``and, to the extent determined necessary and explicitly 
authorized by the head of the agency, to enforce''.
  (c) Inclusion of Data Breach Notification in Agency Information 
Security Programs.--Section 3544(b) of title 44, United States Code, is 
amended--
          (1) by striking ``and'' at the end of paragraph (7);
          (2) by striking the period and inserting ``; and'' at the end 
        of paragraph (8); and
          (3) by adding at the end the following new paragraph:
          ``(9) procedures for notifying individuals whose sensitive 
        personal information is compromised consistent with policies, 
        procedures, and standards established under section 3543(a)(9) 
        of this title.''.
  (d) Sensitive Personal Information Definition.--Section 3542(b) of 
title 44, United States Code, is amended by adding at the end the 
following new paragraph:
          ``(4) The term `sensitive personal information' means any 
        information contained in a record, as defined in section 
        552a(4) of title 5.''.

SEC. 3. UNDER SECRETARY FOR INFORMATION SERVICES.

  (a) Under Secretary.--Chapter 3 of title 38, United States Code, is 
amended by inserting after section 307 the following new section:

``Sec. 307A. Under Secretary for Information Services

  ``(a) Under Secretary.--There is in the Department an Under Secretary 
for Information Services, who is appointed by the President, by and 
with the advice and consent of the Senate. The Under Secretary shall be 
the head of the Office of Information Services and shall perform such 
functions as the Secretary shall prescribe.
  ``(b) Service as Chief Information Officer.--Notwithstanding any 
other provision of law, the Under Secretary for Information Services 
shall serve as the Chief Information Officer of the Department under 
section 310 of this title.''.
  (b) Clerical Amendment.--The table of sections at the beginning of 
such chapter is amended by inserting after the item relating to section 
307 the following new item:

``307A. Under Secretary for Information Services.''.
  (c) Conforming Amendment.--Section 308(b) of such title is amended by 
striking paragraph (5) and redesignating paragraphs (6) through (11) as 
paragraphs (5) through (10), respectively.

SEC. 4. DEPARTMENT OF VETERANS AFFAIRS INFORMATION SECURITY.

  (a) Information Security.--Chapter 57 of title 38, United States 
Code, is amended by adding at the end the following new subchapter:

                 ``SUBCHAPTER III--INFORMATION SECURITY

``Sec. 5721. Definitions

  ``For the purposes of this subchapter:
          ``(1) The term `sensitive personal information' means the 
        name, address, or telephone number of an individual, in 
        combination with any of the following:
                  ``(A) The Social Security number of the individual.
                  ``(B) The date of birth of the individual.
                  ``(C) Any information not available as part of the 
                public record regarding the individual's military 
                service or health.
                  ``(D) Any financial account or other financial 
                information relating to the individual.
                  ``(E) The driver's license number or equivalent State 
                identification number of the individual.
                  ``(F) The deoxyribonucleic acid profile or other 
                unique biometric data of the individual, including the 
                fingerprint, voice print, retina or iris image, or 
                other unique physical representation of the individual.
          ``(2) The term `data breach' means the loss, theft, or other 
        unauthorized access to data containing sensitive personal 
        information, in electronic or printed form, that results in the 
        potential compromise of the confidentiality or integrity of the 
        data.
          ``(3) The term `data breach analysis' means the 
        identification of any misuse of sensitive personal information 
        involved in a data breach.
          ``(4) The term `fraud resolution services' means services to 
        assist an individual in the process of recovering and 
        rehabilitating the credit of the individual after the 
        individual experiences identity theft.
          ``(5) The term `identity theft' has the meaning given such 
        term under section 603 of the Fair Credit Reporting Act (15 
        U.S.C. 1681a).
          ``(6) The term `identity theft insurance' means any insurance 
        policy that pays benefits for costs, including travel costs, 
        notary fees, and postage costs, lost wages, and legal fees and 
        expenses associated with the identity theft of the insured 
        individual.
          ``(7) The term `principal credit reporting agency' means a 
        consumer reporting agency as described in section 603(p) of the 
        Fair Credit Reporting Act (15 U.S.C. 1681a(p)).

``Sec. 5722. Office of the Under Secretary for Information Services

  ``(a) Deputy Under Secretaries.--The Office of the Under Secretary 
for Information Services shall consist of the following:
          ``(1) The Deputy Under Secretary for Information Services for 
        Security, who shall serve as the Senior Information Security 
        Officer of the Department.
          ``(2) The Deputy Under Secretary for Information Services for 
        Operations and Management.
          ``(3) The Deputy Under Secretary for Information Services for 
        Policy and Planning.
  ``(b) Appointments.--Appointments under subsection (a) shall be made 
by the Secretary, notwithstanding the limitations of section 709 of 
this title.
  ``(c) Qualifications.--At least one of positions established and 
filled under subsection (a) shall be filled by an individual who has at 
least five years of continuous service in the Federal civil service in 
the executive branch immediately preceding the appointment of the 
individual as a Deputy Under Secretary. For purposes of determining 
such continuous service of an individual, there shall be excluded any 
service by such individual in a position--
          ``(1) of a confidential, policy-determining, policy-making, 
        or policy-advocating character;
          ``(2) in which such individual served as a noncareer 
        appointee in the Senior Executive Service, as such term is 
        defined in section 3132(a)(7) of title 5; or
          ``(3) to which such individual was appointed by the 
        President.

``Sec. 5723. Information security management

  ``(a) Responsibilities of Chief Information Officer.--To support the 
economical, efficient, and effective execution of subtitle III of 
chapter 35 of title 44, and policies and plans of the Department, the 
Secretary shall ensure that the Chief Information Officer of the 
Department has the authority and control necessary to develop, approve, 
implement, integrate, and oversee the policies, procedures, processes, 
activities, and systems of the Department relating to that subtitle, 
including the management of all related mission applications, 
information resources, personnel, and infrastructure.
  ``(b) Annual Compliance Report.--Not later than March 1 of each year, 
the Secretary shall submit to the Committees on Veterans' Affairs of 
the Senate and House of Representatives, the Committee on Government 
Reform of the House of Representatives, and the Committee on Homeland 
Security and Governmental Affairs of the Senate, a report on the 
Department's compliance with subtitle III of chapter 35 of title 44. 
The information in such report shall be displayed in the aggregate and 
separately for each Administration, office, and facility of the 
Department.
  ``(c) Reports to Secretary of Compliance Deficiencies.--(1) At least 
once every month, the Chief Information Officer shall report to the 
Secretary any deficiency in the compliance with subtitle III of chapter 
35 of title 44 of the Department or any Administration, office, or 
facility of the Department.
  ``(2) The Chief Information Officer shall immediately report to the 
Secretary any significant deficiency in such compliance.
  ``(d) Data Breaches.--(1) The Chief Information Officer shall 
immediately provide notice to the Secretary of any data breach.
  ``(2) Immediately after receiving notice of a data breach under 
paragraph (1), the Secretary shall provide notice of such breach to the 
Director of the Office of Management and Budget, the Inspector General 
of the Department, and, if appropriate, the Federal Trade Commission 
and the United States Secret Service.
  ``(e) Budgetary Matters.--When the budget for any fiscal year is 
submitted by the President to Congress under section 1105 of title 31, 
the Secretary shall submit to Congress a report that identifies amounts 
requested for Department implementation and remediation of and 
compliance with this subchapter and subtitle III of chapter 35 of title 
44. The report shall set forth those amounts both for each 
Administration within the Department and for the Department in the 
aggregate and shall identify, for each such amount, how that amount is 
aligned with and supports such implementation and compliance.

``Sec. 5724. Congressional reporting and notification of data breaches

  ``(a) Quarterly Reports.--(1) Not later than 30 days after the last 
day of a fiscal quarter, the Secretary shall submit to the Committees 
on Veterans' Affairs of the Senate and House of Representatives a 
report on any data breach with respect to sensitive personal 
information processed or maintained by the Department that occurred 
during that quarter.
  ``(2) Each report submitted under paragraph (1) shall identify, for 
each data breach covered by the report, the Administration and facility 
of the Department responsible for processing or maintaining the 
sensitive personal information involved in the data breach.
  ``(b) Notification of Significant Data Breaches.--(1) In the event of 
a data breach with respect to sensitive personal information processed 
or maintained by the Secretary that the Secretary determines is 
significant, the Secretary shall provide notice of such breach to the 
Committees on Veterans' Affairs of the Senate and House of 
Representatives.
  ``(2) Notice under paragraph (1) shall be provided promptly following 
the discovery of such a data breach and the implementation of any 
measures necessary to determine the scope of the breach, prevent any 
further breach or unauthorized disclosures, and reasonably restore the 
integrity of the data system.

``Sec. 5725. Data breaches

  ``(a) Independent Risk Analysis.--(1) In the event of a data breach 
with respect to sensitive personal information that is processed or 
maintained by the Secretary, the Secretary shall ensure that, as soon 
as possible after the data breach, a non-Department entity conducts an 
independent risk analysis of the data breach to determine the level of 
risk associated with the data breach for the potential misuse of any 
sensitive personal information involved in the data breach.
  ``(2) If the Secretary determines, based on the findings of a risk 
analysis conducted under paragraph (1), that a reasonable risk exists 
for the potential misuse of sensitive information involved in a data 
breach, the Secretary shall provide credit protection services in 
accordance with section 5726 of this title.
  ``(b) Notification.--(1) In the event of a data breach with respect 
to sensitive personal information that is processed or maintained by 
the Secretary, the Secretary shall provide to an individual whose 
sensitive personal information is involved in that breach notice of the 
data breach--
          ``(A) in writing; or
          ``(B) by email, if--
                  ``(i) the Department's primary method of 
                communication with the individual is by email; and
                  ``(ii) the individual has consented to receive such 
                notification.
  ``(2) Notice provided under paragraph (1) shall--
          ``(A) describe the circumstances of the data breach and the 
        risk that the breach could lead to misuse, including identity 
        theft, involving the sensitive personal information of the 
        individual;
          ``(B) describe the specific types of sensitive personal 
        information that was compromised as a part of the data breach;
          ``(C) describe the actions the Department is taking to remedy 
        the data breach;
          ``(D) inform the individual that the individual may request a 
        fraud alert and credit security freeze under this section;
          ``(E) clearly explain the advantages and disadvantages to the 
        individual of receiving fraud alerts and credit security 
        freezes under this section; and
          ``(F) includes such other information as the Secretary 
        determines is appropriate.
  ``(3) The notice required under paragraph (1) shall be provided 
promptly following the discovery of a data breach and the 
implementation of any measures necessary to determine the scope of the 
breach, prevent any further breach or unauthorized disclosures, and 
reasonably restore the integrity of the data system.
  ``(c) Report.--For each data breach with respect to sensitive 
personal information processed or maintained by the Secretary, the 
Secretary shall promptly submit to the Committees on Veterans' Affairs 
of the Senate and House of Representatives a report containing the 
findings of any independent risk analysis conducted under subsection 
(a)(1), any determination of the Secretary under subsection (a)(2), and 
a description of any credit protection services provided under section 
5726 of this title.
  ``(d) Final Determination.--Notwithstanding sections 511 and 7104(a) 
of this title, any determination of the Secretary under subsection 
(a)(2) with respect to the reasonable risk for the potential misuse of 
sensitive information involved in a data breach is final and conclusive 
and may not be reviewed by any other official, administrative body, or 
court, whether by an action in the nature of mandamus or otherwise.
  ``(e) Fraud Alerts.--(1) In the event of a data breach with respect 
to sensitive personal information that is processed or maintained by 
the Secretary, the Secretary shall arrange, upon the request of an 
individual whose sensitive personal information is involved in the 
breach to a principal credit reporting agency with which the Secretary 
has entered into a contract under section 5726(d) and at no cost to the 
individual, for the principal credit reporting agency to provide fraud 
alert services for that individual for a period of not less than one 
year, beginning on the date of such request, unless the individual 
requests that such fraud alert be removed before the end of such 
period, and the agency receives appropriate proof of the identity of 
the individual for such purpose.
  ``(2) The Secretary shall arrange for each principal credit reporting 
agency referred to in paragraph (1) to provide any alert requested 
under such subsection in the file of the individual along with any 
credit score generated in using that file, for a period of not less 
than one year, beginning on the date of such request, unless the 
individual requests that such fraud alert be removed before the end of 
such period, and the agency receives appropriate proof of the identity 
of the individual for such purpose.
  ``(f) Credit Security Freeze.--(1) In the event of a data breach with 
respect to sensitive personal information that is processed or 
maintained by the Secretary, the Secretary shall arrange, upon the 
request of an individual whose sensitive personal information is 
involved in the breach and at no cost to the individual, for each 
principal credit reporting agency to apply a security freeze to the 
file of that individual for a period of not less than one year, 
beginning on the date of such request, unless the individual requests 
that such security freeze be removed before the end of such period, and 
the agency receives appropriate proof of the identity of the individual 
for such purpose.
  ``(2) The Secretary shall arrange for a principal credit reporting 
agency applying a security freeze under paragraph (1)--
          ``(A) to send a written confirmation of the security freeze 
        to the individual within five business days of applying the 
        freeze;
          ``(B) to refer the information regarding the security freeze 
        to other consumer reporting agencies;
          ``(C) to provide the individual with a unique personal 
        identification number or password to be used by the individual 
        when providing authorization for the release of the 
        individual's credit for a specific party or period of time; and
          ``(D) upon the request of the individual, to temporarily lift 
        the freeze for a period of time specified by the individual, 
        beginning not later than three business days after the date on 
        which the agency receives the request.

``Sec. 5726. Provision of credit protection services

  ``(a) Covered Individual.--For purposes of this section, a covered 
individual is an individual whose sensitive personal information that 
is processed or maintained by the Department (or any third-party entity 
acting on behalf of the Department) is involved, on or after August 1, 
2005, in a data breach for which the Secretary determines a reasonable 
risk exists for the potential misuse of sensitive personal information 
under section 5725(a)(2) of this title.
  ``(b) Notification.--(1) In addition to any notice required under 
subsection 5725(b) of this title, the Secretary shall provide to a 
covered individual notice in writing that--
          ``(A) the individual may request credit protection services 
        under this section;
          ``(B) clearly explains the advantages and disadvantages to 
        the individual of receiving credit protection services under 
        this section;
          ``(C) includes a notice of which principal credit reporting 
        agency the Secretary has entered into a contract with under 
        subsection (d), and information about requesting services 
        through that agency;
          ``(D) describes actions the individual can or should take to 
        reduce the risk of identity theft; and
          ``(E) includes such other information as the Secretary 
        determines is appropriate.
  ``(2) The notice required under paragraph (1) shall be made as 
promptly as possible and without unreasonable delay following the 
discovery of a data breach for which the Secretary determines a 
reasonable risk exists for the potential misuse of sensitive personal 
information under section 5725(a)(2) of this title and the 
implementation of any measures necessary to determine the scope of the 
breach, prevent any further breach or unauthorized disclosures, and 
reasonably restore the integrity of the data system.
  ``(3) The Secretary shall ensure that each notification under 
paragraph (1) includes a form or other means for readily requesting the 
credit protection services under this section. Such form or other means 
may include a telephone number, email address, or Internet website 
address.
  ``(c) Availability of Services Through Other Government Agencies.--If 
a service required to be provided under this section is available to a 
covered individual through another department or agency of the 
Government, the Secretary and the head of that department or agency may 
enter into an agreement under which the head of that department or 
agency agrees to provide that service to the covered individual.
  ``(d) Contract With Credit Reporting Agency.--Subject to the 
availability of appropriations and notwithstanding any other provision 
of law, the Secretary shall enter into contracts or other agreements as 
necessary with one or more principal credit reporting agencies in order 
to ensure, in advance, the provision of credit protection services 
under this section and fraud alerts and security freezes under section 
5725 of this title. Any such contract or agreement may include 
provisions for the Secretary to pay the expenses of such a credit 
reporting agency for the provision of such services.
  ``(e) Data Breach Analysis.--The Secretary shall arrange, upon the 
request of a covered individual and at no cost to the individual, to 
provide data breach analysis for the individual for a period of not 
less than one year, beginning on the date of such request.
  ``(f) Provision of Credit Monitoring Services and Identity Theft 
Insurance.--During the one-year period beginning on the date on which 
the Secretary notifies a covered individual that the individual's 
sensitive personal information is involved in a data breach, the 
Secretary shall arrange, upon the request of the individual and without 
charge to the individual, for the provision of credit monitoring 
services to the individual. Credit monitoring services under this 
subsection shall include each of the following:
          ``(1) One copy of the credit report of the individual every 
        three months.
          ``(2) Fraud resolution services for the individual.
          ``(3) Identity theft insurance in a coverage amount that does 
        not exceed $30,000 in aggregate liability for the insured.

