<?xml version="1.0"?>
<law><site_title>Virginia Decoded</site_title><site_url>https://vacode.org</site_url><law_id>87153</law_id><section_number>2.2-5514</section_number><catch_line>Prohibited products and services and required incident reporting</catch_line><edition url="https://vacode.org/2025/" slug="2025" current="TRUE" last_updated="">2025</edition><referred_to_by><reference>2.2-2009</reference><reference>2.2-5514.1</reference></referred_to_by><structure><unit label="title" level="1" order_by="1" identifier="2.2">Administration of Government</unit><unit label="subtitle" level="2" order_by="1" identifier="II">Administration of State Government</unit><unit label="part" level="3" order_by="1" identifier="B">Transaction of Public Business</unit><unit label="chapter" level="4" order_by="1" identifier="55.3">Prohibition on the Use of Certain Products and Services</unit></structure><text>
						<section id="A"><p><span class="prefix-number">A.</span> As used in this chapter, unless the context requires a different meaning:
			&#x201C;<span class="dictionary">Cybersecurity information</span>&#x201D; means information describing or relating to any security system or measure, whether manual or automated, that is used to control access to or use of information technology; security risks, threats, or vulnerabilities involving information technology; or security preparedness, response, or recovery related to information technology. &#x201C;<span class="dictionary">Cybersecurity information</span>&#x201D; includes critical infrastructure information and information regarding cybersecurity risks, cybersecurity threats, and incidents, as those terms are defined in 6 U.S.C. &#xA7; 650.
			&#x201C;<span class="dictionary">Public body</span>&#x201D; means any legislative body; any <span class="dictionary">court</span> of the Commonwealth; any authority, board, bureau, commission, district, or agency of the Commonwealth; any political subdivision of the Commonwealth, including counties, cities, and towns, city councils, boards of supervisors, school boards, planning commissions, and governing boards of institutions of higher education; and other organizations, corporations, or agencies in the Commonwealth supported wholly or principally by public funds. &#x201C;<span class="dictionary">Public body</span>&#x201D; includes any committee, subcommittee, or other entity however designated of the <span class="dictionary">public body</span> or formed to advise the <span class="dictionary">public body</span>, including those with private sector or citizen members and corporations organized by the Virginia Retirement System. <a id="paragraph-312078" class="section-permalink" href="https://vacode.org/2.2-5514/#A"><i class="fa fa-link"/></a></p></section>
						<section id="B"><p><span class="prefix-number">B.</span> No <span class="dictionary">public body</span> may use, whether directly or through work with or on behalf of another <span class="dictionary">public body</span>, any hardware, software, or services that have been prohibited by the U.S. Department of Homeland Security for use on federal systems. <a id="paragraph-312079" class="section-permalink" href="https://vacode.org/2.2-5514/#B"><i class="fa fa-link"/></a></p></section>
						<section id="C"><p><span class="prefix-number">C.</span> Every <span class="dictionary">public body</span> shall report all (i) known incidents that threaten the security of the Commonwealth&#x2019;s data or communications or result in exposure of data protected by federal or state <span class="dictionary">laws</span> and (ii) other incidents compromising the security of the <span class="dictionary">public body</span>&#x2019;s information technology systems with the potential to cause major disruption to normal activities of the <span class="dictionary">public body</span> or other public bodies. Such reports shall be made to the Virginia Fusion Intelligence Center within 24 hours from when the incident was discovered. The Virginia Fusion Intelligence Center shall share such reports with the Chief Information Officer, as described in &#xA7; <a class="law" title="Creation of Agency; appointment of Chief Information Officer" href="/2.2-2005/">2.2-2005</a>, or his designee at the Virginia Information Technologies Agency, promptly upon receipt. <a id="paragraph-312080" class="section-permalink" href="https://vacode.org/2.2-5514/#C"><i class="fa fa-link"/></a></p></section>
						<section id="D"><p><span class="prefix-number">D.</span> No <span class="dictionary">cybersecurity information</span> received by the Virginia Information Technologies Agency (VITA) shall be subject to the Virginia Freedom of Information Act (&#xA7; <a class="law" title="Short title; policy" href="/2.2-3700/">2.2-3700</a> et seq.) or the Government Data Collection and Dissemination Practices Act (&#xA7; <a class="law" title="Short title; findings; principles of information practice" href="/2.2-3800/">2.2-3800</a> et seq.) while in the <span class="dictionary">possession</span> of VITA, neither transferring <span class="dictionary">cybersecurity information</span> to nor sharing <span class="dictionary">cybersecurity information</span> with VITA shall make VITA the custodian of such information for public records purposes. No provision of <span class="dictionary">cybersecurity information</span> to state agencies shall constitute a <span class="dictionary">waiver</span> of any applicable <span class="dictionary">privilege</span> or protection provided by <span class="dictionary">law</span>, including trade secret protection. Persons having access to <span class="dictionary">cybersecurity information</span> maintained by VITA shall keep such information confidential, and no person or agency receiving <span class="dictionary">cybersecurity information</span> from VITA shall release or disseminate such information without prior authorization. The Chief Information Officer, as pursuant to &#xA7; <a class="law" title="Creation of Agency; appointment of Chief Information Officer" href="/2.2-2005/">2.2-2005</a>, or his designee may authorize publication or disclosure of reports or aggregate <span class="dictionary">cybersecurity information</span> as appropriate. <a id="paragraph-312081" class="section-permalink" href="https://vacode.org/2.2-5514/#D"><i class="fa fa-link"/></a></p></section></text><history>2019, c. 302; 2022, cc. 626, 627; 2024, c. 503.</history><metadata></metadata></law>
