Virginia Information Technologies Agency (VITA), under the authority of § 2.2-2009 of the Code of Virginia, is directed to: "...provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, the CIO shall direct the development of policies, standards, and guidelines for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, standards, and guidelines shall apply to the Commonwealth's executive, legislative, and judicial branches and independent agencies."
Additionally, the 2017 General Assembly session included the following legislative changes regarding VITA's statutory security responsibilities:
The CIO has given VITA's Commonwealth Security and Risk Management (CSRM) Division responsibility for developing the security-related policies, standards and guidelines, implementing them, and providing governance processes and audits to ensure agency compliance. VITA's Project Management Division (PMD), Supply Chain Management Division (SCM) and other VITA divisions participate in various oversight and governance capacities to assist CSRM in fulfilling VITA's statutory security obligations.