``Sec. 5727. Contracts for data processing or maintenance

  ``(a) Contract Requirements.--If the Secretary enters into a contract 
for the performance of any Department function that requires access to 
sensitive personal information, the Secretary shall require as a 
condition of the contract that--
          ``(1) the contractor shall not, directly or through an 
        affiliate of the contractor, disclose such information to any 
        other person unless the disclosure is lawful and is expressly 
        permitted under the contract;
          ``(2) the contractor, or any subcontractor for a subcontract 
        of the contract, shall promptly notify the Secretary of any 
        data breach that occurs with respect to such information.
  ``(b) Liquidated Damages.--Each contract subject to the requirements 
of subsection (a) shall provide for liquidated damages to be paid by 
the contractor to the Secretary in the event of a data breach with 
respect to any sensitive personal information processed or maintained 
by the contractor or any subcontractor under that contract.
  ``(c) Provision of Credit Protection Services.--Any amount collected 
by the Secretary under subsection (b) shall be deposited in or credited 
to the Department account from which the contractor was paid and shall 
remain available for obligation without fiscal year limitation 
exclusively for the purpose of providing credit protection services in 
accordance with section 5726 of this title.

``Sec. 5728. Authorization of appropriations

  ``There are authorized to be appropriated to carry out this 
subchapter such sums as may be necessary for each fiscal year.''.
  (b) Clerical Amendment.--The table of sections at the beginning of 
such chapter is amended by adding at the end the following new items:

                  ``Subchapter III--Information Security

``5721. Definitions.
``5722. Office of the Under Secretary for Information Services.
``5723. Information security management.
``5724. Congressional reporting and notification of data breaches.
``5725. Data breaches.
``5726. Provision of credit protection services.
``5727. Contracts for data processing or maintenance.
``5728. Authorization of appropriations.''.

  (c) Deadline for Regulations.--Not later than 60 days after the date 
of the enactment of this Act, the Secretary of Veterans Affairs shall 
publish regulations to carry out subchapter III of chapter 57 of title 
38, United States Code, as added by subsection (a).

SEC. 5. REPORT ON FEASIBILITY OF USING PERSONAL IDENTIFICATION NUMBERS 
                    FOR IDENTIFICATION.

  Not later than 180 days after the date of the enactment of this Act, 
the Secretary of Veterans Affairs shall submit to Congress a report 
containing the assessment of the Secretary with respect to the 
feasibility of using personal identification numbers instead of Social 
Security numbers for the purpose of identifying individuals whose 
sensitive personal information (as that term is defined in section 5721 
of title 38, United States Code, as added by section 4) is processed or 
maintained by the Secretary.

SEC. 6. DEADLINE FOR APPOINTMENTS.

  (a) Deadline.--Not later than 180 days after the date of the 
enactment of this Act--
          (1) the President shall nominate an individual to serve as 
        the Under Secretary of Veterans Affairs for Information 
        Services under section 307A of title 38, United States Code, as 
        added by section 3; and
          (2) the Secretary of Veterans Affairs shall appoint an 
        individual to serve as each of the Deputy Under Secretaries of 
        Veterans Affairs for Information Services under section 5722 of 
        such title, as added by section 4.
  (b) Report.--Not later than 30 days after the date of the enactment 
of this Act, and every 30 days thereafter until the appointments 
described in subsection (a) are made, the Secretary of Veterans Affairs 
shall submit to Congress a report describing the progress of such 
appointments.

SEC. 7. INFORMATION SECURITY EDUCATION ASSISTANCE PROGRAM.

  (a) Program Required.--Title 38, United States Code, is amended by 
inserting after chapter 78 the following new chapter:

    ``CHAPTER 79--INFORMATION SECURITY EDUCATION ASSISTANCE PROGRAM

``Sec.
``7901. Programs; purpose.
``7902. Scholarship program.
``7903. Education debt reduction program.
``7904. Preferences in awarding financial assistance.
``7905. Requirement of honorable discharge for veterans receiving 
assistance.
``7906. Regulations.
``7907. Termination.

``Sec. 7901. Programs; purpose

  ``(a) In General.--To encourage the recruitment and retention of 
Department personnel who have the information security skills necessary 
to meet Department requirements, the Secretary shall carry out programs 
in accordance with this chapter to provide financial support for 
education in computer science and electrical and computer engineering 
at accredited institutions of higher education.
  ``(b) Types of Programs.--The programs authorized under this chapter 
are as follows:
          ``(1) Scholarships for pursuit of doctoral degrees in 
        computer science and electrical and computer engineering at 
        accredited institutions of higher education.
          ``(2) Education debt reduction for Department personnel who 
        hold doctoral degrees in computer science and electrical and 
        computer engineering at accredited institutions of higher 
        education.

``Sec. 7902. Scholarship program

  ``(a) Authority.--(1) Subject to the availability of appropriations, 
the Secretary shall establish a scholarship program under which the 
Secretary shall, subject to subsection (d), provide financial 
assistance in accordance with this section to a qualified person--
          ``(A) who is pursuing a doctoral degree in computer science 
        or electrical or computer engineering at an accredited 
        institution of higher education; and
          ``(B) who enters into an agreement with the Secretary as 
        described in subsection (b).
  ``(2)(A) Except as provided under subparagraph (B), the Secretary may 
provide financial assistance under this section to an individual for up 
to five years.
  ``(B) The Secretary may waive the limitation under subparagraph (A) 
if the Secretary determines that such a waiver is appropriate.
  ``(3)(A) The Secretary may award up to five scholarships for any 
academic year to individuals who did not receive assistance under this 
section for the preceding academic year.
  ``(B) Not more than one scholarship awarded under subparagraph (A) 
may be awarded to an individual who is an employee of the Department 
when the scholarship is awarded.
  ``(b) Service Agreement for Scholarship Recipients.--(1) To receive 
financial assistance under this section an individual shall enter into 
an agreement to accept and continue employment in the Department for 
the period of obligated service determined under paragraph (2).
  ``(2) For the purposes of this subsection, the period of obligated 
service for a recipient of financial assistance under this section 
shall be the period determined by the Secretary as being appropriate to 
obtain adequate service in exchange for the financial assistance and 
otherwise to achieve the goals set forth in section 7901(a) of this 
title. In no event may the period of service required of a recipient be 
less than the period equal to two times the total period of pursuit of 
a degree for which the Secretary agrees to provide the recipient with 
financial assistance under this section. The period of obligated 
service is in addition to any other period for which the recipient is 
obligated to serve on active duty or in the civil service, as the case 
may be.
  ``(3) An agreement entered into under this section by a person 
pursuing an doctoral degree shall include terms that provide the 
following:
          ``(A) That the period of obligated service begins on a date 
        after the award of the degree that is determined under the 
        regulations prescribed under section 7906 of this title.
          ``(B) That the individual will maintain satisfactory academic 
        progress, as determined in accordance with those regulations, 
        and that failure to maintain such progress constitutes grounds 
        for termination of the financial assistance for the individual 
        under this section.
          ``(C) Any other terms and conditions that the Secretary 
        determines appropriate for carrying out this section.
  ``(c) Amount of Assistance.--(1) The amount of the financial 
assistance provided for an individual under this section shall be the 
amount determined by the Secretary as being necessary to pay--
          ``(A) the tuition and fees of the individual; and
          ``(B) $1500 to the individual each month (including a month 
        between academic semesters or terms leading to the degree for 
        which such assistance is provided or during which the 
        individual is not enrolled in a course of education but is 
        pursuing independent research leading to such degree) for 
        books, laboratory expenses, and expenses of room and board.
  ``(2) In no case may the amount of assistance provided for an 
individual under this section for an academic year exceed $50,000.
  ``(3) In no case may the total amount of assistance provided for an 
individual under this section exceed $200,000.
  ``(4) Notwithstanding any other provision of law, financial 
assistance paid an individual under this section shall not be 
considered as income or resources in determining eligibility for, or 
the amount of benefits under, any Federal or federally assisted 
program.
  ``(d) Repayment for Period of Unserved Obligated Service.--(1) An 
individual who receives financial assistance under this section shall 
repay to the Secretary an amount equal to the unearned portion of the 
financial assistance if the individual fails to satisfy the 
requirements of the service agreement entered into under subsection 
(b), except in certain circumstances authorized by the Secretary.
  ``(2) The Secretary may establish, by regulations, procedures for 
determining the amount of the repayment required under this subsection 
and the circumstances under which an exception to the required 
repayment may be granted.
  ``(3) An obligation to repay the Secretary under this subsection is, 
for all purposes, a debt owed the United States. A discharge in 
bankruptcy under title 11 does not discharge a person from such debt if 
the discharge order is entered less than five years after the date of 
the termination of the agreement or contract on which the debt is 
based.
  ``(e) Waiver or Suspension of Compliance.--The Secretary shall 
prescribe regulations providing for the waiver or suspension of any 
obligation of a individual for service or payment under this section 
(or an agreement under this section) whenever noncompliance by the 
individual is due to circumstances beyond the control of the individual 
or whenever the Secretary determines that the waiver or suspension of 
compliance is in the best interest of the United States.
  ``(f) Internships.--(1) The Secretary may offer a compensated 
internship to an individual for whom financial assistance is provided 
under this section during a period between academic semesters or terms 
leading to the degree for which such assistance is provided. 
Compensation provided for such an internship shall be in addition to 
the financial assistance provided under this section.
  ``(2) An internship under this subsection shall not be counted toward 
satisfying a period of obligated service under this section.
  ``(g) Ineligibility of Individuals Receiving Certain Education 
Assistance Payments.--An individual who receives a payment of 
educational assistance under chapter 30, 31, 32, 34, or 35 of this 
title or chapter 1606 or 1607 of title 10 for a month in which the 
individual is enrolled in a course of education leading to a doctoral 
degree in information security is not eligible to receive financial 
assistance under this section for that month.

``Sec. 7903. Education debt reduction program

  ``(a) Authority.--(1) Subject to the availability of appropriations, 
the Secretary shall establish an education debt reduction program under 
which the Secretary shall make education debt reduction payments under 
this section to qualified individuals eligible under subsection (b) for 
the purpose of reimbursing such individuals for payments by such 
individuals of principal and interest on loans described in paragraph 
(2) of that subsection.
  ``(2)(A) For each fiscal year, the Secretary may accept up to five 
individuals into the program established under paragraph (1) who did 
not receive such a payment during the preceding fiscal year.
  ``(B) Not more than one individual accepted into the program for a 
fiscal year under subsection (A) shall be a Department employee as of 
the date on which the individual is accepted into the program.
  ``(b) Eligibility.--An individual is eligible to participate in the 
program under this section if the individual--
          ``(1) has completed a doctoral degree in computer science or 
        electrical or computer engineering at an accredited institution 
        of higher education during the five-year period preceding the 
        date on which the individual is hired;
          ``(2) is an employee of the Department who serves in a 
        position related to information security (as determined by the 
        Secretary); and
          ``(3) owes any amount of principal or interest under a loan, 
        the proceeds of which were used by or on behalf of that 
        individual to pay costs relating to a doctoral degree in 
        computer science or electrical or computer engineering at an 
        accredited institution of higher education.
  ``(c) Amount of Assistance.--(1) Subject to paragraph (2), the amount 
of education debt reduction payments made to an individual under this 
section may not exceed $82,500 over a total of five years, of which not 
more than $16,500 of such payments may be made in each year.
  ``(2) The total amount payable to an individual under this section 
for any year may not exceed the amount of the principal and interest on 
loans referred to in subsection (b)(3) that is paid by the individual 
during such year.
  ``(d) Payments.--(1) The Secretary shall make education debt 
reduction payments under this section on an annual basis.
  ``(2) The Secretary shall make such a payment--
          ``(A) on the last day of the one-year period beginning on the 
        date on which the individual is accepted into the program 
        established under subsection (a); or
          ``(B) in the case of an individual who received a payment 
        under this section for the preceding fiscal year, on the last 
        day of the one-year period beginning on the date on which the 
        individual last received such a payment.
  ``(3) Notwithstanding any other provision of law, education debt 
reduction payments under this section shall not be considered as income 
or resources in determining eligibility for, or the amount of benefits 
under, any Federal or federally assisted program.
  ``(e) Performance Requirement.--The Secretary may make education debt 
reduction payments to an individual under this section for a year only 
if the Secretary determines that the individual maintained an 
acceptable level of performance in the position or positions served by 
the individual during the year.
  ``(f) Notification of Terms of Provision of Payments.--The Secretary 
shall provide to an individual who receives a payment under this 
section notice in writing of the terms and conditions that apply to 
such a payment.
  ``(g) Covered Costs.--For purposes of subsection (b)(3), costs 
relating to a course of education or training include--
          ``(1) ) tuition expenses; and
          ``(2) all other reasonable educational expenses, including 
        fees, books, and laboratory expenses;

``Sec. 7904. Preferences in awarding financial assistance

  ``In awarding financial assistance under this chapter, the Secretary 
shall give a preference to qualified individuals who are otherwise 
eligible to receive the financial assistance in the following order of 
priority:
          ``(1) Veterans with service-connected disabilities.
          ``(2) Veterans.
          ``(3) Persons described in section 4215(a)(1)(B) of this 
        title.
          ``(4) Individuals who received or are pursuing degrees at 
        institutions designated by the National Security Agency as 
        Centers of Academic Excellence in Information Assurance 
        Education.
          ``(5) Citizens of the United States.

``Sec. 7905. Requirement of honorable discharge for veterans receiving 
                    assistance

  ``No veteran shall receive financial assistance under this chapter 
unless the veteran was discharged from the Armed Forces under honorable 
conditions.

``Sec. 7906. Regulations

  ``The Secretary shall prescribe regulations for the administration of 
this chapter.

``Sec. 7907. Termination

  ``The authority of the Secretary to make a payment under this chapter 
shall terminate on July 31, 2017.''.
  (b) GAO Report.--Not later than three years after the date of the 
enactment of this Act, the Comptroller General shall submit to Congress 
a report on the scholarship and education debt reduction programs under 
chapter 79 of title 38, United States Code, as added by subsection (a).
  (c) Applicability of Scholarships.--Section 7902 of title 38, United 
States Code, as added by subsection (a), shall apply with respect to 
financial assistance provided for an academic semester or term that 
begins on or after August 1, 2007.
  (d) Clerical Amendment.--The tables of chapters at the beginning of 
such title, and at the beginning of part V of such title, are amended 
by inserting after the item relating to chapter 78 the following new 
item:

``79. Information Security Education Assistance Program.....    7901''.

