Attention A T users. To access the menus on this page please perform the following steps. 1. Please switch auto forms mode to off. 2. Hit enter to expand a main menu option (Health, Benefits, etc). 3. To enter and activate the submenu links, hit the down arrow. You will now be able to tab or arrow up or down through the submenu options to access/activate the submenu links.
Graphic for the Veterans Crisis Line. It reads Veterans Cris Lins 1 800 273 8255 press 1
My healthevet badge
 

VA Digital Strategy

IT Policy Archive

VA Directive 6001 – Limited Personal use of Government Office Equipment Including Information Technology

This directive defines acceptable, limited conditions for Department of Veterans Affairs (VA) employees’ personal use of Government office equipment, including information technology.

 

VA Directive 6004 - Configuration, Change and Release Management Programs

Directive establishes VA Configuration, Change, and Release Management Programs in accordance with Federal Information Security Management Act (FISMA) (P.L. 107-347, Title III of the E-Government Act), December 2002, which requires the Agency to establish and implement appropriate Department-wide VA Configuration, Change and Release Management Programs based upon Federal requirements and industry best practices. This directive applies to all VA related components and information technology resources, including contracted IT systems and services.

 

VA Directive 6008 – Acquisition and Management of VA Information Technology Resources

This Directive revises Directive 6008 issued in August 2016 and establishes policy for the acquisition and management of information technology (IT) related resources across the Department of Veterans Affairs (VA). VA's IT assets are core resources of the Department and their effective management is critical to the provision of services to our Nation's Veterans. This policy clarifies the scope of VA's IT resources subject to the oversight authority of VA's Chief Information Officer (CIO). This oversight is necessary to ensure alignment of these resources with enterprise IT, information management and information assurance policies, rules, standards and guidance. Additionally, this policy ensures that all VA IT related assets are acquired within the constraints and intent of the VA's IT Systems appropriation account, providing specific guidance as to when IT-related assets must be funded from the IT Systems appropriation account. All of VA's IT-related assets, resources and services are subject to all laws, executive mandates and VA CIO policy. This includes information assurance, security and privacy; enterprise architecture, standards and specifications; and IT management, technical and operational internal controls, regardless of the funding source.

 

VA Directive 6011 - IT One + One Device Policy

OIT created a user class device offering matrix in accordance with VA policy. The End User Class Matrix is used for the issuing of systems to new VA staff members, government or contractor, and provides simplified product choices based on user categorization. The matrix provides reference configurations and thus subject to change as products offerings are revised.

 

VA Directive 6051

This directive establishes mandatory policy for the establishment of an integrated Department-wide One-VA Enterprise Architecture (EA) to be used for the development and management of all information assets. Directive 6051 also prescribes the mandatory compliance with the following three documents as authorities to be used within VA in connection with the EA: (a) Department of Veterans Affairs Enterprise Architecture Strategy, Governance and Implementation; (b) Department of Veterans Affairs One-VA Enterprise Architecture Implementation Plan; and (c) Department of Veterans Enterprise Architecture.

 

VA Directive 6052 - Information Technology Strategic Planning

Directive 6052 establishes policy for the Department of Veterans Affairs' (VA's) Information Technology (IT) strategic planning process in accordance with Federal mandates that require Agencies to develop and publish an IT Strategic Plan. Agencies must comply with the requirements of the Government Performance and Results Act of 1993 (GPRA), the E-Government Act of 2002, and the Office of Management and Budget's (OMB) implementation guidance to improve the effectiveness and efficiency of IT strategic planning. This Directive provides information necessary for governing and implementing IT strategic planning at VA. The Directive provides the framework for developing an IT Strategic Plan that supports VA's strategic business needs while also establishing roles and responsibilities for IT management that ensure accountability throughout the planning process

 

VA Directive 6066 – Protected Health Information (PHI) and Business Associate Agreements Management

This Directive sets policies, roles, and responsibilities for VA components that are Business Associates of the Veterans Health Administration (VHA) as defined by the Health Insurance Portability and Accountability Act (HIPAA) regulations and that enter into Business Associate Agreements (BAAs) that cover the handling of Protected Health Information (PHI) and Electronic Protected Health Information (EPHI).

