State and Local Cybersecurity Program (language only)

Item 92 #1h

Language

Page 22, line 42, strike "Not set out." and insert:

Authority: Title 2.2, Chapter 20.1, Code of Virginia.

A.1. Out of this appropriation, $33,333,190$34,318,190 the first year and $36,785,703$36,905,703 the second year for Administrative and Support Services is sum sufficient and amounts shown are estimates from an internal service fund which shall be paid solely from charges to other programs within this agency.

2. In accordance with § 2.2-2013 D, Code of Virginia, the surcharge rate used to fund expenses for operations and staff of services administered by the Virginia Information Technologies Agency shall be no more than 12.9012.76 percent the first year and 14.6513.55 percent the second year.

3. Included in the amounts for Administrative and Support Services are funds from the Acquisition Services Special Fund which is paid solely from receipts from vendor information technology contracts. These funds will be used to finance procurement and contracting activities and costs unallowable for federal fund reimbursement.

B. The provisions of Title 2.2, Chapter 20.1 of the Code of Virginia shall not apply to the Virginia Port Authority.

C. The requirement that the Department of Behavioral Health and Developmental Services purchase information technology equipment or services from the Virginia Information Technologies Agency according to the provisions of Chapters 981 and 1021 of the Acts of Assembly of 2003 shall not adversely impact the provision of services to mentally disabled clients.

D. The Chief Information Officer and the Secretary of Administration shall provide the Governor and the Chairs of the House Appropriations and Senate Finance Committees with a report detailing any amendments or modifications to the information technology infrastructure services contracts. The report shall include statements describing the fiscal impact of such amendments or modifications and shall be submitted within 30 days following the signing of any amended agreement.

E.1. Notwithstanding the provisions of §§ 2.2-1509, 2.2-2007 and 2.2-2017, Code of Virginia, the scope of formal reporting on major information technology projects in the Recommended Technology Investment Projects (RTIP) report is reduced. The efforts involved in researching, analyzing, reviewing, and preparing the report will be streamlined and project ranking will be discontinued. Project analysis will be targeted as determined by the Chief Information Officer (CIO) and the Secretary of Administration. Information on major information technology investments will continue to be provided General Assembly members and staff. Specifically, the following tasks will not be required, though the task may be performed in a more streamlined fashion: (i) The annual report to the Governor, the Secretary, and the Joint Commission on Technology and Science; (ii) The annual report from the CIO for submission to the Secretary, the Information Technology Advisory Council, and the Joint Commission on Technology and Science on a prioritized list of Recommended Technology Investment Projects (RTIP Report); (iii) The development by the CIO and regular update of a methodology for prioritizing projects based upon the allocation of points to defined criteria and the inclusion of this information in the RTIP Report; (iv) The indication by the CIO of the number of points and how they were awarded for each project recommended for funding in the RTIP Report; (vi) The reporting, for each project listed in the RTIP, of all projected costs of ongoing operations and maintenance activities of the project for the next three biennia following project implementation, a justification and description for each project baseline change, and whether the project fails to incorporate existing standards for the maintenance, exchange, and security of data; and (vii) The reporting of trends in current projected information technology spending by state agencies and secretariats, including spending on projects, operations and maintenance, and payments to Virginia Information Technologies Agency.

2. Notwithstanding any other provision of law and effective July 1, 2015, the Virginia Information Technologies Agency (VITA) shall maintain and update quarterly a list of major information technology projects that are active or are expected to become active in the next fiscal year and have been approved and recommended for funding by the Secretary of Administration. Such list shall serve as the official repository for all ongoing information technology projects in the Commonwealth and shall include all information required by § 2.2-1509.3 (B)(1)-(8), Code of Virginia. VITA shall make such list publically available on its website, updated on a quarterly basis, and shall submit electronically such quarterly update to the Chairs of the House Appropriations and Senate Finance Committees and the Director, Department of Planning and Budget, in a format mutually agreeable to them. To ensure such list can be maintained and updated quarterly, state agencies with major information technology projects that are active or are expected to become active in the next fiscal year shall provide in a timely manner all data and other information requested by VITA.

F. The Virginia Information Technologies Agency (the agency) shall take the necessary steps to obtain and use the cybersecurity grant funding that is available to Virginia under the State and Local Cybersecurity Improvement Act subtitle of the Infrastructure Investment and Jobs Act of 2021, P.L. 117-58. In accordance with the federal grant requirements, the agency shall establish, and identify candidates for appointment by the Governor to, a planning committee that includes members from: (i) state government; counties, cities, and towns; and institutions of public education and health within Virginia; and (ii) suburban, rural, and high-population jurisdictions. No less than half of the members shall have substantial professional experience in cybersecurity or information technology. The Chief Information Officer of the Commonwealth, or the Chief Information Security Officer as designee, shall be the chair of the planning committee. Staffing for the planning committee shall be provided by the agency. In addition, the agency shall: (i) develop a cybersecurity plan, present such plan to the planning committee for approval, and submit such plan to the appropriate federal officials in compliance with the federal program requirements; (ii) propose priorities for grant funding for the planning committee's consideration and approval, and in establishing priorities, the committee shall consider the needs of local school divisions; (iii) approve, manage, and allocate grant funding once received, ensuring that the grants fit within the priorities approved by the planning committee; and (iv) report on program's activities to the House Appropriations Committee and the Senate Finance and Appropriations Committee by October 1 of each year of the program. To the extent permitted by federal grant guidelines, the agency may retain a portion of the federal grant funding to reimburse actual costs incurred in providing support and administration of the provisions of this paragraph."