                              Introduction

    The reported bill reflects the Committee's consideration of 
H.R. 5455, H.R. 5464, H.R. 5467, H.R. 5490, H.R. 5577, H.R. 
5588, H.R. 5636, H.R. 5783, and H.R. 5835, as amended.
     On May 23, 2006, the Honorable John T. Salazar introduced 
H.R. 5455, the Veterans' Identity Protection Act, which would 
require the Secretary of Veterans Affairs to provide free 
credit monitoring and credit reports for veterans and others 
affected by the theft of veterans' personal data, and to ensure 
that such persons are appropriately notified of such thefts.
    On May 24, 2006, the Honorable Marsha Blackburn introduced 
H.R. 5464, which would require that veterans be notified that 
their data was stolen, and that the veteran could request a 
free credit report every three months for the next year, and 
have a year of credit monitoring.
    On May 24, 2006, the Honorable Thelma D. Drake introduced 
H.R. 5467, which would amend title 38, United States Code, to 
establish criminal penalties for the unauthorized disclosure of 
records containing personal information about veterans.
    On May 25, 2006, the Honorable Darlene Hooley introduced 
H.R. 5487, which would require the Secretary of Veterans 
Affairs to take certain actions to mitigate the effects of the 
breach of data that occurred in May 2006.
    On May 25, 2006, the Honorable Robert E. Andrews introduced 
H.R. 5490, which would require the Secretary of Veterans 
Affairs to establish a personal identification number for each 
veteran in order to help preserve the confidentiality of the 
Department of Veterans Affairs' information on veterans.
    On May 25, 2006, the full Committee held a hearing with the 
Secretary of Veterans Affairs and the Inspector General of the 
Department of Veterans Affairs to review the loss of sensitive 
information of veterans.
    On June 8, 2006, full Committee Chairman Steve Buyer and 
Committee on Appropriations' Subcommittee on Military Quality 
of Life and Veterans Affairs Chairman James T. Walsh held a 
business roundtable with information technology experts from 
private sector companies, including the Goldman Sachs Group; 
EMC Corporation; VISA; Citigroup Inc.; TriWest Healthcare 
Alliance; and the American Bankers Association.
    On June 9, 2006, the Honorable Shelley Moore Capito 
introduced H.R. 5577, which would enhance protection of records 
of the Department of Veterans Affairs containing personal 
identifying information that is required by law to be 
confidential and privileged from disclosure except as 
authorized by law.
    On June 12, 2006, the Honorable John T. Salazar and the 
Honorable Lane Evans introduced H.R. 5588, the Comprehensive 
Veterans' Data Protection and Identity Theft Prevention Act of 
2006, which would require the Secretary of Veterans Affairs to 
protect sensitive personal information of veterans, to ensure 
that veterans are appropriately notified of any breach of data 
security with respect to such information, and to provide free 
credit monitoring and credit reports for veterans and others 
affected by any such breach of data security.
    On June 14, 2006, the full Committee held an oversight 
hearing on information security at the Department of Veterans 
Affairs.
     On June 16, 2006, the Honorable Kay Granger introduced 
H.R. 5636, the Social Security Number Privacy and Protection 
Act, to reduce the risk of identity theft by limiting the use 
of social security account numbers on certain Government-issued 
identification cards and Government documents.
    On June 20, 2006, the Subcommittees on Disability 
Assistance and Memorial Affairs and Economic Opportunity held a 
joint hearing on data security at the Veterans Benefits 
Administration.
    On June 21, 2006, the Subcommittee on Health held an 
oversight hearing on safeguarding veterans' medical information 
within the Veterans Health Administration.
    On June 22, 2006, the full Committee held an oversight 
hearing on the academic and legal implications of VA's data 
loss.
    On June 28, 2006, the full Committee held a hearing on what 
VA IT organizational structures would have best prevented VA's 
failures in information management.
    On June 29, 2006, the full Committee held a hearing with 
the Secretary of Veterans Affairs on the progress of the 
Department of Veterans Affairs in mitigating the nation's 
second largest data breach.
    On July 13, 2006, the Honorable Brian P. Bilbray introduced 
H.R. 5783, the Comprehensive Credit Services for Veterans Act 
of 2006, which would amend title 38, United States Code, to 
improve the security of sensitive personal data processed or 
maintained by the Secretary of Veterans Affairs.
    On July 18, 2006, the full Committee held a legislative 
hearing on draft legislation to review proposals and draft 
legislation the Committee was preparing as a response to the 
recent theft of the personal information of 26.5 million 
veterans and 2.2 million active duty and reserve component 
service members and their spouses, which included provisions 
and concepts from H.R. 5464, H.R. 5467, H.R. 5487, H.R. 5577, 
H.R. 5588, and H.R. 5783.
     On July 19, 2006, the Chairman and Acting Ranking Member, 
the Honorable Steve Buyer and the Honorable Bob Filner, 
respectively, along with Mr. Michael Bilirakis, Mr. Lane Evans, 
Mr. Cliff Stearns, Mr. Luis V. Gutierrez, Mr. Dan Burton, Ms. 
Corrine Brown of Florida, Mr. Henry E. Brown, Jr., of South 
Carolina, Mr. Michael H. Michaud, Mr. Jeff Miller of Florida, 
Ms. Stephanie Herseth, Mr. John Boozman, Mr. Ted Strickland, 
Mr. Jeb Bradley, Mr. Silvestre Reyes, Mrs. Ginny Brown-Waite, 
Ms. Shelley Berkley, Mr. Brian P. Bilbray, Mr. John T. Salazar, 
Mr. Tom Davis of Virginia, Mr. Henry A. Waxman, Mr. James T. 
Walsh, Mr. Chet Edwards, Mr. John D. Dingell, and Ms. Janice D. 
Schakowsky introduced H.R. 5835, the Veterans Information and 
Credit Security Act of 2006.
    On July 20, 2006, the full Committee met to markup H.R. 
5835, and ordered it reported favorably with an amendment in 
the nature of a substitute to the House by unanimous voice 
vote.

                      Summary of the Reported Bill

    H.R. 5835, as amended, would:
    1. Establish federal agency data breach notification 
requirements including the provision of enforcement authority 
to the Chief Information Officer of the Department of Veterans 
Affairs.
    2. Create a new Under Secretary of Information Services at 
the Department of Veterans Affairs, who would also serve as the 
Chief Information Officer.
    3. Create the Office of the Under Secretary for Information 
Security, which would contain three Deputy Under Secretaries 
appointed by the Secretary:
          a. Deputy Under Secretary for Security, who would 
        also serve as the Senior Information Security Officer 
        of the Department,
          b. Deputy Under Secretary for Operations and 
        Management, and
          c. Deputy Under Secretary for Policy and Planning.
    4. Define the responsibilities of the Under Secretary for 
Information Services under the Federal Information Security 
Management Act of 2002 (FISMA), which would include regular 
reporting of compliance or noncompliance with FISMA to the 
Secretary and Congress.
    5. Provide reporting and notification guidelines by the 
Secretary of Veterans Affairs to Congress in the event of a 
data security breach.
    6. Require an independent analysis of any data breaches to 
determine the level of risk associated for the potential misuse 
of any sensitive personal information involved in the data 
breach, and provide notification to affected individuals which 
would include:
          a. the availability of fraud alerts at the request of 
        the individual, and
          b. the availability of a credit security freeze at 
        the request of the individual.
    7. Permit the Secretary of Veterans Affairs to have final 
determination with respect to the reasonable risk for the 
potential misuse of sensitive information involved in a data 
breach based on the risk analysis performed.
    8. Allow remediation of identity theft, in the event the 
Secretary determines a reasonable risk exists for the potential 
misuse of the breached data, for a veteran or other individual 
whose sensitive personal information was compromised due to a 
data security breach at the Department, through the 
availability of credit protection services and, upon the 
request of that individual, fraud resolution services 
including;
          a. a definition of the covered individual,
          b. notification in writing or by email that the 
        individual's sensitive personal information was part of 
        a security breach,
          c. the availability of services through other 
        government entities,
          d. contracting with credit reporting agencies,
          e. the availability of a data breach analysis, and
          f. credit monitoring services and identity theft 
        insurance.
    9. Require, as a condition of contracting with the 
Department of Veterans Affairs for the processing or 
maintenance of sensitive personal information, that a 
contractor not disclose such information to any other person, 
unless the disclosure is lawful and is expressly permitted 
under the contract. Should a breach occur by either the 
contractor or the subcontractor, liquidated damages would be 
incurred by the contractor. Monies collected from contractors 
as liquidated damages would be used to provide credit 
protection services to covered individuals affected by the data 
breach for which the penalty is paid.
    10. Provide for an appropriation of such funds as may be 
necessary for each fiscal year for credit protection services.
    11. Require a report by the Department of Veterans Affairs 
on the feasibility of using personal identification numbers 
instead of social security numbers for the purpose of 
identifying individuals whose sensitive personal information is 
processed or maintained by the Secretary. The report is to be 
submitted to Congress no later than 180 days after the date of 
enactment.
    12. Set a deadline for appointments under this Act of not 
later than 180 days after enactment, with a report of not later 
than 30 days after the date of the enactment, and every 30 days 
thereafter until the appointments are made, from the Secretary 
describing the progress of the appointments.
    13. Create a scholarship program for up to five new 
scholarships each year at VA for recruitment of personnel who 
are in pursuit of a doctoral degree in information security, 
computer engineering, or electrical engineering at an 
accredited institution of higher learning. The recipients would 
be required to agree to a period of obligated service at the 
Department as determined by the Secretary, not less than two 
years for every one year of school tuition paid, and repayment 
would be required in the event an individual voluntarily 
terminates service prior to the end of the period of obligated 
service.
    14. Provide for repayment of education debts for five 
individuals each year who hold doctoral degrees in information 
security, computer engineering, or electrical engineering from 
an accredited institution of higher learning (only one may be a 
current employee of the Department). Debt reduction payments 
made to individuals under this section would not exceed $82,500 
over a total of 5 years of participation, or $16,500 per year 
in the program.
    15. Authorize the Secretary of Veterans Affairs to give 
preference in the award of either the scholarships or the 
repayment program to individuals who are: service-disabled 
veterans, veterans, surviving spouses of veterans who have died 
of a service-connected disability, or spouses of veterans who 
are 100-percent permanently and totally disabled; or 
individuals who have received or are pursuing a degree at a 
Center of Academic Excellence in Information Assurance 
Education.
    16. Require the Government Accountability Office (GAO) to 
report on the education programs 3 years after date of 
enactment.

                       Background and Discussion

    Federal Agency Data Breach Notification.--Section 2 of the 
bill would provide enforcement authority under the Federal 
Information Security Management Act of 2002 (FISMA). The 
Committee found in its investigation of the data breach of May 
3, 2006, the intent of Congress should be clarified with regard 
to the extent to which FISMA would authorize the Department 
Secretary or the Chief Information Officer to enforce 
compliance with FISMA at the Department. This language was 
written in cooperation with the Committee on Government Reform 
and would strengthen the Secretary and the CIO's authority and 
enforcement under FISMA for all government agencies. This 
section also would require timely notification to individuals 
whose sensitive personal information was included in a breach 
of data at the agency. The Committee strongly urges the 
Department of Veterans Affairs to follow the guidelines set 
forth in the Federal Information Security Management Act of 
2002 (FISMA) to ensure the protection of veterans' personal 
information. The Committee also expects that the Secretary 
would consider compliance with FISMA when evaluating an 
employee's performance for providing merit bonuses, consistent 
with the Secretary's goal of working to make VA the ``gold 
standard'' in information security.
    Under Secretary for Information Services.--Section 3 of the 
bill would create a new appointment-level Under Secretary for 
Information Services at the Department of Veterans Affairs. 
This Under Secretary would direct the Office of Information 
Services, and also serve as the Chief Information Officer of 
the Department of Veterans Affairs. The Committee intends that 
the Under Secretary for Information Services and Chief 
Information Officer would serve on the VA/DoD Joint Executive 
Council, just as the current Assistant Secretary for 
Information and Technology and Chief Information Officer does. 
The Committee also determined that, consistent with private 
sector practices, the Department would be better served by an 
Under Secretary appointee who would be in charge of all IT 
related services for the Department. In the private sector the 
CIO is often a corporate vice president.
    Department of Veterans Affairs Information Security.--
Section 4 of the bill would create the Office of the Under 
Secretary for Information Services. In the Office of 
Information Services, there would be three Deputy Under 
Secretaries: (1) Deputy Under Secretary for Security, who would 
also serve as the Chief Information Security Officer of the 
Department; (2) Deputy Under Secretary for Operations and 
Management; who would oversee day to day information technology 
operations within the Department of Veterans Affairs, and (3) 
Deputy Under Secretary for Policy and Planning who would 
provide policy guidelines and development planning for IT 
related issues at the Department.
    The section would also identify the responsibilities of the 
Chief Information Officer, and would require an annual report 
to be submitted to the House and Senate Committees on Veterans' 
Affairs, the House Committee on Government Reform and the 
Senate Committee on Homeland Security and Governmental Affairs 
on the Department's compliance under FISMA. The information 
would be for each Administration, office or facility of the 
Department.
    The Chief Information Officer would be required to report 
at least monthly to the Secretary any deficiency in the 
compliance of FISMA of the Department or any Administration, 
office, or facility of the Department. Should a significant 
deficiency in compliance be found at the Department or in any 
Administration, office or facility of the Department, the Chief 
Information Officer would be required to immediately report 
this to the Secretary.
    With respect to data breaches that may occur at the 
Department or at any Administration, office or facility of the 
Department, the Chief Information Officer would immediately 
provide notice of said breach to the Secretary. The Secretary 
would then provide notice of the breach to the Director of the 
Office of Management and Budget, the Inspector General of the 
Department, and if appropriate, the Federal Trade Commission 
and the United States Secret Service.
     Under section 5725(b)(1) the Department would be required 
to notify the individual whose sensitive personal information 
was part of the data breach. The Committee suggests that under 
this section the Department develop a mechanism through the 
Veterans Integrated Service Networks to notify the veterans of 
the data breach and provide an explanation of the services 
provided under this legislation.
    Report on Feasibility of Using Personal Identification 
Numbers for Identification.--Section 5 of the bill would 
require a report from the Secretary of Veterans Affairs to 
Congress, containing the assessment of the Secretary with 
respect to the feasibility of using personal identification 
numbers instead of Social Security numbers for the purpose of 
identifying individuals whose sensitive personal information is 
processed or maintained by the Secretary. Currently, social 
security numbers are maintained in the same database as all 
other veteran information, and used by claims processors to 
access files at the Department. Prior to 1973, a special C-file 
number was assigned to veterans claims and cases, and was used 
as the primary identifier for veterans information at the 
Department. The Committee seeks to determine the feasibility of 
changing to a system of identifiers which would not require the 
use of a Social Security Number stored within the veterans' 
primary record in order to protect the veterans personal 
identifying information.
    Deadline for Appointments.--Section 6 of the bill would 
require the Under Secretary for Information Services, and the 
Deputy Under Secretaries under the Office of Information 
Services to be appointed not later than 180 days after the 
enactment of the Act. Thirty days after enactment of this act, 
the Secretary would be required to report to Congress on the 
progress of the appointments, and then every 30 days until all 
appointments are made.
    Information Security Education Assistance Program.--Section 
7 of the bill would require VA to establish a financial 
assistance program that would include no more than five 
scholarships and five debt reduction payment programs per year 
through July 31, 2017 for individuals in pursuit of, or having 
received, a doctoral degree in computer science, electrical 
engineering, or computer engineering, in an effort to assist VA 
with recruiting new personnel with expertise in cyber security. 
The Committee intends for VA to broadly interpret the areas of 
doctoral degrees to include any disciplines in the information 
security systems arena. Finally, the Committee expects VA to 
give preference to service-disabled veterans, veterans, 
surviving spouses of veterans who have died of a service-
connected disability or spouses of veterans who are 100 percent 
permanently and totally disabled, and individuals who have 
received or are pursuing a degree at a Center of Academic 
Excellence in Information Assurance Education. The education 
assistance program was specifically drafted into the 
legislation in order to provide the Secretary with a recruiting 
and retention tool to obtain the most qualified individuals in 
the area of information technology and information security to 
work at the Department.

