Attention A T users. To access the menus on this page please perform the following steps. 1. Please switch auto forms mode to off. 2. Hit enter to expand a main menu option (Health, Benefits, etc). 3. To enter and activate the submenu links, hit the down arrow. You will now be able to tab or arrow up or down through the submenu options to access/activate the submenu links.
Graphic for the Veterans Crisis Line. It reads Veterans Cris Lins 1 800 273 8255 press 1
My healthevet badge

VA Digital Strategy

IT Policy Archive

VA Directive 6001 – Limited Personal use of Government Office Equipment Including Information Technology

This directive defines acceptable, limited conditions for Department of Veterans Affairs (VA) employees’ personal use of Government office equipment, including information technology.


VA Directive 6004 - Configuration, Change and Release Management Programs

The purpose of this directive is to establish/maintain Department-wide Configuration, Change and Release Management Programs in compliance with the Federal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C. § 3551-3559 (Pub. L. 113-283), VA Directive 6500, VA Cybersecurity Program, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Rev 5 Security and Privacy Controls for Federal Information Systems and Organizations and NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems. This directive applies to all VA-related IT hardware, software and communication components and IT resources, including contracted IT systems and services.


VA Directive 6008 – Acquisition and Management of VA Information Technology Resources

This Directive revises Directive 6008 issued in November 2017 and establishes policy for the acquisition and management of information technology (IT), IT-related and other assets and resources, across the Department of Veterans Affairs (VA). VA's IT, IT-related and other assets and resources are core resources of the Department and their effective management is critical to the provision of services to our Nation's Veterans. This directive only pertains to the type of funding that can be used for procuring resources. This oversight is necessary to ensure alignment of items throughout VA enterprise to the information management information assurance policies, VA wide rules, standards and guidance. Additionally, this policy ensures that all IT funded and IT-related assets are acquired within the constraints and intent of the VA's IT Systems appropriations account, providing specific guidance as to when IT-related assets must be funded through IT Systems account or other authorized accounts. In consultation with VA Administrations and offices, all of VA's IT and IT-related assets and resources and services are subject to the laws, executive mandates and policies of the VA Chief Information Officer (CIO). This includes information assurance, security and privacy; enterprise architecture, standards and specifications; and IT management, technical and operational internal controls, regardless of the funding source, unless otherwise indicated by appropriation, regulation, or policy. This policy, which replaces all previous memoranda on this subject, is necessitated by the growing magnitude and speed of change in information technologies, network-attached devices (i.e., the "Internet of Things (IoT)") and information security risks, procedures and regulations. Its full implementation will improve VA’s effectiveness in the use of resources to deliver a standardized, integrated, interoperable and Veteran-centric information environment in accordance with all Federal laws, regulations and industry best practices.


VA Directive 6011 - IT One + One Device Policy

OIT created a user class device offering matrix in accordance with VA policy. The End User Class Matrix is used for the issuing of systems to new VA staff members, government or contractor, and provides simplified product choices based on user categorization. The matrix provides reference configurations and thus subject to change as products offerings are revised.


VA Directive 6051 – Department of Veterans Affairs Enterprise Architecture

This directive establishes mandatory policy for the establishment of an integrated Department-wide One-VA Enterprise Architecture (EA) to be used for the development and management of all information assets. Directive 6051 also prescribes the mandatory compliance with the following three documents as authorities to be used within VA in connection with the EA: (a) Department of Veterans Affairs Enterprise Architecture Strategy, Governance and Implementation; (b) Department of Veterans Affairs One-VA Enterprise Architecture Implementation Plan; and (c) Department of Veterans Enterprise Architecture.


VA Directive 6052 - Information Technology Strategic Planning

Directive 6052 establishes policy for the Department of Veterans Affairs' (VA's) Information Technology (IT) strategic planning process in accordance with Federal mandates that require Agencies to develop and publish an IT Strategic Plan. Agencies must comply with the requirements of the Government Performance and Results Act of 1993 (GPRA), the E-Government Act of 2002, and the Office of Management and Budget's (OMB) implementation guidance to improve the effectiveness and efficiency of IT strategic planning. This Directive provides information necessary for governing and implementing IT strategic planning at VA. The Directive provides the framework for developing an IT Strategic Plan that supports VA's strategic business needs while also establishing roles and responsibilities for IT management that ensure accountability throughout the planning process


VA Directive 6063 - Operational Analysis of VA Information Technology Systems

This directive establishes policy to ensure the Department of Veterans Affairs (VA) Information Technology (IT) systems undergo Operational Analysis (OA) on a regular, periodic basis to examine whether an IT asset in production continues to meet its intended objectives and yield expected benefits and for compliance and alignment with VA policy, rules, standards and capabilities as well as Federal requirements.


