Virginia Code 2.2-5514: Prohibited products and services and required incident reporting
Terms Used In Virginia Code 2.2-5514
- City: means an independent incorporated community which became a city as provided by law before noon on July 1, 1971, or which has within defined boundaries a population of 5,000 or more and which has become a city as provided by law. See Virginia Code 1-208
- Cybersecurity information: includes critical infrastructure information and information regarding cybersecurity risks, cybersecurity threats, and incidents, as those terms are defined in Virginia Code 2.2-5514
- Freedom of Information Act: A federal law that mandates that all the records created and kept by federal agencies in the executive branch of government must be open for public inspection and copying. The only exceptions are those records that fall into one of nine exempted categories listed in the statute. Source: OCC
- Includes: means includes, but not limited to. See Virginia Code 1-218
- Public body: includes any committee, subcommittee, or other entity however designated of the public body or formed to advise the public body, including those with private sector or citizen members and corporations organized by the Virginia Retirement System. See Virginia Code 2.2-5514
- State: when applied to a part of the United States, includes any of the 50 states, the District of Columbia, the Commonwealth of Puerto Rico, Guam, the Northern Mariana Islands, and the United States Virgin Islands. See Virginia Code 1-245
A. As used in this chapter, unless the context requires a different meaning:
“Cybersecurity information” means information describing or relating to any security system or measure, whether manual or automated, that is used to control access to or use of information technology; security risks, threats, or vulnerabilities involving information technology; or security preparedness, response, or recovery related to information technology. “Cybersecurity information” includes critical infrastructure information and information regarding cybersecurity risks, cybersecurity threats, and incidents, as those terms are defined in 6 U.S.C. § 650.
“Public body” means any legislative body; any court of the Commonwealth; any authority, board, bureau, commission, district, or agency of the Commonwealth; any political subdivision of the Commonwealth, including counties, cities, and towns, city councils, boards of supervisors, school boards, planning commissions, and governing boards of institutions of higher education; and other organizations, corporations, or agencies in the Commonwealth supported wholly or principally by public funds. “Public body” includes any committee, subcommittee, or other entity however designated of the public body or formed to advise the public body, including those with private sector or citizen members and corporations organized by the Virginia Retirement System.
B. No public body may use, whether directly or through work with or on behalf of another public body, any hardware, software, or services that have been prohibited by the U.S. Department of Homeland Security for use on federal systems.
C. Every public body shall report all (i) known incidents that threaten the security of the Commonwealth’s data or communications or result in exposure of data protected by federal or state laws and (ii) other incidents compromising the security of the public body’s information technology systems with the potential to cause major disruption to normal activities of the public body or other public bodies. Such reports shall be made to the Virginia Fusion Intelligence Center within 24 hours from when the incident was discovered. The Virginia Fusion Intelligence Center shall share such reports with the Chief Information Officer, as described in § 2.2-2005, or his designee at the Virginia Information Technologies Agency, promptly upon receipt.
D. No cybersecurity information received by the Virginia Information Technologies Agency (VITA) shall be subject to the Virginia Freedom of Information Act (§ 2.2-3700 et seq.) or the Government Data Collection and Dissemination Practices Act (§ 2.2-3800 et seq.) while in the possession of VITA, neither transferring cybersecurity information to nor sharing cybersecurity information with VITA shall make VITA the custodian of such information for public records purposes. No provision of cybersecurity information to state agencies shall constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection. Persons having access to cybersecurity information maintained by VITA shall keep such information confidential, and no person or agency receiving cybersecurity information from VITA shall release or disseminate such information without prior authorization. The Chief Information Officer, as pursuant to § 2.2-2005, or his designee may authorize publication or disclosure of reports or aggregate cybersecurity information as appropriate.