                      Section-by-Section Analysis

    Section 1 of the bill would provide that this Act may be 
cited as the ``Veterans Identity and Credit Security Act of 
2006.''
    Section 2(a) of the bill would amend section 3543(a) of 
title 44, United States Code, by (1) striking ``and'' at the 
end of paragraph (7); (2) striking the period and inserting ``; 
and'' at the end of paragraph (8); and (3) adding at the end 
the following new paragraph: ``(9) establishing policies, 
procedures, and standards for agencies to follow in the event 
of a breach of data security involving the disclosure of 
sensitive personal information in violation of section 552a of 
title 5, United States Code, including a requirement for timely 
notice to be given to those individuals whose sensitive 
personal information could be compromised as a result of such 
breach, except no notice shall be required if the breach does 
not create a reasonable risk of identity theft, fraud, or other 
unlawful conduct regarding such individual.
    Section 2(b) of the bill would amend section 3544(a)(3) of 
title 44, United States Code, by inserting after ``authority to 
ensure compliance with'' the following: ``and, to the extent 
determined necessary and explicitly authorized by the head of 
the agency, to enforce''.
    Section 2(c) of the bill would amend section 3544(b) of 
title 44, United States Code, (1) by striking ``and'' at the 
end of paragraph (7); (2) by striking the period and inserting 
``; and'' at the end of paragraph (8); and by adding at the end 
the following new paragraph: (9) procedures for notifying 
individuals whose sensitive personal information is compromised 
consistent with policies, procedures, and standards established 
under section 3543(a)(9) of this title.''
    Section 2(d) of the bill would amend section 3542(b) of 
title 44, United States Code, by defining the term `sensitive 
personal information' as any information contained in a record, 
as defined in section 552a(4) of title 5, United States Code.
    Section 3 of the bill would amend Chapter 3 of title 38, 
United States Code, by inserting after section 307 the 
following new section: ``Sec. 307A. Under Secretary for 
Information Services''.
    New section 307A(a) of the bill would create the Under 
Secretary for Information Services, who is appointed by the 
President by and with the advice and consent of the Senate. The 
Under Secretary would be the head of the Office of Information 
Services and will perform such functions as the Secretary 
prescribes.
    New section 307A(b) of the bill would specify that the 
Under Secretary for Information Services serve as the Chief 
Information Officer of the Department under section 310 of 
title 38, United States Code, notwithstanding any other 
provision of law.
    Section 3(b) of the bill would make clerical amendments.
    Section 3( c) of the bill would make conforming amendments.
     Section 4(a) of the bill would amend Chapter 57 of title 
38, United States Code, by adding a new Subchapter III--
Information Security:
    New section 5721(1) of the bill would define the term 
`sensitive personal information' as the name, address, or 
telephone number of an individual, in combination with any of 
the following: (A) the Social Security number of the 
individual, (B) the date of the birth of the individual, (C) 
any information not available as part of the public record 
regarding the individual's military service or health, (D) any 
financial account or other financial information relating to 
the individual, (E) the driver's license number or equivalent 
State identification number of the individual, (F) the 
deoxyribonucleic acid profile or other unique biometric data of 
the individual, including the fingerprint, voice print, retina 
or iris image, or other unique physical representation of the 
individual.
    New section 5721(2) of the bill would define the term `data 
breach' to mean the loss, theft, or other unauthorized access 
to data containing sensitive personal information, in 
electronic or printed form, that results in the potential 
compromise of the confidentiality or integrity of the data.
    New section 5721(3) of the bill would define the term `data 
breach analysis' to mean the identification of any misuse of 
sensitive personal information involved in a data breach.
    New section 5721(4) of the bill would define the term 
`fraud resolution services' to mean services to assist an 
individual in the process of recovering and rehabilitating the 
credit of the individual after the individual experiences 
identity theft.
    New section 5721(5) of the bill would define the term 
`identity theft' as the meaning given under section 603 of the 
Fair Credit Reporting Act (15 U.S.C. 168Ia).
    New section 5721(6) of the bill would define the term 
`identity theft insurance' as any insurance policy that pays 
benefits for costs, including travel costs, notary fees, 
postage costs, lost wages, and legal fees and expenses 
associated with the identity of the insured individual.
    New section 5721(7) of the bill would define the term 
`principal credit reporting agency' as a consumer reporting 
agency as described in section 603(p) of the Fair Credit 
Reporting Act (15 U.S.C. 1681a(p)).
    New section 5722(a) of the bill would provide that the 
Office of the Under Secretary for Information Services consist 
of the following: (I) the Deputy Under Secretary for 
Information Services for Security, who shall serve as the 
Senior Information Security Officer of the Department, (2) the 
Deputy Under Secretary forInformation Services for Operations 
and Management, (3) the Deputy Under Secretary for Information Services 
for Policy and Planning.
    New section 5722(b) of the bill would provide that 
appointments under new section 5722(a) be made by the 
Secretary, notwithstanding the limitations of section 709 of 
title 38, United States Code.
    New section 5722(c) of the bill would provide that at least 
one of the positions established and filled under new section 
5722(a) be filled by an individual who has at least five years 
of continuous service in the Federal civil service in the 
executive branch immediately preceding the appointment of the 
individual as a Deputy Under Secretary. For purposes of 
determining such continuous service of an individual, there 
shall be excluded any service by such individual in a position 
(1) of a confidential, policy-determining, policy-making, or 
policy-advocating character; (2) in which such individual 
served as a non-career appointee in the Senior Executive 
Service, as defined in section 3132(a)(7) of title 5, United 
States Code; or (3) to which such individual was appointed by 
the President.
    New section 5723(a) would provide for the responsibilities 
of the Chief Information Officer. The Secretary shall ensure 
that the Chief Information Officer, in order to support the 
economical, efficient, and effective execution of subtitle III 
of chapter 35 of title 44, United States Code, have the 
authority and control necessary to develop, approve, implement, 
integrate, and oversee the policies, procedures, processes, 
activities, and systems of the Department relating to that 
subtitle, including the management of all related mission 
applications, information resources, personnel, and 
infrastructure.
    New section 5723(b) of the bill would require the Secretary 
to submit a report, not later than March 1 of each year, to the 
Committees on Veterans' Affairs of the Senate and House of 
Representatives, the Committee on Government Reform of the 
House of Representatives, and the Committee on Homeland 
Security and Governmental Affairs of the Senate, on the 
Department's compliance with subtitle III of chapter 35 of 
title 44, United States Code. The information in such report 
shall be displayed in the aggregate and separately for each 
Administration, office, and facility of the Department.
    New section 5723(c)(1) of the bill would require the Chief 
Information Officer to submit a report, at least once every 
month, to the Secretary noting any deficiency in the compliance 
with subtitle III of chapter 35 of title 44, United States 
Code, of the Department or any Administration, office, or 
facility of the Department.
    New section 5723(c)(2) of the bill would require the Chief 
Information Officer to immediately report to the Secretary any 
significant deficiency in such compliance.
    New section 5723(d)(1) of the bill would require the Chief 
Information Officer to immediately provide notice to the 
Secretary any data breach.
    New section 5723(d)(2) of the bill would require the 
Secretary, after receiving notice of a date breach under 
paragraph (1), to provide notice of such breach to the Director 
of the Office of Management and Budget, the Inspector General 
of the Department, and, if appropriate, the Federal Trade 
Commission and the United States Secret Service.
    New section 5723(e) of the bill would require the 
Secretary, when the budget for any fiscal year is submitted by 
the President to Congress under section 1105 of title 31, 
United States Code, to submit to Congress a report that 
identifies amounts requested for Department implementation and 
remediation of, and compliance with, this subchapter and 
subtitle III of chapter 35 of title 44, United States Code. The 
report shall set forth those amounts both for each 
Administration within the Department and for the Department in 
the aggregate and shall identify, for each such amount, how 
that amount is aligned with and supports such implementation 
and compliance.
    New section 5724(a)(I) of the bill would require the 
Secretary to submit a report, not later than 30 days after the 
last day of a fiscal quarter, to the Committees on Veterans' 
Affairs of the Senate and the House of Representatives, on any 
data breach with respect to sensitive personal information 
processed or maintained by the Department that occurred during 
that quarter.
    New section 5724(2) of the bill would require that each 
report submitted under paragraph (1) identify, for each data 
breach covered by the report, the Administration and facility 
of the Department responsible for processing or maintaining the 
sensitive personal information involved in the data breach.
    New section 5724(b)(1) of the bill would require the 
Secretary, in the event of a data breach with respect to 
sensitive personal information and which the Secretary 
determines is significant, to provide notice to the Committees' 
on Veterans' Affairs of the Senate and House of 
Representatives.
    New section 5724(b)(2) of the bill would require the 
Secretary, pursuant to paragraph (1), to provide prompt notice 
following the discovery of such a data breach and the 
implementation of any measures necessary to determine the scope 
of the breach, prevent any further breach or unauthorized 
disclosures, and reasonably restore the integrity of the data 
system.
    New section 5725(a)(1) of the bill would require that, in 
the event of a data breach with respect to sensitive personal 
information that is processed or maintained by the Secretary, 
the Secretary shall ensure that, as soon as possible after the 
data breach, a non Department entity conducts an independent 
risk analysis of the data breach to determine the level of risk 
associated with the data breach for the potential misuse of any 
sensitive personal information involved in the data breach.
    New section 5725(a)(2) of the bill would require the 
Secretary to provide credit protection services in accordance 
with section 5726 of title 38, United States Code, in the event 
of a data breach with respect to sensitive personal information 
that is processed or maintained by the Secretary.
    New section 5725(b)(1) of the bill would require the 
Secretary to provide to an individual whose sensitive personal 
information is involved in a data breach, notice (A) in 
writing; or (B) by e-mail, if (i) the Department's primary 
method of communication with the individual is by email; and 
(ii) if the individual has consented to receive such 
notification.
     New section 5725(b)(2) of the bill would provide that 
notice under paragraph (1) shall describe the circumstances of 
the data breach and the risk that the breach could lead to 
misuse, including identity theft, involving the sensitive 
personal information of the individual; describe the specific 
types of sensitive personal information that was compromised as 
a part of the data breach; describe the actions the Department 
is taking to remedy the data breach; inform the individual that 
the individual may require a fraud alert and credit security 
freeze under this section; clearly explain the advantages and 
disadvantages to the individual of receiving fraud alerts and 
credit security freezes underthis section; and include other 
such information as the Secretary determines is appropriate.
    New section 5725(b)(3) of the bill would require the notice 
under paragraph (1) to be provided promptly following the 
discovery of a data breach and the implementation of any 
measures necessary to determine the scope of the breach, 
prevent any further breach or unauthorized disclosures, and 
reasonably restore the integrity of the data system.
    New section 5725(c) of the bill would require the Secretary 
to promptly report, with respect to sensitive personal 
information processed or maintained by the Secretary, to the 
Committees on Veterans' Affairs of the Senate and House of 
Representatives, findings of any independent risk analysis 
conducted under subsection (a)(1), any determination of the 
Secretary under subsection (a)(2), and a description of any 
credit protection services provided under section 5726 of title 
38, United States Code.
    New section 5725(d) of the bill would provide that, 
notwithstanding sections 511 and 7104(a) of title 38, United 
States Code, any determination of the Secretary under 
subsection (a)(2) with respect to the reasonable risk for the 
potential misuse of sensitive information involved in a data 
breach is final and conclusive and may not be reviewed by any 
other official, administrative body, or court, whether by an 
action in the nature of mandamus or otherwise.
    New section 5725(e)(1) of the bill would require the 
Secretary, in the event of a data breach with respect to 
sensitive personal information that is processed or maintained 
by the Secretary, to arrange, upon the request of an individual 
whose sensitive personal information is involved in the breach 
to a principal credit reporting agency with which the Secretary 
has entered into a contract under section 5726( d) and at no 
cost to the individual, for the principal credit reporting 
agency to provide fraud alert services for that individual for 
a period of not less than one year, beginning on the date of 
such request, unless the individual requests that such fraud 
alert be removed before the end of such period, and the agency 
receives appropriate proof of the identity of the individual 
for such purpose.
    New section 5725(e)(2) of the bill would require the 
Secretary to arrange for each principal credit reporting agency 
referred to in paragraph (2) to provide any alert requested 
under such subsection in the file of the individual along with 
any credit score generated in using that file, for a period of 
not less than one year, beginning on the date of such request, 
unless the individual requests that such fraud alert be removed 
before the end of such period, and the agency receives 
appropriate proof of the identity of the individual for such 
purpose.
    New section 5725(f)(1) of the bill would require the 
Secretary to arrange, in the event of a data breach with 
respect to sensitive personal information that is processed or 
maintained by the Secretary, upon request of an individual 
whose sensitive personal information is involved in the breach 
and at no cost to the individual, for each principal credit 
reporting agency to apply a security freeze to the file of that 
individual for a period not less than one year, beginning on 
the date of such request, unless the individual requests that 
such security freeze be removed before the end of such period, 
and the agency receives appropriate proof of the identity of 
the individual for such purpose.
    New section 5725(f)(2) of the bill would require the 
Secretary to arrange for a principal credit reporting agency 
applying a security freeze under paragraph (1) to (A) send 
written confirmation of the security freeze to the individual 
within five business days of applying the freeze; (B) refer the 
information regarding the security freeze to other consumer 
reporting agencies; (C) provide the individual with a unique 
personal identification number or password to be used by the 
individual when providing authorization for the release of the 
individual's credit for a specific party or period of time; and 
(D) upon request of the individual, to temporarily lift the 
freeze for a period of time specified by the individual, 
beginning not later than three business days after the date on 
which the agency receives the request.
    New section 5726(a) of the bill would provide credit 
protection services to a covered individual, who, for the 
purposes of this section, is an individual whose sensitive 
personal information is processed or maintained by the 
Department (or any third-party entity acting on behalf of the 
Department) whose sensitive personal information is involved, 
on or after August 1,2005, in a data breach for which the 
Secretary determines a reasonable risk exists for the potential 
misuse of sensitive personal information under section 
5725(a)(2) of title 38, United States Code.
    New section 5726(b)(1) of the bill would require the 
Secretary to provide, in writing, notification of credit 
protection services, in addition to any notice required under 
subsection 5725(b), to a covered individual that (A) the 
individual may request credit protection services under this 
section; (B) clearly explains the advantages and disadvantages 
to the individual of receiving credit protection services under 
this section; (C) includes a notice of which principal credit 
reporting agency the Secretary has entered into a contract with 
under subsection (d), and information about requesting services 
through that agency; (D) describes actions the individual can 
or should take to reduce the risk of identity theft; and (E) 
includes such other information as the Secretary determines is 
appropriate.
    New section 5726(b)(2) of the bill would require that the 
required notice under paragraph (1) be made as promptly as 
possible and without reasonable delay following the discovery 
of a data breach for which the Secretary determines a 
reasonable risk exists for the potential misuse of sensitive 
personal information under section 5725(a)(2) of this title and 
the implementation of any measures necessary to determine the 
scope of the breach, prevent any further breach or unauthorized 
disclosures, and reasonably restore the integrity of the data 
system.
    New section 5726(b)(3) of the bill would require the 
Secretary to ensure that each notification under paragraph (1) 
includes a form or other means for readily requesting the 
credit protection services under this section. Such form or 
other means may include a telephone number, email address, or 
Internet website address.
    New section 5726(c) of the bill would provide for the 
availability of services through other government agencies. If 
a service required under this section is available to a covered 
individual through another department or agency of the 
Government, the Secretary and the head of that department or 
agency may enter in to an agreement under which the head of 
that department or agency agrees to provide that service to the 
covered individual.
    New section 5726(d) of the bill would require, subject to 
the availability of appropriations and not withstanding any 
other provision of law, that the Secretary shall enter into 
contracts or other agreements as necessary with one or more 
principal credit reporting agencies in order to ensure, in 
advance, the provision of credit protection services under this 
section and fraud alerts and security freezes under section 
5725 of thistitle. Any such contract or agreement may include 
provisions for the Secretary to pay the expenses of such a credit 
reporting agency for the provision of such services.
    New section 5726(e) of the bill would require the 
Secretary, upon request of the individual and at no cost to the 
individual, to provide data breach analysis for the individual 
for a period of not less than one year, beginning on the date 
of such request.
    New section 5726(f) of the bill would require the Secretary 
to arrange, during the one-year period beginning on the date on 
which the Secretary notifies a covered individual that the 
individual's sensitive personal information is involved in a 
data breach, for the provision of credit monitoring services to 
the individual upon the request of the individual and without 
charge to the individual. Credit monitoring services under this 
subsection shall include: (1) one copy of the credit report of 
the individual every three months, (2) fraud resolution 
services for the individual, and (3) identity theft insurance 
in a coverage amount that does not exceed $30,000 in aggregate 
liability for the insured.
    New section 5727(a) of the bill would require that if the 
Secretary enters into any contract for the performance of any 
Department function that requires access to sensitive personal 
information that (1) the contractor not, directly or through an 
affiliate of the contractor, disclose such information to any 
other person unless the disclosure is lawful and is expressly 
permitted under contract, and (2) the contractor or any 
subcontractor for a subcontract of the contract, promptly 
notify the Secretary of any data breach that occurs with 
respect to such information.
    New section 5727(b) of the bill would require each contract 
subject to the requirements of subsection (a) to provide 
liquidated damages to be paid by the contractor to the 
Secretary in the event of a data breach with respect to any 
sensitive personal information processed or maintained by the 
contractor or any subcontractor under that contract.
    New section 5727(c) of the bill would require any amount 
collected by the Secretary under subsection (b) be deposited in 
or credited to the Department account from which the contractor 
is paid and remain available for obligation without fiscal year 
limitation exclusively for the purpose of providing credit 
protection services in accordance with section 5726 of title 
38, United States Code.
    New section 5728 of the bill would authorize such sums as 
may be necessary for each fiscal year to be appropriated to 
carry out this subchapter.
    Section 4(b) of the bill would make clerical amendments.
    Section 4(c) of the bill would require the Secretary of 
Veterans Affairs to publish regulations to carry out subchapter 
III of chapter 57, title 38, United States Code, as added by 
subsection (a), not later than 60 days after the enactment of 
this Act.
    Section 5 of the bill would require the Secretary to submit 
to Congress a report containing the assessment of the Secretary 
on the feasibility of using personal identification numbers 
instead of Social Security numbers for the purpose of 
identifying individuals whose sensitive personal information, 
as defined in section 5721 of title 38, United States Code, is 
processed or maintained by the Secretary, not later than 180 
days after enactment of this Act.
    Section 6(a)(1) of the bill would require the President to 
nominate an individual to serve as Under Secretary for 
Information Services under section 307A of title 38, United 
States Code, not later than 180 days after enactment of this 
Act.
    New section 6(a)(2) of the bill would require the Secretary 
of Veterans Affairs to appoint an individual to serve as each 
of the Deputy Under Secretaries of Veterans Affairs for 
Information Services under section 5722 of title 38, United 
States Code, not later than 180 days after enactment of this 
Act.
    New section 6(b) of the bill would require the Secretary of 
Veterans Affairs to submit to Congress a report describing the 
progress of appointments described in subsection (a), not later 
than 30 days after enactment of this Act, and every 30 days 
after until the appointments are made.
    Section 7(a) of the bill would add a new chapter 79, 
``Information Security Education Assistance Program,'' to title 
38, United States Code. The following sections would be added 
to title 38, United States Code.
    New section 7901(a) of the bill would require the Secretary 
to provide financial support for education in computer science, 
and electrical and computer engineering at accredited 
institutions of higher education to encourage the recruitment 
and retention of personnel who have information security skills 
necessary to meet the Department's needs.
    New section 7901(b) of the bill would authorize programs 
for scholarships for the pursuit of doctoral degrees in 
computer science, and electrical and computer engineering from 
accredited institutions of higher education or education debt 
reduction for Department personnel who hold doctoral degrees in 
computer science, or electrical and computer engineering from 
accredited institutions of higher education.
    New section 7902(a)(1) of the bill would require the 
Secretary to establish a scholarship program, subject to the 
availability of appropriations, to provide financial assistance 
to individuals who are pursuing a doctoral degree in computer 
science, and electrical and computer engineering at accredited 
institutions of higher education and enter into an agreement 
with the Secretary as described in the new subsection 7902(b).
    New section 7902(a)(2) of the bill would allow the 
Secretary to provide the scholarship to an individual for up to 
five years unless the Secretary determines that a waiver is 
necessary.
    New section 7902(a)(3) of the bill would allow the 
Secretary to award up to five scholarships per academic year to 
individuals who did not receive the scholarship the preceding 
year. One of the five scholarships each year may be awarded to 
a current VA employee.
    New section 7902(b) of the bill would require any 
individual who receives financial assistance from the 
scholarship to enter into an agreement to accept and continue 
employment with VA for a period of obligated service to be 
determined by the Secretary that would not be less than 2 years 
of service for every one year of financial assistance. The 
period of obligated service would begin on a date after the 
individual receives a degree. The individual would be required 
to maintain a satisfactory academic progress, as determined by 
the Secretary, or the assistance would be terminated. The 
Secretary would have the authority to determine any other 
appropriate terms and conditions for carrying out the 
scholarship.
    New section 7902(c) of the bill would allow the amount of 
financial assistance under the scholarship program to not 
exceed $50,000 per academic year or a total amount of 
assistance of $200,000. The scholarship would be used for 
tuition and fees of the individual and $1500 would be awarded 
to the individual each month the individual is pursuing a 
course of study, independent research and between semesters for 
books, laboratory expenses, and room and board. The assistance 
awarded under this new section would not be considered as 
income or resources when determining eligibility for and 
Federal or federally assisted programs.
    New section 7902(d) of the bill would require any 
individual who receives the scholarship to repay the Secretary 
if the individual fails to satisfy the requirements of the 
service agreement entered into with the Secretary according to 
subsection 7902(b). The Secretary would be authorized to make 
regulations with regard to the repayment policy of the 
scholarship. The repayment obligation would be a debt owed to 
the United States and a discharge in bankruptcy under title 11, 
United States Code, would not discharge the individual's debt 
if the debt is entered into in less than five years after the 
termination of the agreement of contract.
    New section 7902(e) of the bill would require the Secretary 
to prescribe regulations for a waiver or suspension policy for 
service or payment if the Secretary determines the individual 
is noncompliant due to circumstances beyond their control.
    New section 7902(f) of the bill would authorize the 
Secretary to offer compensated internships to individuals 
receiving the scholarship between semesters. Any internship 
performed would not count towards obligated service.
    New section 7902(g) of the bill would prohibit any 
individual who receives education benefits under chapters 30, 
31, 32, 34, or 35 of title 38, United States Code, or from 1606 
or 1607 of title 10, United States Code, to receive the 
scholarship.
    New section 7903(a)(1) of the bill would require the 
Secretary to establish a debt reduction program, subject to the 
availability of appropriations, to provide financial assistance 
to individuals who received a doctoral degree in computer 
science, and electrical and computer engineering at accredited 
institutions of higher education for the individuals to make 
payments to the principal and interest on loans described in 
7903(b).
    New section 7903(a)(2) of the bill would allow the 
Secretary to accept up to five individuals into the program per 
year who did not receive a payment the preceding year. One of 
the five scholarships each year may be awarded to a current VA 
employee.
    New section 7903(b) of the bill would require any 
individual who participates in the program to have completed a 
doctoral degree in computer science, and electrical and 
computer engineering at accredited institutions of higher 
education during the five years preceding the date the 
individual is hired, be an employee in a position related to 
information security, and owes principal or interest on a loan 
which was used to pay the costs of achieving the doctoral 
degree.
    New section 7903(c) of the bill would limit the amount of 
financial assistance under the scholarship program to $16,500 
per year or a total amount of assistance of $82,500 over 5 
years. The total amount paid to the individual would not exceed 
the amount of principal and interest on the loans that the 
individual pays during the year.
    New section 7309(d) of the bill would require the Secretary 
to make the debt reduction payments on an annual basis on the 
last day of the one-year period beginning on the date the 
individual was accepted into the program, or if the individual 
received the payment the previous year, the individual would 
receive the payment on the last day of the one-year period 
beginning on the date of the last payment. The assistance 
awarded under this new section would not be considered as 
income or resources when determining eligibility for federal or 
federally assisted programs.
    New section 7309(e) of the bill would authorize the 
Secretary to make payments under the debt reduction program to 
an individual only if the individual maintains an acceptable 
level of performance in the position or positions during the 
year after acceptance in the program.
    New section 7309(f) of the bill would require the Secretary 
to notify any individual accepted into the debt reduction 
program of the terms and conditions of the program in writing.
    New section 7309(g) of the bill would authorize payment to 
individuals accepted into the debt reduction program for loans 
associated with tuition expenses and all other reasonable 
educational expenses, including fees, books, and laboratory 
expenses.
    New section 7904 of the bill would require the Secretary to 
give preference for the financial assistance programs to 
qualified individuals who are: service-disabled veterans; 
veterans; surviving spouses of veterans who have died of a 
service-connected disability, or spouses of veterans who are 
100 percent permanently and totally disabled; individuals who 
have received or are pursuing a degree at a Center of Academic 
Excellence in Information Assurance Education; or citizens of 
the United States.
    New section 7905 of the bill would require that any veteran 
who receives financial assistance through this new chapter 79 
of title 38, United States Code be discharged from the Armed 
Forces under honorable conditions.
    New section 7906 would require the Secretary to prescribe 
regulations for the new chapter 79 of title 38, United States 
Code.
    New section 7907 of the bill would terminate the new 
financial assistance programs on July 31, 2017.
    New section 7(b) of the bill would require the Comptroller 
General to submit a report to Congress on the scholarship and 
debt reduction programs under the new chapter 79 of title 39, 
United States Code no later than 3 years after date of 
enactment.
    New section 7(c) of the bill would require scholarship 
payments under the new chapter 79 of title 38, United States 
Code to apply to academic semesters or terms beginning on or 
after August 31, 2007.
    New section 7(d) of the bill would make clerical 
amendments.


