Veterans Affairs (VA) Handbook 6500

The VA Handbook 6500 serves as the VA's primary agency document for information assurance requirements for all VA systems.

a. This handbook establishes the foundation for VA’s comprehensive information security program and its practices that will protect the confidentiality, integrity, and availability of information created, processed, stored, aggregated, and transmitted by VA’s information systems and business process.
b. This handbook provides the minimum mandatory security control standards for implementation of VA Directive 6500, Information Security Program.
c. This handbook also provides the criteria to assist management in making governance and integration decisions for VA’s various security programs.

a. The security policies, procedures, and controls in this handbook apply to all VA employees, contractors, researchers, students, volunteers, representatives of Federal, State, local, or Tribal agencies, and all others authorized access to VA facilities, information systems or information in order to perform a VA authorized activity.

b. The requirements in this handbook and appendices apply to all VA or contractor-operated services and information resources located and operated at contract facilities, at other government agencies that support VA mission requirements, or any other third party utilizing VA information in order to perform a VA authorized activity.

c. The VA National Rules of Behavior provide the responsibilities and expected behavior of all individuals (end users) with authorized access to VA’s information and information systems.
d. The security controls apply to all information resources used to carry out the VA mission. For example, the controls apply to desktop PC workstations, laptop computers, other portable devices, servers, network devices, office automation equipment (such as copiers and fax machines with communication capabilities), and operated by or on behalf of VA.

e. This handbook applies to the security of all information collected, transmitted, used, stored, or disposed of, by or on behalf of VA.
f. The Office of Information and Technology (OI&T) will develop and disseminate additional directives, handbooks, memoranda, notices and best practices to implement these procedures, or institute additional requirements to maintain the information assurance program.