In this subchapter:
(1) Availability.—
The term “availability” means ensuring timely and reliable access to and use of information.
(2) Confidentiality.—
The term “confidentiality” means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
(3) Control techniques.—
(4) Data breach.—
The term “data breach” means the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.
(5) Data breach analysis.—
(6) Fraud resolution systems.—
(7) Identity theft.—
(8) Identity theft insurance.—
The term “identity theft insurance” means any insurance policy that pays benefits for costs, including travel costs, notary fees, and postage costs, lost wages, and legal fees and expenses associated with efforts to correct and ameliorate the effects and results of identity theft of the insured individual.
(9) Information owner.—
The term “information owner” means an agency official with statutory or operational authority for specified information and responsibility for establishing the criteria for its creation, collection, processing, dissemination, or disposal, which responsibilities may extend to interconnected systems or groups of interconnected systems.
(10) Information resources.—
The term “information resources” means information in any medium or form and its related resources, such as personnel, equipment, funds, and information technology.
(11) Information security.—
(12) Information security requirements.—
The term “information security requirements” means information security requirements promulgated in accordance with law, or directed by the Secretary of Commerce, the National Institute of Standards and Technology, and the Office of Management and Budget, and, as to national security systems, the President.
(13) Information system.—
(14) Integrity.—
The term “integrity” means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
(15) National security system.—
The term “national security system” means an information system that is protected at all times by policies and procedures established for the processing, maintenance, use, sharing, dissemination or disposition of information that has been specifically authorized under criteria established by statute or Executive Order to be kept classified in the interest of national defense or foreign policy.
(16) Plan of action and milestones.—The term “plan of action and milestones”, means a plan used as a basis for the quarterly reporting requirements of the Office of Management and Budget that includes the following information:
(17) Principal credit reporting agency.—
(18) Security incident.—
The term “security incident” means an event that has, or could have, resulted in loss or damage to Department assets, or sensitive information, or an action that breaches Department security procedures.
(19) Sensitive personal information.—The term “sensitive personal information”, with respect to an individual, means any information about the individual maintained by an agency, including the following:
(20) Subordinate plan.—
The term “subordinate plan”, also referred to as a “system security plan”, means a plan that defines the security controls that are either planned or implemented for networks, facilities, systems, or groups of systems, as appropriate, within a specific accreditation boundary.
(22) VA national rules of behavior.—
(23) VA sensitive data.—
The term “VA sensitive data” means all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information and includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions.