{"formats":[{"name":"JSON","format":"json","url":"\/downloads\/2025\/code-json\/2.2-5514.json"},{"name":"Plain Text","format":"text","url":"\/downloads\/2025\/code-text\/2.2-5514.txt"},{"name":"XML","format":"xml","url":"\/downloads\/2025\/code-xml\/2.2-5514.xml"},{"name":"HTML","format":"html","url":"\/downloads\/2025\/code-html\/2.2-5514.html"}],"law_id":87153,"edition_id":1,"section_id":87153,"structure_id":14501,"section_number":"2.2-5514","catch_line":"Prohibited products and services and required incident reporting","history":"2019, c. 302; 2022, cc. 626, 627; 2024, c. 503.","full_text":"A\n\nAs used in this chapter, unless the context requires a different meaning:\n\t\t\t&#8220;Cybersecurity information&#8221; means information describing or relating to any security system or measure, whether manual or automated, that is used to control access to or use of information technology; security risks, threats, or vulnerabilities involving information technology; or security preparedness, response, or recovery related to information technology. &#8220;Cybersecurity information&#8221; includes critical infrastructure information and information regarding cybersecurity risks, cybersecurity threats, and incidents, as those terms are defined in 6 U.S.C. &#xA7; 650.\n\t\t\t&#8220;Public body&#8221; means any legislative body; any court of the Commonwealth; any authority, board, bureau, commission, district, or agency of the Commonwealth; any political subdivision of the Commonwealth, including counties, cities, and towns, city councils, boards of supervisors, school boards, planning commissions, and governing boards of institutions of higher education; and other organizations, corporations, or agencies in the Commonwealth supported wholly or principally by public funds. &#8220;Public body&#8221; includes any committee, subcommittee, or other entity however designated of the public body or formed to advise the public body, including those with private sector or citizen members and corporations organized by the Virginia Retirement System.B\n\nNo public body may use, whether directly or through work with or on behalf of another public body, any hardware, software, or services that have been prohibited by the U.S. Department of Homeland Security for use on federal systems.C\n\nEvery public body shall report all (i) known incidents that threaten the security of the Commonwealth&#8217;s data or communications or result in exposure of data protected by federal or state laws and (ii) other incidents compromising the security of the public body&#8217;s information technology systems with the potential to cause major disruption to normal activities of the public body or other public bodies. Such reports shall be made to the Virginia Fusion Intelligence Center within 24 hours from when the incident was discovered. The Virginia Fusion Intelligence Center shall share such reports with the Chief Information Officer, as described in &#xA7; 2.2-2005, or his designee at the Virginia Information Technologies Agency, promptly upon receipt.D\n\nNo cybersecurity information received by the Virginia Information Technologies Agency (VITA) shall be subject to the Virginia Freedom of Information Act (&#xA7; 2.2-3700 et seq.) or the Government Data Collection and Dissemination Practices Act (&#xA7; 2.2-3800 et seq.) while in the possession of VITA, neither transferring cybersecurity information to nor sharing cybersecurity information with VITA shall make VITA the custodian of such information for public records purposes. No provision of cybersecurity information to state agencies shall constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection. Persons having access to cybersecurity information maintained by VITA shall keep such information confidential, and no person or agency receiving cybersecurity information from VITA shall release or disseminate such information without prior authorization. The Chief Information Officer, as pursuant to &#xA7; 2.2-2005, or his designee may authorize publication or disclosure of reports or aggregate cybersecurity information as appropriate.","order_by":null,"text":{"0":{"id":312078,"text":"As used in this chapter, unless the context requires a different meaning:\n\t\t\t&#8220;Cybersecurity information&#8221; means information describing or relating to any security system or measure, whether manual or automated, that is used to control access to or use of information technology; security risks, threats, or vulnerabilities involving information technology; or security preparedness, response, or recovery related to information technology. &#8220;Cybersecurity information&#8221; includes critical infrastructure information and information regarding cybersecurity risks, cybersecurity threats, and incidents, as those terms are defined in 6 U.S.C. &#xA7; 650.