                    Performance Goals and Objectives

    The reported bill would establish the position of Under 
Secretary for Information Services, and would provide for an 
Office of Information Services within the Department of 
Veterans Affairs. It would strengthen the Federal Information 
Security Management Act of 2002, to provide the Department's 
Chief Information Officer improved enforcement authority over 
information management, and require certain notification and 
credit services for veterans affected by data breaches. 
Performance goals and objectives are established in VA's annual 
performance plans and are subject to the Committee's regular 
oversight. In addition, the Committee on Government Reform 
conducts regular oversight of the Department's conformance with 
FISMA regulations.

             Statements of the Views of the Administration


Statement of Hon. Gordon H. Mansfield, Deputy Secretary, Department of 
                            Veterans Affairs

    Mr. Chairman and Members of the Committee,
    I am pleased to provide the Department's views on eight 
bills, all intended to protect the personal privacy of veterans 
and others affected by the May 3, 2006 theft of computer 
equipment containing veterans' personal data. While you had 
also invited our views on a draft bill your staff shared last 
week, I regret that time has not permitted us have cleared 
positions on its many provisions. We will supply those for the 
record once the necessary executive-branch coordination is 
completed.
    Initially, I wish to point out that the eight bills covered 
in my testimony were introduced before the stolen computer 
hardware was recovered. As you know, the FBI has concluded with 
a high degree of confidence that, based upon its forensic 
examination and other evidence developed during its 
investigation, the veterans data were not accessed or 
compromised prior to their recovery. That development has 
eliminated the need for much of what is proposed in the 
legislation, and while we understand the concerns that 
engendered these eight bills we do not support their enactment.


                               h.r. 5455


    H.R. 5455, the ``Veterans Identity Protection Act of 
2006,'' would require the Department of Veterans Affairs to: 
(1) provide notification to each individual whose personal' 
information was included in the recent data breach; (2) provide 
to any of these individuals a free one-year credit monitoring 
service; (3) provide a copy of that individual's credit report 
once annually during the two year period following the 
termination of the credit monitoring services; and (4) certify 
in writing to Congress that any individual whose personal 
information has been compromised due to data security lapses at 
the Department has been appropriately notified in writing.
    The Secretary has already taken proactive and aggressive 
steps to notify all individuals whose personal information was 
potentially at risk as a result of the May 3 data theft, Also, 
the recovery of the data, apparently uncompromised, eliminates 
the need to offer credit monitoring or additional free credit 
reports at this time.
    In addition, the Fair Credit Reporting Act (FCRA), 15 
U.S.C. Sec. 1681 et seq., requires each of the three major 
credit bureaus to provide, upon request, a free copy of an 
individual's credit report once every twelve months and upon 
the individual's placement of an initial fraud alert on his or 
her credit file. Therefore, an individual who places an initial 
fraud alert could make a request to each of the three credit 
bureaus and receive up to six free credit reports annually. The 
Department's website at http://www.va.gov. documents the 
actions taken by the Secretary in this regard and advises 
veterans how to place a fraud alert with, and obtain free 
credit reports from, the credit bureaus. For these reasons, 
H.R. 5455 is unnecessary.


                               h.r. 5464


    H.R. 5464, the ``Veterans Identity Protection Act,'' would 
require VA to: (1) provide detailed notification to each 
veteran whose personal information was included in the data 
breach; and (2) include a form for the veteran to elect to 
receive a free credit report once every three months for the 
year following notification and free credit monitoring for that 
year also. The bill also would limit the funds available to 
Office of the Secretary to 90 percent of the funds otherwise 
available if the 16 information security recommendations of 
VA's Inspector General are not fully implemented by January 1, 
2007. The bill would limit the funds otherwise available to the 
Office of the Secretary by 10 percent in subsequent fiscal 
years, after January 1, 2007, for any information security 
recommendation not fully implemented.
    VA supports the underlying intent of H.R. 5464, but cannot 
support the bill. In addition to the actions already discussed, 
VA is taking steps to implement the 16 information security 
recommendations. The Secretary has established an Information 
Security Task Force composed of senior officials and has hired 
a Special Advisor on Information Security. Working together 
with the Chief Information Officer of the Department, these 
individuals will implement the recommendations. For these 
reasons, we believe that H.R. 5464 too is unnecessary.


                               h.r. 5467


    H.R. 5467, the ``Veterans Identity Security Act of 2006,'' 
would establish criminal penalties for knowingly disclosing 
without authorization records containing personal information 
about veterans. The bill would amend title 38, United States 
Code, by adding a new section 5706 applicable to officers, 
employees, contractors, and volunteers of the Department who 
disclose personal information without lawful authorization. The 
bill defines personal information as ``name, date of birth, 
address, phone number, Social Security number, and (if 
applicable) disability rating.'' Penalties range from fines to 
imprisonment for up ten years when there is intent to sell, 
transfer, or use the personal information for commercial 
advantage, personal gain or malicious harm.
    VA has no objection to the intent of H.R. 5467 but has 
several technical suggestions for improving its drafting and 
coverage. We would be happy to discuss these with Committee 
staff at its convenience.