 

VA Directive 6102 - Internet/Intranet Services

The directive redefines the organizational responsibilities for all Web activities that govern and/or are related to posting, editing, maintaining, and removing files to or from the Internet and Intranet, the use of emerging Web-based technologies and new uses of existing approved technologies. Important modifications to this directive are the enhanced emphases on privacy-related issues, security requirements, accessibility requirements, the utilization of Web applications and tools for enhanced performance and oversight, and the establishment of the VA Chief Information Officer's (CIO's) Office of Enterprise Development (OED), Resource Management Information Technology Development (RMIT (005Q)), as the entity which will have enforcement authority over all VA Web activities. Failure to comply with the requirements could result in serious consequences, including the immediate removal of Web pages and/or VA Web sites from publication for breaching security, privacy or other significant failure(s), or removal of Web pages or Web sites.

 

VA Directive 6103 – VA Electronic Mail System

This directive establishes policy concerning the integration and implementation of an integrated Department-wide electronic mail (e-mail) system. The Telecommunications Strategic Planning Group (TSPG), which has representation from all organizations, voted unanimously on the need for a standard e-mail system and policy.

 

VA Directive 6221 - Accessible Information and Communications Technology (ICT)

This directive revises policy and assigns administrative responsibility to the Assistant Secretary for Information and Technology (CIO) to ensure that VA's information and communications technology (ICT) is accessible by VA employees and members of the public with disabilities. This directive implements Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998, Public Law 105-220.

VA Directive 6300 - Records and Information Management

The purpose of this directive is to revise Department-wide records and information management policy. This directive provides policy for the VA Records Management (RM) program, which includes adherence to the Federal Records Act, the Privacy Act (PA), the Freedom of Information Act, the Computer Matching and Privacy Protection Act, and the Release of Names and Addresses. The provisions of this directive are applicable to all elements of VA.

 

VA Directive 6301 – Electronic Mail Records

This directive establishes Department of Veterans Affairs (VA) policies for the implementation of requirements as stipulated in regulations promulgated by the National Archives and Records Administration in the Federal Register of August 28, 1995, for Federal records created or received in electronic mail applications.

 

VA Directive 6309 – Collections of Information

This directive revises the Department of Veterans Affairs (VA) policy for collections of information, under the Paperwork Reduction Act (PRA) of 1995, (44 U.S.C. Chapter 35).

 

VA Directive 6310 – Forms, Collections of Information, and Reports Management

This directive establishes the Department of Veterans Affairs (VA) policy for managing forms, collections of information, and reports. This directive replaces policy contained in MP-1, Part II, Chapter 4, Forms Management, dated October 1991; MP-1, Part II, Chapter 26, Reports Management, dated October 27, 1983; MP-1, Part II, Chapter 28, Interagency Reporting, dated September 24, 1985; and OI-1, Part VI, Chapter 3, Controlling and Monitoring Congressional Reporting Requirements, dated September 11, 1985.

 

VA Directive 6311 – VA E-Discovery

This Directive is to establish policy concerning the care and handling of documents and electronically stored information (ESI) of the Department of Veterans Affairs (VA) that may be relevant to pending or reasonably anticipated litigation. The directive describes the responsibilities of employees, contractors, volunteers, and other VA personnel to identify, locate, preserve, collect, prepare, review, and produce potentially relevant ESI.

 

VA Directive 6320 – Correspondence Management

This Directive is to revise Department of Veterans Affairs (VA) correspondence management policy formerly contained in Chapter 10, “Correspondence, Part II, VA Manual MP – I, “General Administrative.” The afore mentioned VA Manual is retitled as “VA Directive 6320, Correspondence Management.”

