Department of Veterans Affairs Acquisition Regulation (VAAR)—Information Security and Privacy Contract Clauses

ICR 202511-2900-002

OMB: 2900-0895

Federal Form Document

Forms and Documents

Document Name	Status

No forms / supporting documents in this ICR. Check IC Document Collections.

IC Document Collections

IC ID	Document Title	Status
239190	Part 839 Three Clauses Instruction	Unchanged

ICR Details

OMB Control No: 2900-0895	ICR Reference No: 202511-2900-002
Status: Received in OIRA	Previous ICR Reference No: 202301-2900-013
Agency/Subagency: VA	Agency Tracking No: PPS - 5
Title: Department of Veterans Affairs Acquisition Regulation (VAAR)—Information Security and Privacy Contract Clauses
Type of Information Collection: Revision of a currently approved collection	Common Form ICR: No
Type of Review Request: Regular	Date Submitted to OIRA: 03/25/2026

	Requested	Previously Approved
Expiration Date	36 Months From Approved	03/31/2026
Responses	15,384	15,384
Time Burden (Hours)	4,815	4,815
Cost Burden (Dollars)	0	0

Abstract: VA uses three Department of Veterans Affairs Acquisition Regulation (VAAR) contract clauses to ensure security when a contractor has access to VA information or information systems, as follows: • Clause 852.239-70, Security Requirements for Information Technology Resources, is required in all solicitations, contracts and orders exceeding the micro-purchase threshold that include information technology services. This clause requires the contractor to be responsible for information technology security for all systems connected to a VA network or operated by the contractor for VA, regardless of location. • Clause 852.239-72, Information System Design and Development, is required in all solicitations, contracts, orders and agreements where services to perform information system design and development are required. • Clause 852.239-73, Information System Hosting, Operation, Maintenance, or Use, is required in all solicitations, contracts, orders and agreements where services to perform information system hosting, operation, or maintenance are required. Clauses 852.239-72 and 852.239-73 are intended to protect VA sensitive information and information technology by requiring contractor and subcontractor personnel to be subject to the same Federal laws, regulations, standards, and VA directives and handbooks as VA and VA personnel regarding information and information system security. This revision changes the title from “Department of Veterans Affairs Acquisition Regulation Clause 852.239-70, VA Information and Information System Security and Privacy” to “Department of Veterans Affairs Acquisition Regulation (VAAR)—Information Security and Privacy Contract Clauses”. The previous title implied that this OMB Control Number covered a single clause instead of multiple clauses. The title change is the only revision to the currently approved collection.

Authorizing Statute(s): PL: Pub.L. 113 - 283 2521 Name of Law: Federal Information Security Modernization Act of 2014

Citations for New Statutory Requirements: None

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
	Not associated with rulemaking

Federal Register Notices & Comments
60-day Notice:	Federal Register Citation:	Citation Date:
	91 FR 2276	01/16/2026
30-day Notice:	Federal Register Citation:	Citation Date:
	91 FR 14636	03/25/2026
Did the Agency receive public comments on this ICR? Yes

Number of Information Collection (IC) in this ICR: 1

IC Title	Form No.	Form Name
Part 839 Three Clauses

ICR Summary of Burden

	Total Request	Previously Approved
Annual Number of Responses	15,384	15,384
Annual Time Burden (Hours)	4,815	4,815
Annual Cost Burden (Dollars)	0	0

Burden increases because of Program Change due to Agency Discretion: No

Burden Increase Due to:

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement:

Annual Cost to Federal Government: $227,268

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. No

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. Yes

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? No

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? No

Agency Contact: Forrest Browne 202 714-6863 forrest.browne@va.gov

Common Form ICR: No

Something went wrong when downloading this file. If you have any questions, please send an email to risc@gsa.gov.