                               h.r. 5487


    H.R. 5487, the ``Veterans' ID Theft Protection Act of 
2006,'' would also require VA to notify any person affected by 
the breach, but also to notify consumer reporting agencies and 
appropriate third parties who may be required to act in a 
manner to further protect affected persons from fraud or 
identity theft. The notice specifications must include details 
of the breach, current safeguards of personal information, 
contact information for the Department, information provided by 
the Federal Trade Commission (FTC) regarding identity theft, 
information on obtaining a copy of a consumer's credit report 
free of charge and other information regarding placing a fraud 
alert on one's file and contact information for the FTC. The 
bill also would require the Department to offer affected 
persons free credit monitoring service, at their request, for 
not less than six months, and to take prompt and reasonable 
measures to repair the data breach that would improve the data 
security policies and procedures.
    For reasons already discussed, H.R. 5487 is unnecessary.


                               h.r. 5490


    H.R. 5490, the ``Veterans Identification Protection Act,'' 
would require the Department of Veterans Affairs to: (1) 
provide a four-digit personal identification number (PIN) for 
each veteran who receives or applies for VA benefits, and (2) 
take steps to provide that any entity entering into a 
commercial transaction with a veteran that ``includes the 
extension to the veteran of credit, a loan, or any other thing 
of value'' shall verify the veteran's identity through the PIN 
established. Any entity that is required to so verify a 
veteran's identity, but fails to, would be liable to that 
individual for all attorney fees and injuries incurred by that 
individual resulting from that failure.
    VA does not support H.R. 5490. VA understands that the 
current level of security as recommended by the National 
Institute of Standards and Technology and other security 
experts requires a PIN number with more than four digits. 
However, even if the bill were amended in this regard, VA would 
be opposed to the requirement that the Secretary provide, 
assign, monitor, or validate any universal PIN number 
exclusively for the use of veterans in commercial enterprises. 
The bill is unclear about the commercial enterprises to be 
covered. For example, there is no distinction made between 
commercial activities with a VA involvement (such as a home 
loan guarantee) and other commercial activities a veteran may 
be involved with that have no VA connection.


                               h.r. 5577


    H.R. 5577, the ``Veterans Identity Protection Act of 
2006,'' is intended to enhance the protection from disclosure 
of VA records containing personal identifying information that 
is required by law to be confidential and privileged.
    It would require the Department to establish an Office of 
Identity Protection, administered by a Director who shall be 
appointed by the Secretary. The Office would notify each 
individual whose personal information has been lost or 
compromised, provide him or her with one credit report every 
six months for three years at no charge, offer a 24-hour toll-
free telephone number and a web site to provide information 
regarding credit reporting services, ensure that active-duty 
military personnel have access to credit reporting services, 
make information available on possible fraudulent consumer 
credit or reporting services that may be targeted at affected 
veterans and service members and notify the Department of 
Justice and the FTC immediately when personal data in VA 
records may have been compromised. Furthermore, the Act would 
require the VA Inspector General (IG) to conduct a study of the 
data-security practices at VA and submit a report not later 
than six months after the date of the law's enactment to the 
Senate and House Committees on Veterans' Affairs. Finally the 
Act would impose criminal penalties of a fine or imprisonment 
on any VA employee who removes records from VA custody without 
proper authorization.
    VA supports the underlying purposes of H.R. 5577, but 
cannot support the bill. In addition to the ameliorative 
actions already discussed, VA has provided a toll-free 
telephone number and a section on the Department's web site 
with information for those individuals seeking assistance, and 
established an Information Security Task Force to improve data 
security. While the Information Security Task Force will 
consider administrative alignments to enhance data security 
protections, there does not appear to be a need for a separate 
administrative Office of Identity Protection at this time. And, 
as already noted, FCRA already provides up to three free credit 
reports annually, and up to another three annually when an 
initial fraud alert is placed. For these reasons, we do not 
believe that these provisions are necessary.
    The requirement for the VA IG to report on the Department's 
progress in implementing data security improvements within six 
months after the law's enactment would not allow sufficient 
time for the Department to address corrective actions before 
the report must be submitted. Furthermore, the VA Inspector 
General regularly issues reports about data security practices 
within VA in Federal Information Security Management Act 
(FISMA) audits and consolidated financial statement audits 
performed annually. There does not appear to be a need for 
additional reports in this area.
    In addition, the criminal penalty provision is not 
sufficiently specific for enforcement purposes. In particular, 
the bill does not specify whether ``remove from the custody of 
VA,'' refers to removal from the ``custody of a VA employee'' 
or any removal from a ``VA worksite.'' H.R. 5577 also does not 
consider the reality that files leave the worksite every day 
for legitimate purposes, nor does it identify the specific part 
of title 18 that would provide for the fines imposed for such 
action. We could support enactment of the additional criminal 
penalties in H.R. 5467 if those provisions were amended as 
discussed above.


                               h.r. 5588


    H.R. 5588, the ``Comprehensive Veterans'' Data Protection 
and Identity Theft Prevention Act of 2006,'' would require the 
Secretary of Veterans Affairs to: (1) issue policies and 
procedures to safeguard sensitive personal information before 
the end of the 90-day period beginning on the date of the 
enactment of the Act; (2) notify the Secret Service, VA IG, 
Senate and House Committees on Veterans' Affairs, the FTC, and 
the affected individual of any breach: (3) place fraud alerts 
or security freezes in the credit file of affected individuals; 
(4) provide affected individuals with credit monitoring 
services; and (5) establish the position of an Ombudsman for 
Data Security within the Department to provide information and 
assistance to such individuals.
    In light of the ameliorative actions outlined above, VA 
does not believe that H.R. 5588 is necessary and does not 
support enactment.


                               h.r. 5636


    H.R. 5636, the ``Social Security Numbers Privacy and 
Protection Act,'' would require: (1) the alteration of 
selective service reminder mailback cards; and (2) the 
elimination and prohibition of social security account numbers 
from Medicare, Medicaid, and SCHIP- and VA-issued health care 
identification cards by the end of the two-year period after 
the enactment of the Act.
    VA supports alternative methods for the identification of 
veterans for the purpose of providing health care or other 
benefits available under Title 38. To that end, VA has already 
removed the social security numbers from the Veterans 
Identification Cards known as VIC cards and is therefore 
already in compliance with the bill. With respect to Medicare, 
Medicaid, and SCHIP programs, the Department of Health and 
Human Services advises us that instituting a new number for use 
on the identity cards used for these programs would entail 
substantial expense and require a substantially longer time 
than allowed by the bill. They are continuing to work on these 
efforts. Therefore, we believe that enactment of H.R. 5636 
would not be productive.


                               conclusion


    As I have indicated, VA already has implemented many of the 
provisions of the various bills that provide, among other 
things, stronger safeguards to protect against data breaches 
within the Department. VA is strongly committed to providing 
all available protections to the safety and security of 
personal information of all veterans' and their beneficiaries. 
As we continue to work on improvements in our systems and 
procedures, we will be pleased to work with your Committee in 
fostering methods to achieve a level of information security 
that is responsible and necessary.

               Congressional Budget Office Cost Estimate

    The following letter was received from the Congressional 
Budget Office concerning the cost of the reported bill:

                                     U.S. Congress,
                               Congressional Budget Office,
                                     Washington, DC, July 28, 2006.
Hon. Steve Buyer,
Chairman, Committee on Veterans' Affairs,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 5835, the Veterans 
Identity and Credit Security Act of 2006.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Sam 
Papenfuss.
            Sincerely,
                                          Donald B. Marron,
                                                   Acting Director.
    Enclosure.

H.R. 5835--Veterans Identity and Credit Security Act of 2006

    Summary: H.R. 5835 would create a new Office of the Under 
Secretary for Information Services within the Department of 
Veterans Affairs (VA). The bill also would require VA to notify 
affected individuals when sensitive, personal information held 
by VA is lost, stolen, or otherwise compromised. Additionally, 
if the Secretary of VA determines there is a risk that the 
compromised information could be used in a criminal manner, VA 
would be required to provide services to alleviate any loss 
those individuals might suffer. Furthermore, H.R. 5835 would 
require contractors to pay damages to VA if the compromised 
information was under the contractors' control and would allow 
VA to spend those receipts without further appropriation 
action. Finally, the bill would allow VA to provide 
scholarships and pay school debts for individuals pursuing a 
doctoral degree in computer science or related fields who agree 
to work for VA.
    CBO estimates that implementing H.R. 5835 would cost $5 
million in 2007 and about $50 million over the 2007-2011 
period, assuming appropriation of the estimated amounts. 
However, if VA were to experience another data breach similar 
to the recent incident involving personal information on 17 
million individuals, the cost could be as much as $1 billion. 
Under the bill, VA would be authorized to collect and spend 
certain receipts, but CBO estimates that the net effect of 
those receipts on the federal budget would be insignificant.
    H.R. 5835 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act (UMRA) 
and would not affect the budgets of state, local, or tribal 
governments.
    Estimated cost to the Federal Government: The estimated 
budgetary impact of H.R. 5835 is shown in the following table. 
The costs of this legislation fall within budget function 700 
(veterans benefits and services).

----------------------------------------------------------------------------------------------------------------
                                                                  By fiscal year, in millions of dollars--
                                                           -----------------------------------------------------
                                                              2006     2007     2008     2009     2010     2011
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION

Credit-Protection Services:
    Estimated Authorization Level.........................        0        9       10       10       10       11
    Estimated Outlays.....................................        0        5        9       10       10       11
Scholarships and Debt Reduction:
    Estimated Authorization Level.........................        0      (*)        1        1        1        1
    Estimated Outlays.....................................        0      (*)        1        1        1        1
Total Changes in Spending Under H.R. 5835:
    Estimated Authorization Level.........................        0        9       11       11       11       12
    Estimated Outlays.....................................        0        5       10       11       11       12
----------------------------------------------------------------------------------------------------------------
Note.--* = less than $500,000.

    Basis of estimate: For the purposes of this estimate, CBO 
assumes that the bill will be enacted near the start of fiscal 
year 2007 and that the estimated amounts will be appropriated 
for each year.

Spending subject to appropriation

    Assuming appropriation of the estimated amounts, 
implementing H.R. 5835 would cost $5 million in 2007 and about 
$50 million over the 2007-2011 period, CBO estimates. This 
spending would be for credit-protection services for certain 
veterans and for scholarships and debt-reduction grants 
provided to current and future VA employees.
    Credit-Protection Services. H.R. 4835 would require VA to 
notify individuals and provide them with certain services when 
their sensitive, personal information is lost, stolen, or 
otherwise compromised, while in VA's possession. All of those 
services would be provided at no cost to those individuals. 
Initially, VA would have to:
           Notify all affected individuals of the lost 
        or compromised data,
           Inform those individuals of the steps VA is 
        taking to remedy the problem,
           Explain to each individual the advantages 
        and disadvantages of requesting a fraud alert and a 
        credit security freeze from the major credit-reporting 
        agencies, and
           Contract with the credit-reporting agencies 
        to implement a security freeze of the file of each 
        affected individual who requests it.
    If the Secretary of VA determines there is a reasonable 
risk that the compromised data could be misused, the department 
would have to provide an additional notification detailing the 
availability of credit-protection services. Under the bill, VA 
would contract with one of the principal credit-reporting 
agencies to provide affected individuals credit-protection 
services that include:
           A credit report every three months,
           Services to assist in rehabilitating the 
        individual's credit in the event of identity theft, and
           Identity theft insurance of up to $30,000 
        that would cover the damages of identity theft, 
        including travel costs, legal fees, and lost wages.
    Based on publicly available information on the recent loss 
of personal information by government agencies (including VA), 
CBO estimates that VA could be expected to experience an 
average of three incidents a year in which sensitive, personal 
information is compromised in some manner. Excluding the 
incident that occurred on May 3, 2006, when a computer with 
information on more than 17 million people was stolen, the 
average number of people affected by a data breach has been 
about 50,000. Based on information from VA, CBO expects that 
the cost of notifying individuals in the event of such data 
breaches would generally be less than $500,000 a year.
    Using information from a Federal Trade Commission survey 
report on identity theft, CBO estimates that 10 percent to 15 
percent of those individuals who have their personal 
information compromised might have problems with identity theft 
and experience a loss. CBO estimates that, in 2007, such a loss 
would, on average, amount to about $450. Thus, CBO estimates 
that requiring VA to provide insurance and fraud-resolution 
services to individuals who have had their personal information 
compromised would cost about $10 million a year, on average, 
assuming appropriation of the necessary amounts. CBO projects 
that outlays would be $5 million in 2007 and about $45 million 
over the 2007-2011 period. (If VA were to experience another 
data breach where information for more than 17 million people 
were to be compromised, the cost for such an incident could be 
as high as $1 billion.)
    Scholarship and Debt Reduction. H.R. 5835 also would 
establish programs that would improve VA's ability to recruit 
employees with skills in information security. The bill would 
allow VA to pay tuition, fees, and a monthly stipend of $1,500 
for individuals who are pursuing a doctoral degree in computer 
science or a related field. Under the bill, VA could provide 
the assistance for up to five years if those individuals agreed 
to work at VA for twice as long as they received such 
assistance. VA could offer up to five new scholarships each 
year and could provide up to $50,000 a year or $200,000 per 
scholarship for each individual.
    In addition, H.R. 5835 would allow VA to establish an 
education debt-reduction program as a recruitment tool to 
attract individuals who completed a doctoral program in 
computer science or a related field within the previous five 
years. The bill would allow VA to pay up to $16,500 a year for 
five years to eligible employees for repayment of loans related 
to their doctoral degree. VA would be authorized to make such 
payments to an additional five individuals each year.
    Based on the amounts specified in the bill, CBO estimates 
that implementing these provisions would cost less than 
$500,000 in 2007 and about $4 million over the 2007-2011 
period, assuming appropriation of the necessary amounts.

Direct spending

    Section 4 of the bill would require that VA contractors who 
have access to sensitive personal information pay damages to VA 
in the event the personal data is compromised. Damages paid to 
VA would be credited to the appropriation account under which 
the contract was paid and would be available without fiscal 
year limitation to pay for credit-protection services. Because 
VA would be able to spend the funds collected under this 
section, CBO estimates that enacting the bill would have no 
significant net effect on direct spending in any year over the 
2007-2016 period.
    Intergovernmental and private-sector impact: H.R. 5835 
contains no intergovernmental or private-sector mandates as 
defined in UMRA and would not affect the budgets of state, 
local, or tribal governments.
    Estimated prepared by: Federal Costs: Sam Papenfuss. Impact 
on State, Local, and Tribal Governments: Melissa Merrell. 
Impact on the Private Sector: Allison Percy.
    Estimate approved by: Robert A. Sunshine, Assistant 
Director for Budget Analysis.

                     Statement of Federal Mandates

    The preceding Congressional Budget Office (CBO) cost 
estimate states that H.R. 5835, as amended, does not contain 
any intergovernmental and private-sector mandates as defined in 
the Unfunded Mandates Reform Act (UMRA), Public Law 104-4.

                 Statement of Constitutional Authority

    Pursuant to Article I, section 8 of the United States 
Constitution, the reported bill is authorized by Congress' 
power to ``provide for the common Defense and general Welfare 
of the United States.''

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, existing law in which no change is 
proposed is shown in roman):

               CHAPTER 35 OF TITLE 44, UNITED STATES CODE


CHAPTER 35--COORDINATION OF FEDERAL INFORMATION POLICY

           *       *       *       *       *       *       *



SUBCHAPTER III--INFORMATION SECURITY

           *       *       *       *       *       *       *



Sec. 3542. Definitions

  (a) * * *
  (b) Additional Definitions.--As used in this subchapter:
          (1) * * *

           *       *       *       *       *       *       *

          (4) The term ``sensitive personal information'' means 
        any information contained in a record, as defined in 
        section 552a(4) of title 5.

