28.0 Introduction

Virginia Information Technologies Agency (VITA), under the authority of § 2.2-2009 of the Code of Virginia, is directed to: "...provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, the CIO shall direct the development of policies, standards, and guidelines for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, standards, and guidelines shall apply to the Commonwealth's executive, legislative, and judicial branches and independent agencies."

Additionally, the 2017 General Assembly session included the following legislative changes regarding VITA's statutory security responsibilities:

  • § 2.2-2009 of the Code of Virginia requires the Chief Information Officer of the Virginia Information Technologies Agency to develop policies, standards, and guidelines to ensure that any procurement of information technology made by the Commonwealth's executive, legislative, and judicial branches and independent agencies is made in accordance with federal laws and regulations pertaining to information security and privacy.
  • In accordance with § 2.2-2009 of the Code of Virginia, the Virginia Information Technologies Agency shall operate an information technology security service center to support the information technology security needs of agencies electing to participate in the information technology security service center. Support for participating agencies shall include, but not be limited to, vulnerability scans, information technology security audits, and Information Security Officer services. Participating agencies shall cooperate with the Virginia Information Technologies Agency by transferring such records and functions as may be required.
  • Established funding for both Technology Security Oversight Services and Cloud Based Services Oversight (refer to Title 2.2, Chapter 20.1 of the Code of Virginia).

The CIO has given VITA's Commonwealth Security and Risk Management (CSRM) Division responsibility for developing the security-related policies, standards and guidelines, implementing them, and providing the governance processes and audits that ensure agency compliance. VITA's Project Management Division (PMD), Supply Chain Management Division (SCM), and other VITA divisions participate in various oversight and governance capacities to assist CSRM in fulfilling VITA's statutory security obligations.