VA Directive 6066 – Protected Health Information (PHI) and Business Associate Agreements Management

This Directive sets policies, roles, and responsibilities for VA components that are Business Associates of the Veterans Health Administration (VHA) as defined by the Health Insurance Portability and Accountability Act (HIPAA) regulations and that enter into Business Associate Agreements (BAAs) that cover the handling of Protected Health Information (PHI) and Electronic Protected Health Information (EPHI).


VA Directive 6102 - Internet/Intranet Services

The directive establishes the Department of Veterans Affairs (VA) minimum Internet and Intranet Services policies, procedures, and guidelines.


VA Directive 6213 - Freedom of Information Act

To establish Department of Veteran Affairs (VA) policy to implement the Freedom of Information Act, 5 U.S.C. § 552 as amended; The FOIA Improvement Act of 2016; Executive Order (EO) 13392 of December 14, 2005, Improving Agency Disclosure of Information; Title 38 Code of Federal Regulations Part 1, Procedures for Disclosure of Records Under the Freedom of Information Act, 38 C.F.R. §§ 1.550-1.562; and the Presidential Memorandum of January 21, 2009: Memorandum on Transparency and Open Government.


VA Directive 6221 - Accessible Information and Communications Technology (ICT)

This directive revises policy and assigns administrative responsibility to the Assistant Secretary for Information and Technology (CIO) to ensure that VA's information and communications technology (ICT) is accessible by VA employees and members of the public with disabilities. This directive implements Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998, Public Law 105-220.


VA Directive 6300 - Records and Information Management

The purpose of this directive is to revise Department-wide records and information management policy. This directive provides policy for the VA Records Management (RM) program, which includes adherence to the Federal Records Act, the Privacy Act (PA), the Freedom of Information Act, the Computer Matching and Privacy Protection Act, and the Release of Names and Addresses. The provisions of this directive are applicable to all elements of VA.


VA Directive 6301 – Electronic Mail Records

This directive establishes Department of Veterans Affairs (VA) policies for the implementation of requirements as stipulated in regulations promulgated by the National Archives and Records Administration in the Federal Register of August 28, 1995, for Federal records created or received in electronic mail applications.


VA Directive 6309 – Collections of Information

This directive revises the Department of Veterans Affairs (VA) policy for collections of information, under the Paperwork Reduction Act (PRA) of 1995, (44 U.S.C. Chapter 35).


VA Directive 6310 – Forms, Collections of Information, and Reports Management

This directive establishes the Department of Veterans Affairs (VA) policy for managing forms, collections of information, and reports. This directive replaces policy contained in MP-1, Part II, Chapter 4, Forms Management, dated October 1991; MP-1, Part II, Chapter 26, Reports Management, dated October 27, 1983; MP-1, Part II, Chapter 28, Interagency Reporting, dated September 24, 1985; and OI-1, Part VI, Chapter 3, Controlling and Monitoring Congressional Reporting Requirements, dated September 11, 1985.


VA Directive 6311 – VA E-Discovery

This Directive is to establish policy concerning the care and handling of documents and electronically stored information (ESI) of the Department of Veterans Affairs (VA) that may be relevant to pending or reasonably anticipated litigation. The directive describes the responsibilities of employees, contractors, volunteers, and other VA personnel to identify, locate, preserve, collect, prepare, review, and produce potentially relevant ESI.


VA Directive 6340 - Mail Management

Policy on Mail Management and implement the provisions found in the Federal Property Management Regulations.


VA Directive 6371 – Destruction of Temporary Paper Records

The purpose of this Directive is to revise policy requirements for the Department of Veterans Affairs (VA) on the destruction of temporary records, and temporary paper records that contain personally identifiable and sensitive information.


VA Directive 6401– VA Standard Desktop Configurations

Establishes that there will be a VA-wide corporate software suite and a range of acceptable hardware configurations, and how that information will be published.


VA Directive 6402 – Modifications to Nationally Released Vista Software

The purpose of this directive is to control variation in nationally released Veterans Health Information Systems and Technology Architecture (VistA) software through defined, mandatory governance channels. The scope of this directive addresses non-standardized changes to National Class I Software.