           *       *       *       *       *       *       *


Sec. 3543. Authority and functions of the Director

  (a) In General.--The Director shall oversee agency 
information security policies and practices, including--
          (1) * * *

           *       *       *       *       *       *       *

          (7) overseeing the operation of the Federal 
        information security incident center required under 
        section 3546; [and]
          (8) reporting to Congress no later than March 1 of 
        each year on agency compliance with the requirements of 
        this subchapter, including--
                  (A) * * *

           *       *       *       *       *       *       *

                  (E) a summary of, and the views of the 
                Director on, the report prepared by the 
                National Institute of Standards and Technology 
                under section 20(d)(10) of the National 
                Institute of Standards and Technology Act (15 
                U.S.C. 278g-3)[.]; and
          (9) establishing policies, procedures, and standards 
        for agencies to follow in the event of a breach of data 
        security involving the disclosure of sensitive personal 
        information in violation of section 552a of title 5, 
        including a requirement for timely notice to be given 
        to those individuals whose sensitive personal 
        information could be compromised as a result of such 
        breach, except no notice shall be required if the 
        breach does not create a reasonable risk of identity 
        theft, fraud, or other unlawful conduct regarding such 
        individual.

           *       *       *       *       *       *       *


Sec. 3544. Federal agency responsibilities

  (a) In General.--The head of each agency shall--
          (1) * * *

           *       *       *       *       *       *       *

          (3) delegate to the agency Chief Information Officer 
        established under section 3506 (or comparable official 
        in an agency not covered by such section) the authority 
        to ensure compliance with and, to the extent determined 
        necessary and explicitly authorized by the head of the 
        agency, to enforce the requirements imposed on the 
        agency under this subchapter, including--
                  (A) * * *

           *       *       *       *       *       *       *

  (b) Agency Program.--Each agency shall develop, document, and 
implement an agencywide information security program, approved 
by the Director under section 3543(a)(5), to provide 
information security for the information and information 
systems that support the operations and assets of the agency, 
including those provided or managed by another agency, 
contractor, or other source, that includes--
          (1) * * *

           *       *       *       *       *       *       *

          (7) procedures for detecting, reporting, and 
        responding to security incidents, consistent with 
        standards and guidelines issued pursuant to section 
        3546(b), including--
                  (A) * * *

           *       *       *       *       *       *       *

                  (C) notifying and consulting with, as 
                appropriate--
                          (i) * * *

           *       *       *       *       *       *       *

                          (iii) any other agency or office, in 
                        accordance with law or as directed by 
                        the President; [and]
          (8) plans and procedures to ensure continuity of 
        operations for information systems that support the 
        operations and assets of the agency[.]; and
          (9) procedures for notifying individuals whose 
        sensitive personal information is compromised 
        consistent with policies, procedures, and standards 
        established under section 3543(a)(9) of this title.

           *       *       *       *       *       *       *

                              ----------                              


TITLE 38, UNITED STATES CODE

           *       *       *       *       *       *       *


                       PART I--GENERAL PROVISIONS

Chapter                                                             Sec.
      General........................................................101
     * * * * * * *

              PART V--BOARDS, ADMINISTRATIONS, AND SERVICES

      Board of Veterans' Appeals....................................7101
     * * * * * * *
7901Information Security Education Assistance Program.................

           *       *       *       *       *       *       *


PART I--GENERAL PROVISIONS

           *       *       *       *       *       *       *


               CHAPTER 3--DEPARTMENT OF VETERANS AFFAIRS

Sec.
301.  Department.
     * * * * * * *
307A.   Under Secretary for Information Services.
     * * * * * * *

Sec. 307A. Under Secretary for Information Services

  (a) Under Secretary.--There is in the Department an Under 
Secretary for Information Services, who is appointed by the 
President, by and with the advice and consent of the Senate. 
The Under Secretary shall be the head of the Office of 
Information Services and shall perform such functions as the 
Secretary shall prescribe.
  (b) Service as Chief Information Officer.--Notwithstanding 
any other provision of law, the Under Secretary for Information 
Services shall serve as the Chief Information Officer of the 
Department under section 310 of this title.

Sec. 308. Assistant Secretaries; Deputy Assistant Secretaries

  (a) * * *
  (b) The Secretary shall assign to the Assistant Secretaries 
responsibility for the administration of such functions and 
duties as the Secretary considers appropriate, including the 
following functions:
          (1) * * *

           *       *       *       *       *       *       *

          [(5) Information management functions as required by 
        section 3506 of title 44.]
          [(6)] (5) Capital facilities and real property 
        program functions.
          [(7)] (6) Equal opportunity functions.
          [(8)] (7) Functions regarding the investigation of 
        complaints of employment discrimination within the 
        Department.
          [(9)] (8) Functions regarding intergovernmental, 
        public, and consumer information and affairs.
          [(10)] (9) Procurement functions.
          [(11)] (10) Operations, preparedness, security, and 
        law enforcement functions.

           *       *       *       *       *       *       *


PART IV--GENERAL ADMINISTRATIVE PROVISIONS

           *       *       *       *       *       *       *


                 CHAPTER 57--RECORDS AND INVESTIGATIONS

                         SUBCHAPTER I --RECORDS

Sec.
5701.  Confidential nature of claims.
     * * * * * * *

                   Subchapter III--Information Security

5721.  Definitions.
5722.  Office of the Under Secretary for Information Services.
5723.  Information security management.
5724.  Congressional reporting and notification of data breaches.
5725.  Data breaches.
5726.  Provision of credit protection services.
5727.  Contracts for data processing or maintenance.
5728.  Authorization of appropriations.

           *       *       *       *       *       *       *


                  SUBCHAPTER III--INFORMATION SECURITY

Sec. 5721. Definitions

  For the purposes of this subchapter:
          (1) The term ``sensitive personal information'' means 
        the name, address, or telephone number of an 
        individual, in combination with any of the following:
                  (A) The Social Security number of the 
                individual.
                  (B) The date of birth of the individual.
                  (C) Any information not available as part of 
                the public record regarding the individual's 
                military service or health.
                  (D) Any financial account or other financial 
                information relating to the individual.
                  (E) The driver's license number or equivalent 
                State identification number of the individual.
                  (F) The deoxyribonucleic acid profile or 
                other unique biometric data of the individual, 
                including the fingerprint, voice print, retina 
                or iris image, or other unique physical 
                representation of the individual.
          (2) The term ``data breach'' means the loss, theft, 
        or other unauthorized access to data containing 
        sensitive personal information, in electronic or 
        printed form, that results in the potential compromise 
        of the confidentiality or integrity of the data.
          (3) The term ``data breach analysis'' means the 
        identification of any misuse of sensitive personal 
        information involved in a data breach.
          (4) The term ``fraud resolution services'' means 
        services to assist an individual in the process of 
        recovering and rehabilitating the credit of the 
        individual after the individual experiences identity 
        theft.
          (5) The term ``identity theft'' has the meaning given 
        such term under section 603 of the Fair Credit 
        Reporting Act (15 U.S.C. 1681a).
          (6) The term ``identity theft insurance'' means any 
        insurance policy that pays benefits for costs, 
        including travel costs, notary fees, and postage costs, 
        lost wages, and legal fees and expenses associated with 
        the identity theft of the insured individual.
          (7) The term ``principal credit reporting agency'' 
        means a consumer reporting agency as described in 
        section 603(p) of the Fair Credit Reporting Act (15 
        U.S.C. 1681a(p)).

Sec. 5722. Office of the Under Secretary for Information Services

  (a) Deputy Under Secretaries.--The Office of the Under 
Secretary for Information Services shall consist of the 
following:
          (1) The Deputy Under Secretary for Information 
        Services for Security, who shall serve as the Senior 
        Information Security Officer of the Department.
          (2) The Deputy Under Secretary for Information 
        Services for Operations and Management.
          (3) The Deputy Under Secretary for Information 
        Services for Policy and Planning.
  (b) Appointments.--Appointments under subsection (a) shall be 
made by the Secretary, notwithstanding the limitations of 
section 709 of this title.
  (c) Qualifications.--At least one of positions established 
and filled under subsection (a) shall be filled by an 
individual who has at least five years of continuous service in 
the Federal civil service in the executive branch immediately 
preceding the appointment of the individual as a Deputy Under 
Secretary. For purposes of determining such continuous service 
of an individual, there shall be excluded any service by such 
individual in a position--
          (1) of a confidential, policy-determining, policy-
        making, or policy-advocating character;
          (2) in which such individual served as a noncareer 
        appointee in the Senior Executive Service, as such term 
        is defined in section 3132(a)(7) of title 5; or
          (3) to which such individual was appointed by the 
        President.

Sec. 5723. Information security management

  (a) Responsibilities of Chief Information Officer.--To 
support the economical, efficient, and effective execution of 
subtitle III of chapter 35 of title 44, and policies and plans 
of the Department, the Secretary shall ensure that the Chief 
Information Officer of the Department has the authority and 
control necessary to develop, approve, implement, integrate, 
and oversee the policies, procedures, processes, activities, 
and systems of the Department relating to that subtitle, 
including the management of all related mission applications, 
information resources, personnel, and infrastructure.
  (b) Annual Compliance Report.--Not later than March 1 of each 
year, the Secretary shall submit to the Committees on Veterans' 
Affairs of the Senate and House of Representatives, the 
Committee on Government Reform of the House of Representatives, 
and the Committee on Homeland Security and Governmental Affairs 
of the Senate, a report on the Department's compliance with 
subtitle III of chapter 35 of title 44. The information in such 
report shall be displayed in the aggregate and separately for 
each Administration, office, and facility of the Department.
  (c) Reports to Secretary of Compliance Deficiencies.--(1) At 
least once every month, the Chief Information Officer shall 
report to the Secretary any deficiency in the compliance with 
subtitle III of chapter 35 of title 44 of the Department or any 
Administration, office, or facility of the Department.
  (2) The Chief Information Officer shall immediately report to 
the Secretary any significant deficiency in such compliance.
  (d) Data Breaches.--(1) The Chief Information Officer shall 
immediately provide notice to the Secretary of any data breach.
  (2) Immediately after receiving notice of a data breach under 
paragraph (1), the Secretary shall provide notice of such 
breach to the Director of the Office of Management and Budget, 
the Inspector General of the Department, and, if appropriate, 
the Federal Trade Commission and the United States Secret 
Service.
  (e) Budgetary Matters.--When the budget for any fiscal year 
is submitted by the President to Congress under section 1105 of 
title 31, the Secretary shall submit to Congress a report that 
identifies amounts requested for Department implementation and 
remediation of and compliance with this subchapter and subtitle 
III of chapter 35 of title 44. The report shall set forth those 
amounts both for each Administration within the Department and 
for the Department in the aggregate and shall identify, for 
each such amount, how that amount is aligned with and supports 
such implementation and compliance.

Sec. 5724. Congressional reporting and notification of data breaches

  (a) Quarterly Reports.--(1) Not later than 30 days after the 
last day of a fiscal quarter, the Secretary shall submit to the 
Committees on Veterans' Affairs of the Senate and House of 
Representatives a report on any data breach with respect to 
sensitive personal information processed or maintained by the 
Department that occurred during that quarter.
  (2) Each report submitted under paragraph (1) shall identify, 
for each data breach covered by the report, the Administration 
and facility of the Department responsible for processing or 
maintaining the sensitive personal information involved in the 
data breach.
  (b) Notification of Significant Data Breaches.--(1) In the 
event of a data breach with respect to sensitive personal 
information processed or maintained by the Secretary that the 
Secretary determines is significant, the Secretary shall 
provide notice of such breach to the Committees on Veterans' 
Affairs of the Senate and House of Representatives.
  (2) Notice under paragraph (1) shall be provided promptly 
following the discovery of such a data breach and the 
implementation of any measures necessary to determine the scope 
of the breach, prevent any further breach or unauthorized 
disclosures, and reasonably restore the integrity of the data 
system.

Sec. 5725. Data breaches

  (a) Independent Risk Analysis.--(1) In the event of a data 
breach with respect to sensitive personal information that is 
processed or maintained by the Secretary, the Secretary shall 
ensure that, as soon as possible after the data breach, a non-
Department entity conducts an independent risk analysis of the 
data breach to determine the level of risk associated with the 
data breach for the potential misuse of any sensitive personal 
information involved in the data breach.
  (2) If the Secretary determines, based on the findings of a 
risk analysis conducted under paragraph (1), that a reasonable 
risk exists for the potential misuse of sensitive information 
involved in a data breach, the Secretary shall provide credit 
protection services in accordance with section 5726 of this 
title.
  (b) Notification.--(1) In the event of a data breach with 
respect to sensitive personal information that is processed or 
maintained by the Secretary, the Secretary shall provide to an 
individual whose sensitive personal information is involved in 
that breach notice of the data breach--
          (A) in writing; or
          (B) by email, if--
                  (i) the Department's primary method of 
                communication with the individual is by email; 
                and
                  (ii) the individual has consented to receive 
                such notification.
  (2) Notice provided under paragraph (1) shall--
          (A) describe the circumstances of the data breach and 
        the risk that the breach could lead to misuse, 
        including identity theft, involving the sensitive 
        personal information of the individual;
          (B) describe the specific types of sensitive personal 
        information that was compromised as a part of the data 
        breach;
          (C) describe the actions the Department is taking to 
        remedy the data breach;
          (D) inform the individual that the individual may 
        request a fraud alert and credit security freeze under 
        this section;
          (E) clearly explain the advantages and disadvantages 
        to the individual of receiving fraud alerts and credit 
        security freezes under this section; and
          (F) includes such other information as the Secretary 
        determines is appropriate.
  (3) The notice required under paragraph (1) shall be provided 
promptly following the discovery of a data breach and the 
implementation of any measures necessary to determine the scope 
of the breach, prevent any further breach or unauthorized 
disclosures, and reasonably restore the integrity of the data 
system.
  (c) Report.--For each data breach with respect to sensitive 
personal information processed or maintained by the Secretary, 
the Secretary shall promptly submit to the Committees on 
Veterans' Affairs of the Senate and House of Representatives a 
report containing the findings of any independent risk analysis 
conducted under subsection (a)(1), any determination of the 
Secretary under subsection (a)(2), and a description of any 
credit protection services provided under section 5726 of this 
title.
  (d) Final Determination.--Notwithstanding sections 511 and 
7104(a) of this title, any determination of the Secretary under 
subsection (a)(2) with respect to the reasonable risk for the 
potential misuse of sensitive information involved in a data 
breach is final and conclusive and may not be reviewed by any 
other official, administrative body, or court, whether by an 
action in the nature of mandamus or otherwise.
  (e) Fraud Alerts.--(1) In the event of a data breach with 
respect to sensitive personal information that is processed or 
maintained by the Secretary, the Secretary shall arrange, upon 
the request of an individual whose sensitive personal 
information is involved in the breach to a principal credit 
reporting agency with which the Secretary has entered into a 
contract under section 5726(d) and at no cost to the 
individual, for the principal credit reporting agency to 
provide fraud alert services for that individual for a period 
of not less than one year, beginning on the date of such 
request, unless the individual requests that such fraud alert 
be removed before the end of such period, and the agency 
receives appropriate proof of the identity of the individual 
for such purpose.
  (2) The Secretary shall arrange for each principal credit 
reporting agency referred to in paragraph (1) to provide any 
alert requested under such subsection in the file of the 
individual along with any credit score generated in using that 
file, for a period of not less than one year, beginning on the 
date of such request, unless the individual requests that such 
fraud alert be removed before the end of such period, and the 
agency receives appropriate proof of the identity of the 
individual for such purpose.
  (f) Credit Security Freeze.--(1) In the event of a data 
breach with respect to sensitive personal information that is 
processed or maintained by the Secretary, the Secretary shall 
arrange, upon the request of an individual whose sensitive 
personal information is involved in the breach and at no cost 
to the individual, for each principal credit reporting agency 
to apply a security freeze to the file of that individual for a 
period of not less than one year, beginning on the date of such 
request, unless the individual requests that such security 
freeze be removed before the end of such period, and the agency 
receives appropriate proof of the identity of the individual 
for such purpose.
  (2) The Secretary shall arrange for a principal credit 
reporting agency applying a security freeze under paragraph 
(1)--
          (A) to send a written confirmation of the security 
        freeze to the individual within five business days of 
        applying the freeze;
          (B) to refer the information regarding the security 
        freeze to other consumer reporting agencies;
          (C) to provide the individual with a unique personal 
        identification number or password to be used by the 
        individual when providing authorization for the release 
        of the individual's credit for a specific party or 
        period of time; and
          (D) upon the request of the individual, to 
        temporarily lift the freeze for a period of time 
        specified by the individual, beginning not later than 
        three business days after the date on which the agency 
        receives the request.

