                                 CODE OF VIRGINIA

ADDITIONAL DUTIES OF THE CIO RELATING TO SECURITY OF GOVERNMENT INFORMATION (§
2.2-2009)

A. To provide for the security of state government electronic information from
unauthorized uses, intrusions or other security threats, the CIO shall direct
the development of policies, standards, and guidelines for assessing security
risks, determining the appropriate security measures and performing security
audits of government electronic information. Such policies, standards, and
guidelines shall apply to the Commonwealth&#8217;s executive, legislative, and
judicial branches and independent agencies. The CIO shall work with
representatives of the Chief Justice of the Supreme Court and Joint Rules
Committee of the General Assembly to identify their needs. Such policies,
standards, and guidelines shall, at a minimum:

   1. Address the scope and frequency of security audits. In developing and
   updating such policies, standards, and guidelines, the CIO shall designate a
   government entity to oversee, plan, and coordinate the conduct of periodic
   security audits of all executive branch agencies and independent agencies. The
   CIO shall coordinate these audits with the Auditor of Public Accounts and the
   Joint Legislative Audit and Review Commission. The Chief Justice of the
   Supreme Court and the Joint Rules Committee of the General Assembly shall
   determine the most appropriate methods to review the protection of electronic
   information within their branches;

   2. Control unauthorized uses, intrusions, or other security threats;

   3. Provide for the protection of confidential data maintained by state
   agencies against unauthorized access and use in order to ensure the security
   and privacy of citizens of the Commonwealth in their interaction with state
   government. Such policies, standards, and guidelines shall include
   requirements that (i) any state employee or other authorized user of a state
   technology asset provide passwords or other means of authentication to use a
   technology asset and access a state-owned or state-operated computer network
   or database and (ii) a digital rights management system or other means of
   authenticating and controlling an individual&#8217;s ability to access
   electronic records be utilized to limit access to and use of electronic
   records that contain confidential information to authorized individuals;

   4. Address the creation and operation of a risk management program designed to
   identify information technology security gaps and develop plans to mitigate
   the gaps. All agencies in the Commonwealth shall cooperate with the CIO,
   including (i) providing the CIO with information required to create and
   implement a Commonwealth risk management program, (ii) creating an agency risk
   management program, and (iii) complying with all other risk management
   activities; and

   5. Require that any contract for information technology entered into by the
   Commonwealth&#8217;s executive, legislative, and judicial branches and
   independent agencies require compliance with applicable federal laws and
   regulations pertaining to information security and privacy.

B. 1. The CIO shall annually report to the Governor, the Secretary, and General
Assembly on the results of security audits, the extent to which security policy,
standards, and guidelines have been adopted by executive branch and independent
agencies, and a list of those executive branch agencies and independent agencies
that have not implemented acceptable security and risk management regulations,
policies, standards, and guidelines to control unauthorized uses, intrusions, or
other security threats. For any executive branch agency or independent agency
whose security audit results and plans for corrective action are unacceptable,
the CIO shall report such results to (i) the Secretary, (ii) any other affected
cabinet secretary, (iii) the Governor, and (iv) the Auditor of Public Accounts.
Upon review of the security audit results in question, the CIO may take action
to suspend the executive branch agency&#8217;s or independent agency&#8217;s
information technology projects pursuant to subsection B of § 2.2-2016.1, limit
additional information technology investments pending acceptable corrective
actions, and recommend to the Governor and Secretary any other appropriate
actions.

   2. Executive branch agencies and independent agencies subject to such audits
   as required by this section shall fully cooperate with the entity designated
   to perform such audits and bear any associated costs. Public bodies that are
   not required to but elect to use the entity designated to perform such audits
   shall also bear any associated costs.

C. In addition to coordinating security audits as provided in subdivision B 1,
the CIO shall conduct an annual comprehensive review of cybersecurity policies
of every executive branch agency, with a particular focus on any breaches in
information technology that occurred in the reviewable year and any steps taken
by agencies to strengthen cybersecurity measures. Upon completion of the annual
review, the CIO shall issue a report of his findings to the Chairmen of the
House Committee on Appropriations and the Senate Committee on Finance and
Appropriations. Such report shall not contain technical information deemed by
the CIO to be security sensitive or information that would expose security
vulnerabilities.

D. The provisions of this section shall not infringe upon responsibilities
assigned to the Comptroller, the Auditor of Public Accounts, or the Joint
Legislative Audit and Review Commission by other provisions of the Code of
Virginia.

E. The CIO shall promptly receive reports from public bodies in the Commonwealth
made in accordance with &#xA7; 2.2-5514 and shall take such actions as are
necessary, convenient, or desirable to ensure the security of the
Commonwealth&#8217;s electronic information and confidential data.

F. The CIO shall provide technical guidance to the Department of General
Services in the development of policies, standards, and guidelines for the
recycling and disposal of computers and other technology assets. Such policies,
standards, and guidelines shall include the expunging, in a manner as determined
by the CIO, of all confidential data and personal identifying information of
citizens of the Commonwealth prior to such sale, disposal, or other transfer of
computers or other technology assets.

G. The CIO shall provide all directors of agencies and departments with all such
information, guidance, and assistance required to ensure that agencies and
departments understand and adhere to the policies, standards, and guidelines
developed pursuant to this section.

H. The CIO shall promptly notify all public bodies as defined in &#xA7; 2.2-5514
of hardware, software, or services that have been prohibited pursuant to Chapter
55.3 (&#xA7; 2.2-5514 et seq.). The CIO shall restrict access to prohibited
applications and websites in accordance with the provisions of &#xA7;
2.2-5514.1.

I. 1. This subsection applies to the Commonwealth&#8217;s executive,
legislative, and judicial branches and independent agencies.

   2. In collaboration with the heads of executive branch and independent
   agencies and representatives of the Chief Justice of the Supreme Court and the
   Joint Rules Committee of the General Assembly, the CIO shall develop and
   annually update a curriculum and materials for training all state employees in
   information security awareness and in proper procedures for detecting,
   assessing, reporting, and addressing information security threats. The
   curriculum shall include activities, case studies, hypothetical situations,
   and other methods of instruction (i) that focus on forming good information
   security habits and procedures among state employees and (ii) that teach best
   practices for detecting, assessing, reporting, and addressing information
   security threats.

   3. Every state agency shall provide annual information security training for
   each of its employees using the curriculum and materials developed by the CIO
   pursuant to subdivision 2. Employees shall complete such training within 30
   days of initial employment and by January 31 each year thereafter.
   				State agencies may develop additional training materials that address
   specific needs of such agency, provided that such materials do not contradict
   the training curriculum and materials developed by the CIO.
   				The CIO shall coordinate with and assist state agencies in implementing
   the annual information security training requirement.

   4. Each state agency shall (i) monitor and certify the training activity of
   its employees to ensure compliance with the annual information security
   training requirement, (ii) evaluate the efficacy of the information security
   training program, and (iii) forward to the CIO such certification and
   evaluation, together with any suggestions for improving the curriculum and
   materials, or any other aspects of the training program. The CIO shall
   consider such evaluations when it annually updates its curriculum and
   materials.

HISTORY: 2000, c. 961, §§ 2.1-563.42 - 2.1-563.44; 2001, c. 844, §§ 2.2-136
- 2.2-138; 2002, c. 247, § 2.2-226.1; 2003, cc. 981, 1021; 2004, c. 638; 2007,
cc. 769, 775; 2010, cc. 136, 145; 2015, c. 768; 2016, c. 296; 2017, c. 664;
2018, c. 775; 2019, c. 302; 2020, c. 717; 2022, cc. 626, 627; 2023, c. 768.