Authority: Title 2.2, Chapter 20.1, Code of Virginia.

A. Out of this appropriation, $4,275,798 the first year and $3,346,639 the second year for Technology Security Oversight Services is sum sufficient and amounts shown are estimates from an internal service fund which shall be paid solely from charges to other programs within this agency.

B.1. The Virginia Information Technologies Agency shall operate an information technology security service center to support the information technology security needs of agencies electing to participate in the information technology security service center. Support for participating agencies shall include, but not be limited to, vulnerability scans, information technology security audits, and Information Security Officer services. Participating agencies shall cooperate with the Virginia Information Technologies Agency by transferring such records and functions as may be required.

2.a. The Virginia Information Technologies Agency shall perform vulnerability scans of all public-facing websites and systems operated by state agencies. All state agencies which operate such websites and systems shall cooperate with the Virginia Information Technologies Agency in order to complete the vulnerability scans.

b. Out of this appropriation, $312,515 the first year and $274,092 the second year from the general fund shall be used to support vulnerability scanning of public-facing websites and systems of the Commonwealth.

3. Agencies electing to participate in the information technology security service center shall enter into a memorandum of understanding with the Virginia Information Technologies Agency. Such memorandums shall outline the services to be provided by the Virginia Information Technologies Agency and the costs to provide those services. If a participating agency elects to not renew its memorandum of understanding, the agency shall notify the Virginia Information Technologies Agency twelve months prior to the scheduled renewal date of its intent to become a non-participating agency.

4. Non-participating agencies shall be required by July 1 each year to notify the Chief Information Officer of the Commonwealth that the agency has met the requirements of the Commonwealth's information security standards. If the agency has not met the requirements of the Commonwealth's information security standards, the agency shall report to the Chief Information Officer of the Commonwealth the steps and procedures the agency is implementing in order to satisfy the requirements.

5. Out of this appropriation, $1,402,516 the first year and $1,466,514 $2,188,503 the second year for Information Technology Security Service Center is sum sufficient and amounts shown are estimates from an internal service fund which shall be paid solely from internal service fund revenues.

6. Notwithstanding any other provision of state law, and to the extent and in the manner permitted by federal law, the Virginia Information Technologies Agency shall have the legal authority to access, use, and view data and other records transferred to or in the custody of the information technology security service center pursuant to this Item. The services of the center are intended to enhance data security, and no state law or regulation imposing data security or dissemination restrictions on particular records shall prevent or burden the custodian agency's authority under this Item to transfer such records to the center for the purpose of receiving the center's services. All such transfers and any access, use, or viewing of data by center personnel in support of the center's provision of such services to the transferring agency shall be deemed necessary to assist in valid administrative needs of the transferring agency's program that received, used, or created the records transferred, and personnel of the center shall, to the extent necessary, be deemed agents of the transferring agency's administrative unit that is responsible for the program. Without limiting the foregoing, no transfer of records under this Item shall trigger any requirement for notice or consent under the Government Data Collection and Dissemination Practices Act (GDCDPA) (§ 2.2-3800 et. seq.) or other law or regulation of the Commonwealth. The transferring agency shall continue to be deemed the custodian of any record transferred to the center for purposes of the GDCDPA, the Freedom Of Information Act, and other laws or regulations of the Commonwealth pertaining to agencies that administer the transferred records and associated programs. Custody of such records for security purposes shall not make the Virginia Information Technologies Agency a custodian of such records. Any memorandum of understanding under authority of this Item shall specify the records to be transferred, security requirements, and permitted use of data provided. VITA and any contractor it uses in the provision of the center's services shall hold such data in confidence and implement and maintain all information security safeguards defined in the memorandum of understanding or required by federal or state laws, regulations, or policies for the protection of sensitive data.

7. The rates required to recover the costs of the information technology security service center shall be provided by the Virginia Information Technologies Agency to the Department of Planning and Budget by September 1 each year for review and approval of the subsequent fiscal year's rate.