 

VA Directive 6340 - Mail Management

Updates and revises the Department of Veterans Affairs (VA) policy on Mail Management and implement the provisions found in the Federal Property Management Regulations. This directive establishes policy for a Department-wide Mail Management Program and implements the provisions found in the Federal Property Management Regulations. The Mail Management Program is also designed to provide rapid handling and accurate delivery of mail throughout the Department at minimum cost consistent with mission requirements.

 

VA Directive 6371 – Destruction of Temporary Paper Records

The purpose of this Directive is to revise policy requirements for the Department of Veterans Affairs (VA) on the destruction of temporary records, and temporary paper records that contain personally identifiable and sensitive information.

 

VA Directive 6401– VA Standard Desktop Configurations

This directive sets forth the policies and responsibilities for implementing and complying with VA Standard Desktop Configurations.

 

VA Directive 6402 – Modifications to Standardized

This Directive provides policy and processes that local facilities must follow to request evaluation and approval for modifications to standardized National Software, as well as requirements for annual certification of compliance.

 

VA Directive 6403 – Software Asset Management

The purpose of this software asset management Directive is to establish VA policy regarding the governance and management of all software enterprise license agreements including OI&T, research, medical, construction, and engineering system software.

 

VA Directive 6404 – VA Systems Inventory (VASI)

Directive establishes the Department of Veteran Affairs (VA) Systems Inventory (VASI) as the authoritative source for VA Information Technology (IT) Systems and defines the objectives, principles, roles and responsibilities for the utilization, management and sustainment of the VA Systems Inventory. Full implementation of this policy is necessary to manage current capabilities, prevent duplicative development efforts and facilitate future planning resulting in efficient and effective use of VA resources to deliver an integrated and interoperable information environment.

 

VA Directive 6500 (Reissued) – VA Cybersecurity Program

Reissues VA Directive 6500 pursuant to the authority to maintain a VA cybersecurity program to protect and defend VA information and information technology (IT) that is consistent with VA’s information security statutes, 38 United States Code (U.S.C.) §§ 5721-5728, the Federal Information Security Modernization Act (FISMA), 44 U.S.C. §§ 3551-3558, and Office of Management and Budget (OMB) Circular A-130. Rescinds VA Directive 6500, Managing Information Security Risk: VA Information Security Program, dated September 20, 2012 and VA Handbook 6500.1, Electronic Media Sanitization, dated November 3, 2008. Establishes the governance structure as the Risk Executive Function, the Risk Management Framework (RMF) Technical Advisory Group (TAG), the Information Security Knowledge Service (KS) to provide cybersecurity policies, procedures, and guidance; and aligns the VA’s Information Security Program with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

 

VA Directive 6502 - VA Enterprise Privacy Program

To update and reaffirm VA Directive 6502, the Departmentwide program policy for the protection of privacy of veterans, their dependents and beneficiaries, as well as the privacy of all employees and contractors of the Department of Veterans Affairs (VA), and other individuals for whom personal records are created and maintained in accordance with Federal law. This directive clarifies policies, roles, and responsibilities for the VA Privacy Service, also known as the VA Enterprise Privacy Program, the program that oversees all VA-wide privacy programs.

 

VA Directive 6502.3 - Webpage Privacy Policy

This directive mandates the creation of a VA General Webpage Privacy Policy (the General Policy), setting forth how information collected via VA Web sites, pages, and forms is to be collected, used and maintained. This directive establishes the requirements and responsibilities for the creation and maintenance of Limited Privacy Policies (Limited Policies), which govern the handling of personally identifiable information collected via specific Websites, pages, and forms. This directive also designates the officials responsible for the General Policy and Limited Policies. The directive applies to all individuals supporting VA Web sites, including but not limited to full-time and part-time employees, contractors, interns, and volunteers. Directive 6502.3 only applies to government information as defined in OMB Circular A-130, i.e., information created, collected, maintained, processed, disseminated, or disposed of by or for the Federal Government.