\n\t\t\t&#8220;Public body&#8221; means any legislative body; any court of the Commonwealth; any authority, board, bureau, commission, district, or agency of the Commonwealth; any political subdivision of the Commonwealth, including counties, cities, and towns, city councils, boards of supervisors, school boards, planning commissions, and governing boards of institutions of higher education; and other organizations, corporations, or agencies in the Commonwealth supported wholly or principally by public funds. &#8220;Public body&#8221; includes any committee, subcommittee, or other entity however designated of the public body or formed to advise the public body, including those with private sector or citizen members and corporations organized by the Virginia Retirement System.","type":"section","prefixes":["A"],"prefix":"A","entire_prefix":"A","prefix_anchor":"A","level":1,"next_prefix":"B"},"1":{"id":312079,"text":"No public body may use, whether directly or through work with or on behalf of another public body, any hardware, software, or services that have been prohibited by the U.S. Department of Homeland Security for use on federal systems.","type":"section","prefixes":["B"],"prefix":"B","entire_prefix":"B","prefix_anchor":"B","level":1,"prior_prefix":"A","next_prefix":"C"},"2":{"id":312080,"text":"Every public body shall report all (i) known incidents that threaten the security of the Commonwealth&#8217;s data or communications or result in exposure of data protected by federal or state laws and (ii) other incidents compromising the security of the public body&#8217;s information technology systems with the potential to cause major disruption to normal activities of the public body or other public bodies. Such reports shall be made to the Virginia Fusion Intelligence Center within 24 hours from when the incident was discovered. The Virginia Fusion Intelligence Center shall share such reports with the Chief Information Officer, as described in &#xA7; 2.2-2005, or his designee at the Virginia Information Technologies Agency, promptly upon receipt.","type":"section","prefixes":["C"],"prefix":"C","entire_prefix":"C","prefix_anchor":"C","level":1,"prior_prefix":"B","next_prefix":"D"},"3":{"id":312081,"text":"No cybersecurity information received by the Virginia Information Technologies Agency (VITA) shall be subject to the Virginia Freedom of Information Act (&#xA7; 2.2-3700 et seq.) or the Government Data Collection and Dissemination Practices Act (&#xA7; 2.2-3800 et seq.) while in the possession of VITA, neither transferring cybersecurity information to nor sharing cybersecurity information with VITA shall make VITA the custodian of such information for public records purposes. No provision of cybersecurity information to state agencies shall constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection. Persons having access to cybersecurity information maintained by VITA shall keep such information confidential, and no person or agency receiving cybersecurity information from VITA shall release or disseminate such information without prior authorization. The Chief Information Officer, as pursuant to &#xA7; 2.2-2005, or his designee may authorize publication or disclosure of reports or aggregate cybersecurity information as appropriate.","type":"section","prefixes":["D"],"prefix":"D","entire_prefix":"D","prefix_anchor":"D","level":1,"prior_prefix":"C"}},"ancestry":[{"id":14501,"edition_id":1,"name":"Prohibition on the Use of Certain Products and Services","identifier":"55.3","label":"chapter","depth":4,"order_by":1,"parent_id":12751,"metadata":{},"date_created":"2026-06-26 03:48:22","date_modified":"2026-06-26 03:48:22","permalink":{"id":177999,"object_type":"structure","relational_id":14501,"identifier":"55.3","token":"2.2\/II\/B\/55.3","url":"\/2.2\/II\/B\/55.3\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12751,"edition_id":1,"name":"Transaction of Public Business","identifier":"B","label":"part","depth":3,"order_by":1,"parent_id":12750,"metadata":{},"date_created":"2026-06-26 03:43:51","date_modified":"2026-06-26 