Sec. 5726. Provision of credit protection services

  (a) Covered Individual.--For purposes of this section, a 
covered individual is an individual whose sensitive personal 
information that is processed or maintained by the Department 
(or any third-party entity acting on behalf of the Department) 
is involved, on or after August 1, 2005, in a data breach for 
which the Secretary determines a reasonable risk exists for the 
potential misuse of sensitive personal information under 
section 5725(a)(2) of this title.
  (b) Notification.--(1) In addition to any notice required 
under subsection 5725(b) of this title, the Secretary shall 
provide to a covered individual notice in writing that--
          (A) the individual may request credit protection 
        services under this section;
          (B) clearly explains the advantages and disadvantages 
        to the individual of receiving credit protection 
        services under this section;
          (C) includes a notice of which principal credit 
        reporting agency the Secretary has entered into a 
        contract with under subsection (d), and information 
        about requesting services through that agency;
          (D) describes actions the individual can or should 
        take to reduce the risk of identity theft; and
          (E) includes such other information as the Secretary 
        determines is appropriate.
  (2) The notice required under paragraph (1) shall be made as 
promptly as possible and without unreasonable delay following 
the discovery of a data breach for which the Secretary 
determines a reasonable risk exists for the potential misuse of 
sensitive personal information under section 5725(a)(2) of this 
title and the implementation of any measures necessary to 
determine the scope of the breach, prevent any further breach 
or unauthorized disclosures, and reasonably restore the 
integrity of the data system.
  (3) The Secretary shall ensure that each notification under 
paragraph (1) includes a form or other means for readily 
requesting the credit protection services under this section. 
Such form or other means may include a telephone number, email 
address, or Internet website address.
  (c) Availability of Services Through Other Government 
Agencies.--If a service required to be provided under this 
section is available to a covered individual through another 
department or agency of the Government, the Secretary and the 
head of that department or agency may enter into an agreement 
under which the head of that department or agency agrees to 
provide that service to the covered individual.
  (d) Contract With Credit Reporting Agency.--Subject to the 
availability of appropriations and notwithstanding any other 
provision of law, the Secretary shall enter into contracts or 
other agreements as necessary with one or more principal credit 
reporting agencies in order to ensure, in advance, the 
provision of credit protection services under this section and 
fraud alerts and security freezes under section 5725 of this 
title. Any such contract or agreement may include provisions 
for the Secretary to pay the expenses of such a credit 
reporting agency for the provision of such services.
  (e) Data Breach Analysis.--The Secretary shall arrange, upon 
the request of a covered individual and at no cost to the 
individual, to provide data breach analysis for the individual 
for a period of not less than one year, beginning on the date 
of such request.
  (f) Provision of Credit Monitoring Services and Identity 
Theft Insurance.--During the one-year period beginning on the 
date on which the Secretary notifies a covered individual that 
the individual's sensitive personal information is involved in 
a data breach, the Secretary shall arrange, upon the request of 
the individual and without charge to the individual, for the 
provision of credit monitoring services to the individual. 
Credit monitoring services under this subsection shall include 
each of the following:
          (1) One copy of the credit report of the individual 
        every three months.
          (2) Fraud resolution services for the individual.
          (3) Identity theft insurance in a coverage amount 
        that does not exceed $30,000 in aggregate liability for 
        the insured.

Sec. 5727. Contracts for data processing or maintenance

  (a) Contract Requirements.--If the Secretary enters into a 
contract for the performance of any Department function that 
requires access to sensitive personal information, the 
Secretary shall require as a condition of the contract that--
          (1) the contractor shall not, directly or through an 
        affiliate of the contractor, disclose such information 
        to any other person unless the disclosure is lawful and 
        is expressly permitted under the contract;
          (2) the contractor, or any subcontractor for a 
        subcontract of the contract, shall promptly notify the 
        Secretary of any data breach that occurs with respect 
        to such information.
  (b) Liquidated Damages.--Each contract subject to the 
requirements of subsection (a) shall provide for liquidated 
damages to be paid by the contractor to the Secretary in the 
event of a data breach with respect to any sensitive personal 
information processed or maintained by the contractor or any 
subcontractor under that contract.
  (c) Provision of Credit Protection Services.--Any amount 
collected by the Secretary under subsection (b) shall be 
deposited in or credited to the Department account from which 
the contractor was paid and shall remain available for 
obligation without fiscal year limitation exclusively for the 
purpose of providing credit protection services in accordance 
with section 5726 of this title.

Sec. 5728. Authorization of appropriations

  There are authorized to be appropriated to carry out this 
subchapter such sums as may be necessary for each fiscal year.

           *       *       *       *       *       *       *


             PART V--BOARDS, ADMINISTRATIONS, AND SERVICES

Chapter                                                             Sec.
      Board of Veterans' Appeals....................................7101
     * * * * * * *
7901Information Security Education Assistance Program.................

           *       *       *       *       *       *       *


     CHAPTER 79--INFORMATION SECURITY EDUCATION ASSISTANCE PROGRAM

Sec.
7901.  Programs; purpose.
7902.  Scholarship program.
7903.  Education debt reduction program.
7904.  Preferences in awarding financial assistance.
7905.  Requirement of honorable discharge for veterans receiving 
          assistance.
7906.  Regulations.
7907.  Termination.

Sec. 7901. Programs; purpose

  (a) In General.--To encourage the recruitment and retention 
of Department personnel who have the information security 
skills necessary to meet Department requirements, the Secretary 
shall carry out programs in accordance with this chapter to 
provide financial support for education in computer science and 
electrical and computer engineering at accredited institutions 
of higher education.
  (b) Types of Programs.--The programs authorized under this 
chapter are as follows:
          (1) Scholarships for pursuit of doctoral degrees in 
        computer science and electrical and computer 
        engineering at accredited institutions of higher 
        education.
          (2) Education debt reduction for Department personnel 
        who hold doctoral degrees in computer science and 
        electrical and computer engineering at accredited 
        institutions of higher education.

Sec. 7902. Scholarship program

  (a) Authority.--(1) Subject to the availability of 
appropriations, the Secretary shall establish a scholarship 
program under which the Secretary shall, subject to subsection 
(d), provide financial assistance in accordance with this 
section to a qualified person--
          (A) who is pursuing a doctoral degree in computer 
        science or electrical or computer engineering at an 
        accredited institution of higher education; and
          (B) who enters into an agreement with the Secretary 
        as described in subsection (b).
  (2)(A) Except as provided under subparagraph (B), the 
Secretary may provide financial assistance under this section 
to an individual for up to five years.
  (B) The Secretary may waive the limitation under subparagraph 
(A) if the Secretary determines that such a waiver is 
appropriate.
  (3)(A) The Secretary may award up to five scholarships for 
any academic year to individuals who did not receive assistance 
under this section for the preceding academic year.
  (B) Not more than one scholarship awarded under subparagraph 
(A) may be awarded to an individual who is an employee of the 
Department when the scholarship is awarded.
  (b) Service Agreement for Scholarship Recipients.--(1) To 
receive financial assistance under this section an individual 
shall enter into an agreement to accept and continue employment 
in the Department for the period of obligated service 
determined under paragraph (2).
  (2) For the purposes of this subsection, the period of 
obligated service for a recipient of financial assistance under 
this section shall be the period determined by the Secretary as 
being appropriate to obtain adequate service in exchange for 
the financial assistance and otherwise to achieve the goals set 
forth in section 7901(a) of this title. In no event may the 
period of service required of a recipient be less than the 
period equal to two times the total period of pursuit of a 
degree for which the Secretary agrees to provide the recipient 
with financial assistance under this section. The period of 
obligated service is in addition to any other period for which 
the recipient is obligated to serve on active duty or in the 
civil service, as the case may be.
  (3) An agreement entered into under this section by a person 
pursuing an doctoral degree shall include terms that provide 
the following:
          (A) That the period of obligated service begins on a 
        date after the award of the degree that is determined 
        under the regulations prescribed under section 7906 of 
        this title.
          (B) That the individual will maintain satisfactory 
        academic progress, as determined in accordance with 
        those regulations, and that failure to maintain such 
        progress constitutes grounds for termination of the 
        financial assistance for the individual under this 
        section.
          (C) Any other terms and conditions that the Secretary 
        determines appropriate for carrying out this section.
  (c) Amount of Assistance.--(1) The amount of the financial 
assistance provided for an individual under this section shall 
be the amount determined by the Secretary as being necessary to 
pay--
          (A) the tuition and fees of the individual; and
          (B) $1500 to the individual each month (including a 
        month between academic semesters or terms leading to 
        the degree for which such assistance is provided or 
        during which the individual is not enrolled in a course 
        of education but is pursuing independent research 
        leading to such degree) for books, laboratory expenses, 
        and expenses of room and board.
  (2) In no case may the amount of assistance provided for an 
individual under this section for an academic year exceed 
$50,000.
  (3) In no case may the total amount of assistance provided 
for an individual under this section exceed $200,000.
  (4) Notwithstanding any other provision of law, financial 
assistance paid an individual under this section shall not be 
considered as income or resources in determining eligibility 
for, or the amount of benefits under, any Federal or federally 
assisted program.
  (d) Repayment for Period of Unserved Obligated Service.--(1) 
An individual who receives financial assistance under this 
section shall repay to the Secretary an amount equal to the 
unearned portion of the financial assistance if the individual 
fails to satisfy the requirements of the service agreement 
entered into under subsection (b), except in certain 
circumstances authorized by the Secretary.
  (2) The Secretary may establish, by regulations, procedures 
for determining the amount of the repayment required under this 
subsection and the circumstances under which an exception to 
the required repayment may be granted.
  (3) An obligation to repay the Secretary under this 
subsection is, for all purposes, a debt owed the United States. 
A discharge in bankruptcy under title 11 does not discharge a 
person from such debt if the discharge order is entered less 
than five years after the date of the termination of the 
agreement or contract on which the debt is based.
  (e) Waiver or Suspension of Compliance.--The Secretary shall 
prescribe regulations providing for the waiver or suspension of 
any obligation of a individual for service or payment under 
this section (or an agreement under this section) whenever 
noncompliance by the individual is due to circumstances beyond 
the control of the individual or whenever the Secretary 
determines that the waiver or suspension of compliance is in 
the best interest of the United States.
  (f) Internships.--(1) The Secretary may offer a compensated 
internship to an individual for whom financial assistance is 
provided under this section during a period between academic 
semesters or terms leading to the degree for which such 
assistance is provided. Compensation provided for such an 
internship shall be in addition to the financial assistance 
provided under this section.
  (2) An internship under this subsection shall not be counted 
toward satisfying a period of obligated service under this 
section.
  (g) Ineligibility of Individuals Receiving Certain Education 
Assistance Payments.--An individual who receives a payment of 
educational assistance under chapter 30, 31, 32, 34, or 35 of 
this title or chapter 1606 or 1607 of title 10 for a month in 
which the individual is enrolled in a course of education 
leading to a doctoral degree in information security is not 
eligible to receive financial assistance under this section for 
that month.

Sec. 7903. Education debt reduction program

  (a) Authority.--(1) Subject to the availability of 
appropriations, the Secretary shall establish an education debt 
reduction program under which the Secretary shall make 
education debt reduction payments under this section to 
qualified individuals eligible under subsection (b) for the 
purpose of reimbursing such individuals for payments by such 
individuals of principal and interest on loans described in 
paragraph (2) of that subsection.
  (2)(A) For each fiscal year, the Secretary may accept up to 
five individuals into the program established under paragraph 
(1)who did not receive such a payment during the preceding 
fiscal year.
  (B) Not more than one individual accepted into the program 
for a fiscal year under subsection (A) shall be a Department 
employee as of the date on which the individual is accepted 
into the program.
  (b) Eligibility.--An individual is eligible to participate in 
the program under this section if the individual--
          (1) has completed a doctoral degree a doctoral degree 
        in computer science or electrical or computer 
        engineering at an accredited institution of higher 
        education during the five-year period preceding the 
        date on which the individual is hired;
          (2) is an employee of the Department who serves in a 
        position related to information security (as determined 
        by the Secretary); and
          (3) owes any amount of principal or interest under a 
        loan, the proceeds of which were used by or on behalf 
        of that individual to pay costs relating to a doctoral 
        degree in computer science or electrical or computer 
        engineering at an accredited institution of higher 
        education.
  (c) Amount of Assistance.--(1) Subject to paragraph (2), the 
amount of education debt reduction payments made to an 
individual under this section may not exceed $82,500 over a 
total of five years, of which not more than $16,500 of such 
payments may be made in each year.
  (2) The total amount payable to an individual under this 
section for any year may not exceed the amount of the principal 
and interest on loans referred to in subsection (b)(3) that is 
paid by the individual during such year.
  (d) Payments.--(1) The Secretary shall make education debt 
reduction payments under this section on an annual basis.
  (2) The Secretary shall make such a payment--
          (A) on the last day of the one-year period beginning 
        on the date on which the individual is accepted into 
        the program established under subsection (a); or
          (B) in the case of an individual who received a 
        payment under this section for the preceding fiscal 
        year, on the last day of the one-year period beginning 
        on the date on which the individual last received such 
        a payment.
  (3) Notwithstanding any other provision of law, education 
debt reduction payments under this section shall not be 
considered as income or resources in determining eligibility 
for, or the amount of benefits under, any Federal or federally 
assisted program.
  (e) Performance Requirement.--The Secretary may make 
education debt reduction payments to an individual under this 
section for a year only if the Secretary determines that the 
individual maintained an acceptable level of performance in the 
position or positions served by the individual during the year.
  (f) Notification of Terms of Provision of Payments.--The 
Secretary shall provide to an individual who receives a payment 
under this section notice in writing of the terms and 
conditions that apply to such a payment.
  (g) Covered Costs.--For purposes of subsection (b)(3), costs 
relating to a course of education or training include--
          (1) ) tuition expenses; and
          (2) all other reasonable educational expenses, 
        including fees, books, and laboratory expenses;

Sec. 7904. Preferences in awarding financial assistance

  In awarding financial assistance under this chapter, the 
Secretary shall give a preference to qualified individuals who 
are otherwise eligible to receive the financial assistance in 
the following order of priority:
          (1) Veterans with service-connected disabilities.
          (2) Veterans.
          (3) Persons described in section 4215(a)(1)(B) of 
        this title.
          (4) Individuals who received or are pursuing degrees 
        at institutions designated by the National Security 
        Agency as Centers of Academic Excellence in Information 
        Assurance Education.
          (5) Citizens of the United States.

Sec. 7905. Requirement of honorable discharge for veterans receiving 
                    assistance

  No veteran shall receive financial assistance under this 
chapter unless the veteran was discharged from the Armed Forces 
under honorable conditions.

Sec. 7906. Regulations

  The Secretary shall prescribe regulations for the 
administration of this chapter.

Sec. 7907. Termination

  The authority of the Secretary to make a payment under this 
chapter shall terminate on July 31, 2017.

           *       *       *       *       *       *       *