 

VA Directive 6507 – Reducing the Use of Social Security Numbers

This Directive issues policy requirements for the Department of Veterans Affairs (VA) to reduce and, where possible, eliminate the collection and use of the Social Security Number (SSN) as a primary identifier for uniquely identifying individuals in VA operations, programs and services.

 

VA Directive 6508 – Implementation of Privacy Threshold Analysis and Privacy Impact Assessment

This Directive establishes a VA Enterprise-wide policy for incorporating and implementing the Privacy Threshold Analysis (PTA) into the current compliance process as recommended by the National Institute of Standards and Technology (NIST) Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). This Directive also reinstitutes policy for the Privacy Impact Assessment (PIA), pursuant to the E-Government Act of 2002 (P.L.107-347).

VA Directive 6509 – Duties of Privacy Officers

This directive assigns responsibilities to Department of Veterans Affairs (VA) Privacy Officers to ensure the protection of Personal Identifiable Information (PII), Protected Health Information (PHI), and Sensitive Personal Information (SPI) collected by VA. PII and PHI are subsets of SPI and included in this directive.

 

VA Directive 6510 - VA Identity and Access Management

This Directive defines the policies for enterprise identity and access management (IAM) for the Department of Veterans Affairs (VA). Additionally, this Directive apply to all VA administrations, staff offices, and all VA staff who support IAM functionality, Veterans, affiliates, and any users who require logical access to VA information services including resources both internally and externally managed and offered through VA.

 

VA Directive 6511 – Presentations Displaying Personally-Identifiable Information

This Directive establishes the policy that personally-identifiable information (PII) and information that is not releasable under the Freedom of Information Act of 1966 (FOIA), as amended, must not be included in presentations that may be seen by non-VA parties, a term which includes members of the public, and VA employees, volunteers, trainees, contractors, or other appointees without an official need to know such information. The document addresses methods of sanitizing presentations that may be made available to these individuals or groups. The requirements set forth in this Directive ensure that these presentations and materials do not contain PII or information exempt from release under FOIA. It also implements the policies pertaining to privacy reviews, as discussed in Department of Veterans Affairs (VA) Directive 6502, Privacy Program.

 

VA Directive 6512 – Secure Wireless Technology

This Directive establishes the Department of Veterans Affairs (VA) policy and responsibilities regarding security for wireless technology for implementation or use across VA. The Directive applies to all VA components and information technology resources, including contracted information technology (IT) systems and services.

 

VA Directive 6513 – Secure External Connections

This Directive establishes overarching guidelines and authorizations for managing and securing all of VA’s external connections on and to a VA Trusted Internet Connection (TIC) Gateway. This policy complies with Federal laws, Office of Management and Budget (OMB) mandates, the National Institute of Standards and Technology (NIST) standards and recommendations, Department of Homeland Security Trusted Internet Connections Reference Architecture v2.0, and VA Directive 6500, Managing Information Security Risk: VA Information Security Program and VA Handbook 6500, Risk Management Framework for VA Information Systems – Tier 3: VA Information Security Program.

 

VA Directive 6515 – Use of Web Based Collaboration Technologies

The Department of Veterans Affairs (VA) endorses the secure use of Web-based collaboration and social media tools to enhance communication, stakeholder outreach collaboration, and information exchange; streamline processes; and foster productivity improvements. Use of these tools supports VA and VA’s goal of achieving an interoperable, net-centric environment by improving employee effectiveness through seamless access to information. Web-based collaboration tools enable widely dispersed facilities and VA personnel to more effectively collaborate and share information—which can result in better productivity, higher efficiency, and foster innovation. This Directive establishes policy on the proper use of these tools, consistent with applicable laws, regulations, and policies.

 

VA Directive 6517 - Risk Management Framework for Cloud Computing Services

Directive is being reissued to reflect VA’s commitment to cloud computing services and align with the VA Cloud Computing Strategy. The specific changes required include reflection of roles and responsibilities of a VA Cloud Broker, the addition of Cloud Consumer management responsibilities and alignment of these roles with specific VA organizations.