VA Directive 6403 – Software Asset Management

The purpose of this software asset management Directive is to establish VA policy regarding the governance and management of all software enterprise license agreements including OI&T, research, medical, construction, and engineering system software.


VA Directive 6404 – VA Systems Inventory (VASI)

Directive establishes the Department of Veteran Affairs (VA) Systems Inventory (VASI) as the authoritative source for VA Information Technology (IT) Systems and defines the objectives, principles, roles and responsibilities for the utilization, management and sustainment of the VA Systems Inventory. Full implementation of this policy is necessary to manage current capabilities, prevent duplicative development efforts and facilitate future planning resulting in efficient and effective use of VA resources to deliver an integrated and interoperable information environment.


VA Directive 6500 – VA Cybersecurity Program

Reissues VA Directive 6500 pursuant to the authority to maintain a VA cybersecurity program to protect and defend VA information and information technology (IT) that is consistent with VA’s information security statutes, 38 United States Code (U.S.C.) §§ 5721-5728, the Federal Information Security Modernization Act (FISMA), 44 U.S.C. §§ 3551-3558, and Office of Management and Budget (OMB) Circular A-130.


VA Directive 6502 - VA Enterprise Privacy Program

To update and reaffirm VA Directive 6502, the Departmentwide program policy for the protection of privacy of veterans, their dependents and beneficiaries, as well as the privacy of all employees and contractors of the Department of Veterans Affairs (VA), and other individuals for whom personal records are created and maintained in accordance with Federal law. This directive clarifies policies, roles, and responsibilities for the VA Privacy Service, also known as the VA Enterprise Privacy Program, the program that oversees all VA-wide privacy programs.


VA Directive 6502.3 - Webpage Privacy Policy

This directive mandates the creation of a VA General Webpage Privacy Policy (the General Policy), setting forth how information collected via VA Web sites, pages, and forms is to be collected, used and maintained. This directive establishes the requirements and responsibilities for the creation and maintenance of Limited Privacy Policies (Limited Policies), which govern the handling of personally identifiable information collected via specific Websites, pages, and forms. This directive also designates the officials responsible for the General Policy and Limited Policies. The directive applies to all individuals supporting VA Web sites, including but not limited to full-time and part-time employees, contractors, interns, and volunteers. Directive 6502.3 only applies to government information as defined in OMB Circular A-130, i.e., information created, collected, maintained, processed, disseminated, or disposed of by or for the Federal Government.


VA Directive 6505 – VA Cyber Workforce Management

To establish policies and assigned responsibilities for managing, maintaining, and supporting the VA cyber workforce, consistent with VA strategies.


VA Directive 6507 – Reducing the Use of Social Security Numbers

This Directive issues policy requirements for the Department of Veterans Affairs (VA) to reduce and, where possible, eliminate the collection and use of the Social Security Number (SSN) as a primary identifier for uniquely identifying individuals in VA operations, programs, and services.


VA Directive 6508 – Implementation of Privacy Threshold Analysis and Privacy Impact Assessment

This Directive establishes a VA Enterprise-wide policy for incorporating and implementing the Privacy Threshold Analysis (PTA) into the current compliance process as recommended by the National Institute of Standards and Technology (NIST) Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). This Directive also reinstitutes policy for the Privacy Impact Assessment (PIA), pursuant to the E-Government Act of 2002 (P.L.107-347).


VA Directive 6509 – Duties of Privacy Officers

This directive assigns responsibilities to Department of Veterans Affairs (VA) Privacy Officers to ensure the protection of Personal Identifiable Information (PII), Protected Health Information (PHI), and Sensitive Personal Information (SPI) collected by VA. PII and PHI are subsets of SPI and included in this directive.


VA Directive 6510 - VA Identity and Access Management

This Directive defines the policies for enterprise identity and access management (IAM) for the Department of Veterans Affairs (VA). Additionally, this Directive apply to all VA administrations, staff offices, and all VA staff who support IAM functionality, Veterans, affiliates, and any users who require logical access to VA information services including resources both internally and externally managed and offered through VA.


