WeVote

Bill

Bill

HR 9152

VETRA Act

119th Congress Introduced by Mike Lawler

The bill directs a VA pilot to modernize digital identity with high-assurance, multi-layer authentication, risk-based access, and rigorous evaluation before broader deployment.

Introduced in House
0
WeVote Research Nonpartisan
Bill Summary · HR 9152

Summary of HR 9152 – VETRA Act (Veterans Electronic Trust and Records Authentication Act)

Purpose and intent

HR 9152 directs the Department of Veterans Affairs (VA) to establish a pilot program to modernize the VA’s digital identity proofing and authentication systems. The goal is to replace aging, less secure methods with higher-assurance, multi-layered digital identity solutions, reduce fraud and improper payments, and evaluate cost savings and operational efficiency before any full-scale deployment.

Key provisions and changes

  • Pilot program establishment (Section 2a)

    • The VA Secretary must carry out a pilot to modernize digital identity proofing and authentication, replacing legacy knowledge-based and single-factor verification with multi-layered, high-assurance solutions.
    • Objectives include reducing fraud/improper payments, improving secure access to VA digital service platforms for veterans and eligible beneficiaries, and assessing cost savings and efficiencies prior to broader deployment.
  • Platform selection (Section 2b)

    • Up to three high-volume VA digital service platforms may participate, potentially encompassing multiple underlying systems or services. Examples include:
    • Disability compensation claims system
    • Veterans health care enrollment portal
    • Education benefits management
    • Home loan benefits administration
  • Risk-tiered implementation (Section 2c)

    • The VA must map digital transactions to risk tiers based on transaction sensitivity, fraud risk, and potential harm.
    • Implement adaptive authentication that adjusts requirements based on contextual/behavioral risk signals.
    • Apply more rigorous authentication only when warranted by risk, as practicable under federal standards.
  • Standards and compliance (Section 2d)

    • Any pilot solution must be commercially available (not exclusive to the VA).
    • Must meet or exceed Identity Assurance Level 2 (IAL2) and Authentication Assurance Level 2 (AAL2) per NIST SP 800-63 (or successors).
    • Must comply with applicable federal cybersecurity and privacy requirements (38 U.S.C. chapter 57; Privacy Act; FISMA).
  • Funding (Section 2e)

    • The pilot is funded from existing IT appropriations, with a cap of $25 million in aggregate authority.
    • No additional authorization is provided beyond this amount.
  • Reporting and evaluation (Section 2f–g)

    • Implementation plan due within 120 days of enactment.
    • Interim performance report at 1 year, covering proofing/authentication metrics, fraud reduction, cost impacts, and cybersecurity indicators.
    • Final comprehensive evaluation and legislative recommendations due 90 days before the end of the authorization period.
    • GAO must conduct an independent evaluation within 18 months, reporting on:
    • Alignment with IAL2/AAL2 standards
    • Fraud/improper payments reductions
    • Veteran access and user experience (including rural, disabled, and low digital literacy populations)
    • Cost-benefit analysis and cybersecurity/privacy compliance
    • Feasibility and integration with broader identity infrastructure and potential government-wide identity services
    • GAO recommendations on expansion, modification, or discontinuation.
  • Authorization period (Section 2h)

    • The pilot authority terminates two years after enactment.
    • No automatic continuation or expansion; any expansion or additional funding requires a subsequent Act of Congress.

Who is affected

  • Primary: VA digital service users, including veterans and other benefit recipients who rely on VA online portals (e.g., disability, health care enrollment, education benefits, home loan programs).
  • VA program offices administering high-volume platforms will participate or be considered for participation.
  • VA information technology and cybersecurity offices responsible for implementing and monitoring identity proofing and authentication.

Timeline and procedural notes

  • Implementation plan due within 120 days of enactment.
  • Interim report due after one year of pilot operation.
  • Final report due roughly 90 days before the end of the two-year authorization window.
  • GAO evaluation due within 18 months of enactment.

Overall, the bill seeks a tightly scoped, fiscally constrained pilot to modernize VA digital identity with higher security standards, while incorporating risk-based authentication and rigorous evaluation to inform future agency-wide modernization.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.