 

VA Directive 6518 – Enterprise Information Management (EIM)

This Directive establishes Enterprise Information Management (EIM) policy for the US Department of Veterans Affairs. The VA’s information assets are core resources of the Department, and their effective management is critical to the provision of services to our nation’s Veterans. This Directive defines the objectives, establishes overarching principles and policy, assigns responsibilities, and delegates authority for the management and use of VA’s information assets. Full implementation of this policy is necessary to enable VA to most effectively use resources to deliver an integrated, interoperable, Veteran-centric information environment.

 

VA Directive 6550 - Pre-Procurement Assessment and Implementation of Medical Devices/Systems

This Directive establishes the technical Pre-Procurement Assessment (PPA) and Implementation requirements for medical devices/systems. This Directive covers medical devices/systems that are connected to the VA network and medical devices and systems that store sensitive patient information. Major changes include updating mandatory policy, responsibilities, definitions and inclusion of risk analysis and implementation processes.

 

VA Directive 6551 – VA Enterprise Design Patterns

This directive establishes mandatory policy for establishing and utilizing Enterprise Design Patterns by all Department of Veterans Affairs (VA) projects developing information technology (IT) systems in accordance with the VA’s Office of Information and Technology (OI&T) integrated development and release management process, the Veteran-focused Integration Process (VIP).

 

VA Directive 6609 – Mailing of Sensitive Personal Information

The purpose of this policy is to revise policy requirements for the Department of Veterans Affairs (VA) for the protection of sensitive personal information (SPI) of Veterans and VA beneficiaries, their dependents, and VA employees, that is sent using mailing services. This directive alters the policy for the protection of mail containing SPI being sent between VA facilities, and to its business partners. This Directive sets forth the measures to be implemented in order to provide adequate protection for mail that contains SPI.

 

Transition Policy Supporting the Replacement of the IT Acquisition Request System

Effective March 2018, this policy establishes that all OIT funded procurements and Non-IT funded products that have the potential to connect to a VA network must process through the Acquisition Review Module (ARM) within the Budget Tracking Tool (BTT).

  

ONE-VA Technical Reference Model

The One-VA TRM provides consolidated and coordinated guidance concerning technologies and standards that are allowed and prohibited in the VA environment. OIT staff and contractors use the TRM as a reference to ensure their technology programs and projects use only approved technologies and standards.

 

Department of Veterans Affairs Source Selection Authority Delegation Pilot Program

The Source Selection Authority (SSA) delegation Pilot Program establishes criteria and procedures for the appointment of selected Office of Information Technology (OIT) officials as the SSA for individual source selections or groups of source selections. For contacting actions to be eligible for SSA delegation, it must meet the following criteria: a) responsibility for the requirement must belong to OIT; b) the Independent Government Cost estimate is in excess of $5 million; and c) the action utilizes FAR Part 15 and the best value continuum for source selection procedures.

 

Proper Use of Email and Other Messaging Services

The intent of this memorandum is to advise all VA personnel, including employees, contractors, trainees, and volunteers, that the use of non-official accounts or devices to conduct official agency business is prohibited.

 

Requirement of Two Factor Authentication for VA Network Access for Individuals with Dual Identities

Consistent with Office of Management and Budget guidance, VA policy requires individuals with "multiple person categories" (also referred to as "second person categories"), be issued a unique 2FA credentials for each personnel category for which they are eligible. The policy necessitates that the two statuses be distinguishable, and that all systems must enforce this standard in a consistent manner.

VA Notice 20-09 - Interim Policy on Complying with the Federal Information Technology Acquisition Reform Act (FITARA)

Establishes the Department of Veterans Affairs (VA) interim FITARA policy. Under FITARA, all information technology (IT) acquisition capabilities and investments are subject to specific review requirements, regardless of dollar value, funding authority, funding source, or other considerations.
 

IT Policy Archive

Consolidated file in zip format