03:43:51","permalink":{"id":176445,"object_type":"structure","relational_id":12751,"identifier":"B","token":"2.2\/II\/B","url":"\/2.2\/II\/B\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12750,"edition_id":1,"name":"Administration of State Government","identifier":"II","label":"subtitle","depth":2,"order_by":1,"parent_id":12749,"metadata":{},"date_created":"2026-06-26 03:43:51","date_modified":"2026-06-26 03:43:51","permalink":{"id":176253,"object_type":"structure","relational_id":12750,"identifier":"II","token":"2.2\/II","url":"\/2.2\/II\/","edition_id":1,"permalink":0,"preferred":1}},{"id":12749,"edition_id":1,"name":"Administration of Government","identifier":"2.2","label":"title","depth":1,"order_by":1,"parent_id":null,"metadata":{},"date_created":"2026-06-26 03:43:51","date_modified":"2026-06-26 03:43:51","permalink":{"id":171453,"object_type":"structure","relational_id":12749,"identifier":"2.2","token":"2.2","url":"\/2.2\/","edition_id":1,"permalink":0,"preferred":1}}],"structure_contents":[{"id":87153,"structure_id":14501,"section_number":"2.2-5514","catch_line":"Prohibited products and services and required incident reporting","url":"\/2.2-5514\/","token":"2.2\/II\/B\/55.3\/2.2-5514","metadata":false},{"id":55911,"structure_id":14501,"section_number":"2.2-5514.1","catch_line":"Prohibited applications and websites","url":"\/2.2-5514.1\/","token":"2.2\/II\/B\/55.3\/2.2-5514.1","metadata":false}],"next_section":{"id":55911,"structure_id":14501,"section_number":"2.2-5514.1","catch_line":"Prohibited applications and websites","url":"\/2.2-5514.1\/","token":"2.2\/II\/B\/55.3\/2.2-5514.1","metadata":false},"metadata":false,"official_url":"https:\/\/law.lis.virginia.gov\/vacode\/2.2-5514\/","history_text":"<p>This law was first created in 2019. The record of its establishment is cataloged in chapter <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?191+ful+CHAP0302\">302<\/a> of that year\u2019s edition of \u201cActs of Assembly,\u201d the annual state publication listing all changes made to the Code of Virginia in that year. It has been modified 2 times. Those modifications are cataloged by \u201cThe Acts of Assembly,\u201d a state publication, by year and chapter. Those modifications that can be read on the General Assembly\u2019s website will be linked accordingly. Those modifications are as follows: in 2022, chapters <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?221+ful+CHAP0626\">626<\/a> and <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?221+ful+CHAP0627\">627<\/a>; in 2024, chapter <a href=\"https:\/\/legacylis.virginia.gov\/cgi-bin\/legp604.exe?241+ful+CHAP0503\">503<\/a>.<\/p>","references":[{"id":57889,"section_number":"2.2-2009","catch_line":"Additional duties of the CIO relating to security of government information","order_by":null,"url":"\/2.2-2009\/"},{"id":55911,"section_number":"2.2-5514.1","catch_line":"Prohibited applications and websites","order_by":null,"url":"\/2.2-5514.1\/"}],"refers_to":[{"id":73383,"section_number":"2.2-2005","catch_line":"Creation of Agency; appointment of Chief Information Officer","order_by":null,"url":"\/2.2-2005\/"},{"id":55569,"section_number":"2.2-3700","catch_line":"Short title; policy","order_by":null,"url":"\/2.2-3700\/"},{"id":69409,"section_number":"2.2-3800","catch_line":"Short title; findings; principles of information practice","order_by":null,"url":"\/2.2-3800\/"}],"permalink":{"id":178001,"object_type":"law","relational_id":87153,"identifier":"2.2-5514","token":"2.2\/II\/B\/55.3\/2.2-5514","url":"\/2.2-5514\/","edition_id":1,"permalink":0,"preferred":1},"url":"\/2.2-5514\/","token":"2.2\/II\/B\/55.3\/2.2-5514","dublin_core":{"Title":"Prohibited products and services and required incident reporting","Type":"Text","Format":"text\/html","Identifier":"\u00a7 2.2-5514","Relation":"Code of Virginia"},"html":"\n\t\t\t\t\t\t<section id=\"A\"><p><span class=\"prefix-number\">A.<\/span> As used in this chapter, unless the context requires a different meaning:\n\t\t\t&#8220;<span class=\"dictionary\">Cybersecurity information<\/span>&#8221; means information describing or relating to any security system or measure, whether manual or automated, that is used to control access to or use of information technology; security risks, threats, or vulnerabilities involving information technology; or security preparedness, response, or recovery related to information technology. &#8220;<span class=\"dictionary\">Cybersecurity information<\/span>&#8221; includes critical infrastructure information and information regarding cybersecurity risks, cybersecurity threats, and incidents, as those terms are defined in 6 U.S.C. &#xA7; 650.