VA Directive 6511 – Presentations Displaying Personally-Identifiable Information

This Directive establishes the policy that personally-identifiable information (PII) and information that is not releasable under the Freedom of Information Act of 1966 (FOIA), as amended, must not be included in presentations that may be seen by non-VA parties, a term which includes members of the public, and VA employees, volunteers, trainees, contractors, or other appointees without an official need to know such information. The document addresses methods of sanitizing presentations that may be made available to these individuals or groups. The requirements set forth in this Directive ensure that these presentations and materials do not contain PII or information exempt from release under FOIA. It also implements the policies pertaining to privacy reviews, as discussed in Department of Veterans Affairs (VA) Directive 6502, Privacy Program.


VA Directive 6512 – Secure Wireless Technology

This Directive establishes the Department of Veterans Affairs (VA) policy and responsibilities regarding security for wireless technology for implementation or use across VA. The Directive applies to all VA components and information technology resources, including contracted information technology (IT) systems and services.


VA Directive 6513 – Secure External Connections

This Directive establishes overarching guidelines and authorizations for managing and securing all of VA’s external connections on and to a VA Trusted Internet Connection (TIC) Gateway. This policy complies with Federal laws, Office of Management and Budget (OMB) mandates, the National Institute of Standards and Technology (NIST) standards and recommendations, Department of Homeland Security Trusted Internet Connections Reference Architecture v2.0, and VA Directive 6500, Managing Information Security Risk: VA Information Security Program and VA Handbook 6500, Risk Management Framework for VA Information Systems – Tier 3: VA Information Security Program.


VA Directive 6515 – Use of Web Based Collaboration Technologies

The Department of Veterans Affairs (VA) endorses the secure use of Web-based collaboration and social media tools to enhance communication, stakeholder outreach collaboration, and information exchange; streamline processes; and foster productivity improvements. Use of these tools supports VA and VA’s goal of achieving an interoperable, net-centric environment by improving employee effectiveness through seamless access to information. Web-based collaboration tools enable widely dispersed facilities and VA personnel to more effectively collaborate and share information—which can result in better productivity, higher efficiency, and foster innovation. This Directive establishes policy on the proper use of these tools, consistent with applicable laws, regulations, and policies.


VA Directive 6517 - Risk Management Framework for Cloud Computing Services

Directive is being reissued to reflect VA’s commitment to cloud computing services and align with the VA Cloud Computing Strategy. The specific changes required include reflection of roles and responsibilities of a VA Cloud Broker, the addition of Cloud Consumer management responsibilities and alignment of these roles with specific VA organizations.


VA Directive 6550 - Pre-Procurement Assessment and Implementation of Medical Devices/Systems

This Directive establishes the technical Pre-Procurement Assessment (PPA) and Implementation requirements for medical devices/systems. This Directive covers medical devices/systems that are connected to the VA network and medical devices and systems that store sensitive patient information. Major changes include updating mandatory policy, responsibilities, definitions and inclusion of risk analysis and implementation processes.


VA Directive 6551 – VA Enterprise Design Patterns

This directive establishes mandatory policy for establishing and utilizing Enterprise Design Patterns by all Department of Veterans Affairs (VA) projects developing information technology (IT) systems in accordance with the VA’s Office of Information and Technology (OI&T) integrated development and release management process, the Veteran-focused Integration Process (VIP).


VA Directive 6609 – Mailing of Sensitive Personal Information

The purpose of this policy is to revise policy requirements for the Department of Veterans Affairs (VA) for the protection of sensitive personal information (SPI) of Veterans and VA beneficiaries, their dependents, and VA employees, that is sent using mailing services. This directive alters the policy for the protection of mail containing SPI being sent between VA facilities, and to its business partners. This Directive sets forth the measures to be implemented in order to provide adequate protection for mail that contains SPI.


Department of Veterans Affairs and Department of Defense Joint Executive Committee Guidance Memo

The Department of Veterans Affairs (VA) and Department of Defense (DoD) are obligated by law to collaborate and share resources where mutually beneficial to improve efficiency and cost effectiveness of health care, benefits(1), transition and career readiness(2) for Service members and Veterans. Congress enacted the first specific legislation in 1982, the Veterans Administration and Department of Defense Health Resources Sharing and Emergency Operations Act (Public Law 97-174), followed by a number of additional Congressional mandates over subsequent years. While VA and DoD have always worked together to meet these obligations, the collaborative relationship and view of both Departments’ responsibilities to our shared beneficiaries(3) has evolved significantly over the last 40 years.


IT Policy Archive

Consolidated file in zip format