The Virginia Information Technologies Agency (VITA), under the authority of § 2.2-2009 of the Code of Virginia, is directed to: ". . . provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, the CIO shall direct the development of policies, standards, and guidelines for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, standards, and guidelines shall apply to the Commonwealth's executive, legislative, and judicial branches and independent agencies."
VITA's statutorily-obligated security responsibilities include (but are not limited to):
§ 2.2-2009 of the Code of Virginia requires the Chief Information Officer of the Virginia Information Technologies Agency to develop policies, standards, and guidelines to ensure that any procurement of information technology made by the Commonwealth's executive, legislative, and judicial branches and independent agencies is made in accordance with federal laws and regulations pertaining to information security and privacy.
In accordance with § 2.2-2009 of the Code of Virginia, VITA shall operate an information technology security service center to support the information technology security needs of agencies electing to participate in the information technology security service center. Support for participating agencies shall include, but is not limited to, vulnerability scans, information technology security audits, and Information Security Officer services. Participating agencies shall cooperate with the Virginia Information Technologies Agency by transferring such records and functions as may be required.
Funding has been established for both Technology Security Oversight Services and Cloud Based Services Oversight (refer to Title 2.2, Chapter 20.1 of the Code of Virginia).
In accordance with Title 2.2, Chapter 20.1, "VITA shall prioritize efforts to modernize current information technology services and to make available to agencies, where appropriate, commercially-offered information technology services including but not limited to cloud computing, mobile, and artificial intelligence."
§ 2.2-2009(C) states "[i]n addition to coordinating security audits as provided in subdivision B 1, the CIO shall conduct an annual comprehensive review of cybersecurity policies of every executive branch agency, with a particular focus on any breaches in information technology that occurred in the reviewable year and any steps taken by agencies to strengthen cybersecurity measures. Upon completion of the annual review, the CIO shall issue a report of his findings to the Chairmen of the House Committee on Appropriations and the Senate Committee on Finance. Such report shall not contain technical information deemed by the CIO to be security sensitive or information that would expose security vulnerabilities."
The CIO has given VITA's Commonwealth Security and Risk Management (CSRM) Division the responsibility for developing security-related policies, standards and guidelines, implementing them and providing governance processes and audits to ensure agency compliance. VITA's Project Management Division (PMD) and Supply Chain Management Division (SCM) and other VITA divisions participate in various oversight and governance capacities to assist CSRM in fulfilling VITA's statutory security obligations.