\n\t\t\t&#8220;<span class=\"dictionary\">Public body<\/span>&#8221; means any legislative body; any <span class=\"dictionary\">court<\/span> of the Commonwealth; any authority, board, bureau, commission, district, or agency of the Commonwealth; any political subdivision of the Commonwealth, including counties, cities, and towns, city councils, boards of supervisors, school boards, planning commissions, and governing boards of institutions of higher education; and other organizations, corporations, or agencies in the Commonwealth supported wholly or principally by public funds. &#8220;<span class=\"dictionary\">Public body<\/span>&#8221; includes any committee, subcommittee, or other entity however designated of the <span class=\"dictionary\">public body<\/span> or formed to advise the <span class=\"dictionary\">public body<\/span>, including those with private sector or citizen members and corporations organized by the Virginia Retirement System. <a id=\"paragraph-312078\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/2.2-5514\/#A\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"B\"><p><span class=\"prefix-number\">B.<\/span> No <span class=\"dictionary\">public body<\/span> may use, whether directly or through work with or on behalf of another <span class=\"dictionary\">public body<\/span>, any hardware, software, or services that have been prohibited by the U.S. Department of Homeland Security for use on federal systems. <a id=\"paragraph-312079\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/2.2-5514\/#B\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"C\"><p><span class=\"prefix-number\">C.<\/span> Every <span class=\"dictionary\">public body<\/span> shall report all (i) known incidents that threaten the security of the Commonwealth&#8217;s data or communications or result in exposure of data protected by federal or state <span class=\"dictionary\">laws<\/span> and (ii) other incidents compromising the security of the <span class=\"dictionary\">public body<\/span>&#8217;s information technology systems with the potential to cause major disruption to normal activities of the <span class=\"dictionary\">public body<\/span> or other public bodies. Such reports shall be made to the Virginia Fusion Intelligence Center within 24 hours from when the incident was discovered. The Virginia Fusion Intelligence Center shall share such reports with the Chief Information Officer, as described in &#xA7; <a class=\"law\" title=\"Creation of Agency; appointment of Chief Information Officer\" href=\"\/2.2-2005\/\">2.2-2005<\/a>, or his designee at the Virginia Information Technologies Agency, promptly upon receipt. <a id=\"paragraph-312080\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/2.2-5514\/#C\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>\n\t\t\t\t\t\t<section id=\"D\"><p><span class=\"prefix-number\">D.<\/span> No <span class=\"dictionary\">cybersecurity information<\/span> received by the Virginia Information Technologies Agency (VITA) shall be subject to the Virginia Freedom of Information Act (&#xA7; <a class=\"law\" title=\"Short title; policy\" href=\"\/2.2-3700\/\">2.2-3700<\/a> et seq.) or the Government Data Collection and Dissemination Practices Act (&#xA7; <a class=\"law\" title=\"Short title; findings; principles of information practice\" href=\"\/2.2-3800\/\">2.2-3800<\/a> et seq.) while in the <span class=\"dictionary\">possession<\/span> of VITA, neither transferring <span class=\"dictionary\">cybersecurity information<\/span> to nor sharing <span class=\"dictionary\">cybersecurity information<\/span> with VITA shall make VITA the custodian of such information for public records purposes. No provision of <span class=\"dictionary\">cybersecurity information<\/span> to state agencies shall constitute a <span class=\"dictionary\">waiver<\/span> of any applicable <span class=\"dictionary\">privilege<\/span> or protection provided by <span class=\"dictionary\">law<\/span>, including trade secret protection. Persons having access to <span class=\"dictionary\">cybersecurity information<\/span> maintained by VITA shall keep such information confidential, and no person or agency receiving <span class=\"dictionary\">cybersecurity information<\/span> from VITA shall release or disseminate such information without prior authorization. The Chief Information Officer, as pursuant to &#xA7; <a class=\"law\" title=\"Creation of Agency; appointment of Chief Information Officer\" href=\"\/2.2-2005\/\">2.2-2005<\/a>, or his designee may authorize publication or disclosure of reports or aggregate <span class=\"dictionary\">cybersecurity information<\/span> as appropriate. <a id=\"paragraph-312081\" class=\"section-permalink\" href=\"https:\/\/vacode.org\/2.2-5514\/#D\"><i class=\"fa fa-link\"><\/i><\/a><\/p><\/section>","plain_text":"                                 CODE OF VIRGINIA\n\nPROHIBITED PRODUCTS AND SERVICES AND REQUIRED INCIDENT REPORTING (\u00a7 2.2-5514)\n\nA. As used in this chapter, unless the context requires a different meaning:\n\t\t\t&#8220;Cybersecurity information&#8221; means information describing or\nrelating to any security system or measure, whether manual or automated, that is\nused to control access to or use of information technology; security risks,\nthreats, or vulnerabilities involving information technology; or security\npreparedness, response, or recovery related to information technology.\n&#8220;Cybersecurity information&#8221; includes critical infrastructure\ninformation and information regarding cybersecurity risks, cybersecurity\nthreats, and incidents, as those terms are defined in 6 U.S.C. &#xA7; 650.\n\t\t\t&#8220;Public body&#8221; means any legislative body; any court of the\nCommonwealth; any authority, board, bureau, commission, district, or agency of\nthe Commonwealth; any political subdivision of the Commonwealth, including\ncounties, cities, and towns, city councils, boards of supervisors, school\nboards, planning commissions, and governing boards of institutions of higher\neducation; and other organizations, corporations, or agencies in the\nCommonwealth supported wholly or principally by public funds. &#8220;Public\nbody&#8221; includes any committee, subcommittee, or other entity however\ndesignated of the public body or formed to advise the public body, including\nthose with private sector or citizen members and corporations organized by the\nVirginia Retirement System.\n\nB. No public body may use, whether directly or through work with or on behalf of\nanother public body, any hardware, software, or services that have been\nprohibited by the U.S. Department of Homeland Security for use on federal\nsystems.\n\nC. Every public body shall report all (i) known incidents that threaten the\nsecurity of the Commonwealth&#8217;s data or communications or result in\nexposure of data protected by federal or state laws and (ii) other incidents\ncompromising the security of the public body&#8217;s information technology\nsystems with the potential to cause major disruption to normal activities of the\npublic body or other public bodies. Such reports shall be made to the Virginia\nFusion Intelligence Center within 24 hours from when the incident was\ndiscovered. The Virginia Fusion Intelligence Center shall share such reports\nwith the Chief Information Officer, as described in &#xA7; 2.2-2005, or his\ndesignee at the Virginia Information Technologies Agency, promptly upon receipt.\n\nD. No cybersecurity information received by the Virginia Information\nTechnologies Agency (VITA) shall be subject to the Virginia Freedom of\nInformation Act (&#xA7; 2.2-3700 et seq.) or the Government Data Collection and\nDissemination Practices Act (&#xA7; 2.2-3800 et seq.) while in the possession of\nVITA, neither transferring cybersecurity information to nor sharing\ncybersecurity information with VITA shall make VITA the custodian of such\ninformation for public records purposes. No provision of cybersecurity\ninformation to state agencies shall constitute a waiver of any applicable\nprivilege or protection provided by law, including trade secret protection.\nPersons having access to cybersecurity information maintained by VITA shall keep\nsuch information confidential, and no person or agency receiving cybersecurity\ninformation from VITA shall release or disseminate such information without\nprior authorization. The Chief Information Officer, as pursuant to &#xA7;\n2.2-2005, or his designee may authorize publication or disclosure of reports or\naggregate cybersecurity information as appropriate.\n\nHISTORY: 2019, c. 302; 2022, cc. 626, 627; 2024, c. 503.","edition":{"id":1,"name":"2025","slug":"2025","date_created":"2026-06-21 22:39:22","date_modified":"2026-06-21 22:39:22","current":1,"order_by":1,"last_import":null}}